Thursday, April 07, 2022

Re: TLS library problem: tlsv1 alert protocol

On 2022-04-06, Tom Smyth <tom.smyth@wirelessconnect.eu> wrote:
> Hi Stephan,
> at a guess I would say that there is no overlap between supported TLS
> protocol versions and ciphers
> available on the client vs the server.

This message explicitly suggests protocol version rather than cipher.

> if your system is using a recent version of an Os and you are trying
> to relay to an older legacy system,
> ideally ask the older system to upgrade / enable higher ciphers....
> or you can be more permissive on your tls configuration...
> I hope this is helpful

It's Postfix which is by default fairly lenient for standard SMTP
connections from other MXes (it requires something more modern for
authenticated users but there's not much point for standard SMTP as
most people will be accepting plaintext anyway). In terms of
protocol it's >=TLSv1.0

So unless Stephan's config is using stronger TLS settings than the
defaults it's more likely to be either very old software on the client
(which seems unlikely for web.de) or some incompatibility.

> On Wed, 6 Apr 2022 at 23:32, Stephan Mending <list@md5collisions.eu> wrote:
>>
>> Hi *,
>> I've noticed on my mail relays that TLS handshakes with one certain email relay keep failing. I was wondering what the
>> reason for that may be.
>>
>> Following error from postfix:
>>
>> connect from mout.web.de[ IP ]:44003
>> SSL_accept error from mout.web.de[ IP ]:44003: -1
>> warning: TLS library problem: error:1404A42E:SSL routines:ST_ACCEPT:tlsv1 alert protocol version:/usr/src/lib/libssl/tls13_lib.c:150:
>> lost connection after STARTTLS from mout.web.de
>>
>> Can anybody with more knowledge of libressl and its error messages tell by this error what is wrong?

I would bump up Postfix log settings and see if it gives more clues

smtpd_tls_loglevel = 2

If this was mail you were sending *out* and had TLS problems with a specific
destination, you could use smtp_tls_policy_maps to disable it individually.
I don't think there's a similar method built-in to Postfix for controlling
whether to advertise STARTTLS to a particular client, but if you need to
receive the mail and want a way to do that, you can have Postfix listen
on another port for SMTP without advertising STARTTLS

127.0.0.1:10025 inet n - y - - smtpd
  -o syslog_name=postfix/smtpd/tlsdisabled
  -o smtpd_tls_security_level=none

and use PF rdr-to to direct connections from the relevant IP to it.

(Also you don't say what version of things you're running, but make sure
they're up to date?)

--
Please keep replies on the mailing list.
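As an added example that is not part of this thread, the log triage the reply recommends can be scripted: the Python below parses Postfix smtpd lines like the ones Stephan quoted, pairs each SSL_accept error with the LibreSSL "TLS library problem" warning logged next by the same smtpd process, and classifies the reason as a protocol-version or cipher mismatch (the two causes the thread weighs up). The sample lines, host names and IP address are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the ones quoted in the thread; the
# client IP is a documentation-range placeholder, not a real address.
SAMPLE_LOG = """\
Apr  6 23:10:01 mx postfix/smtpd[1234]: connect from mout.web.de[192.0.2.10]:44003
Apr  6 23:10:01 mx postfix/smtpd[1234]: SSL_accept error from mout.web.de[192.0.2.10]:44003: -1
Apr  6 23:10:01 mx postfix/smtpd[1234]: warning: TLS library problem: error:1404A42E:SSL routines:ST_ACCEPT:tlsv1 alert protocol version:/usr/src/lib/libssl/tls13_lib.c:150:
Apr  6 23:10:01 mx postfix/smtpd[1234]: lost connection after STARTTLS from mout.web.de[192.0.2.10]:44003
"""

PID_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
SSL_ERR_RE = re.compile(r"^SSL_accept error from (\S+)\[([^\]]+)\]")
LIB_RE = re.compile(r"^warning: TLS library problem: error:([0-9A-Fa-f]+):([^:]*):([^:]*):([^:]*):")

def classify(reason):
    r = reason.lower()
    if "protocol version" in r or "unsupported protocol" in r:
        return "protocol-version"
    if "cipher" in r:
        return "cipher"
    return "other"

def parse_starttls_failures(log_text):
    """Pair each SSL_accept error with the next TLS library warning from the same pid."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        e = SSL_ERR_RE.match(msg)
        if e:
            pending[pid] = {"host": e.group(1), "ip": e.group(2), "cause": "unknown"}
            continue
        w = LIB_RE.match(msg)
        if w and pid in pending:
            rec = pending.pop(pid)
            rec.update(code=w.group(1), reason=w.group(4), cause=classify(w.group(4)))
            failures.append(rec)
    failures.extend(pending.values())  # errors whose library warning never appeared
    return failures

def failures_by_client(log_text):
    """Count failed handshakes per client host, broken down by diagnosed cause."""
    summary = defaultdict(lambda: defaultdict(int))
    for rec in parse_starttls_failures(log_text):
        summary[rec["host"]][rec["cause"]] += 1
    return {host: dict(causes) for host, causes in summary.items()}
```

Run it over the output of smtpd_tls_loglevel = 2 to see which peers are failing and for which reason before deciding on the TLS-disabled listener workaround.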
