postfix help cannot start tls: handshake failure


Dan Walters

Feb 4, 2022, 5:26:08 PM
I'm looking for a bit of help in regards to Postfix and TLS and one particular customer, or so it seems anyway. We removed SSLv3, TLS 1.0 and TLS 1.1 from the configuration recently and have been getting this TLS handshake failure, but what is weird about it is that after it sits in the queue for 7 min or so it sends.... So I'm looking to figure out how to fix this issue.

mail log
Feb 4 22:06:57 smtp01 postfix/smtp[232395]: setting up TLS connection to mail.redacted.com[redactedip]:25
Feb 4 22:06:57 smtp01 postfix/smtp[232395]: mail.redacted.com[redactedip]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 4 22:06:57 smtp01 postfix/smtp[232395]: SSL_connect:before SSL initialization
Feb 4 22:06:57 smtp01 postfix/smtp[232395]: SSL_connect:SSLv3/TLS write client hello
Feb 4 22:06:58 smtp01 postfix/smtp[232395]: SSL_connect:SSLv3/TLS write client hello
Feb 4 22:06:58 smtp01 postfix/smtp[232395]: SSL3 alert write:fatal:protocol version
Feb 4 22:06:58 smtp01 postfix/smtp[232395]: SSL_connect:error in error
Feb 4 22:06:58 smtp01 postfix/smtp[232395]: SSL_connect error to mail.redacted.com[redactedip]:25: -1
Feb 4 22:06:58 smtp01 postfix/smtp[232395]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1947:
Feb 4 22:06:58 smtp01 postfix/smtp[232395]: redactedid: to=<911.re...@redacted.com>, relay=mail.redacted.com[redactedip]:25, delay=0.37, delays=0.13/0/0.24/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

Feb 4 22:11:17 smtp01 postfix/smtp[233789]: initializing the client-side TLS engine
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: setting up TLS connection to mail.redacted.com[redactedip]:25
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: mail.redacted.com[redactedip]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: SSL_connect:before SSL initialization
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: SSL_connect:SSLv3/TLS write client hello
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: SSL_connect:SSLv3/TLS write client hello
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: SSL3 alert write:fatal:protocol version
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: SSL_connect:error in error
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: SSL_connect error to mail.redacted.com[redactedip]:25: -1
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1947:
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: BA4AD10B78A4: Cannot start TLS: handshake failure
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: BA4AD10B78A4: to=<911.re...@redacted.com>, relay=mail.redacted.com[redactedip]:25, delay=580, delays=579/0.06/0.27/0.15, dsn=2.0.0, status=sent (250 message queued)

main.cf

#
# TLS configuration
#
# With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption.
smtpd_use_tls = yes
smtpd_tls_security_level = may
# Configures the server certificate file and key file as well as the CA's intermediate certificate file.
smtpd_tls_cert_file = /etc/postfix/clientcert.cer
smtpd_tls_key_file = /etc/postfix/clientcert.key
smtpd_tls_CAfile = /etc/postfix/cacerts.cer
# Enable logging of summary message for TLS handshake and to include information about the protocol and cipher used as well as the client and issuer CommonName
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtp_tls_loglevel = 0
# Postfix SMTP server and the remote SMTP client negotiate a session, which takes some computer time and network bandwidth. SSL protocol versions other than SSLv2 support resumption of
# cached sessions.
#smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
# Cached Postfix SMTP server session information expires after a certain amount of time.RFC2246 recommends a maximum of 24 hours.
smtpd_tls_session_cache_timeout = 10800s
maximal_queue_lifetime = 1d
# Milter configuration
milter_default_action = accept
milter_protocol = 6
smtpd_milters = inet:127.0.0.1:8891
non_smtpd_milters = $smtpd_milters

#DRW 1/11/2022 – removed legacy protocols
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1, !TLSv1.1
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256,RSA+AES, eNULL, RC4, ARC4
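The pattern in the log above (a "TLS library problem ... unsupported protocol" warning, a deferral with "Cannot start TLS: handshake failure", then a status=sent for the same queue ID on the retry about ten minutes later) is worth detecting on any relay that has just dropped TLS 1.0/1.1, because with `smtp_tls_security_level = may` a delivery that succeeds right after a handshake failure has most likely gone out without TLS. The script below is an added example, not something from the original post or from the Postfix project: it parses Postfix SMTP-client log lines, ties the per-process TLS library warning to the next delivery record from the same pid, and reports, per queue ID and per relay, whether mail was deferred or delivered after a TLS failure. The sample log, hostnames, addresses and queue IDs are constructed placeholders.

```python
"""Spot TLS-policy fallout in Postfix SMTP-client logs: handshake failures that
defer mail, and deliveries that later succeed after such a failure."""
import re
from collections import defaultdict

# Constructed sample log, modelled on the lines in the post above.  Hostnames,
# addresses and queue IDs are placeholders, not values from the original logs.
SAMPLE_LOG = """\
Feb 4 22:06:58 smtp01 postfix/smtp[232395]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1947:
Feb 4 22:06:58 smtp01 postfix/smtp[232395]: 1A2B3C4D5E6F: to=<user@example.invalid>, relay=mail.example.invalid[192.0.2.10]:25, delay=0.37, delays=0.13/0/0.24/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:ssl/statem/statem_lib.c:1947:
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: 1A2B3C4D5E6F: Cannot start TLS: handshake failure
Feb 4 22:11:17 smtp01 postfix/smtp[233789]: 1A2B3C4D5E6F: to=<user@example.invalid>, relay=mail.example.invalid[192.0.2.10]:25, delay=580, delays=579/0.06/0.27/0.15, dsn=2.0.0, status=sent (250 message queued)
Feb 4 22:12:00 smtp01 postfix/smtp[233790]: 9F8E7D6C5B4A: to=<other@example.invalid>, relay=mx.example.invalid[192.0.2.20]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 ok)
"""

# Per-recipient delivery record written by postfix/smtp.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), delay=(?P<delay>[\d.]+), delays=[\d./]+, "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)
# OpenSSL error reported by Postfix; carries the pid but not the queue ID.
TLS_LIB_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: warning: TLS library problem: "
    r"error:[0-9A-Fa-f]+:SSL routines:(?P<func>\w+):(?P<reason>[^:]+)"
)
# Stand-alone handshake-failure line logged on a retry attempt.
HANDSHAKE_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Za-z]+): Cannot start TLS: handshake failure"
)


def analyse(log_text):
    """Return {queue_id: {relay, dsn, delay, attempts, tls_errors, outcome}}.

    outcome is 'deferred_tls_failure', 'sent_after_tls_failure' (a retry that
    succeeded after a handshake failure; under opportunistic TLS that retry is
    likely to have been delivered in cleartext), 'sent', or the raw status."""
    last_tls_error = {}            # pid -> most recent OpenSSL function/reason
    tls_errors = defaultdict(set)  # qid -> reasons seen for that message
    attempts = defaultdict(int)    # qid -> delivery attempts logged
    results = {}
    for line in log_text.splitlines():
        m = TLS_LIB_RE.search(line)
        if m:
            last_tls_error[m["pid"]] = f'{m["func"]}: {m["reason"]}'
            continue
        m = HANDSHAKE_RE.search(line)
        if m:
            tls_errors[m["qid"]].add(last_tls_error.get(m["pid"], "handshake failure"))
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        qid = m["qid"]
        attempts[qid] += 1
        if "Cannot start TLS" in m["detail"]:
            tls_errors[qid].add(last_tls_error.get(m["pid"], "handshake failure"))
        if m["status"] == "sent":
            outcome = "sent_after_tls_failure" if tls_errors.get(qid) else "sent"
        elif tls_errors.get(qid):
            outcome = "deferred_tls_failure"
        else:
            outcome = m["status"]
        results[qid] = {
            "relay": m["relay"], "dsn": m["dsn"], "delay": float(m["delay"]),
            "attempts": attempts[qid], "tls_errors": sorted(tls_errors.get(qid, ())),
            "outcome": outcome,
        }
    return results


def relays_with_tls_failures(results):
    """Group the TLS error reasons by remote relay, for a per-destination review."""
    by_relay = defaultdict(set)
    for info in results.values():
        if info["tls_errors"]:
            by_relay[info["relay"]].update(info["tls_errors"])
    return {relay: sorted(errs) for relay, errs in by_relay.items()}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for qid, info in report.items():
        print(qid, info["outcome"], info["relay"], info["tls_errors"])
    print(relays_with_tls_failures(report))
```

Running it over a real mail.log replaces the constructed sample; the relay list from `relays_with_tls_failures` is the set of destinations whose TLS stack rejected the client's minimum protocol version, which is the input you need before deciding between an exception for that one destination and leaving the delivery to fall back.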
