On Fri, Jun 07, 2024 at 10:20:58AM +0200, Daniel Hiepler via Postfix-users
wrote:
> I'm trying to rule out a config error on my setup since Postfix is a
> beast and I'm no beastmaster :)
If you're willing to keep making progress, just give it time...
> When I enabled "reject_plaintext_session" for
> smtpd_sender/relay/client_restrictions,
That's modestly aggressive. I was about to say that there's still a
significant fraction of sending systems that are cleartext only. But
looking at the latest stats from Gmail:
https://transparencyreport.google.com/safer-email/overview?encrypt_in=start:1703980800000;end:1717804799999;series:inbound&lu=encrypt_out&encrypt_out=start:1703980800000;end:1717804799999;series:outbound
I was pleasantly surprised to see that the inbound share of TLS has
lately been a fairly steady 99%. Which still leaves around 1% in
cleartext, and that's still non-negligible, but perhaps no longer
a "significant" fraction, rather an annoying minority most operators
can't blithely ignore.
> I got the following log output from some big national mailprovider.
> Does that mean, that the other server is trying to deliver mail via
> TLS1.0 or TLS1.1 ? The mailprovider claims to have disabled those.
No, the TLS alert sub-protocol has not changed since it was introduced
in TLS 1.0, and so alerts are always "tlsv1" alerts.
> Jun 7 08:57:01 cerberos postfix/smtpd[1859]: warning: TLS library problem: error:0A00042F:SSL routines::tlsv1 alert insufficient security:../openssl-3.0.13/ssl/record/rec_layer_s3.c:1590:SSL alert number 71:
The real problem is that the remote system believes something about your
domain (perhaps the DH parameters, or certificate signature size, ...)
to not meet its demands. It therefore sends a TLS alert to your server
to signal the reason for the aborted handshake. The crypto-maximalist
game is a two-player game. :-)
> My cipher config is:
>
> smtpd_tls_mandatory_ciphers = medium
> smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, LOW, 3DES, MD5, EXP, PSK, SRP, DSS, DES, RC4, PSK
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH
> tls_preempt_cipherlist = yes
> tls_session_ticket_cipher = aes-256-cbc
Nothing particularly unusual. The other side might be expecting some
crypto parameters to be turned up to 11. Better ask them.
--
Viktor.
_______________________________________________
Postfix-users mailing list
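The two points in the reply above, that the "tlsv1" in the OpenSSL message names the alert sub-protocol rather than a negotiated TLS version, and that "SSL alert number 71" is a fatal insufficient_security alert the peer sent to the poster's server, can be checked by decoding the alert yourself. The following is an added example, not code from the thread, from Postfix or from OpenSSL: it decodes a hand-constructed TLS alert record (the bytes are made up for illustration, not captured from the poster's server) and parses the OpenSSL log line quoted in the thread. The function names and the alert table are my own; the alert numbers are the IANA-registered values from the TLS RFCs.

```python
"""Decode a TLS alert record and an OpenSSL "tlsv1 alert ..." log line.

Added example, not part of the original post.  The record bytes below
are constructed by hand; the log line is the one quoted in the thread.
"""
import re
import struct

# Alert description codes (RFC 2246 for TLS 1.0, RFC 5246 for TLS 1.2,
# RFC 8446 for TLS 1.3).  The numbering has been stable since TLS 1.0,
# which is why OpenSSL labels every received alert a "tlsv1 alert".
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    50: "decode_error",
    51: "decrypt_error",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
    90: "user_canceled",
    100: "no_renegotiation",
    109: "missing_extension",
    110: "unsupported_extension",
    112: "unrecognized_name",
    116: "certificate_required",
    120: "no_application_protocol",
}

ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 21  # TLS record content type for the alert sub-protocol


def parse_alert_record(record: bytes) -> dict:
    """Parse one plaintext TLS record that carries an alert.

    Record layout, identical in TLS 1.0 through 1.3:
        content_type (1) | record version (2) | length (2) | body
    Alert body: level (1) | description (1).
    Raises ValueError for anything that is not a well-formed alert record.
    """
    if len(record) < 5:
        raise ValueError("record header truncated")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != CONTENT_TYPE_ALERT:
        raise ValueError(f"content type {ctype} is not an alert")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body must be exactly two bytes")
    level, desc = body
    return {
        # 3.3 on the wire means TLS 1.2; TLS 1.3 keeps 3.3 as its legacy
        # record version, so this field says nothing about what was negotiated.
        "record_version": f"{major}.{minor}",
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description_code": desc,
        "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})"),
    }


# OpenSSL reports a *received* fatal alert as "tlsv1 alert <name>" and
# appends "SSL alert number <n>"; the number is the description byte above.
OPENSSL_ALERT_RE = re.compile(
    r"tlsv1 alert (?P<name>[a-z ]+):.*SSL alert number (?P<num>\d+)"
)


def parse_openssl_alert_log(line: str) -> dict:
    """Extract the alert number from an OpenSSL error line and name it."""
    m = OPENSSL_ALERT_RE.search(line)
    if m is None:
        raise ValueError("no OpenSSL alert reason in line")
    num = int(m.group("num"))
    return {
        "alert_number": num,
        "description": ALERT_DESCRIPTIONS.get(num, f"unknown({num})"),
        "openssl_name": m.group("name").strip(),
        "sent_by_peer": True,  # the SSL_R_TLSV1_ALERT_* reasons mean "received"
    }


if __name__ == "__main__":
    # Constructed record: alert (0x15), version 3.3, length 2, fatal (2), 71 (0x47).
    SAMPLE_RECORD = b"\x15\x03\x03\x00\x02\x02\x47"
    SAMPLE_LOG = ("Jun 7 08:57:01 cerberos postfix/smtpd[1859]: warning: TLS library "
                  "problem: error:0A00042F:SSL routines::tlsv1 alert insufficient "
                  "security:../openssl-3.0.13/ssl/record/rec_layer_s3.c:1590:"
                  "SSL alert number 71:")
    print(parse_alert_record(SAMPLE_RECORD))
    print(parse_openssl_alert_log(SAMPLE_LOG))
```

The decoded record shows why the log line cannot be read as "the peer used TLS 1.0": the only version present is the record-layer version, which is the same 3.3 for TLS 1.2 and TLS 1.3, and the word "tlsv1" comes from OpenSSL's reason-code naming, not from the wire. What the record does tell you is that the peer, not your server, ended the handshake with a fatal insufficient_security alert, which is exactly the "ask them" situation in the reply.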