How to understand what is needed for this client? [solved]

Discussion in 'Installation/Configuration' started by Georgy Goshin, Dec 15, 2021.

  1. Georgy Goshin

    Georgy Goshin New Member

    Hello
    My mailserver does not support some SSL/TLS configuration part. How to debug and find what is missing? Client is on the Windows server 2012.

    Dec 15 13:32:45 ispcc postfix/submission/smtpd[60981]: connect from 5-88-235-88.sta.estpak.ee[88.235.88.5]
    Dec 15 13:32:45 ispcc postfix/submission/smtpd[60981]: lost connection after CONNECT from 5-88-235-88.sta.estpak.ee[88.235.88.5]
    Dec 15 13:32:45 ispcc postfix/submission/smtpd[60981]: disconnect from 5-88-235-88.sta.estpak.ee[88.235.88.5] commands=0/0
    Dec 15 13:33:00 ispcc postfix/submission/smtpd[60981]: connect from 5-88-235-88.sta.estpak.ee[88.235.88.5]
    Dec 15 13:33:00 ispcc postfix/submission/smtpd[60981]: SSL_accept error from 5-88-235-88.sta.estpak.ee[88.235.88.5]: -1
    Dec 15 13:33:00 ispcc postfix/submission/smtpd[60981]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
    Dec 15 13:33:00 ispcc postfix/submission/smtpd[60981]: lost connection after STARTTLS from 5-88-235-88.sta.estpak.ee[88.235.88.5]
    Dec 15 13:33:00 ispcc postfix/submission/smtpd[60981]: disconnect from 5-88-235-88.sta.estpak.ee[88.235.88.5] ehlo=1 starttls=0/1 commands=1/2


    few lines from main.cf
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_protocols = !SSLv2,!SSLv3
    smtp_tls_protocols = !SSLv2,!SSLv3
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    smtpd_tls_mandatory_ciphers = medium
    tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
    tls_preempt_cipherlist = yes


    Thank you a lot for help.
     
  2. Georgy Goshin

    Georgy Goshin New Member

    I did not found the simple way to debug but found that 1 and 1.1 was disabled by policy and
    update-crypto-policies --set LEGACY has got it back. I'm on CentOS 8.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I see this is changed in CentOS indeed. @till shall we add this command to the perfect server guide? Not sure if it's a good idea, for most users the default is fine. Maybe add a note to the mailserver paragraph with "To enable support for old/outdated devices...".
     
    till likes this.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I'll add a comment in the guide.
     

Share This Page