hey,
after upgrading from debian stretch (providing postfix 3.1.14) to buster
(providing postfix 3.4.8), i just found out that no incoming mail was
received any longer. digging a little deeper showed me that turning off tls
resolved this issue. but then again, there was no tls...
i would appreciate a little help on why postfix doesn't like my old
settings any longer and what i have to change to get it working with 3.4.8.
i used the very same main.cf and master.cf file with the following tls
related settings:
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = low
smtpd_tls_cert_file = /etc/letsencrypt/certs/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/certs/privkey.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams/dh2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dhparams/dh512.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_ask_ccert = yes
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_client_restrictions = permit_tls_clientcerts, check_client_access hash:/etc/postfix/client_access, reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_tls_clientcerts, permit_mynetworks, defer_unauth_destination
here's what the log file says:
Feb 22 08:50:07 mail postfix/smtpd[12952]: initializing the server-side TLS engine
Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change cipher spec
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted extensions
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate request
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate
Feb 22 08:50:07 mail postfix/smtpd[12815]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12816]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
greetings...