On Sun, Feb 23, 2020 at 10:45:14PM +0100, Michael wrote:
> After upgrading from debian stretch (providing postfix 3.1.14) to
> buster (providing postfix 3.4.8), I just found out that no incoming
> mail was received any longer. Digging a little deeper showed me that
> turning off tls resolved this issue. But then again, there was no
> tls...
>
> I would appreciate a little help on why postfix doesn't like my old
> settings any longer and what I have to change to get it working with
> 3.4.8.
>
>
> I used the very same main.cf and master.cf file with the following tls
> related settings:
> smtpd_tls_security_level = may
> smtpd_tls_loglevel = 1
That's fine, but not consistent with the verbose logging below. Did you
temporarily set a higher log level?
> smtpd_tls_ciphers = low
These days, "medium" makes more sense; the "low" and "export"
ciphers are dead.
> here's what the log file says:
> Feb 22 08:50:07 mail postfix/smtpd[12952]: initializing the server-side TLS
> engine
> Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from
> bendel.debian.org[82.195.75.100]
TLS library initialization was successful.
> Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from
> bendel.debian.org[82.195.75.100]
> Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]:
> TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"
That's the "low" cipherlist, so far so good...
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL
> initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL
> initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client
> hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server
> hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change
> cipher spec
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted
> extensions
Based on the TLS ClientHello, the server believes the client supports
TLS 1.3.
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write
> certificate request
And is soliciting a client certificate.
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write
> certificate
And sends its own.
> Feb 22 08:50:07 mail postfix/smtpd[12815]: SSL_accept error from
> bendel.debian.org[82.195.75.100]: lost connection
> Feb 22 08:50:07 mail postfix/smtpd[12816]: SSL_accept error from
> bendel.debian.org[82.195.75.100]: lost connection
These two are from an unrelated concurrent session and should be ignored.
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server
> certificate verify
The server signs its certificate message.
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
And is now ready to hear back from the client, but what happened next?
This isn't the end of the logging from smtpd[12952]...
--
Viktor.
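
Added example, not part of the message above and not Postfix code: a small Python script that groups smtpd log lines by process ID, so that "lost connection" errors from concurrent sessions are not attributed to the handshake being traced, and reports the last handshake state each process logged. The sample input is the log quoted in this thread with the mail client's line wrapping undone; the function names are chosen for this example.

```python
import re
from collections import defaultdict

# Log lines quoted in the thread above, unwrapped to one entry per line.
SAMPLE = """\
Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate request
Feb 22 08:50:07 mail postfix/smtpd[12815]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12816]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STATE = re.compile(r"^SSL_accept:(?P<state>.+)$")            # handshake progress
ERROR = re.compile(r"^SSL_accept error from (?P<peer>\S+): (?P<why>.+)$")

def sessions_by_pid(text):
    """Group smtpd messages by process ID so concurrent sessions stay separate."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            out[int(m["pid"])].append(m["msg"])
    return dict(out)

def summarize(msgs):
    """Report the last handshake state, whether a client cert was requested, and any error."""
    states = [m["state"] for m in map(STATE.match, msgs) if m]
    errors = [m["why"] for m in map(ERROR.match, msgs) if m]
    return {
        "last_state": states[-1] if states else None,
        "cert_requested": "SSLv3/TLS write certificate request" in states,
        "error": errors[0] if errors else None,
    }

if __name__ == "__main__":
    for pid, msgs in sessions_by_pid(SAMPLE).items():
        print(pid, summarize(msgs))
```

A process whose summary shows a last state but no error, as 12952 does here, means the excerpt stops before that session's outcome was logged.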