On Sat, Oct 15, 2022 at 06:54:56PM +0200, Gerald Galster wrote:

> >> This server does not support TLS 1.3 yet and TLS 1.2 is the only
> >> version currently allowed for submission.

That sounds like a rather old (EOL) version of OpenSSL.  TLS 1.3
support was added in OpenSSL 1.1.1 [11 Sep 2018].  Are you using
OpenSSL 1.1.0 or the even older 1.0.2?

> > Do you have "tls_preempt_cipherlist = yes"?  I wonder why AES128 is used
> > as opposed to AES256.
> 
> Yes, sorry, I've tried different options while troubleshooting.
> 
> With tls_preempt_cipherlist unset it logs:
> 
> Anonymous TLS connection established from <redacted>: TLSv1.2 with cipher 
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Though I'll see it if you provide a PCAP file, what is the lifetime of
your certificate?

    # cert=$(postconf -xh smtpd_tls_cert_file) # or just explicit path
    # openssl x509 -noout -dates -in "$cert"

-- 
    Viktor.
