On Sat, Oct 15, 2022 at 06:54:56PM +0200, Gerald Galster wrote: > >> This server does not support TLS 1.3 yet and TLS 1.2 is the only > >> version currently allowed for submission.
That sounds like a rather old (EOL) version of OpenSSL. TLS 1.3 support was added in OpenSSL 1.1.1 [11 Sep 2018]. Are you using OpenSSL 1.1.0 or the even older 1.0.2? > > Do you have "tls_preempt_cipherlist = yes"? I wonder why AES128 is used > > as opposed to AES256. > > Yes, sorry, I've tried different options while troubleshooting. > > With tls_preempt_cipherlist unset it logs: > > Anonymous TLS connection established from <redacted>: TLSv1.2 with cipher > ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) Though I'll see it if you provide a PCAP file, what is the lifetime of your certificate? # cert=$(postconf -xh smtpd_tls_cert_file) # or just explicit path # openssl x509 -noout -dates -in $cert -- Viktor.