Hi,

Is there something I can test? I didn't quite understand from Eric's
earlier msg what I should try...

One email address producing this error for me is
supp...@hornetsecurity.com -> If you like, Eric, you could try emailing
them yourself asking for more details (either they reply to you or you
will face the same error). If you don't face the same error then we
could try figuring out what is different in our setups?

Best,
Peter




On Sat, Feb 19, 2022 at 6:29 PM Eric Broch <ebr...@whitehorsetc.com> wrote:
>
> Looking through the function tls_init() in the code for qmail-remote.c
>
> I don't see much that it could be, they're almost identical between
> 2.2.1 and 3.3.5
>
> Will continue looking...
>
> On 2/18/2022 1:54 PM, Andreas Galatis wrote:
> > Hi Finn,
> >
> >
> > I have tested with the tlsserverciphers of my older server, completed
> > with some of the ciphers from the new file and my mails came through.
> >
> >
> > Thanks a lot for your tip, Finn, I didn't find it in the code
> >
> >
> > Andreas
> >
> >
> > On 18.02.22 at 16:56, Qmail wrote:
> >> Hi Andreas.
> >>
> >> In qmail you're properly using /var/qmail/control/tlsclientciphers
> >> (that is a link to tlsserverciphers)
> >>
> >> According to what I read at the Nginx forum, the problem there is
> >> because some of the included ciphers are with underscore '_' and not
> >> hyphen '-' - I don't know if changing that in the tlsserverciphers
> >> file will solve the problem.
> >>
> >>
> >> /Finn
> >>
> >> On 18-02-2022 at 16:29, Andreas wrote:
> >>> I cannot find any file where those ciphers could be adjusted.
> >>> Is that compiled in?
> >>>
> >>> Me too, I have clients not being reachable with the new server
> >>> (qmail-1.03-3.3.5), but my old server running qmail-1.03.2.2.1.qt.
> >>> Did anyone find a solution?
> >>>
> >>> Andreas
> >>>
> >>> On 17.02.22 at 20:28, Qmail wrote:
> >>>> Hi.
> >>>>
> >>>> Not sure it is related, but I just read in the Nginx forum that
> >>>> some have issues (failed (SSL: error:0A0000B9:SSL routines::no
> >>>> cipher match)) using Mozilla's 'modern' 5.5 ciphers, but everything
> >>>> works with Mozilla's 'modern' ciphers 4.0.
> >>>> (found testing the Nginx config)
> >>>>
> >>>> The 5.5 list contains :
> >>>>
> >>>> ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256';
> >>>>
> >>>>
> >>>> The 4.0 list contains:
> >>>>
> >>>> ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
> >>>>
> >>>>
> >>>>
> >>>> These are matched against the openssl ciphers that are located on
> >>>> the server but are more or less same as the tlsclientciphers used
> >>>> in qmail.
> >>>>
> >>>> Nginx can be set up as a MAIL proxy and therefore may be the reason
> >>>> for your issue ??
> >>>>
> >>>> or maybe it's just a coincidence ?
> >>>>
> >>>> Regards,
> >>>> Finn
> >>>>
> >>>>
> >>>>
> >>>> On 17-02-2022 at 08:14, Andreas wrote:
> >>>>> Hi list,
> >>>>> I have the same failure-mails with some servers, my version of
> >>>>> qmail is
> >>>>> qmail-1.03-3.3.5.qt.md.el8.x86_64
> >>>>>
> >>>>> TLS connect failed: error:1421C105:SSL
> >>>>> routines:set_client_ciphersuite:wrong
> >>>>> cipher returnedZConnected to 83.246.65.85 but connection died.
> >>>>>
> >>>>> With my old server (qmail-1.03-2.2.1.qt.el7.x86_64) I can send
> >>>>> emails to the same recipients.
> >>>>> Andreas
> >>>>>
> >>>>> On 15.02.22 at 09:39, Peter Peltonen wrote:
> >>>>>> What I have installed is qmail-1.03-3.3.1.qt.md.el8.x86_64
> >>>>>>
> >>>>>> Any reason to update?
> >>>>>>
> >>>>>> Best,
> >>>>>> Peter
> >>>>>>
> >>>>>> On Sun, Feb 13, 2022 at 5:15 PM Eric Broch
> >>>>>> <ebr...@whitehorsetc.com> wrote:
> >>>>>>> What version of qmail ?
> >>>>>>>
> >>>>>>> On 2/12/2022 12:56 PM, Peter Peltonen wrote:
> >>>>>>>> Finally got an answer from them (see list below). I see some
> >>>>>>>> matching ciphers on their and on my own list. Any idea how I
> >>>>>>>> could debug this more so I can find out why mail is not being
> >>>>>>>> delivered to their server?
> >>>>>>>>
> >>>>>>>> best,
> >>>>>>>> Peter
> >>>>>>>>
> >>>>>>>> "
> >>>>>>>> OPTION
> >>>>>>>> All ciphers
> >>>>>>>>
> >>>>>>>> DESCRIPTION
> >>>>>>>> TLS encryption is only possible with ciphers that are
> >>>>>>>> considered as
> >>>>>>>> secure by the German Federal Office for Information Security. A
> >>>>>>>> TLS
> >>>>>>>> connection is only established if the email server of the
> >>>>>>>> communication partner supports one of the following ciphers:
> >>>>>>>>
> >>>>>>>> • ECDHE-RSA-AES256-GCM-SHA384
> >>>>>>>> • ECDHE-RSA-AES256-SHA384
> >>>>>>>> • ECDHE-RSA-AES256-SHA
> >>>>>>>> • DHE-RSA-AES256-GCM-SHA384
> >>>>>>>> • DHE-RSA-AES256-SHA256
> >>>>>>>> • DHE-RSA-AES256-SHA
> >>>>>>>> • AES256-GCM-SHA384
> >>>>>>>> • AES256-SHA256
> >>>>>>>> • AES256-SHA
> >>>>>>>> • ECDHE-RSA-DES-CBC3-SHA
> >>>>>>>> • EDH-RSA-DES-CBC3-SHA
> >>>>>>>> • DES-CBC3-SHA
> >>>>>>>>
> >>>>>>>> OPTION
> >>>>>>>> Secure ciphers
> >>>>>>>>
> >>>>>>>> DESCRIPTION
> >>>>>>>> Secure ciphers TLS encryption is only possible with ciphers
> >>>>>>>> that are
> >>>>>>>> considered as secure by the German Federal Office for Information
> >>>>>>>> Security. A TLS connection is only established if the email
> >>>>>>>> server of the communication partner supports one of the
> >>>>>>>> following ciphers:
> >>>>>>>>
> >>>>>>>> • ECDHE-RSA-AES256-GCM-SHA384
> >>>>>>>> • ECDHE-RSA-AES256-SHA384
> >>>>>>>> • DHE-RSA-AES256-GCM-SHA384
> >>>>>>>> • DHE-RSA-AES256-SHA256
> >>>>>>>> • ECDHE-RSA-AES128-GCM-SHA256
> >>>>>>>> • ECDHE-RSA-AES128-SHA256
> >>>>>>>> • DHE-RSA-AES128-GCM-SHA256
> >>>>>>>> • DHE-RSA-AES128-SHA256
> >>>>>>>> "
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> On Mon, Feb 7, 2022 at 4:08 PM Eric Broch
> >>>>>>>> <ebr...@whitehorsetc.com> wrote:
> >>>>>>>>> Is there a way to contact them and find out what obscure B.S.
> >>>>>>>>> they want?
> >>>>>>>>>
> >>>>>>>>> On 2/7/2022 12:26 AM, Peter Peltonen wrote:
> >>>>>>>>>> When trying to deliver email to a domain that is using spam
> >>>>>>>>>> protection
> >>>>>>>>>> from antispameurope.com I get the following error:
> >>>>>>>>>>
> >>>>>>>>>> deferral:
> >>>>>>>>>> TLS_connect_failed:_error:1421C105:SSL_routines:set_client_ciphersuite:wrong_cipher_returnedZConnected_to_83.246.65.85_but_connection_died._(#4.4.2)/
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> So am I missing something here:
> >>>>>>>>>>
> >>>>>>>>>> [root@mail ~]# cat /var/qmail/control/tlsclientciphers
> >>>>>>>>>> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:DHE-DSS-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:ADH-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-DSS-ARIA128-GCM-SHA256:DHE-RSA-ARIA128-GCM-SHA256:ADH-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM8:DHE-PSK-AES256-CCM:RSA-PSK-ARIA256-GCM-SHA384:DHE-PSK-ARIA256-GCM-
SHA384:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:ARIA256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM8:PSK-AES256-CCM:PSK-ARIA256-GCM-SHA384:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM8:DHE-PSK-AES128-CCM:RSA-PSK-ARIA128-GCM-SHA256:DHE-PSK-ARIA128-GCM-SHA256:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:ARIA128-GCM-SHA256:PSK-AES128-GCM-SHA256:PSK-AES128-CCM8:PSK-AES128-CCM:PSK-ARIA128-GCM-SHA256:AES256-SHA256:CAMELLIA256-SHA256:AES128-SHA256:CAMELLIA128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:ECDHE-PSK-CAMELLIA256-SHA384:RSA-PSK-CAMELLIA256-SHA384:DHE-PSK-CAMELLIA256-SHA384:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:PSK-CAMELLIA256-SHA384:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CAMELLIA128-SHA256:RSA-PSK-CAMELLIA128-SHA256:DHE-PSK-CAMELLIA128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:PSK-CAMELLIA128-SHA256
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> ?
> >>>>>>>>>>
> >>>>>>>>>> Best,
> >>>>>>>>>> Peter
> >>>>>>>>>>
> >>>>>>>>>> ---------------------------------------------------------------------
> >>>>>>>>>>
> >>>>>>>>>> To unsubscribe, e-mail:
> >>>>>>>>>> qmailtoaster-list-unsubscr...@qmailtoaster.com
> >>>>>>>>>> For additional commands, e-mail:
> >>>>>>>>>> qmailtoaster-list-h...@qmailtoaster.com
> >>>>>>>>>>
> >>>>>
> >>>
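
The comparison described in the thread (the posted tlsclientciphers line against the provider's published cipher list) can be done mechanically. The following is an added example, not part of the original thread or of qmail; the function names are hypothetical, `CLIENT` is a shortened excerpt of the posted file, and `openssl_enables` reports what the OpenSSL linked into the local Python enables, which may differ from the build qmail-remote uses.

```python
import ssl

# Constructed sample: a shortened excerpt of the tlsclientciphers line quoted in the thread.
CLIENT = ("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:DHE-RSA-SEED-SHA:"
          "ADH-SEED-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
          "DHE-RSA-AES256-GCM-SHA384:ADH-AES256-GCM-SHA384:"
          "ECDHE-RSA-AES128-GCM-SHA256:AECDH-AES256-SHA:AES256-SHA")

# The provider's "Secure ciphers" option as quoted in the thread.
REMOTE = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
          "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
          "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
          "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256"]

def audit(client_string, remote_names):
    """Split a colon-separated cipher string and compare it with a peer's list."""
    names = [n.strip() for n in client_string.split(":") if n.strip()]
    # TLS_* names are TLS 1.3 suites; OpenSSL configures those separately
    # from the cipher list string used for TLS 1.2 and below.
    tls13 = [n for n in names if n.startswith("TLS_")]
    legacy = [n for n in names if not n.startswith("TLS_")]
    # ADH/AECDH suites use anonymous key exchange (no server authentication).
    anonymous = [n for n in legacy if n.startswith(("ADH-", "AECDH-"))]
    remote = set(remote_names)
    shared = [n for n in legacy if n in remote]  # kept in client preference order
    return {"tls13_names": tls13, "anonymous": anonymous, "shared": shared}

def openssl_enables(cipher_string):
    """Cipher names the local OpenSSL build enables for this string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # OpenSSL could not select any cipher from the string
    return [c["name"] for c in ctx.get_ciphers()]

if __name__ == "__main__":
    for key, value in audit(CLIENT, REMOTE).items():
        print(key, value)
    print("enabled locally:", openssl_enables(CLIENT))
```

To check a real configuration, run it on the mail server and pass the contents of /var/qmail/control/tlsclientciphers in place of `CLIENT`.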
