Thanks Eric for the update. Here is what I see:

[root@mail ~]# update-crypto-policies --show
LEGACY
[root@mail ~]# update-crypto-policies --set DEFAULT
Setting system policy to DEFAULT
Note: System-wide crypto policies are applied on application start-up.
It is recommended to restart the system for the change of policies to fully take place.

Is restarting qmail enough or should I even reboot? And is there some difference between DEFAULT and FUTURE or are they the same?

Best,
Peter

On Mon, Feb 21, 2022 at 4:39 PM Eric Broch <ebr...@whitehorsetc.com> wrote:
>
> Upon further reflection, at the end of the qt/cos8 install script there
> is a command, 'update-crypto-policies --set LEGACY', intended for old
> email clients. I don't wonder if this change between cos7 and cos8 might
> have caused the problem. Have a look here:
>
> https://www.redhat.com/en/blog/how-customize-crypto-policies-rhel-82
>
> If you've changed it to 'update-crypto-policies --set DEFAULT' or
> 'update-crypto-policies --set FUTURE' and are still having issues, ask
> Hornet Security if we can see the actual SMTP transaction.
>
> In my earlier email I was saying that there was not much difference
> between the old code and the new code for remote delivery and it was not
> immediately obvious why we would be having a problem.
>
> Eric
>
>
> On 2/21/2022 7:17 AM, Peter Peltonen wrote:
> > Hi,
> >
> > Is there something I can test? I didn't quite understand from Eric's
> > earlier msg what I should try...
> >
> > One email address producing this error for me is
> > supp...@hornetsecurity.com -> If you like, Eric, you could try emailing
> > them asking for more details (either they reply to you or you
> > will face the same error). If you don't face the same error then we
> > could try figuring out what is different in our setups?
> >
> > Best,
> > Peter
> >
> >
> > On Sat, Feb 19, 2022 at 6:29 PM Eric Broch <ebr...@whitehorsetc.com> wrote:
> >> Looking through the function tls_init() in the code for qmail-remote.c
> >>
> >> I don't see much that it could be, they're almost identical between
> >> 2.2.1 and 3.3.5
> >>
> >> Will continue looking...
> >>
> >> On 2/18/2022 1:54 PM, Andreas Galatis wrote:
> >>> Hi Finn,
> >>>
> >>> I have tested with the tlsserverciphers of my older server, completed
> >>> with some of the ciphers from the new file, and my mails came through.
> >>>
> >>> Thanks a lot for your tip, Finn, I didn't find it in the code
> >>>
> >>> Andreas
> >>>
> >>> On 18.02.22 at 16:56, Qmail wrote:
> >>>> Hi Andreas.
> >>>>
> >>>> In qmail you're properly using /var/qmail/control/tlsclientciphers
> >>>> (that is a link to tlsserverciphers)
> >>>>
> >>>> According to what I read at the Nginx forum, the problem there is
> >>>> because some of the included ciphers are with underscore '_' and not
> >>>> hyphen '-'. I don't know if changing that in the tlsserverciphers
> >>>> file will solve the problem.
> >>>>
> >>>> /Finn
> >>>>
> >>>> On 18-02-2022 at 16:29, Andreas wrote:
> >>>>> I cannot find any file where those ciphers could be adjusted.
> >>>>> Is that compiled in?
> >>>>>
> >>>>> Me too, I have clients not being reachable with the new server
> >>>>> (qmail-1.03-3.3.5), but my old server running qmail-1.03.2.2.1.qt.
> >>>>> Did anyone find a solution?
> >>>>>
> >>>>> Andreas
> >>>>>
> >>>>> On 17.02.22 at 20:28, Qmail wrote:
> >>>>>> Hi.
> >>>>>>
> >>>>>> Not sure it is related, but I just read in the Nginx forum that
> >>>>>> some have issues (failed (SSL: error:0A0000B9:SSL routines::no
> >>>>>> cipher match)) using Mozilla's 'modern' 5.5 ciphers, but everything
> >>>>>> works with Mozilla's 'modern' ciphers 4.0.
> >>>>>> (found testing the Nginx config)
> >>>>>>
> >>>>>> The 5.5 list contains:
> >>>>>>
> >>>>>> ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256';
> >>>>>>
> >>>>>> The 4.0 list contains:
> >>>>>>
> >>>>>> ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
> >>>>>>
> >>>>>> These are matched against the openssl ciphers that are located on
> >>>>>> the server but are more or less the same as the tlsclientciphers used
> >>>>>> in qmail.
> >>>>>>
> >>>>>> Nginx can be set up as a MAIL proxy and therefore may be the reason
> >>>>>> for your issue ??
> >>>>>>
> >>>>>> or maybe it's just a coincidence ?
> >>>>>>
> >>>>>> Regards,
> >>>>>> Finn
> >>>>>>
> >>>>>> On 17-02-2022 at 08:14, Andreas wrote:
> >>>>>>> Hi list,
> >>>>>>> I have the same failure-mails with some servers, my version of
> >>>>>>> qmail is
> >>>>>>> qmail-1.03-3.3.5.qt.md.el8.x86_64
> >>>>>>>
> >>>>>>> TLS connect failed: error:1421C105:SSL routines:set_client_ciphersuite:wrong cipher returnedZConnected to 83.246.65.85 but connection died.
> >>>>>>>
> >>>>>>> With my old server (qmail-1.03-2.2.1.qt.el7.x86_64) I can send
> >>>>>>> emails to the same recipients.
> >>>>>>> Andreas
> >>>>>>>
> >>>>>>> On 15.02.22 at 09:39, Peter Peltonen wrote:
> >>>>>>>> What I have installed is qmail-1.03-3.3.1.qt.md.el8.x86_64
> >>>>>>>>
> >>>>>>>> Any reason to update?
> >>>>>>>>
> >>>>>>>> Best,
> >>>>>>>> Peter
> >>>>>>>>
> >>>>>>>> On Sun, Feb 13, 2022 at 5:15 PM Eric Broch
> >>>>>>>> <ebr...@whitehorsetc.com> wrote:
> >>>>>>>>> What version of qmail ?
> >>>>>>>>>
> >>>>>>>>> On 2/12/2022 12:56 PM, Peter Peltonen wrote:
> >>>>>>>>>> Finally got an answer from them (see list below). I see some
> >>>>>>>>>> matching ciphers on their and on my own list. Any idea how I could
> >>>>>>>>>> debug this more so I can find out why mail is not being delivered
> >>>>>>>>>> to their server?
> >>>>>>>>>>
> >>>>>>>>>> best,
> >>>>>>>>>> Peter
> >>>>>>>>>>
> >>>>>>>>>> "
> >>>>>>>>>> OPTION
> >>>>>>>>>> All ciphers
> >>>>>>>>>>
> >>>>>>>>>> DESCRIPTION
> >>>>>>>>>> TLS encryption is only possible with ciphers that are considered as
> >>>>>>>>>> secure by the German Federal Office for Information Security. A TLS
> >>>>>>>>>> connection is only established if the email server of the
> >>>>>>>>>> communication partner supports one of the following ciphers:
> >>>>>>>>>>
> >>>>>>>>>> • ECDHE-RSA-AES256-GCM-SHA384
> >>>>>>>>>> • ECDHE-RSA-AES256-SHA384
> >>>>>>>>>> • ECDHE-RSA-AES256-SHA
> >>>>>>>>>> • DHE-RSA-AES256-GCM-SHA384
> >>>>>>>>>> • DHE-RSA-AES256-SHA256
> >>>>>>>>>> • DHE-RSA-AES256-SHA
> >>>>>>>>>> • AES256-GCM-SHA384
> >>>>>>>>>> • AES256-SHA256
> >>>>>>>>>> • AES256-SHA
> >>>>>>>>>> • ECDHE-RSA-DES-CBC3-SHA
> >>>>>>>>>> • EDH-RSA-DES-CBC3-SHA
> >>>>>>>>>> • DES-CBC3-SHA
> >>>>>>>>>>
> >>>>>>>>>> OPTION
> >>>>>>>>>> Secure ciphers
> >>>>>>>>>>
> >>>>>>>>>> DESCRIPTION
> >>>>>>>>>> Secure ciphers TLS encryption is only possible with ciphers that are
> >>>>>>>>>> considered as secure by the German Federal Office for Information
> >>>>>>>>>> Security. A TLS connection is only established if the email server
> >>>>>>>>>> of the communication partner supports one of the following ciphers:
> >>>>>>>>>>
> >>>>>>>>>> • ECDHE-RSA-AES256-GCM-SHA384
> >>>>>>>>>> • ECDHE-RSA-AES256-SHA384
> >>>>>>>>>> • DHE-RSA-AES256-GCM-SHA384
> >>>>>>>>>> • DHE-RSA-AES256-SHA256
> >>>>>>>>>> • ECDHE-RSA-AES128-GCM-SHA256
> >>>>>>>>>> • ECDHE-RSA-AES128-SHA256
> >>>>>>>>>> • DHE-RSA-AES128-GCM-SHA256
> >>>>>>>>>> • DHE-RSA-AES128-SHA256
> >>>>>>>>>> "
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On Mon, Feb 7, 2022 at 4:08 PM Eric Broch
> >>>>>>>>>> <ebr...@whitehorsetc.com> wrote:
> >>>>>>>>>>> Is there a way to contact them and find out what obscure B.S.
> >>>>>>>>>>> they want?
> >>>>>>>>>>>
> >>>>>>>>>>> On 2/7/2022 12:26 AM, Peter Peltonen wrote:
> >>>>>>>>>>>> When trying to deliver email to a domain that is using spam
> >>>>>>>>>>>> protection from antispameurope.com I get the following error:
> >>>>>>>>>>>>
> >>>>>>>>>>>> deferral:
> >>>>>>>>>>>> TLS_connect_failed:_error:1421C105:SSL_routines:set_client_ciphersuite:wrong_cipher_returnedZConnected_to_83.246.65.85_but_connection_died._(#4.4.2)/
> >>>>>>>>>>>>
> >>>>>>>>>>>> So am I missing something here:
> >>>>>>>>>>>>
> >>>>>>>>>>>> [root@mail ~]# cat /var/qmail/control/tlsclientciphers
> >>>>>>>>>>>> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:DHE-DSS-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:ADH-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-DSS-ARIA128-GCM-SHA256:DHE-RSA-ARIA128-GCM-SHA256:ADH-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM8:DHE-PSK-AES256-CCM:RSA-PSK-ARIA256-GCM-SHA384:DHE-PSK-ARIA256-GCM-SHA384:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:ARIA256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM8:PSK-AES256-CCM:PSK-ARIA256-GCM-SHA384:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM8:DHE-PSK-AES128-CCM:RSA-PSK-ARIA128-GCM-SHA256:DHE-PSK-ARIA128-GCM-SHA256:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:ARIA128-GCM-SHA256:PSK-AES128-GCM-SHA256:PSK-AES128-CCM8:PSK-AES128-CCM:PSK-ARIA128-GCM-SHA256:AES256-SHA256:CAMELLIA256-SHA256:AES128-SHA256:CAMELLIA128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:ECDHE-PSK-CAMELLIA256-SHA384:RSA-PSK-CAMELLIA256-SHA384:DHE-PSK-CAMELLIA256-SHA384:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:PSK-CAMELLIA256-SHA384:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CAMELLIA128-SHA256:RSA-PSK-CAMELLIA128-SHA256:DHE-PSK-CAMELLIA128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:PSK-CAMELLIA128-SHA256
> >>>>>>>>>>>>
> >>>>>>>>>>>> ?
> >>>>>>>>>>>>
> >>>>>>>>>>>> Best,
> >>>>>>>>>>>> Peter
> >>>>>>>>>>>>

---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
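As an added example (not code from the thread or from the qmailtoaster project), a small Python check of the kind Peter asks for: it splits a tlsclientciphers-style string into TLS 1.3 suite names and TLS 1.2 cipher names, lists which of the client's TLS 1.2 ciphers also appear in the recipient's published "secure ciphers" list, and flags anonymous and legacy entries. Both inputs are constructed here: a shortened excerpt of the tlsclientciphers content quoted above and the eight-cipher list Hornet Security sent; the TLS_ prefix test for TLS 1.3 names is an assumption that holds for OpenSSL's IANA-style suite names.

```python
"""Compatibility and hygiene check for an OpenSSL-style cipher string."""

# Constructed sample: a short excerpt of the tlsclientciphers file quoted in the thread.
QMAIL_CLIENT_CIPHERS = (
    "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
    "DHE-RSA-SEED-SHA:ADH-SEED-SHA:IDEA-CBC-SHA:"
    "ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:"
    "ADH-AES256-GCM-SHA384:AECDH-AES256-SHA:ECDHE-RSA-AES128-SHA256:"
    "DES-CBC3-SHA"
)

# Constructed sample: the recipient's "Secure ciphers" option as quoted in the thread.
RECIPIENT_SECURE_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256",
]

ANON_PREFIXES = ("ADH-", "AECDH-")            # no server authentication at all
LEGACY_MARKERS = ("DES-CBC3", "SEED", "IDEA", "RC4", "MD5")


def split_cipher_spec(spec):
    """Split a colon-separated spec into (tls13_suites, tls12_ciphers).

    TLS 1.3 suites use IANA names (TLS_..., underscores) and OpenSSL configures
    them through a separate ciphersuites setting, so they select nothing when
    placed in a TLS 1.2 cipher string (assumption, cf. the nginx report above).
    """
    tls13, tls12 = [], []
    for token in filter(None, spec.split(":")):
        (tls13 if token.startswith("TLS_") else tls12).append(token)
    return tls13, tls12


def audit_client_list(spec):
    """Report TLS 1.3 names, TLS 1.2 names, anonymous and legacy entries."""
    tls13, tls12 = split_cipher_spec(spec)
    anonymous = [c for c in tls12 if c.startswith(ANON_PREFIXES)]
    legacy = [c for c in tls12 if any(m in c for m in LEGACY_MARKERS)]
    return {"tls13": tls13, "tls12": tls12, "anonymous": anonymous, "legacy": legacy}


def common_tls12_ciphers(client_spec, server_ciphers):
    """TLS 1.2 ciphers the client offers, in client order, that the server accepts."""
    _, tls12 = split_cipher_spec(client_spec)
    accepted = set(server_ciphers)
    return [c for c in tls12 if c in accepted]
```

An empty result from common_tls12_ciphers would explain a failed handshake outright; a non-empty one, as here, points the investigation elsewhere (policy level, protocol version, the server's own selection logic).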