Re: [qmailtoaster] TLS connection failed: ciphersuite wrong
No update necessary. No difference in TLS, it is the same in 3.3.1 and 3.3.5.

What about a shot in the dark as I'm at a loss (right now) as to what they want: Since tlsclientciphers is a link to tlsserverciphers, I'm wondering about copying tlsserverciphers to tlsserverciphers.bak and only putting those allowable ciphers in tlsserverciphers.

I'm not sure why it is a problem since all ciphers are being passed to the server host and it is indicating that the ones they want aren't among them.

Eric

On 2/15/2022 1:39 AM, Peter Peltonen wrote:

What I have installed is qmail-1.03-3.3.1.qt.md.el8.x86_64

Any reason to update?

Best,
Peter

On Sun, Feb 13, 2022 at 5:15 PM Eric Broch wrote:

What version of qmail ?

On 2/12/2022 12:56 PM, Peter Peltonen wrote:

Finally got an answer from them (see list below). I see some matching ciphers on their and on my own list. Any idea how I could debug this more so I can find out why mail is not being delivered to their server?

best,
Peter

"
OPTION
All ciphers

DESCRIPTION
TLS encryption is only possible with ciphers that are considered as secure by the German Federal Office for Information Security. A TLS connection is only established if the email server of the communication partner supports one of the following ciphers:

• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA
• DHE-RSA-AES256-GCM-SHA384
• DHE-RSA-AES256-SHA256
• DHE-RSA-AES256-SHA
• AES256-GCM-SHA384
• AES256-SHA256
• AES256-SHA
• ECDHE-RSA-DES-CBC3-SHA
• EDH-RSA-DES-CBC3-SHA
• DES-CBC3-SHA

OPTION
Secure ciphers

DESCRIPTION
Secure ciphers TLS encryption is only possible with ciphers that are considered as secure by the German Federal Office for Information Security.
A TLS connection is only established if the email server of the communication partner supports one of the following ciphers:

• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-SHA384
• DHE-RSA-AES256-GCM-SHA384
• DHE-RSA-AES256-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-SHA256
• DHE-RSA-AES128-GCM-SHA256
• DHE-RSA-AES128-SHA256
"

On Mon, Feb 7, 2022 at 4:08 PM Eric Broch wrote:

Is there a way to contact them and find out what obscure B.S. they want?

On 2/7/2022 12:26 AM, Peter Peltonen wrote:

When trying to deliver email to a domain that is using spam protection from antispameurope.com I get the following error:

deferral: TLS_connect_failed:_error:1421C105:SSL_routines:set_client_ciphersuite:wrong_cipher_returnedZConnected_to_83.246.65.85_but_connection_died._(#4.4.2)/

So am I missing something here:

[root@mail ~]# cat /var/qmail/control/tlsclientciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:DHE-DSS-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:ADH-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-DSS-ARIA128-GCM-SHA256:DHE-RSA-ARIA128-GCM-SHA256:ADH-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM8:DHE-PSK-AES256-CCM:RSA-PSK-ARIA256-GCM-SHA384:DHE-PSK-ARIA256-GCM-SHA384:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:ARIA256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM8:PSK-AES256-CCM:PSK-ARIA256-GCM-SHA384:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM8:DHE-PSK-AES128-CCM:RSA-PSK-ARIA128-GCM-SHA256:DHE-PSK-ARIA128-GCM-SHA256:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:ARIA128-GCM-SHA256:PSK-AES128-GCM-SHA2
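
The message above proposes keeping only the ciphers the provider accepts, and the quoted question asks how to debug the overlap between the two lists. The following is an added example, not part of the thread or of qmailtoaster: a shell function that computes that overlap. The helper name is hypothetical and the client list is a constructed excerpt of the tlsclientciphers content shown in the thread.

```shell
#!/bin/sh
# Added example: which locally configured ciphers does the provider also accept?

# The provider's "Secure ciphers" list, as quoted in the thread.
PROVIDER_SECURE="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"

# Constructed sample: a short excerpt of the tlsclientciphers list from the thread.
SAMPLE_CLIENT="TLS_AES_256_GCM_SHA384:DHE-RSA-SEED-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ADH-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA256"

# common_ciphers LOCAL ALLOWED  (hypothetical helper name)
# Prints the entries of LOCAL that also occur in ALLOWED, colon-separated and
# in LOCAL's order. Names are compared whole, so AES256-SHA256 does not match
# DHE-RSA-AES256-SHA256.
common_ciphers() {
    allowed=":$2:"
    out=""
    old_ifs=$IFS
    IFS=:
    for c in $1; do
        [ -n "$c" ] || continue
        case "$allowed" in
            *":$c:"*) out="${out:+$out:}$c" ;;
        esac
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# Show the overlap for the sample. On the mail host, pass the real file instead:
#   common_ciphers "$(cat /var/qmail/control/tlsclientciphers)" "$PROVIDER_SECURE"
# Per the thread, tlsclientciphers is a link to tlsserverciphers, so writing the
# result back changes both; keep the tlsserverciphers.bak copy first.
common_ciphers "$SAMPLE_CLIENT" "$PROVIDER_SECURE"
```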
Re: [qmailtoaster] TLS connection failed: ciphersuite wrong
What I have installed is qmail-1.03-3.3.1.qt.md.el8.x86_64

Any reason to update?

Best,
Peter

On Sun, Feb 13, 2022 at 5:15 PM Eric Broch wrote:
>
> What version of qmail ?
>
> On 2/12/2022 12:56 PM, Peter Peltonen wrote:
> > Finally got an answer from them (see list below). I see some matching
> > ciphers on their and on my own list. Any idea how I could debug this
> > more so I can find out why mail is not being delivered to their
> > server?
> >
> > best,
> > Peter
> >
> > "
> > OPTION
> > All ciphers
> >
> > DESCRIPTION
> > TLS encryption is only possible with ciphers that are considered as
> > secure by the German Federal Office for Information Security. A TLS
> > connection is only established if the email server of the
> > communication partner supports one of the following ciphers:
> >
> > • ECDHE-RSA-AES256-GCM-SHA384
> > • ECDHE-RSA-AES256-SHA384
> > • ECDHE-RSA-AES256-SHA
> > • DHE-RSA-AES256-GCM-SHA384
> > • DHE-RSA-AES256-SHA256
> > • DHE-RSA-AES256-SHA
> > • AES256-GCM-SHA384
> > • AES256-SHA256
> > • AES256-SHA
> > • ECDHE-RSA-DES-CBC3-SHA
> > • EDH-RSA-DES-CBC3-SHA
> > • DES-CBC3-SHA
> >
> > OPTION
> > Secure ciphers
> >
> > DESCRIPTION
> > Secure ciphers TLS encryption is only possible with ciphers that are
> > considered as secure by the German Federal Office for Information
> > Security. A TLS connection is only established if the email
> > server of the communication partner supports one of the following ciphers:
> >
> > • ECDHE-RSA-AES256-GCM-SHA384
> > • ECDHE-RSA-AES256-SHA384
> > • DHE-RSA-AES256-GCM-SHA384
> > • DHE-RSA-AES256-SHA256
> > • ECDHE-RSA-AES128-GCM-SHA256
> > • ECDHE-RSA-AES128-SHA256
> > • DHE-RSA-AES128-GCM-SHA256
> > • DHE-RSA-AES128-SHA256
> > "
> >
> >
> > On Mon, Feb 7, 2022 at 4:08 PM Eric Broch wrote:
> >> Is there a way to contact them and find out what obscure B.S. they want?
> >>
> >> On 2/7/2022 12:26 AM, Peter Peltonen wrote:
> >>> When trying to deliver email to a domain that is using spam protection
> >>> from antispameurope.com I get the following error:
> >>>
> >>> deferral:
> >>> TLS_connect_failed:_error:1421C105:SSL_routines:set_client_ciphersuite:wrong_cipher_returnedZConnected_to_83.246.65.85_but_connection_died._(#4.4.2)/
> >>>
> >>> So am I missing something here:
> >>>
> >>> [root@mail ~]# cat /var/qmail/control/tlsclientciphers
> >>> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:DHE-DSS-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:ADH-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-DSS-ARIA128-GCM-SHA256:DHE-RSA-ARIA128-GCM-SHA256:ADH-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM8:DHE-PSK-AES256-CCM:RSA-PSK-ARIA256-GCM-SHA384:DHE-PSK-ARIA256-GCM-SHA384:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:ARIA256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM8:PSK-AES256-CCM:PSK-ARIA256-GCM-SHA384:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM8:DHE-PSK-AES128-CCM:RSA-PSK-ARIA128-GCM-SHA256:DHE-PSK-ARIA128-GCM-SHA256:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:ARIA128-GCM-SHA256:PSK-AES128-GCM-SHA256:PSK-AES128-CCM8:PSK-AES128-CCM:PSK-ARIA128-GCM-SHA256:AES256-SHA256:CAMELLIA256-SHA256:AES128-SHA256:CAMELLIA128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES25