postfix-users May 2014 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: smtpd TLS handhake failures with specific sit

Re: smtpd TLS handhake failures with specific site

From: <lists_at_nospam>
Date: Sat May 17 2014 - 10:28:55 GMT
To: postfix-users@postfix.org

Am 17.05.2014 12:19, schrieb Thomas Leuxner:
> recently I’m seeing STARTTLS issues with a specific site, while the TLS-handshakes work fine for other sites. The failed handshake manifests in this excerpt:
> May 14 11:07:20 nihlus postfix/smtpd[60685]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:960:
>
> smtpd_tls_protocols = !SSLv2,!SSLv3
>
> A quick test with SSL3 enabled allows a TLS connection from this particular server:
> How does one best implement a workaround for this site?

just don't break you configuration and blindly disable SSLv3
and you don't need a workaround for your own mistake

the other site don't support anything better than SSLv3

as first step you need to understand that you don't make
anything better in case of opportunistic TLS if you disable
ciphers and protocols left and right because you obviously
missed that it ends in connections from other servers falling
back to unencrypted connections if there is no suiteable
cipher both sides supporting or as in your case if you
disable a protocol the otehr side needs to connect it fails

you made that problem by add !SSLv3
solve it the same way by remove that