On 07/09/2023 03:49 EEST Ralph Seichter via dovecot <dovecot@dovecot.org> wrote:
- Marc Schiffbauer via dovecot:
Wild guess: you need to explicitly allow for example DEFAULT@SECLEVEL=0 ciphersuite in postfix to make *your* openssl accept this remote sslv3 connection
Thanks, Marc. I had thought about this, and have tried various Postfix parameters related to TLS ciphers and protocols. So far, no dice. In the meantime, I also ran tests using Swaks, and this resulted in a possible different route of investigation: Postfix uses a certificate issued by Let's Encrypt (secp384r1) for both in- and outbound connections with STARTTLS. If I use the same certificate with Swaks, I see the same error as I do with Postfix. If I use Swaks *without* specifying a local TLS certificate, the STARTTLS handshake works:
=== Trying talvi.dovecot.org:25...
=== Connected to talvi.dovecot.org.
<-  220 talvi.dovecot.org ESMTP Postfix (Debian/GNU)
 -> EHLO ra.horus-it.com
<-  250-talvi.dovecot.org
<-  250-PIPELINING
<-  250-SIZE 104857600
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250 CHUNKING
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=talvi.dovecot.org"
Looks like the combination of certificate ciphers and OpenSSL library versions on my end and on the talvi.dovecot.org end is causing some bother. The original error message points to a protocol issue, not a cipher problem, and how SSLv3 gets into the mix is anybody's guess. Perhaps I'll see clearer after some much needed sleep.
-Ralph
I updated the settings a bit on the server as well. Maybe it works better now?
Aki
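The with/without-local-certificate comparison Ralph ran with Swaks, as an added Python probe that is not part of the thread: it performs EHLO and STARTTLS by hand and reports the negotiated protocol and cipher, or the OpenSSL error text, so the two runs can be compared side by side. Host, port and certificate paths are assumptions supplied by the caller.

```python
# Added diagnostic, not code from the thread; host/cert paths are assumptions.
import socket
import ssl


def read_reply(f):
    """Read one SMTP reply (possibly multi-line) and return it as text."""
    lines = []
    while True:
        line = f.readline().decode("utf-8", errors="replace")
        lines.append(line.rstrip("\r\n"))
        if not line or line[3:4] == " ":  # "250 " ends a multi-line reply
            break
    return "\n".join(lines)


def parse_ehlo(reply):
    """Capability keywords from an EHLO reply (first line is the greeting)."""
    return {l[4:].split()[0].upper() for l in reply.splitlines()[1:] if l[4:].strip()}


def build_context(cert_file=None, key_file=None):
    """Client context; a certificate is loaded only when the caller supplies
    one, mirroring Swaks with and without a local TLS certificate."""
    ctx = ssl.create_default_context()
    if cert_file:  # assumed paths, e.g. the Let's Encrypt fullchain/privkey
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def probe_starttls(host, port=25, cert_file=None, key_file=None, timeout=10):
    """EHLO, STARTTLS, then handshake; report negotiated version/cipher or the
    OpenSSL error text so the with/without-cert runs can be compared."""
    result = {"host": host, "local_cert": bool(cert_file)}
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        if not read_reply(f).startswith("220"):
            return dict(result, ok=False, error="no 220 banner")
        sock.sendall(b"EHLO probe.example.invalid\r\n")
        if "STARTTLS" not in parse_ehlo(read_reply(f)):
            return dict(result, ok=False, error="STARTTLS not offered")
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(f).startswith("220"):
            return dict(result, ok=False, error="STARTTLS refused")
        try:
            tls = build_context(cert_file, key_file).wrap_socket(sock, server_hostname=host)
        except ssl.SSLError as e:
            return dict(result, ok=False, error=str(e))
        return dict(result, ok=True, version=tls.version(), cipher=tls.cipher()[0])
```

Run `probe_starttls("talvi.dovecot.org")` and then the same call with `cert_file`/`key_file` set; if only the second run returns an `ssl.SSLError` text, the local certificate is what changes the handshake.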