Hello, after moving from Courier to Dovecot in spring 2023 I've learned that some emails are not received or accepted by the mailing system. I tried different cipher variations and protocol versions but it doesn't make a difference. Do you have a clue what's wrong now? To me it looks like the arz (they've been acquired by accenture) mail exchanger is trying to force a transfer via SSL3, and dovecot 2.3.4.1 doesn't support it, only TLS.

Code:
Aug 2 14:23:48 ispc postfix/smtpd[16299]: connect from mx02.arz.at[193.110.182.62]
Aug 2 14:23:48 ispc postfix/smtpd[16299]: setting up TLS connection from mx02.arz.at[193.110.182.62]
Aug 2 14:23:48 ispc postfix/smtpd[16299]: mx02.arz.at[193.110.182.62]: TLS cipher list "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!RC4:!aNULL"
Aug 2 14:23:48 ispc postfix/smtpd[16299]: SSL_accept:before SSL initialization
Aug 2 14:23:48 ispc postfix/smtpd[16299]: SSL_accept:before SSL initialization
Aug 2 14:23:48 ispc postfix/smtpd[16299]: SSL3 alert write:fatal:handshake failure
Aug 2 14:23:48 ispc postfix/smtpd[16299]: SSL_accept:error in error
Aug 2 14:23:48 ispc postfix/smtpd[16299]: SSL_accept error from mx02.arz.at[193.110.182.62]: -1
Aug 2 14:23:48 ispc postfix/smtpd[16299]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2285:
Aug 2 14:23:48 ispc postfix/smtpd[16299]: lost connection after STARTTLS from mx02.arz.at[193.110.182.62]
Aug 2 14:23:48 ispc postfix/smtpd[16299]: disconnect from mx02.arz.at[193.110.182.62] ehlo=1 starttls=0/1 commands=1/2
Aug 2 14:23:48 ispc postfix/smtpd[16450]: connect from mx02.arz.at[193.110.182.62]
Aug 2 14:23:49 ispc postfix/smtpd[16450]: disconnect from mx02.arz.at[193.110.182.62] ehlo=1 quit=1 commands=2

Interestingly enough, newsletter mailings by arz are transferred.

Kind regards
You seem to mix up Postfix and Dovecot here. Postfix is the software that receives emails, not Dovecot. Dovecot is just the IMAP server used to fetch the received emails with a mail client. There are no changes on the receiving side when switching from Courier to Dovecot, as Postfix is the relevant part and it stays the same.
Thank you, that's my Postfix TLS config:

Code:
postconf -n | grep tls
smtp_sasl_tls_security_options = noanonymous
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
tls_preempt_cipherlist = no

Is there anything I could change to get those emails from their server? I tried to remove !SSLv3 but it didn't change a thing.
Hi, can you please run "nmap --script ssl-enum-ciphers -p 587 yourmail.server.tld" against your server and see if it offers any TLS_RSA ciphers?
Code:
Host is up (0.00016s latency).
rDNS record for XXX.XXX.XXX.XXX: mymail.server.tld

PORT    STATE SERVICE
587/tcp open  submission
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 2.83 seconds

After re-enabling RC4 and TLSv1 and TLSv1.1 I get

Code:
PORT    STATE SERVICE
587/tcp open  submission
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CCM (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CCM (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 10.50 seconds
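The two checks the thread does by eye, as an added example that is not part of any post and not ISPConfig code: it reads a Postfix smtpd log written with smtpd_tls_loglevel = 2 and the output of "nmap --script ssl-enum-ciphers", reports which certificate key types the server can authenticate with, which key types the failing peer was prepared to verify, and which peers died with "no shared cipher". It assumes only POSIX sh with awk, sed, sort and tr. The sample log and scan excerpts are constructed, abridged from the thread's own output, with one invented healthy peer (mail.example.org) added so the failure filter has something to ignore. One caveat the thread glosses over: the peer's logged cipher list does contain ECDHE-ECDSA suites, so comparing suite names alone would predict a successful handshake. For TLS 1.2 OpenSSL additionally requires the client's signature_algorithms and supported_groups extensions to cover the server certificate's curve before it will select an ECDSA suite; a client that omits them gets exactly the "no shared cipher" alert in the log. An RSA certificate sidesteps that because every such client can verify RSA.

```shell
#!/bin/sh
# Added example (not from the thread): key-type diagnosis from a Postfix TLS log
# and an nmap ssl-enum-ciphers scan. Sample texts below are constructed.

POSTFIX_LOG='Aug  2 14:23:48 ispc postfix/smtpd[16299]: connect from mx02.arz.at[193.110.182.62]
Aug  2 14:23:48 ispc postfix/smtpd[16299]: mx02.arz.at[193.110.182.62]: TLS cipher list "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:AES128-SHA:DES-CBC3-SHA:!RC4:!aNULL"
Aug  2 14:23:48 ispc postfix/smtpd[16299]: SSL_accept error from mx02.arz.at[193.110.182.62]: -1
Aug  2 14:23:48 ispc postfix/smtpd[16299]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2285:
Aug  2 14:23:48 ispc postfix/smtpd[16299]: lost connection after STARTTLS from mx02.arz.at[193.110.182.62]
Aug  2 14:25:01 ispc postfix/smtpd[16460]: connect from mail.example.org[203.0.113.5]
Aug  2 14:25:01 ispc postfix/smtpd[16460]: Anonymous TLS connection established from mail.example.org[203.0.113.5]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)'

# Scan of the ECDSA-only server (the "before" state in the thread).
NMAP_ECDSA_ONLY='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (ecdh_x25519) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|_  least strength: A'

# Scan of a server that serves both an RSA and an ECDSA certificate.
NMAP_DUAL='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|_  least strength: A'

# stdin -> sorted, de-duplicated, space-separated list.
join_sorted() { sort -u | tr '\n' ' ' | sed 's/ *$//'; }

# Key types the scanned server can authenticate with, from nmap's suite names:
# TLS_ECDHE_ECDSA_* needs an ECDSA certificate; TLS_ECDHE_RSA_*, TLS_DHE_RSA_*
# and TLS_RSA_* need an RSA one. nmap's TLS 1.3 rows (TLS_AKE_*) carry no
# authentication algorithm in the name and are skipped.
nmap_auth_types() {
  printf '%s\n' "$1" | awk '
    match($0, /TLS_[A-Z0-9_]+_WITH_/) {
      kx = substr($0, RSTART + 4, RLENGTH - 10)   # text between "TLS_" and "_WITH_"
      n = split(kx, part, "_")
      if (part[n] != "AKE") print part[n]
    }' | join_sorted
}

# Key types the *client* was prepared to verify, from the cipher list Postfix
# logs at smtpd_tls_loglevel >= 2. OpenSSL names without a key-exchange prefix
# (AES128-SHA, DES-CBC3-SHA, ...) are static-RSA suites; "!..." are exclusions.
client_auth_types() {
  printf '%s\n' "$1" \
    | sed -n 's/.*TLS cipher list "\([^"]*\)".*/\1/p' \
    | tr ':' '\n' \
    | awk '
        /^!/                           { next }
        /^ECDHE-ECDSA-/                { print "ECDSA"; next }
        /^(ECDHE|DHE)-RSA-/            { print "RSA";   next }
        /^(AES|CAMELLIA|DES|SEED|RC4)/ { print "RSA" }
      ' | join_sorted
}

# Peers whose STARTTLS handshake died with "no shared cipher". Postfix names the
# peer on the "SSL_accept error from ..." line and OpenSSL's reason on the next
# "TLS library problem" line of the same process, so correlate on smtpd[PID].
no_shared_cipher_peers() {
  printf '%s\n' "$1" | awk '
    match($0, /smtpd\[[0-9]+\]/) { pid = substr($0, RSTART + 6, RLENGTH - 7) }
    /SSL_accept error from / {
      peer = $0
      sub(/.*SSL_accept error from /, "", peer)
      sub(/\]:.*/, "]", peer)                      # keep host[addr], drop ": -1"
      last[pid] = peer
    }
    /TLS library problem:.*:no shared cipher:/ && (pid in last) { print last[pid] }
  '
}

# "dual" when both key types are served, otherwise the single type the server is
# limited to; a single-type server turns away every peer that cannot verify it.
server_key_types() {
  types=$(nmap_auth_types "$1")
  case "$types" in
    "ECDSA RSA") echo dual ;;
    "")          echo none ;;
    *)           echo "$types-only" ;;
  esac
}

echo "before: server $(server_key_types "$NMAP_ECDSA_ONLY"); peer verifies [$(client_auth_types "$POSTFIX_LOG")]"
echo "after:  server $(server_key_types "$NMAP_DUAL")"
echo "no-shared-cipher peers: $(no_shared_cipher_peers "$POSTFIX_LOG")"
```

Run it as-is against the built-in samples, or replace the three variables with `$(journalctl -u postfix)` and the real nmap output. The peer list is the useful part in production: a single-type server will show the same few sending domains failing over and over, while everything ECDSA-capable connects fine.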
The certificate in use may be wrong; I've had this issue before where the ACME client generated the certificate with ECDHE only. The server does not offer any TLS_RSA, only TLS_ECDHE, which results in the error initially reported. Try regenerating the SSL certificate and check it manually.
Thanks a lot! I see, EFF switched to ECDSA from RSA since version 2.0.0. https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys I changed the renewal file and switched to RSA.

Code:
PORT    STATE SERVICE
587/tcp open  submission
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|     compressors:
|       NULL
|     cipher preference error: Error when comparing TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|   TLSv1.1:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp384r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference error: Error when comparing TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA and TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 4096) - A
|     compressors:
|       NULL
|     cipher preference error: Error when comparing TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|     warnings:
|       Key exchange (dh 2048) of lower strength than certificate key
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (secp384r1) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (secp384r1) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (secp384r1) - A
|     cipher preference: server
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

E-mails are incoming again from that source.
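Two follow-ups to the fix in the last post, as an added example that is not from the thread and not ISPConfig's, certbot's or Postfix's own code: first, how to check which key type Postfix is really serving and reproduce the failing peer from outside with openssl s_client; second, instead of downgrading every peer to RSA, how to serve an RSA and an ECDSA chain side by side so that both RSA-only senders and ECDSA-capable senders complete the handshake. It assumes Postfix 3.4 or newer (for smtpd_tls_chain_files), a certbot with --key-type support, lineages under /etc/letsencrypt/live/<name>/, and placeholder host and webroot arguments; the --webroot authenticator is an assumption, use whatever this host already renews with. If a control panel manages /etc/postfix/smtpd.cert for you, apply the equivalent through the panel rather than editing main.cf behind its back.

```shell
#!/bin/sh
# Added example (not from the thread): verify the served key type, probe the
# server the way an RSA-only client would, and deploy RSA + ECDSA chains.
# Paths, host names and the --webroot authenticator below are assumptions.

LE_LIVE=${LE_LIVE:-/etc/letsencrypt/live}

# Key algorithm of the certificate Postfix serves, read from the file Postfix
# is configured with. openssl prints "rsaEncryption" or "id-ecPublicKey".
# Runs on the Postfix host itself (needs postconf and openssl).
served_key_algorithm() {
  cert=${1:-$(postconf -h smtpd_tls_cert_file)}
  openssl x509 -in "$cert" -noout -text | sed -n 's/.*Public Key Algorithm: *//p'
}

# Reproduce the failing peer from outside: pin TLS 1.2 and offer only suites
# with the given authentication ("aRSA" or "aECDSA"). An ECDSA-only server
# answers aRSA with "alert handshake failure", the line from the thread's log.
# TLS 1.2 is forced because -cipher does not constrain TLS 1.3 authentication.
probe_auth() {
  host=$1; port=${2:-25}; auth=${3:-aRSA}
  if openssl s_client -connect "$host:$port" -starttls smtp -tls1_2 \
       -cipher "$auth" </dev/null >/dev/null 2>&1; then
    echo "$auth: handshake ok"
  else
    echo "$auth: handshake FAILED"
  fi
}

# Build the smtpd_tls_chain_files value for one or more certbot lineages.
# Postfix requires each private key to come directly before its own chain;
# several key types may be listed and Postfix picks per client.
chain_files_value() {
  out=""
  for name in "$@"; do
    entry="$LE_LIVE/$name/privkey.pem, $LE_LIVE/$name/fullchain.pem"
    if [ -z "$out" ]; then out=$entry; else out="$out, $entry"; fi
  done
  printf '%s\n' "$out"
}

# Issue an RSA and an ECDSA lineage for the same name and point Postfix at both.
# Usage: deploy_dual_chain mail.example.com /var/www/html
deploy_dual_chain() {
  domain=$1; webroot=$2
  certbot certonly --webroot -w "$webroot" -d "$domain" \
    --cert-name "$domain-rsa"   --key-type rsa   --rsa-key-size 4096
  certbot certonly --webroot -w "$webroot" -d "$domain" \
    --cert-name "$domain-ecdsa" --key-type ecdsa --elliptic-curve secp384r1
  # One parameter replaces the per-algorithm cert/key parameters; remove those
  # from main.cf so the chain list is the single source of truth.
  postconf -e "smtpd_tls_chain_files = $(chain_files_value "$domain-rsa" "$domain-ecdsa")"
  postconf -X smtpd_tls_cert_file smtpd_tls_key_file smtpd_tls_eccert_file smtpd_tls_eckey_file
  postfix reload
}

# Network and local checks only run when MX_HOST is set, e.g.
#   MX_HOST=mail.example.com sh dual-chain.sh
if [ -n "${MX_HOST:-}" ]; then
  echo "served key: $(served_key_algorithm)"
  probe_auth "$MX_HOST" 25 aRSA
  probe_auth "$MX_HOST" 25 aECDSA
fi
```

After deploy_dual_chain, rerun the nmap scan from earlier in the thread: both TLS_ECDHE_ECDSA_* and TLS_ECDHE_RSA_*/TLS_RSA_* suites should be listed, and both probe_auth calls should report "handshake ok". Renewal hooks must reload Postfix for both lineages, and the same two chains can be listed in smtp_tls_chain_files if the outbound side needs them too.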