smtp_tls_wrappermode
Liebeskind Uri (luri)
luri at zhaw.ch
Thu Nov 11 08:22:08 CET 2021
Hi,
I've been debugging this problem for some hours w/o any result and w/o
understanding what postfix does.
PROBLEM: postfix 3.3.0 (ubuntu server) complains:
2021-11-11T08:05:56.523648+01:00 srv-mx-001 postfix/smtp[128867]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
An extract of the relevant main.cf config is:
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 0
smtp_tls_session_cache_timeout = 7200s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
relayhost = [smtpa.zhaw.ch]:465 # Exchange Server
SITUATION:
Mails are sent fine, but the warning is disturbing. tcpdump verifies
that a TLSv1.1 connection is established with the Exchange server.
After adding "smtp_tls_wrappermode = yes" to main.cf, mails are stuck in
the queue and the maillog notes:
2021-11-10T15:35:58.486907+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect:before SSL initialization
2021-11-10T15:35:58.487233+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect:SSLv3/TLS write client hello
2021-11-10T15:35:58.488035+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect:error in error
2021-11-10T15:35:58.488197+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect error to smtpa.zhaw.ch[160.85.196.22]:465: -1
2021-11-10T15:35:58.488403+01:00 srv-mx-001 postfix/smtp[77257]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
2021-11-10T15:35:58.488573+01:00 srv-mx-001 postfix/smtp[77257]: remove session smtp&[smtpa.zhaw.ch]:465&smtpa.zhaw.ch&160.85.196.22&&C446696C381BB4783617E247C83E64CA02BCF13BDDA1472FA70290A9E56E2965 from client cache
2021-11-10T15:35:58.488790+01:00 srv-mx-001 postfix/tlsmgr[77254]: delete smtp session id=smtp&[smtpa.zhaw.ch]:465&smtpa.zhaw.ch&160.85.196.22&&C446696C381BB4783617E247C83E64CA02BCF13BDDA1472FA70290A9E56E2965
2021-11-10T15:35:58.497053+01:00 srv-mx-001 postfix/smtp[77257]: 7156C3FAA3: to=<luri at zhaw.ch>, relay=smtpa.zhaw.ch[160.85.196.22]:465, delay=0.03, delays=0.01/0.01/0/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
tcpdump shows that postfix tried to connect with TLSv1, and this will
expectedly fail.
Why does postfix change from TLSv1.1 to TLSv1? How can I fix this?
Thank you and kind regards,
Uri Liebeskind
--
------------------------------------
Zurich University of Applied Sciences
Information and Communication Technology
Uri Liebeskind
System Administrator
Gertrudstrasse 15
Postfach 805
CH-8401 Winterthur
Tel. +41 58 934 72 63
http://www.zhaw.ch/en/
-------------------------------------
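
A diagnostic sketch for the situation described above, added as an example and not part of the original post: it classifies the first bytes a server sends on a mail port and shows what a plaintext SMTP banner looks like when read as a TLS record header, which is one common way to get a "wrong version number" error. All function names and the sample banner are constructed for illustration, and the mapping to smtp_tls_wrappermode is a heuristic; the post does not establish that this is the cause in this case.

```python
import socket
import struct

# Constructed sample: what a plaintext SMTP server sends right after connect.
SAMPLE_BANNER = b"220 mail.example.test ESMTP\r\n"

def parse_as_tls_record(data: bytes):
    """Read the first 5 bytes the way a TLS client reads a record header."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}

def classify_greeting(data: bytes) -> str:
    """Classify what the server sent before the client said anything."""
    if not data:
        return "silent"          # likely waiting for a ClientHello: implicit TLS
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "plaintext-smtp"  # SMTP reply code: TLS only after STARTTLS
    rec = parse_as_tls_record(data)
    if rec and rec["type"] in (20, 21, 22, 23) and rec["version"][0] == 3:
        return "tls-record"
    return "unknown"

def wrappermode_for(kind: str):
    """Map the classification to a smtp_tls_wrappermode value, if it is clear."""
    return {"silent": "yes", "plaintext-smtp": "no"}.get(kind)

def probe(host: str, port: int, wait: float = 5.0) -> bytes:
    """Connect and return whatever arrives within `wait` seconds (b"" if nothing)."""
    with socket.create_connection((host, port), timeout=wait) as sock:
        try:
            return sock.recv(64)  # b"" also means the peer closed the connection
        except socket.timeout:
            return b""

if __name__ == "__main__":
    rec = parse_as_tls_record(SAMPLE_BANNER)
    # "220 " read as a record header gives version bytes 0x32 0x30, not 0x03 0x0X,
    # which a TLS library reports as a wrong version number.
    print(classify_greeting(SAMPLE_BANNER), rec, wrappermode_for("plaintext-smtp"))
```

To check a live port, pass the result of `probe(host, 465)` to `classify_greeting`; a banner that arrives before the client speaks means the port expects STARTTLS rather than wrappermode.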