Liebeskind Uri (luri) luri at
Thu Nov 11 08:22:08 CET 2021


I've been debugging this problem for some hours w/o any result and w/o 
understanding what postfix does.

PROBLEM: Postfix 3.3.0 (Ubuntu server) complains:

2021-11-11T08:05:56.523648+01:00 srv-mx-001 postfix/smtp[128867]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)

An extract of the relevant config is:

smtp_use_tls                    = yes
smtp_tls_security_level         = encrypt
smtp_tls_note_starttls_offer    = yes
smtp_tls_loglevel               = 0
smtp_tls_session_cache_timeout  = 7200s
smtp_tls_session_cache_database = 
smtp_tls_CAfile                 = /etc/ssl/certs/ca-certificates.crt

relayhost = []:465   # Exchange Server


Mails are sent fine, but the warning is disturbing. tcpdump verifies 
that a TLSv1.1 connection is established with the Exchange server.

After adding "smtp_tls_wrappermode = yes" to mails are stuck in 
the queue and the maillog notes:

2021-11-10T15:35:58.486907+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect:before SSL initialization
2021-11-10T15:35:58.487233+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect:SSLv3/TLS write client hello
2021-11-10T15:35:58.488035+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect:error in error
2021-11-10T15:35:58.488197+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect error to[]:465: -1
2021-11-10T15:35:58.488403+01:00 srv-mx-001 postfix/smtp[77257]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version 
2021-11-10T15:35:58.488573+01:00 srv-mx-001 postfix/smtp[77257]: remove from client cache
2021-11-10T15:35:58.488790+01:00 srv-mx-001 postfix/tlsmgr[77254]: delete smtp session 
2021-11-10T15:35:58.497053+01:00 srv-mx-001 postfix/smtp[77257]: 7156C3FAA3: to=<luri at>,[]:465, delay=0.03, delays=0.01/0.01/0/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

tcpdump shows that postfix tried to connect with TLSv1, and this will 
expectedly fail.

Why does postfix change from TLSv1.1 to TLSv1? How can I fix this?

Thank you and kind regards,

Uri Liebeskind

Zurich University of Applied Sciences
Information and Communication Technology

Uri Liebeskind
System Administrator
Gertrudstrasse 15
Postfach 805
CH-8401 Winterthur

Tel. +41 58 934 72 63

More information about the postfix-users mailing list
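
An added example, not part of the original post: Python code that reads the two version fields of a captured TLS ClientHello and classifies the first bytes a server sends on port 465, the two things the tcpdump and `ssl3_get_record` observations above depend on. The byte strings, the host name `mail.example.test` and the function names are constructed for illustration.

```python
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
                0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS record apart from a plaintext SMTP reply line."""
    # TLS record: content type 20..23, then major version byte 3.
    if len(data) >= 3 and data[0] in (20, 21, 22, 23) and data[1] == 3:
        return "tls-record"
    # SMTP reply: three digits, then space or hyphen (e.g. "220 ...").
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        return "plaintext-smtp"
    return "unknown"

def client_hello_versions(record: bytes):
    """Return (record-layer version, offered client_version) as names."""
    if len(record) < 11 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS ClientHello record")
    # Record header: type(1) version(2) length(2); handshake header:
    # msg_type(1) length(3); the ClientHello body starts with version(2).
    rec_ver, = struct.unpack("!H", record[1:3])
    hello_ver, = struct.unpack("!H", record[9:11])
    name = lambda v: TLS_VERSIONS.get(v, hex(v))
    return name(rec_ver), name(hello_ver)

def build_sample_client_hello() -> bytes:
    """Constructed ClientHello: record layer 0x0301, client_version 0x0303."""
    body = (b"\x03\x03" + bytes(32)          # client_version, random
            + b"\x00"                        # empty session id
            + b"\x00\x02\xc0\x2f"            # one cipher suite
            + b"\x01\x00")                   # null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

# Constructed samples, not captured from the poster's systems.
SAMPLE_CLIENT_HELLO = build_sample_client_hello()
SAMPLE_BANNER = b"220 mail.example.test ESMTP\r\n"

if __name__ == "__main__":
    # The record-layer version of an initial ClientHello may read TLSv1.0
    # for compatibility; the offered version is the second value.
    print(client_hello_versions(SAMPLE_CLIENT_HELLO))
    # A server answering with an SMTP banner is not speaking implicit TLS.
    print(classify_first_bytes(SAMPLE_BANNER))
```
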