Error due to TLS 1.3 mismatch

Frank Röhm francwalter at gmx.net
Tue Dec 17 12:42:24 CET 2024


Morning Markus,

I only just discovered your message by chance on pipermail - I must
have deactivated the list at some point. I had already been wondering
why nobody was answering any more, sorry :)

 > as already written: you must also use 'postconf -n' in addition. So,
to be on the safe side, please also post the complete output of
'postconf -nf'.


#postconf -nf
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases,hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
bounce_template_file = /etc/postfix/bounce.de-DE.cf
broken_sasl_auth_clients = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
default_process_limit = 500
dovecot_destination_recipient_limit = 1
greylist = check_policy_service inet:127.0.0.1:60000
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
message_size_limit = 51200000
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = ew6.org
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:12301
queue_directory = /var/spool/postfix
readme_directory = no
receive_override_options = no_address_mappings
recipient_delimiter = +
smtp_tls_loglevel = 1
smtp_tls_protocols = >=TLSv1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = dsn
smtpd_hard_error_limit = 100
smtpd_milters = inet:localhost:12301
smtpd_recipient_restrictions = reject_unknown_sender_domain,
     reject_unknown_recipient_domain, permit_mynetworks,
     reject_unlisted_recipient, reject_non_fqdn_sender,
     reject_non_fqdn_recipient, reject_unlisted_sender,
     permit_sasl_authenticated, reject_unauth_destination,
     reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
     reject_unknown_client_hostname, reject_unknown_helo_hostname,
     check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
     check_client_access hash:/etc/postfix/rbl_client_exceptions,
     check_policy_service inet:127.0.0.1:10040
smtpd_relay_before_recipient_restrictions = no
smtpd_restriction_classes = greylist
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 80
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/ew6.org/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/letsencrypt/live/ew6.org/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
soft_bounce = no
tls_preempt_cipherlist = yes
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains =
mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000


So I don't have smtp_tls_protocols in there, which means the default
should be in effect.

 > > ...
 > > Oct  1 06:04:22 ew6 postfix/smtpd[30580]: Anonymous TLS connection
established from
dynamic-095-112-037-129.95.112.pool.telefonica.de[95.112.37.129]:
TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange
X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
 > > ...
 > ... And exactly this line should also appear for outgoing connections
with 'smtp_tls_loglevel = 1'. ...

But unfortunately I don't see anything there; for outgoing connections
this line is missing from the log :(
I just did another test to info at ladenburger.de, and this is what the
log shows for it:

Dec 17 11:57:25 ew6 postfix/smtpd[2091753]: connect from
dynamic-077-003-120-015.77.3.pool.telefonica.de[77.3.120.15]
Dec 17 11:57:25 ew6 postfix/smtpd[2091753]: Anonymous TLS connection
established from
dynamic-077-003-120-015.77.3.pool.telefonica.de[77.3.120.15]: TLSv1.3
with cipher TLS_AES_256_GCM_SHA384
  (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048
bits) server-digest SHA256
Dec 17 11:57:25 ew6 postfix/smtpd[2091753]: discarding EHLO keywords: DSN
Dec 17 11:57:25 ew6 postfix/smtpd[2091753]: C5B7ABFBEE:
client=dynamic-077-003-120-015.77.3.pool.telefonica.de[77.3.120.15],
sasl_method=PLAIN, sasl_username=francwalter at ew6.org
Dec 17 11:57:25 ew6 postfix/cleanup[2091734]: C5B7ABFBEE:
message-id=<58104880-1b62-46ec-9b33-0f7a4b9133fc at ew6.org>
Dec 17 11:57:25 ew6 opendkim[1008]: C5B7ABFBEE: DKIM-Signature field
added (s=mail, d=ew6.org)
Dec 17 11:57:25 ew6 postfix/qmgr[2091698]: C5B7ABFBEE:
from=<francwalter at ew6.org>, size=1202, nrcpt=1 (queue active)
Dec 17 11:57:26 ew6 postfix/smtpd[2091733]: connect from
localhost[127.0.0.1]
Dec 17 11:57:26 ew6 postfix/smtpd[2091733]: discarding EHLO keywords: DSN
Dec 17 11:57:26 ew6 postfix/smtpd[2091733]: 6F980BFBF3:
client=localhost[127.0.0.1], orig_queue_id=C5B7ABFBEE,
orig_client=dynamic-077-003-120-015.77.3.pool.telefonica.de[77.3.120.15]
Dec 17 11:57:26 ew6 postfix/cleanup[2091734]: 6F980BFBF3:
message-id=<58104880-1b62-46ec-9b33-0f7a4b9133fc at ew6.org>
Dec 17 11:57:26 ew6 opendkim[1008]: 6F980BFBF3: DKIM-Signature field
added (s=mail, d=ew6.org)
Dec 17 11:57:26 ew6 postfix/smtpd[2091733]: disconnect from
localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 quit=1
commands=6
Dec 17 11:57:26 ew6 postfix/qmgr[2091698]: 6F980BFBF3:
from=<francwalter at ew6.org>, size=1966, nrcpt=1 (queue active)
Dec 17 11:57:26 ew6 amavis[2089869]: (2089869-06) Passed CLEAN
{RelayedOpenRelay}, [77.3.120.15]:7673 [77.3.120.15]
<francwalter at ew6.org> -> <info at ladenburger.de>, Queue-ID: C5B7ABFBEE,
Message-ID: <58104880-1b62-46ec-9b33-0f7a4b9133fc at ew6.org>, mail_id:
a00ks94Iepwm, Hits: -2.698, size: 1522, queued_as: 6F980BFBF3, 603 ms
Dec 17 11:57:26 ew6 postfix/smtp[2091754]: C5B7ABFBEE:
to=<info at ladenburger.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.73,
delays=0.12/0.01/0/0.6, dsn=2.0.0, status=sent (250 2.0.0 from
MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 6F980BFBF3)
Dec 17 11:57:26 ew6 postfix/qmgr[2091698]: C5B7ABFBEE: removed
Dec 17 11:57:26 ew6 postfix/smtp[2091757]: 6F980BFBF3:
to=<info at ladenburger.de>,
relay=mx-01-eu-central-1.prod.hydra.sophos.com[3.66.6.170]:25,
delay=0.41, delays=0.05/0.01/0.12/0.24, dsn=5.7.4, status=bounced (host
mx-01-eu-central-1.prod.hydra.sophos.com[3.66.6.170] said: 550 5.7.4
XGEMAIL_0006 Command rejected : The rejection of the message occurred
due to a mismatch in TLS versions between the configured TLS version is
Preferred TLS 1.3 for the recipient: info at ladenburger.de and the sender:
ew6.org TLS version is not available (in reply to RCPT TO command))
Dec 17 11:57:26 ew6 postfix/cleanup[2091734]: D5629C060C:
message-id=<20241217105726.D5629C060C at ew6.org>
Dec 17 11:57:26 ew6 postfix/bounce[2091758]: 6F980BFBF3: sender
non-delivery notification: D5629C060C
Dec 17 11:57:26 ew6 postfix/qmgr[2091698]: D5629C060C: from=<>,
size=5540, nrcpt=1 (queue active)
Dec 17 11:57:26 ew6 postfix/qmgr[2091698]: 6F980BFBF3: removed
Dec 17 11:57:26 ew6 postfix/pipe[2091735]: D5629C060C:
to=<francwalter at ew6.org>, orig_to=<francwalter at ew6.org>, relay=dovecot,
delay=0.04, delays=0/0/0/0.03, dsn=2.0.0, status=sent (delivered via
dovecot service)
Dec 17 11:57:26 ew6 postfix/qmgr[2091698]: D5629C060C: removed


But mail via GMX and the like is received there, so it must also have
something to do with my Postfix, but what?

Thanks!
Regards, frank
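Added example (not part of the thread): a small Python check that parses Postfix log lines like the ones above and flags outbound `postfix/smtp` deliveries to non-loopback relays for which the same smtp process never logged a "TLS connection established to" line, i.e. deliveries that went out in cleartext. The sample log lines are constructed, modelled on the excerpt above with documentation hostnames and addresses; the last two lines are an added case where outbound TLS was negotiated.

```python
import re

# Constructed sample lines: first three mirror the post's log (content-filter hop,
# then the bounced external delivery with no TLS line); last two show a TLS'd delivery.
SAMPLE_LOG = """\
Dec 17 11:57:25 ew6 postfix/smtpd[2091753]: Anonymous TLS connection established from client.example[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Dec 17 11:57:26 ew6 postfix/smtp[2091754]: C5B7ABFBEE: to=<user@example.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.73, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 6F980BFBF3)
Dec 17 11:57:26 ew6 postfix/smtp[2091757]: 6F980BFBF3: to=<user@example.net>, relay=mx.example.net[203.0.113.5]:25, delay=0.41, dsn=5.7.4, status=bounced (host mx.example.net[203.0.113.5] said: 550 5.7.4 TLS version mismatch (in reply to RCPT TO command))
Dec 17 12:03:01 ew6 postfix/smtp[2091801]: Untrusted TLS connection established to mx.example.org[203.0.113.9]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Dec 17 12:03:01 ew6 postfix/smtp[2091801]: 7A1C2BFC01: to=<someone@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=0.50, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Only the smtp client (postfix/smtp[...]) is of interest; smtpd lines do not match.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# "Untrusted TLS connection established to mx.example.net[203.0.113.5]:25: TLSv1.3 ..."
TLS_RE = re.compile(r"TLS connection established to (?P<relay>\S+\]:\d+):")
# "6F980BFBF3: to=<...>, relay=mx.example.net[203.0.113.5]:25, ..., status=bounced (...)"
DELIVERY_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)"
)


def is_loopback(relay):
    # Content-filter hops (amavis on 127.0.0.1:10024 in the post) are not external deliveries.
    return "[127." in relay or "[::1]" in relay


def find_cleartext_deliveries(log_text):
    """Return deliveries to external relays where the delivering smtp process
    logged no TLS handshake for that relay. Sessions are keyed by (pid, relay)
    because one smtp process may deliver several messages over one connection."""
    tls_sessions = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        t = TLS_RE.search(msg)
        if t:
            tls_sessions.add((pid, t.group("relay")))
            continue
        d = DELIVERY_RE.match(msg)
        if not d or is_loopback(d.group("relay")):
            continue
        if (pid, d.group("relay")) not in tls_sessions:
            findings.append({"queue_id": d.group("qid"), "relay": d.group("relay"),
                             "status": d.group("status")})
    return findings
```

With smtp_tls_loglevel = 1 the client-side handshake line is what the check keys on, so any external delivery it reports is one where the smtp client never negotiated TLS at all, which is a different situation from a rejected TLS version.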

