GitLab

I came across the issue that the new TLS settings might cause some existing scripts to fail sending mail.

Reason: Older PHP versions (at least 5.6, don't know about 7.0/7.1/7.2) use a lower TLS transport as default. That means when you open a TLS connection to the mailserver via tls:// PHP is not using TLSv1.2 or higher. You have to explicitly use tlsv1.2:// transport.
It would not even be enough removing !TLSv1 or !TLSv1.1 from the tls_protocols in main.cf because then the CIPHER list is not providing any valid ciphers for the lower tls versions.

To make my PHP skript work (needs 5.6 currently) I had to remove both !TLSv1 and !TLSv1.1 from the deny list and in addition comment out smtpd_tls_mandatory_ciphers and tls_medium_cipherlist so the connection succeeded again.

Please state your opinions @jnorell @thom @tbrehm

For reference some log entries from different configurations:

Sep 24 12:04:47 mx postfix/smtps/smtpd[9957]: SSL_accept error from unknown[x.y.z.a]: -1
Sep 24 12:04:47 mx postfix/smtps/smtpd[9957]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1661:

Sep 24 11:51:28 mx postfix/smtpd[7286]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2259:
Sep 24 11:23:08 mx postfix/smtps/smtpd[5505]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2259:

This also seems to apply to some "rare" mail servers and clients.