Discussion: Problems with removed old TLS and CIPHERS
I came across the issue that the new TLS settings might cause some existing scripts to fail sending mail.
Reason: Older PHP versions (at least 5.6, don't know about 7.0/7.1/7.2) use a lower TLS transport as default. That means when you open a TLS connection to the mail server via tls:// PHP is not using TLSv1.2 or higher. You have to explicitly use
It would not even be enough removing !TLSv1.1 from the main.cf because then the CIPHER list is not providing any valid ciphers for the lower TLS versions.
To make my PHP script work (needs 5.6 currently) I had to remove both !TLSv1.1 from the deny list and in addition comment out tls_medium_cipherlist so the connection succeeded again.
For reference, some log entries from different configurations:
Sep 24 12:04:47 mx postfix/smtps/smtpd: SSL_accept error from unknown[x.y.z.a]: -1
Sep 24 12:04:47 mx postfix/smtps/smtpd: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1661:
Sep 24 11:51:28 mx postfix/smtpd: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2259:
Sep 24 11:23:08 mx postfix/smtps/smtpd: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2259:
This also seems to apply to some "rare" mail servers and clients.
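As an added illustration (not part of the original post or of Postfix/PHP documentation): instead of re-enabling TLSv1.1 and the weaker cipher list on the server, a PHP 5.6+ client can be pinned to TLSv1.2 itself, both for implicit TLS on the smtps port seen in the log lines and for STARTTLS on the submission port. The host name mx.example.com and the client EHLO name are placeholders.

```php
<?php
// Added example: force TLSv1.2 from a PHP 5.6+ mail client so the server can
// keep !TLSv1.1 and its cipher list. Host names below are placeholders.
$host = 'mx.example.com';

$ctx = stream_context_create(array(
    'ssl' => array(
        'verify_peer'      => true,
        'verify_peer_name' => true,
        // Only offer TLSv1.2 when PHP negotiates; avoids "unsupported protocol"
        'crypto_method'    => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT, // PHP >= 5.6
    ),
));

// 1) Implicit TLS on port 465 (Postfix "smtps" service): the tlsv1.2://
//    transport negotiates TLSv1.2 only, unlike the generic tls:// transport.
$fp = stream_socket_client("tlsv1.2://$host:465", $errno, $errstr, 30,
                           STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    die("SMTPS connect failed: $errstr ($errno)\n");
}
echo fgets($fp);            // 220 banner from the server
fwrite($fp, "QUIT\r\n");
fclose($fp);

// 2) STARTTLS on port 587: connect in clear text, then upgrade with an explicit
//    TLSv1.2 crypto method instead of PHP's default method.
$fp = stream_socket_client("tcp://$host:587", $errno, $errstr, 30,
                           STREAM_CLIENT_CONNECT, $ctx);
if ($fp === false) {
    die("SMTP connect failed: $errstr ($errno)\n");
}
echo fgets($fp);            // 220 banner
fwrite($fp, "EHLO client.example.com\r\n");
// Consume the multi-line EHLO reply: "250-..." continues, "250 ..." ends it.
while (($line = fgets($fp)) !== false && $line[3] === '-') {}
fwrite($fp, "STARTTLS\r\n");
$resp = fgets($fp);
if (strncmp($resp, '220', 3) !== 0) {
    die("STARTTLS refused: $resp");
}
if (!stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT)) {
    die("TLS upgrade failed\n");
}
// From here the session is TLSv1.2; authenticate and send as usual, then QUIT.
fwrite($fp, "QUIT\r\n");
fclose($fp);
```

Mail libraries that wrap these streams usually expose the same setting (a crypto method or a TLS version option), so the fix belongs in the client configuration rather than in main.cf.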