Discussion: Problems with removed old TLS and CIPHERS
I came across the issue that the new TLS settings might cause some existing scripts to fail sending mail.
Reason: Older PHP versions (at least 5.6, don't know about 7.0/7.1/7.2) use a lower TLS transport as default. That means when you open a TLS connection to the mailserver via tls://, PHP is not using TLSv1.2 or higher. You have to explicitly use the tlsv1.2:// transport.
It would not even be enough to remove !TLSv1 or !TLSv1.1 from tls_protocols in main.cf, because then the cipher list does not provide any valid ciphers for the lower TLS versions.
To make my PHP script work (it currently needs 5.6) I had to remove both !TLSv1 and !TLSv1.1 from the deny list and, in addition, comment out smtpd_tls_mandatory_ciphers and tls_medium_cipherlist so the connection succeeded again.
Please state your opinions @jnorell @thom @tbrehm
For reference, some log entries from different configurations:
Sep 24 12:04:47 mx postfix/smtps/smtpd[9957]: SSL_accept error from unknown[x.y.z.a]: -1
Sep 24 12:04:47 mx postfix/smtps/smtpd[9957]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1661:
Sep 24 11:51:28 mx postfix/smtpd[7286]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2259:
Sep 24 11:23:08 mx postfix/smtps/smtpd[5505]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2259:
This also seems to apply to some "rare" mail servers and clients.
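As an added example (not part of this post and not the project's own tooling), here is a small Python triage script that runs over the log lines quoted above and tells the two failure shapes apart: "unsupported protocol" means the client's ClientHello offered a TLS version the server no longer accepts, while "no shared cipher" means the version was accepted but the cipher lists do not overlap. Which main.cf parameter it points at is this example's own assumption: it treats the smtps/smtpd service as wrappermode (mandatory TLS, so the smtpd_tls_mandatory_* parameters) and plain smtpd as opportunistic STARTTLS (smtpd_tls_*). The helper names triage and count_reasons are mine; the sample input is the four log lines from the post plus one constructed unrelated line.

```python
import re
from collections import Counter
from typing import Dict, List

# Example triage script, not part of the original post. It parses the two
# Postfix/OpenSSL failure shapes quoted in the discussion and attaches a
# hint about which main.cf parameter to inspect.

LOG_PREFIX = (
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<service>[\w/]+)\[(?P<pid>\d+)\]: "
)
# "SSL_accept error from unknown[x.y.z.a]: -1": handshake aborted, peer named
SSL_ACCEPT_RE = re.compile(LOG_PREFIX + r"SSL_accept error from (?P<peer>\S+): -1$")
# "warning: TLS library problem: error:<code>:SSL routines:<func>:<reason>:<file>:<line>:"
TLS_PROBLEM_RE = re.compile(
    LOG_PREFIX
    + r"warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]+):"
    r"SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+):"
)

# OpenSSL reason string -> (diagnosis, {postfix service: parameter to check}).
# Assumption of this example: the "smtps" master.cf service runs in
# wrappermode, so the smtpd_tls_mandatory_* parameters govern it, while the
# plain "smtpd" service does opportunistic STARTTLS under smtpd_tls_*.
REASON_HINTS = {
    "unsupported protocol": (
        "ClientHello offered a TLS version outside the server's allowed range",
        {
            "smtps/smtpd": "smtpd_tls_mandatory_protocols",
            "smtpd": "smtpd_tls_protocols",
        },
    ),
    "no shared cipher": (
        "protocol version was accepted but no cipher suite overlaps",
        {
            "smtps/smtpd": "smtpd_tls_mandatory_ciphers / tls_medium_cipherlist",
            "smtpd": "smtpd_tls_ciphers / tls_medium_cipherlist",
        },
    ),
}


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per TLS library failure, with the peer (when an
    SSL_accept line for the same smtpd pid preceded it) and a hint."""
    peer_by_pid: Dict[str, str] = {}
    events: List[Dict[str, str]] = []
    for line in lines:
        m = SSL_ACCEPT_RE.match(line)
        if m:
            peer_by_pid[m["pid"]] = m["peer"]
            continue
        m = TLS_PROBLEM_RE.match(line)
        if not m:
            continue  # not a TLS handshake failure, ignore
        reason = m["reason"]
        diagnosis, knobs = REASON_HINTS.get(
            reason, ("unrecognised OpenSSL reason, inspect manually", {})
        )
        events.append({
            "ts": m["ts"],
            "service": m["service"],
            "pid": m["pid"],
            "peer": peer_by_pid.pop(m["pid"], "unknown"),
            "code": m["code"].upper(),
            "reason": reason,
            "diagnosis": diagnosis,
            "check": knobs.get(m["service"], "smtpd_tls_* protocol and cipher settings"),
        })
    return events


def count_reasons(events: List[Dict[str, str]]) -> Dict[str, int]:
    """How many failures of each kind, to see whether protocol or cipher policy dominates."""
    return dict(Counter(e["reason"] for e in events))


# The first four lines are the ones quoted in the post; the last one is a
# constructed unrelated entry to show that non-matching lines are skipped.
SAMPLE_LOG = [
    "Sep 24 12:04:47 mx postfix/smtps/smtpd[9957]: SSL_accept error from unknown[x.y.z.a]: -1",
    "Sep 24 12:04:47 mx postfix/smtps/smtpd[9957]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1661:",
    "Sep 24 11:51:28 mx postfix/smtpd[7286]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2259:",
    "Sep 24 11:23:08 mx postfix/smtps/smtpd[5505]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2259:",
    "Sep 24 11:23:09 mx postfix/smtps/smtpd[5505]: disconnect from unknown[x.y.z.a]",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['ts']} {e['service']}[{e['pid']}] peer={e['peer']} "
              f"{e['reason']} -> check {e['check']}")
    print(count_reasons(triage(SAMPLE_LOG)))
```

Run it against a real mail.log by replacing SAMPLE_LOG with the file's lines. Seeing "unsupported protocol" for a client you control is the signal to fix the client (for the PHP case above, by using the tlsv1.2:// transport) rather than to loosen the server's protocol list, since re-enabling TLSv1/1.1 also requires a cipher list that still contains suites those versions can use.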