[ext] cipher error message
Florian Vierke
florian at bodici.de
Thu May 21 10:55:35 CEST 2026
Hello Timm,

The Renault/IronPort server offers only RSA-based TLS ciphers, e.g.:
ECDHE-RSA-*
DHE-RSA-*
AES*-RSA-*

Your mail server, by contrast, currently offers practically only ECDSA-based ciphers:
ECDHE-ECDSA-*

Is that intentional? A solution would be to additionally provide an RSA certificate or RSA ciphers for Postfix.

Best regards
Florian
> On 20. May 2026, at 21:57, Timm Schneider via Postfixbuch-users <postfixbuch-users at listen.jpberlin.de> wrote:
>
> Hello Ralf
>
> This is what a tlstest gave me:
>
> rDNS (194.165.192.44): esa.hc1506-8.eu.iphmx.com.
> Service set: STARTTLS via SMTP
> Testing ciphers per protocol via OpenSSL plus sockets against the server, ordered by encryption strength
>
> Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
> -----------------------------------------------------------------------------------------------------------------------------
> SSLv2
> SSLv3
> TLS 1
> TLS 1.1
> TLS 1.2
> xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
> x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
> xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> xccaa DHE-RSA-CHACHA20-POLY1305 DH 2048 ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
> x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
> xc077 ECDHE-RSA-CAMELLIA256-SHA384 ECDH 253 Camellia 256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
> xc4 DHE-RSA-CAMELLIA256-SHA256 DH 2048 Camellia 256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256
> x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
> xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM
> x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256
> xc0 CAMELLIA256-SHA256 RSA Camellia 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
> xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
> x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
> xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM
> x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
> xc076 ECDHE-RSA-CAMELLIA128-SHA256 ECDH 253 Camellia 128 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
> xbe DHE-RSA-CAMELLIA128-SHA256 DH 2048 Camellia 128 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
> x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256
> x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256
> xba CAMELLIA128-SHA256 RSA Camellia 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256
> TLS 1.3
>
> and mine:
>
> rDNS (83.137.45.114): ns.tms-it.net.
> Service set: STARTTLS via SMTP
>
> Testing ciphers per protocol via OpenSSL plus sockets against the server, ordered by encryption strength
>
> Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC)
> -----------------------------------------------------------------------------------------------------------------------------
> SSLv2
> SSLv3
> TLS 1
> TLS 1.1
> TLS 1.2
> xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
> xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
> xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
> xc0af ECDHE-ECDSA-AES256-CCM8 ECDH 253 AESCCM8 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
> xc0ad ECDHE-ECDSA-AES256-CCM ECDH 253 AESCCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_CCM
> xc073 ECDHE-ECDSA-CAMELLIA256-SHA384 ECDH 253 Camellia 256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
> xc019 AECDH-AES256-SHA ECDH 521 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
> xa7 ADH-AES256-GCM-SHA384 DH 3072 AESGCM 256 TLS_DH_anon_WITH_AES_256_GCM_SHA384
> x6d ADH-AES256-SHA256 DH 3072 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA256
> x3a ADH-AES256-SHA DH 3072 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA
> xc5 ADH-CAMELLIA256-SHA256 DH 3072 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256
> x89 ADH-CAMELLIA256-SHA DH 3072 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
> xc05d ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384
> xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
> xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
> xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
> xc0ae ECDHE-ECDSA-AES128-CCM8 ECDH 253 AESCCM8 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
> xc0ac ECDHE-ECDSA-AES128-CCM ECDH 253 AESCCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_CCM
> xc072 ECDHE-ECDSA-CAMELLIA128-SHA256 ECDH 253 Camellia 128 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256
> xc018 AECDH-AES128-SHA ECDH 521 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
> xa6 ADH-AES128-GCM-SHA256 DH 1024 AESGCM 128 TLS_DH_anon_WITH_AES_128_GCM_SHA256
> x6c ADH-AES128-SHA256 DH 1024 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA256
> x34 ADH-AES128-SHA DH 1024 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA
> xbf ADH-CAMELLIA128-SHA256 DH 1024 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256
> x46 ADH-CAMELLIA128-SHA DH 1024 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
> xc05c ECDHE-ECDSA-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256
> TLS 1.3
> x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
> x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256
> x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256
>
> Done 2026-05-20 21:31:55 [ 17s] -->> 83.137.45.114:25 (mail.tms-itdienst.at) <<--
>
> On 20.05.2026 at 21:37, Ralf Hildebrandt via Postfixbuch-users wrote:
>> * Timm Schneider via Postfixbuch-users <postfixbuch-users at listen.jpberlin.de>:
>>> Hello again.
>>>
>>> Which ciphers does Postfix use if nothing is defined?
>> postconf smtpd_tls_ciphers
>>
>> for me that returns "medium", and then you ask yourself: "Medium? With just a little fizz?"
>>
>> postconf tls_medium_cipherlist
>> then tells you WHAT "medium" means -- for me it returns:
>>
>> tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH
>>
>> That is of course OpenSSL-speak. And which ones those are concretely is shown by:
>> openssl ciphers -v 'aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH'
>>
>> TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
>> TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
>> TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
>> ...
>>
>
> --
> Timm Schneider
> 4840 Vöcklabruck
> T. (AT) 0720.501078
> T. (DE) 089.2441 3327
> T. (CH) 032.510 9875
> T. (IT) 366.908 0087
>
> Video conference with me: https://tmspbx.3cx.at/meet/timmschneider
>
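The comparison made in the reply above, as an added example that is not part of the original thread: a Python sketch that parses two testssl-style cipher listings and reports, per protocol version both sides offer, the suites they share and the authentication types each side covers. The input is a few rows excerpted from the two scans quoted in the thread; the function names are this example's own.

```python
import re

# A few rows excerpted from the two testssl listings quoted in the thread.
PEER = """\
> TLS 1.2
> xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384
> TLS 1.3
"""
OWN = """\
> TLS 1.2
> xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
> xa7 ADH-AES256-GCM-SHA384 DH 3072 AESGCM 256 TLS_DH_anon_WITH_AES_256_GCM_SHA384
> TLS 1.3
> x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384
"""

PROTO = re.compile(r"^(?:SSLv[23]|TLS 1(?:\.[123])?)$")
ROW = re.compile(r"^x[0-9a-f]+\s.*\s(TLS_\S+)$")

def auth_of(iana):
    """Authentication type encoded in an IANA suite name."""
    if "_WITH_" not in iana:
        return "any"  # TLS 1.3 suites do not fix the certificate type
    return next((t for t in ("anon", "ECDSA", "RSA") if f"_{t}_" in iana), "other")

def parse(listing):
    """Return {protocol: {IANA suite name: auth type}}; tolerates '>' quoting."""
    suites, proto = {}, None
    for raw in listing.splitlines():
        line = raw.lstrip("> ").strip()
        if PROTO.match(line):
            proto = line
            suites.setdefault(proto, {})  # keep versions that list no suites
        elif proto and (m := ROW.match(line)):
            suites[proto][m.group(1)] = auth_of(m.group(1))
    return suites

def compare(peer, own):
    """Per protocol both sides offer: shared suites and each side's auth types."""
    return {p: {"common": sorted(peer[p].keys() & own[p].keys()),
                "peer_auth": sorted(set(peer[p].values())),
                "own_auth": sorted(set(own[p].values()))}
            for p in peer if peer[p] and own.get(p)}

if __name__ == "__main__":
    print(compare(parse(PEER), parse(OWN)))
```

An empty `common` list at the only protocol version both listings share, with `peer_auth` limited to RSA and `own_auth` lacking it, is the mismatch the reply points out.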