
<!DOCTYPE html>

<html>

  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

  </head>

  <body>

    <div class="moz-cite-prefix">Am 24.09.2024 um 09:32 schrieb

      gnitzsche via Postfixbuch-users:<br>

    </div>

    <blockquote type="cite"

      cite="mid:712c3541b134558ede817a1e4b8fe105@netcologne.de">

      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

      <p id="v1reply-intro">On 2024-09-24 09:01, Frank Kirschner via

        Postfixbuch-users wrote:</p>

      <blockquote type="cite"

style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">

        <div id="v1replybody1">

          <div>

            <p><br>

            </p>

            <div class="v1v1moz-cite-prefix">Am 24.09.2024 um 08:47

              schrieb gnitzsche via Postfixbuch-users:</div>

            <blockquote type="cite"

style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">

              <p id="v1v1reply-intro">On 2024-09-24 07:43, Frank

                Kirschner via Postfixbuch-users wrote:</p>

              <blockquote

style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0;">

                <div id="v1v1replybody1">

                  <div>

                    <p><span

style="font-family: Helvetica, Arial, sans-serif; font-size: small;"><-snip-></span><span

style="font-family: Helvetica, Arial, sans-serif; font-size: small;"></span></p>

                    <p><span

style="font-family: Helvetica, Arial, sans-serif; font-size: small;">Sep

                        24 06:17:52 farm11 postfix/smtpd[2767072]:

                        warning: TLS library problem:

                        2767072:error:1408A0C1:SSL

                        routines:ssl3_get_client_hello:no shared

                        cipher:s3_srvr.c:1435:</span></p>

                  </div>

                </div>

              </blockquote>

              <p>Denke, das liegt an dem "<span

style="font-family: Helvetica, Arial, sans-serif; font-size: small;">no

                  shared cipher". </span></p>

              <p><span

style="font-family: Helvetica, Arial, sans-serif; font-size: small;">Hier

                  kommt mail1.gothaer.de an mit TLSv1.2 mit Cipher

                  DHE-RSA-AES256-GCM-SHA384 (256/256 bits)</span></p>

              <p><span

style="font-family: Helvetica, Arial, sans-serif; font-size: small;"><-snip-></span></p>

            </blockquote>

            <p>Hmm, folgende cipherlist habe ich konfiguriert:</p>

            <p>tls_medium_cipherlist =

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384</p>

            <p><-snip-></p>

            <p>Habe ich irgend etwas falsch angegeben?</p>

          </div>

        </div>

      </blockquote>

      <p><br>

      </p>

      <p>postfix sagt dazu:</p>

      <p><span

style="font-family: Helvetica, Arial, sans-serif; font-size: small;"><strong>medium</strong></span></p>

      <p><span

style="font-family: Helvetica, Arial, sans-serif; font-size: small;">Enable

          "MEDIUM" grade or better OpenSSL ciphers. The underlying

          cipherlist is specified via the <a

href="https://www.postfix.org/postconf.5.html#tls_medium_cipherlist"

            target="_blank" rel="noopener noreferrer"

            moz-do-not-send="true">tls_medium_cipherlist</a>

          configuration parameter, which you are strongly encouraged not

          to change.</span></p>

      <p><span

style="font-family: Helvetica, Arial, sans-serif; font-size: small;"><strong><a

              name="v1tls_medium_cipherlist" moz-do-not-send="true"></a>tls_medium_cipherlist

            (default: see "postconf -d" output)</strong></span></p>

      <p><span

style="font-family: Helvetica, Arial, sans-serif; font-size: small;"><strong>..You

            are strongly encouraged not to change this setting. </strong></span></p>

      <p><br>

      </p>

      <p>openssl s_client -connect farm**.de:25 -starttls smtp -cipher

        DHE-RSA-AES256-GCM-SHA384</p>

      <p>schlägt fehl; mit   ECDHE-ECDSA-AES256-GCM-SHA384 funktioniert

        es..</p>

      <p><br>

        Ich empfehle, die Konfig für die cipherlist (und evtl. excludes

        ?) genau zu prüfen</p>

      <p>bzw. den Default herzustellen. Mal bei postconf -n gegen den

        Default postconf -d die</p>

      <p>tls-Zeilen genau prüfen.</p>

    </blockquote>

    <p>Danke Gunther, sehr gute Idee, Folgendes habe ich herausgefunden:</p>

    <p>postconf -d<br>

      tls_medium_cipherlist =

      aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH<br>

      <br>

      postconf -n<br>

      tls_medium_cipherlist =

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384</p>

    <p>Ich habe jetzt mal in der Postfix Konfiguration die default

      tls_medium_cipherlist =

      aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH aktiviert, leider

      immer noch das Problem.</p>

    <p>Jedoch gibt mir:<br>

      # openssl s_client -connect localhost:25 -starttls smtp -cipher

      DHE-RSA-AES256-GCM-SHA384<br>

      CONNECTED(00000003)<br>

      140338129299344:error:14077410:SSL

      routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake

      failure:s23_clnt.c:769:<br>

      ---<br>

      <b>no peer certificate available</b><br>

      ---<br>

      No client certificate CA names sent</p>

    <p>einen wertvollen Hinweis. Meine Zertifikate werden mit

      "tehydrated" von Let's Encrypt erzeugt. Scheinbar fehlen da RSA

      ciphers. Werde da mal nachforschen.<br>

      Danke für den Hinweis zur Fehlersuche.</p>

    <p>lg Frank<br>

    </p>

    <p><br>

    </p>

  </body>

</html>