<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="moz-cite-prefix">On 24.09.2024 at 09:32, gnitzsche via
      Postfixbuch-users wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:712c3541b134558ede817a1e4b8fe105@netcologne.de">
      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
      <p id="v1reply-intro">On 2024-09-24 09:01, Frank Kirschner via
        Postfixbuch-users wrote:</p>
      <blockquote type="cite"
style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
        <div id="v1replybody1">
          <div>
            <div class="v1v1moz-cite-prefix">On 24.09.2024 at 08:47,
              gnitzsche via Postfixbuch-users wrote:</div>
            <blockquote type="cite"
style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
              <p id="v1v1reply-intro">On 2024-09-24 07:43, Frank
                Kirschner via Postfixbuch-users wrote:</p>
              <blockquote
style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0;">
                <div id="v1v1replybody1">
                  <div>
                    <p><span
style="font-family: Helvetica, Arial, sans-serif; font-size: small;"><-snip-></span><span
style="font-family: Helvetica, Arial, sans-serif; font-size: small;"></span></p>
                    <p><span
style="font-family: Helvetica, Arial, sans-serif; font-size: small;">Sep
                        24 06:17:52 farm11 postfix/smtpd[2767072]:
                        warning: TLS library problem:
                        2767072:error:1408A0C1:SSL
                        routines:ssl3_get_client_hello:no shared
                        cipher:s3_srvr.c:1435:</span></p>
                  </div>
                </div>
              </blockquote>
              <p>I think it is due to the "<span
style="font-family: Helvetica, Arial, sans-serif; font-size: small;">no
                  shared cipher". </span></p>
              <p><span
style="font-family: Helvetica, Arial, sans-serif; font-size: small;">Here
                  mail1.gothaer.de arrives with TLSv1.2 with cipher
                  DHE-RSA-AES256-GCM-SHA384 (256/256 bits)</span></p>
              <p><span
style="font-family: Helvetica, Arial, sans-serif; font-size: small;"><-snip-></span></p>
            </blockquote>
            <p>Hmm, I have the following cipherlist configured:</p>
            <p>tls_medium_cipherlist =
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384</p>
            <p><-snip-></p>
            <p>Did I specify something wrong?</p>
          </div>
        </div>
      </blockquote>
      <p>Postfix says about this:</p>
      <p><span
style="font-family: Helvetica, Arial, sans-serif; font-size: small;"><strong>medium</strong></span></p>
      <p><span
style="font-family: Helvetica, Arial, sans-serif; font-size: small;">Enable
          "MEDIUM" grade or better OpenSSL ciphers. The underlying
          cipherlist is specified via the <a
href="https://www.postfix.org/postconf.5.html#tls_medium_cipherlist"
            target="_blank" rel="noopener noreferrer"
            moz-do-not-send="true">tls_medium_cipherlist</a>
          configuration parameter, which you are strongly encouraged not
          to change.</span></p>
      <p><span
style="font-family: Helvetica, Arial, sans-serif; font-size: small;"><strong><a
              name="v1tls_medium_cipherlist" moz-do-not-send="true"></a>tls_medium_cipherlist
            (default: see "postconf -d" output)</strong></span></p>
      <p><span
style="font-family: Helvetica, Arial, sans-serif; font-size: small;"><strong>..You
            are strongly encouraged not to change this setting. </strong></span></p>
      <p>openssl s_client -connect farm**.de:25 -starttls smtp -cipher
        DHE-RSA-AES256-GCM-SHA384</p>
      <p>fails; with ECDHE-ECDSA-AES256-GCM-SHA384 it works.</p>
      <p><br>
        I recommend checking the cipherlist config (and possibly excludes?)
        carefully, or restoring the default. Compare the tls lines of
        postconf -n carefully against the default postconf -d.</p>
    </blockquote>
    <p>Thanks Gunther, very good idea, here is what I found out:</p>
    <p>postconf -d<br>
      tls_medium_cipherlist =
      aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH<br>
      <br>
      postconf -n<br>
      tls_medium_cipherlist =
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384</p>
    <p>I have now enabled the default tls_medium_cipherlist =
      aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH in the Postfix
      configuration; unfortunately the problem is still there.</p>
    <p>However, this:<br>
      # openssl s_client -connect localhost:25 -starttls smtp -cipher
      DHE-RSA-AES256-GCM-SHA384<br>
      CONNECTED(00000003)<br>
      140338129299344:error:14077410:SSL
      routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
      failure:s23_clnt.c:769:<br>
      ---<br>
      <b>no peer certificate available</b><br>
      ---<br>
      No client certificate CA names sent</p>
    <p>einen wertvollen Hinweis. Meine Zertifikate werden mit
      "tehydrated" von Let's Encrypt erzeugt. Scheinbar fehlen da RSA
      ciphers. Werde da mal nachforschen.<br>
      Danke für den Hinweis zur Fehlersuche.</p>
    <p>Best regards, Frank<br>
    </p>
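The hypothesis at the end of the thread, that an EC-only Let's Encrypt certificate makes every *-RSA-* suite in the configured list unusable and so produces "no shared cipher" for a client offering only DHE-RSA-AES256-GCM-SHA384, can be checked against the list without a live server. This is an added example, not code from the thread or from Postfix; it assumes the server certificate key type is ECDSA and uses a simple heuristic parser for OpenSSL cipher names (the functions parse_suite, usable_suites and shared_cipher are hypothetical helpers):

```python
"""Predict a Postfix "no shared cipher" failure from the cipherlist and the
server certificate's key type (added example, not from the mailing-list thread)."""

# The cipherlist from postconf -n in the thread.
POSTCONF_N_CIPHERLIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

KEX_PREFIXES = {"ECDHE", "DHE", "EDH", "ECDH", "DH"}
AUTH_ALGS = {"RSA", "ECDSA", "DSS"}

def parse_suite(name):
    """Return (kex, auth) for an OpenSSL cipher name. auth is "any" for TLS 1.3
    names (key-type neutral) and None for anonymous suites."""
    if name.startswith("TLS_"):
        return "TLS1.3", "any"
    parts = name.split("-")
    if parts[0] in ("ADH", "AECDH"):
        return parts[0], None
    if parts[0] in KEX_PREFIXES and len(parts) > 1 and parts[1] in AUTH_ALGS:
        return parts[0], parts[1]   # e.g. ECDHE-ECDSA-...: needs an ECDSA certificate
    return "RSA", "RSA"             # legacy static-RSA suites such as AES128-GCM-SHA256

def usable_suites(cipherlist, cert_key_types):
    """Split a colon-separated OpenSSL cipherlist into the explicit suites the
    server can offer with its certificate key type(s) and those it cannot.
    Aliases and operators (ALL, aNULL, !EXPORT, @STRENGTH) are skipped; the
    assumption is an explicit list of suite names, as in the thread."""
    usable, rejected = [], []
    for entry in filter(None, cipherlist.split(":")):
        if entry[0] in "!-+@" or ("-" not in entry and not entry.startswith("TLS_")):
            continue                # operator or alias, not a suite name
        _, auth = parse_suite(entry)
        (usable if auth == "any" or auth in cert_key_types else rejected).append(entry)
    return usable, rejected

def shared_cipher(server_cipherlist, cert_key_types, client_offer):
    """First suite in the server's list order that the client also offers, or
    None, which is what smtpd logs as "no shared cipher" (ignores @STRENGTH)."""
    usable, _ = usable_suites(server_cipherlist, cert_key_types)
    return next((s for s in usable if s in client_offer), None)

if __name__ == "__main__":
    # Assumed: a Let's Encrypt certificate issued for an EC key, so ECDSA auth only.
    ok, bad = usable_suites(POSTCONF_N_CIPHERLIST, {"ECDSA"})
    print("offerable with EC cert:", ok)
    print("need an RSA certificate:", bad)
    print("client offering DHE-RSA-AES256-GCM-SHA384 gets:",
          shared_cipher(POSTCONF_N_CIPHERLIST, {"ECDSA"}, ["DHE-RSA-AES256-GCM-SHA384"]))
```

Postfix can serve an RSA certificate alongside the EC one (smtpd_tls_cert_file next to smtpd_tls_eccert_file), which is what makes the *-RSA-* suites negotiable again for peers that only offer those.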
  </body>
</html>