Postfix says "Cannot start TLS: handshake failure" when trying to send to Exchange 2007 server

Postfix says "Cannot start TLS: handshake failure" when trying to send to Exchange 2007 server

SysAdmin EM
I use Postfix as an SMTP server, in the last few days I have started to see an error delivering mail to some servers.

I am trying to deliver an email to a server with Microsoft Exchange 2007 and I receive the following message.

> Nov 30 15:29:40 smarthost04-ded postfix-out/qmgr[9305]: 56253920A60: from=<[hidden email]>, size=7238, nrcpt=1 (queue active)
> Nov 30 15:29:40 smarthost04-ded postfix/smtp[9335]: 32FEC920C41: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.24, delays=0.1/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 56253920A60)
> Nov 30 15:29:40 smarthost04-ded postfix-out/smtp[9312]: 56253920A60: Cannot start TLS: handshake failure
> Nov 30 15:29:40 smarthost04-ded postfix-out/smtp[9312]: 56253920A60: to=<[hidden email]>, relay=exet02.hostmar.com[200.58.120.69]:25, delay=0.12, delays=0.09/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

I have read the documentation but I cannot understand why this error occurs.

This is my configuration

```
postconf mail_version
mail_version = 3.5.2

smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_protocols = !SSLv2:!SSLv3
smtpd_tls_cert_file = /etc/pki/tls/certs/linux.ferozo.com.pem
smtpd_tls_key_file = /etc/pki/tls/private/linux.ferozo.com.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtpd_ssl_cache
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtp_ssl_cache

```

Here I make a connection to the destination server

```
posttls-finger -c -Ldebug "exet02.hostmar.com"
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: SSL_connect:before/connect initialization
posttls-finger: SSL_connect:SSLv2/v3 write client hello A
posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection
```
Any ideas??

Regards,

Re: Postfix says "Cannot start TLS: handshake failure" when trying to send to Exchange 2007 server

@lbutlr
On 30 Nov 2020, at 12:07, SysAdmin EM <[hidden email]> wrote:
> TLS: handshake failure Nov 30 15:29:40 smarthost04-ded

> I have read the documentation but I cannot understand why this error occurs.

Because the server running thirteen-year-old software does not support valid encryption methods.

Here is an article from 4 ½ years ago.

<https://dirteam.com/dave/2016/04/11/the-end-is-nigh-for-exchange-2007/>
Another potentially important tidbit is that Exchange 2007 SMTP, IMAP and POP3 do not support TLS1.1 and TLS1.2

Nothing you can do but tell them if they want encrypted mail delivery, they have to update their ancient and decrepit software.

--
I went down the street to the 24-hour grocery. When I got there, the
        guy was locking the front door. I said, "Hey, the sign says
        you're open 24 hours." He said, "Yes, but not in a row." --
        Steven Wright


Re: Postfix says "Cannot start TLS: handshake failure" when trying to send to Exchange 2007 server

Michael-4
In reply to this post by SysAdmin EM

Several years ago, I had trouble delivering to an old exchange server while trying to enforce TLS. I'm not sure if this applies to your situation, but this worked for me.

In main.cf, I have

```
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
```

In tls_policy, I added

```
domainname  encrypt ciphers=low exclude=MD5:SRP:PSK:aDSS:kECDH:kDH:SEED:IDEA:RC2
```

On 2020-11-30 1:07 pm, SysAdmin EM wrote:
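As an added example (not code from the thread or from the Postfix project), here is a small POSIX shell script that turns the per-destination policy approach from the reply above into something repeatable: it picks the destinations that Postfix deferred with "Cannot start TLS: handshake failure" out of the mail log (the same log format as in the original post) and emits one smtp_tls_policy_maps entry per affected next-hop domain, so the relaxed TLS parameters apply to that one peer while the global smtp_tls_protocols and smtp_tls_exclude_ciphers in main.cf stay in force for every other destination. The log lines, the example.org/example.net/example.com destinations and the function names are constructed for the example. The `protocols=TLSv1` attribute is an assumption layered on top of the policy line in the reply, on the basis stated earlier in the thread that Exchange 2007 does not support TLS 1.1/1.2; confirm it against the real peer before deploying.

```shell
#!/bin/sh
# Added example, not code from the thread: find the destinations Postfix is
# deferring on "Cannot start TLS: handshake failure" and emit a per-destination
# smtp_tls_policy_maps entry for each one. The point of the policy map is
# scope: the relaxed TLS parameters apply only to the listed next-hop domain,
# while main.cf's smtp_tls_protocols / smtp_tls_exclude_ciphers stay in force
# for every other destination.

# Constructed log sample in the format of the lines posted in the thread
# (example.org, example.net and example.com are placeholder destinations).
SAMPLE_LOG='Nov 30 15:29:40 smarthost04-ded postfix-out/smtp[9312]: 56253920A60: Cannot start TLS: handshake failure
Nov 30 15:29:40 smarthost04-ded postfix-out/smtp[9312]: 56253920A60: to=<alice@example.org>, relay=mx1.example.org[192.0.2.25]:25, delay=0.12, delays=0.09/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Nov 30 15:30:02 smarthost04-ded postfix-out/smtp[9313]: 7A1C3920B12: to=<bob@example.net>, relay=mx.example.net[203.0.113.10]:25, delay=0.8, delays=0.1/0/0.2/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Nov 30 15:30:10 smarthost04-ded postfix-out/smtp[9312]: 9B2D4920C33: to=<carol@example.org>, relay=mx1.example.org[192.0.2.25]:25, delay=0.11, delays=0.08/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Nov 30 15:31:00 smarthost04-ded postfix-out/smtp[9314]: D4E5F920D44: to=<dave@example.com>, relay=mail.example.com[198.51.100.7]:25, delay=30, delays=0.1/0/30/0, dsn=4.4.2, status=deferred (lost connection with mail.example.com[198.51.100.7] while receiving the initial server greeting)'

# Print "<next-hop domain> <relay host>" once per destination that was
# deferred on a TLS handshake failure. Other deferrals (the 4.4.2 timeout
# above, for instance) are ignored: a TLS policy entry does not fix them.
# The policy map is keyed by the next-hop destination Postfix resolved, which
# for plain MX delivery is the recipient domain, not the MX hostname that
# appears as relay=.
tls_deferred_destinations() {
    printf '%s\n' "$1" |
    grep -F 'status=deferred (Cannot start TLS: handshake failure)' |
    sed -n 's/.*to=<[^@>]*@\([^>]*\)>, relay=\([^[]*\)\[.*/\1 \2/p' |
    sort -u
}

# One smtp_tls_policy_maps line for a destination. "encrypt" keeps TLS
# mandatory for this peer, so if even the relaxed settings fail the mail stays
# queued instead of going out in cleartext. ciphers=low and the exclude= list
# are the entry from the reply in the thread; protocols=TLSv1 is an added
# assumption that limits the handshake to TLS 1.0 for a peer that cannot do
# TLS 1.1/1.2.
tls_policy_entry() {
    printf '%s\tencrypt ciphers=low protocols=TLSv1 exclude=MD5:SRP:PSK:aDSS:kECDH:kDH:SEED:IDEA:RC2\n' "$1"
}

# Render the whole table from a log. Write the output to
# /etc/postfix/tls_policy, then run "postmap /etc/postfix/tls_policy" and
# "postfix reload". Lines starting with "#" are comments to postmap.
tls_policy_table() {
    tls_deferred_destinations "$1" |
    while read -r domain relay; do
        printf '# %s: MX host %s deferred on TLS handshake failure\n' "$domain" "$relay"
        tls_policy_entry "$domain"
    done
}

tls_policy_table "$SAMPLE_LOG"
```

Before installing an entry, test the same parameters against the peer from the command line, for example `posttls-finger -c -l encrypt -p TLSv1 -g low exet02.hostmar.com`, which applies the security level, protocol list and cipher grade without touching main.cf. Two caveats: if the system-wide OpenSSL configuration already enforces a TLS 1.2 minimum (several distributions ship that default), TLS 1.0 cannot be re-enabled from Postfix alone; and the thread's own log shows what a handshake failure does at level `may`, namely a 4.7.5 deferral rather than cleartext delivery, so the only way to get such mail out without TLS is an explicit `none` level for that destination, which trades confidentiality for delivery and should be a deliberate, documented choice.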