Problem with starttls / orange.fr


Problem with starttls / orange.fr

DEPRÉ Gaëtan - NGServers.com

Hi !

 

While trying to send an email to [hidden email], I get this error log :

 

Mar 30 06:47:39 mail postfix/qmgr[18959]: 29D0248A23DC: from=[hidden email], size=93541, nrcpt=1 (queue active)

Mar 30 06:47:39 mail postfix/smtp[24365]: SSL_connect error to smtp-in.orange.fr[80.12.242.9]:25: -1

Mar 30 06:47:39 mail postfix/smtp[24365]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

Mar 30 06:47:39 mail postfix/smtp[24365]: 29D0248A23DC: Cannot start TLS: handshake failure

Mar 30 06:47:39 mail postfix/smtp[24365]: SSL_connect error to smtp-in.orange.fr[193.252.22.65]:25: -1

Mar 30 06:47:39 mail postfix/smtp[24365]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

Mar 30 06:47:39 mail postfix/smtp[24365]: 29D0248A23DC: to=[hidden email], relay=smtp-in.orange.fr[193.252.22.65]:25, delay=0.52, delays=0.29/0.01/0.22/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

Mar 30 06:47:41 mail postfix/submission/smtpd[24351]: disconnect from lfbn-nan-xxx.abo.wanadoo.fr[xx.yy.zz.xx] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8

 

After a few minutes, without doing anything, I get this :

 

Mar 30 06:56:16 mail postfix/qmgr[18959]: 29D0248A23DC: from=[hidden email], size=93541, nrcpt=1 (queue active)

Mar 30 06:56:17 mail postfix/smtp[24509]: SSL_connect error to smtp-in.orange.fr[193.252.22.65]:25: -1

Mar 30 06:56:17 mail postfix/smtp[24509]: warning: TLS library problem: error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1929:

Mar 30 06:56:17 mail postfix/smtp[24509]: 29D0248A23DC: Cannot start TLS: handshake failure

Mar 30 06:56:17 mail postfix/smtp[24509]: 29D0248A23DC: to=[hidden email], relay=smtp-in.orange.fr[193.252.22.65]:25, delay=518, delays=518/0.02/0.12/0.35, dsn=2.0.0, status=sent (250 2.0.0 mUwH240075Jsp0m01UwHze mail accepted for delivery)

Mar 30 06:56:17 mail postfix/qmgr[18959]: 29D0248A23DC: removed

 

The TLS part in main.cf :

 

### Outbound SMTP connections (Postfix as sender)

smtp_tls_security_level = dane

smtp_dns_support_level = dnssec

smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtp_tls_protocols = !SSLv2, !SLv3 TLSv1.1, TLSv1.2

smtp_tls_ciphers = high

smtp_tls_CAfile = /etc/letsencrypt/live/mymailserver.domain.dom/chain.pem

 

 

Any clue about this error ? Which cert do I use and that orange does not want ? Why is the email sent after a few attempts ?

 

Regards,

 

Gaetan


RE: Problem with starttls / orange.fr

Nick Tait

-------- Original message --------
 > smtp_tls_protocols = !SSLv2, !SLv3 TLSv1.1, TLSv1.2

You have several issues in the line above. I suggest removing this line and using the default setting?

Nick.


Re: Problem with starttls / orange.fr

Christian Kivalo
In reply to this post by DEPRÉ Gaëtan - NGServers.com


On March 30, 2021 7:08:39 AM GMT+02:00, "DEPRÉ Gaëtan - NGServers.com" <[hidden email]> wrote:

>Hi !
>
>
>
>While trying to send an email to [hidden email]
><mailto:[hidden email]> , I get this error log :
>
>
>
>Mar 30 06:47:39 mail postfix/qmgr[18959]: 29D0248A23DC:
>from=[hidden email]
><mailto:[hidden email]> , size=93541, nrcpt=1 (queue active)
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: SSL_connect error to
>smtp-in.orange.fr[80.12.242.9]:25: -1
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: warning: TLS library problem:
>error:1425F102:SSL routines:ssl_choose_client_version:unsupported
>protocol:../ssl/statem/statem_lib.c:1929:
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: 29D0248A23DC: Cannot start
>TLS:
>handshake failure
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: SSL_connect error to
>smtp-in.orange.fr[193.252.22.65]:25: -1
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: warning: TLS library problem:
>error:1425F102:SSL routines:ssl_choose_client_version:unsupported
>protocol:../ssl/statem/statem_lib.c:1929:
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: 29D0248A23DC:
>to=[hidden email],
>relay=smtp-in.orange.fr[193.252.22.65]:25, delay=0.52,
>delays=0.29/0.01/0.22/0, dsn=4.7.5, status=deferred (Cannot start TLS:
>handshake failure)
>
>Mar 30 06:47:41 mail postfix/submission/smtpd[24351]: disconnect from
>lfbn-nan-xxx.abo.wanadoo.fr[xx.yy.zz.xx] ehlo=2 starttls=1 auth=1
>mail=1
>rcpt=1 data=1 quit=1 commands=8
>
>
>
>After a few minutes, without doing anything, I get this :
>
>
>
>Mar 30 06:56:16 mail postfix/qmgr[18959]: 29D0248A23DC:
>from=[hidden email],
>size=93541, nrcpt=1 (queue active)
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: SSL_connect error to
>smtp-in.orange.fr[193.252.22.65]:25: -1
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: warning: TLS library problem:
>error:1425F102:SSL routines:ssl_choose_client_version:unsupported
>protocol:../ssl/statem/statem_lib.c:1929:
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: 29D0248A23DC: Cannot start
>TLS:
>handshake failure
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: 29D0248A23DC:
>to=[hidden email]
><mailto:[hidden email]> , relay=smtp-in.orange.fr[193.252.22.65]:25,
>delay=518, delays=518/0.02/0.12/0.35, dsn=2.0.0, status=sent (250 2.0.0
>mUwH240075Jsp0m01UwHze mail accepted for delivery)
>
>Mar 30 06:56:17 mail postfix/qmgr[18959]: 29D0248A23DC: removed
>
>
>
>The TLS part in main.cf :
>
>
>
>### Outbound SMTP connections (Postfix as sender)
>
>smtp_tls_security_level = dane
>
>smtp_dns_support_level = dnssec
>
>smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
>
>smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
>smtp_tls_protocols = !SSLv2, !SLv3 TLSv1.1, TLSv1.2
You have a missing "," after !SLv3 which also misses an "S"
And you exclude TLSv1 with which I can establish an encrypted connection to orange.fr
>
>smtp_tls_ciphers = high
>
>smtp_tls_CAfile =
>/etc/letsencrypt/live/mymailserver.domain.dom/chain.pem
You probably don't need client certificates.
>
>
>
>
>
>Any clue about this error ? Which cert do I use and that orange does
>not
>want ? Why is the email sent after a few attempts ?
Eventually the email is sent in plaintext without encryption.
>
>
>Regards,
>
>
>
>Gaetan

--
Christian Kivalo
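
The plaintext delivery described in the reply above can be spotted in the mail log. The following is an added example, not part of the original post: it flags messages that the same smtp process reports as "Cannot start TLS" and then as status=sent. The sample lines are constructed in the format of the log quoted in this thread, and the function name is hypothetical.

```python
import re

# Constructed sample lines in the format of the log quoted in this thread
# (host names, addresses and queue IDs are placeholders).
SAMPLE_LOG = """\
Mar 30 06:47:39 mail postfix/smtp[24365]: AAAA11112222: Cannot start TLS: handshake failure
Mar 30 06:47:39 mail postfix/smtp[24365]: AAAA11112222: to=<user@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.52, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Mar 30 06:56:17 mail postfix/smtp[24509]: AAAA11112222: Cannot start TLS: handshake failure
Mar 30 06:56:17 mail postfix/smtp[24509]: AAAA11112222: to=<user@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=518, dsn=2.0.0, status=sent (250 2.0.0 accepted)
Mar 30 07:01:02 mail postfix/smtp[24600]: BBBB33334444: to=<other@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 ok)
"""

LINE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)")
DELIVERY = re.compile(
    r"to=<?(?P<rcpt>[^>,]+)>?, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)"
)


def find_plaintext_fallbacks(log_text):
    """Return (queue ID, recipient, relay) for mail sent after a failed STARTTLS.

    Heuristic: one smtp process logs "Cannot start TLS" for a queue ID and
    then logs status=sent for the same queue ID.
    """
    tls_failed = set()  # (pid, queue ID) pairs with a failed handshake
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key = (m["pid"], m["qid"])
        if m["rest"].startswith("Cannot start TLS"):
            tls_failed.add(key)
            continue
        d = DELIVERY.search(m["rest"])
        if d and key in tls_failed:
            if d["status"] == "sent":
                findings.append((m["qid"], d["rcpt"], d["relay"]))
            tls_failed.discard(key)  # deferred or sent: this attempt is over
    return findings


if __name__ == "__main__":
    for qid, rcpt, relay in find_plaintext_fallbacks(SAMPLE_LOG):
        print(f"{qid}: delivered to {rcpt} via {relay} after TLS handshake failure")
```
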

Re: Problem with starttls / orange.fr

Christophe Wolfhugel
In reply to this post by Nick Tait
On 30/03/2021 07:35, Nick Tait wrote:
>   > smtp_tls_protocols = !SSLv2, !SLv3 TLSv1.1, TLSv1.2
>
> You have several issues in the line above. I suggest removing this line and using the default setting?

In addition to the configuration error, it is well known (at least here)
that smtp-in.orange.fr at best talks TLS 1.0.
--
Christophe Wolfhugel
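
The two points raised in this thread (a misspelled protocol name, and an inclusion list that leaves out TLSv1) can be checked mechanically. The following is an added example, not code from Postfix or from any poster: it parses an smtp_tls_protocols value in the name-list syntax shown above and reports unknown tokens and the protocols left enabled. It assumes the separators and names documented in postconf(5) and case-insensitive name matching; the function names are hypothetical.

```python
import re

# Protocol names postconf(5) documents for the name-list syntax.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def audit_protocols(value):
    """Return (enabled, unknown) for an smtp_tls_protocols value.

    In main.cf, tokens are separated by whitespace, commas or colons, and
    "!name" excludes a protocol. When any protocol is listed without "!",
    only the listed protocols stay enabled (minus the exclusions).
    """
    included, excluded, unknown = set(), set(), []
    for token in re.split(r"[\s,:]+", value.strip()):
        if not token:
            continue
        name = token.lstrip("!")
        # Assumption: names are matched without regard to case.
        canonical = next((k for k in KNOWN if k.lower() == name.lower()), None)
        if canonical is None:
            unknown.append(token)       # e.g. a misspelled "!SLv3"
        elif token.startswith("!"):
            excluded.add(canonical)
        else:
            included.add(canonical)
    base = included if included else set(KNOWN)
    enabled = [p for p in KNOWN if p in base and p not in excluded]
    return enabled, unknown


def common_protocols(value, peer_protocols):
    """Protocols both this setting and a peer support (peer set is an input)."""
    enabled, _ = audit_protocols(value)
    return [p for p in enabled if p in peer_protocols]


if __name__ == "__main__":
    posted = "!SSLv2, !SLv3 TLSv1.1, TLSv1.2"   # value quoted in the thread
    enabled, unknown = audit_protocols(posted)
    print("enabled:", enabled, "unknown tokens:", unknown)
    # Peer that offers at most TLS 1.0, as reported for this destination.
    print("overlap with TLSv1-only peer:", common_protocols(posted, {"TLSv1"}))
    print("with exclusions only:", common_protocols("!SSLv2, !SSLv3", {"TLSv1"}))
```
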