SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

"Frank J. Dürring"
Hello everyone,

By now I have read a lot about the SSL errors that get posted here every now and then, but I still don't understand it :-/
My new mail server (Postfix 2.11.3) is actually running quite well; it's just the SSL/TLS topic where I still have problems.

A customer received this from the sender of an e-mail:

Hi. This is the qmail-send program at post.ze.stw.de.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<[hidden email]>:
TLS not available: connect failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I'm not going to try again; this message has been in the queue too long.

--- Below this line is a copy of the message.

Return-Path: <[hidden email]>
Received: (qmail 30379 invoked by uid 1004); 1 Mar 2017 12:01:02 -0000
Received: from 10.244.66.16 by post.ze.stw.de (envelope-from <[hidden email]>, uid 82) with qmail-scanner-1.25st 
(clamdscan: 0.83/1293. spamassassin: 3.0.2. perlscan: 1.25st. 
Clear:RC:1(10.244.66.16):. 
Processed in 0.222746 secs); 01 Mar 2017 12:01:02 -0000
Received: from exchange.stw.de (HELO stwmsx01.stw.local) ([10.244.66.16])
(envelope-sender <[hidden email]>)
by post.ze.stw.de (qmail-ldap-1.03) with SMTP

The Postfix log file spits out the following about it.
I also have similar entries from other systems, e.g. from .monster.com, registerportal.de, etc.

Mar  1 12:08:48 mx1 postfix/smtpd[13562]: connect from gate.stw.de[213.61.174.210]
Mar  1 12:08:48 mx1 postfix/smtpd[13562]: SSL_accept error from gate.stw.de[213.61.174.210]: -1
Mar  1 12:08:48 mx1 postfix/smtpd[13562]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1440:
Mar  1 12:08:48 mx1 postfix/smtpd[13562]: lost connection after STARTTLS from gate.stw.de[213.61.174.210]
Mar  1 12:08:48 mx1 postfix/smtpd[13562]: disconnect from gate.stw.de[213.61.174.210]

I'm afraid I have set something in main.cf too aggressively.
Does anyone have a tip on how I can proceed?

Regards, Frank.


# See /usr/share/postfix/main.cf.dist for a commented, more complete version
[…]

smtp_dns_support_level = dnssec
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtp_tls_fingerprint_digest = SHA256
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane

smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_fingerprint_digest = SHA256
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may

smtpd_tls_cert_file = /etc/ssl/certs/server.crt
smtpd_tls_key_file = /etc/ssl/private/server.key

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        check_sender_access hash:/etc/postfix/check_sender,
        check_client_access hash:/etc/postfix/check_client,
        reject_unauth_destination,
        # check_policy_service unix:private/policy-spf,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_recipient_domain,
        reject_invalid_hostname,
        reject_unknown_hostname,
        reject_unauth_pipelining,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client cbl.abuseat.org,
        check_policy_service inet:127.0.0.1:12525,
        permit


Re: SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Fabian Schirmer
Hello Frank,

I'll assume we are talking here about the MXs that are (also?) responsible for your sender domain.

Well, for my personal taste, those are a bit too few ciphers that you are offering on mx1. Especially with TLS on port 25, one (unfortunately) very quickly runs the risk that the other side won't play along.

 SCAN RESULTS FOR MX1.W3MAN.COM:25
 ----------------------------------------------------------------
  * TLSV1_2 Cipher Suites:
      Preferred:                       
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
      Accepted:                        
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384           ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256           ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256           ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
  * TLSV1 Cipher Suites:
      Preferred:                       
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
      Accepted:                        
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
  * TLSV1_1 Cipher Suites:
      Preferred:                       
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
      Accepted:                        
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              ECDH-256 bits  128 bits      250 2.0.0 Ok                                                

and on mx2, in turn, a few too many (anon?? wtf!?):

 SCAN RESULTS FOR MX2.W3MAN.COM:25
 ---------------------------------------------------
  * TLSV1 Cipher Suites:
      Preferred:                       
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
      Accepted:                        
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-1024 bits   256 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_AES_256_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   256 bits      250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_AES_256_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_SEED_CBC_SHA                     DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_AES_128_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_SEED_CBC_SHA                     DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_RC4_128_SHA                    ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_RC4_128_SHA                    ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_RC4_128_MD5                      DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_RC4_128_SHA                          -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_RC4_128_MD5                          -              128 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  112 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   112 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      250 2.0.0 Ok                                                
  * TLSV1_1 Cipher Suites:
      Preferred:                       
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
      Accepted:                        
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-1024 bits   256 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   256 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_AES_256_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_AES_256_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_SEED_CBC_SHA                     DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_AES_128_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_SEED_CBC_SHA                     DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_RC4_128_SHA                    ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_RC4_128_SHA                    ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_RC4_128_MD5                      DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_RC4_128_SHA                          -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_RC4_128_MD5                          -              128 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  112 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   112 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      250 2.0.0 Ok                                                
  * TLSV1_2 Cipher Suites:
      Preferred:                       
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
      Accepted:                        
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384             ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384             ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                ECDH-256 bits  256 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_AES_256_GCM_SHA384               DH-1024 bits   256 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA256               DH-1024 bits   256 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-1024 bits   256 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   256 bits      250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_AES_256_GCM_SHA384               DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_AES_256_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_AES_256_CBC_SHA256               DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_AES_256_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_AES_256_CBC_SHA256                   -              256 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_AES_256_CBC_SHA                      -              256 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_AES_256_GCM_SHA384                   -              256 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_CAMELLIA_256_CBC_SHA                 -              256 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256             ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA256               DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_AES_128_GCM_SHA256               DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_AES_128_CBC_SHA                  DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_SEED_CBC_SHA                     DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   128 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_AES_128_CBC_SHA                ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_AES_128_GCM_SHA256               DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_AES_128_CBC_SHA256               DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_AES_128_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_SEED_CBC_SHA                     DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA             DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_AES_128_GCM_SHA256                   -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_AES_128_CBC_SHA256                   -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_AES_128_CBC_SHA                      -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_CAMELLIA_128_CBC_SHA                 -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_SEED_CBC_SHA                         -              128 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_RC4_128_SHA                    ECDH-256 bits  128 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_RC4_128_SHA                    ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_RC4_128_MD5                      DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_RC4_128_SHA                          -              128 bits      250 2.0.0 Ok                                                
        TLS_RSA_WITH_RC4_128_MD5                          -              128 bits      250 2.0.0 Ok                                                
        TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  112 bits      250 2.0.0 Ok                                                
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   112 bits      250 2.0.0 Ok                                                
        TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA               ECDH-256 bits  ANONYMOUS     250 2.0.0 Ok                                                
        TLS_DH_anon_WITH_3DES_EDE_CBC_SHA                 DH-1024 bits   ANONYMOUS     250 2.0.0 Ok                                                
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      250 2.0.0 Ok                                                


You should bear in mind that it's a bad idea to neglect the backup MX when it comes to config, because then the best concept as a whole is useless, or rather in vain.

It would also be best to check whether your DH parameter file "${config_directory}/dh4096.pem" is OK (present and readable by postfix), because the DHE ciphers are missing. Unless that is intentional.

I have the following in tls_exclude_ciphers:

= aNULL, eNULL, 3DES, RC4, kRSA, kSRP, kPSK

I'm of the opinion that the resulting ciphers are a good compromise between (still relatively) high security and nevertheless a bit of legacy support.

One must bear in mind, however, that the general view on SSL support and mail transit is that it's better to offer old, insecure ciphers than to run the risk of the sending system then switching to plaintext and thereby "bypassing" the TLS that was actually wanted. (Funnily and ironically, people see this quite differently when it comes to HTTPS: there, everything should preferably have been tomorrow's newest shit already yesterday.)

Everyone has to weigh up for themselves what's best there.

Regards, Fabian
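As an added example (not code from this thread), a small Python checker for scan output in the layout quoted above: it parses the accepted suites, flags the ones the reply objects to (anonymous key exchange, RC4, 3DES, MD5, 1024-bit DH), checks whether any DHE suite is offered at all (the DH parameter file question), and computes the intersection with a constructed legacy client offer, which is empty for an mx1-style list and is exactly what OpenSSL reports as "no shared cipher". The hostnames, both sample scans and the client offer are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the scan output quoted above:
# an mx1-style server that offers only ECDHE-ECDSA suites (placeholder host).
MX1_SCAN = """\
 SCAN RESULTS FOR MX1.EXAMPLE.TEST:25
  * TLSV1_2 Cipher Suites:
      Preferred:
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           ECDH-256 bits  256 bits      250 2.0.0 Ok
      Accepted:
        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384           ECDH-256 bits  256 bits      250 2.0.0 Ok
        TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA              ECDH-256 bits  128 bits      250 2.0.0 Ok
  * TLSV1 Cipher Suites:
      Accepted:
        TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA              ECDH-256 bits  256 bits      250 2.0.0 Ok
"""

# Constructed sample for a permissive backup MX: anon DH, RC4, 3DES, 1024-bit DH.
MX2_SCAN = """\
 SCAN RESULTS FOR MX2.EXAMPLE.TEST:25
  * TLSV1 Cipher Suites:
      Accepted:
        TLS_DHE_RSA_WITH_AES_256_CBC_SHA                  DH-1024 bits   256 bits      250 2.0.0 Ok
        TLS_DH_anon_WITH_AES_256_CBC_SHA                  DH-1024 bits   ANONYMOUS     250 2.0.0 Ok
        TLS_RSA_WITH_RC4_128_MD5                          -              128 bits      250 2.0.0 Ok
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      250 2.0.0 Ok
"""

SECTION_RE = re.compile(r"^\s*\*\s+(\S+) Cipher Suites:")
SUITE_RE = re.compile(r"^\s+(TLS_\S+)\s+((?:EC)?DH-\d+ bits|-)\s+(\d+ bits|ANONYMOUS)")


def parse_scan(text):
    """Return {protocol: {suite: (key_exchange, strength)}}; the 'Preferred'
    entry is merged into the accepted set, so each suite appears once."""
    suites = defaultdict(dict)
    proto = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = SUITE_RE.match(line)
        if m and proto:
            suites[proto][m.group(1)] = (m.group(2), m.group(3))
    return dict(suites)


def weak_suites(scan, min_dh_bits=2048):
    """Map each offered suite to the reasons it should be excluded."""
    findings = {}
    for proto_suites in scan.values():
        for name, (kx, strength) in proto_suites.items():
            reasons = []
            if strength == "ANONYMOUS" or "_anon_" in name:
                reasons.append("anonymous key exchange: no server authentication")
            if "RC4" in name:
                reasons.append("RC4 stream cipher")
            if "3DES" in name:
                reasons.append("3DES (112-bit effective strength)")
            if name.endswith("_MD5"):
                reasons.append("MD5-based MAC")
            if kx.startswith("DH-") and int(kx.split("-")[1].split()[0]) < min_dh_bits:
                reasons.append(f"finite-field DH group below {min_dh_bits} bits")
            if reasons:
                findings[name] = reasons
    return findings


def offers_dhe(scan):
    """True if any ephemeral finite-field DH suite is accepted; it is absent
    when the configured DH parameter file is missing or unreadable."""
    return any("_DHE_" in s for ps in scan.values() for s in ps)


def shared_suites(scan, client_offer):
    """Suites both sides support; an empty result is a 'no shared cipher' failure."""
    server = {s for ps in scan.values() for s in ps}
    return sorted(server & set(client_offer))


# Constructed offer of a legacy sender: RSA certificates only, no ECDSA/ECDHE.
LEGACY_CLIENT = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                 "TLS_DHE_RSA_WITH_AES_256_CBC_SHA"]

if __name__ == "__main__":
    for label, text in (("mx1", MX1_SCAN), ("mx2", MX2_SCAN)):
        scan = parse_scan(text)
        print(label, "weak:", weak_suites(scan), "DHE:", offers_dhe(scan),
              "shared with legacy client:", shared_suites(scan, LEGACY_CLIENT))
```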