I've got two servers communicating over SSL. Comms between them work if /etc/pki/tls/openssl.cnf includes

    Options = PrioritizeChaCha

but fail if 'ServerPreference' is added:

    Options = ServerPreference,PrioritizeChaCha

(cref: Undocumented openssl.cnf options and PrioritizeChaCha, https://blog.germancoding.com/2020/05/30/undocumented-openssl-cnf-options-and-prioritizechacha/ ; and from man SSL_CONF_cmd: "ServerPreference: use server and not client preference order when determining which cipher suite, signature algorithm or elliptic curve to use for an incoming connection. Equivalent to SSL_OP_CIPHER_SERVER_PREFERENCE. Only used by servers.")

I'm trying to understand expected behavior, and troubleshoot.

The 2 servers are

    postconf mail_version
    mail_version = 3.5.7

    dovecot --version
    2.3.10.1 (a3d0e1171)

They're on the same machine, which runs

    grep PRETTY /etc/os-release
    PRETTY_NAME="Fedora 32 (Server Edition)"

    openssl version
    OpenSSL 1.1.1g FIPS 21 Apr 2020

Dovecot's configured to listen for SMTP submissions on its own submission proxy port 60465. Dovecot then re-submits the message to Postfix, on submission port 465.

The openssl cnf contains

    /etc/pki/tls/openssl.cnf
    openssl_conf = default_conf
    [default_conf]
    ssl_conf = ssl_sect
    [ssl_sect]
    system_default = system_default_sect
    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
    Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
    Options = PrioritizeChaCha

With that^^ config, message submit

    cat ~/test.eml | msmtp -a internal testrecipient@xxxxxxxxxxx

to dovecot:60465 succeeds.
Postfix logs report no probs,

    Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: connect from internal.mx.example.com[10.0.1.50]
    Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: Trusted TLS connection established from internal.mx.example.com[10.0.1.50]: TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384
    Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: 4BxVWX41svzWf7g: client=internal.mx.example.com[10.0.1.50]
    Sep 23 13:43:36 mx postfix/qmgr[27295]: 4BxVWX41svzWf7g: from=<testsender@xxxxxxxxxxx>, size=583, nrcpt=1 (queue active)
    Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: disconnect from internal.mx.example.com[10.0.1.50] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    Sep 23 13:43:36 mx postfix/lmtp[27329]: 4BxVWX41svzWf7g: to=<testrecipient@xxxxxxxxxxx>, relay=mx.example.com[private/dovecot-lmtp], delay=0.03, delays=0.01/0.01/0/0.01, dsn=2.0.0, status=sent (250 2.0.0 <testrecipient@xxxxxxxxxxx> kPB/Iniza1/YaQAA+IOfAw Saved)
    Sep 23 13:43:36 mx postfix/qmgr[27295]: 4BxVWX41svzWf7g: removed

and the message _is_ delivered to final destination without error. Mail flows -- in- & out-bound -- without interruption.
OTOH, if, as mentioned above, I simply change

    - Options = PrioritizeChaCha
    + Options = ServerPreference,PrioritizeChaCha

then otherwise-identical submission to dovecot:60465 fails,

    cat ~/test.eml | msmtp -a internal testrecipient@xxxxxxxxxxx
    msmtp: envelope from address testsender@xxxxxxxxxxx not accepted by the server
    msmtp: server message: 421 4.4.0 internal.mx.example.com Failed to establish relay connection
    msmtp: could not send mail (account internal from /etc/msmtprc)

and in Postfix logs,

    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: connect from internal.mx.example.com[10.0.1.50]
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: setting up TLS connection from internal.mx.example.com[10.0.1.50]
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: internal.mx.example.com[10.0.1.50]: TLS cipher list "TTLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL"
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept:before SSL initialization
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept:error in error
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept error from internal.mx.example.com[10.0.1.50]: -1
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: lost connection after CONNECT from internal.mx.example.com[10.0.1.50]
    Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: disconnect from internal.mx.example.com[10.0.1.50] commands=0/0

IIUC (?) that^^ _is_ an SSL error, reported by Postfix, and preventing the send 'tween Dovecot & Postfix.

1st, is there any reason to expect that use of "Options = ServerPreference" should _not_ work here? If not, then what's a likely cause of the problem?
At this point, I'm not clear if this is Postfix, Dovecot, OpenSSL, or some combo. &/or, what additional info's required to determine further?
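As an added example (not from the original post, nor Postfix or Dovecot code), a small Python 3.8+ triage script that walks Postfix smtpd log lines of the shape shown above and reports, per smtpd process, whether the TLS handshake was established (and with which protocol and cipher) or failed (and which OpenSSL library error was logged). The sample lines are constructed from the post's output; the regexes assume the default syslog prefix and Postfix's log wording.

```python
"""Triage Postfix smtpd TLS outcomes per process from log lines (added example)."""
import re
from collections import OrderedDict

# Constructed sample, modelled on the postfix/smtpd lines quoted in the post.
SAMPLE_LOG = """\
Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: connect from internal.mx.example.com[10.0.1.50]
Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: Trusted TLS connection established from internal.mx.example.com[10.0.1.50]: TLSv1.3 with cipher TLS_CHACHA20_POLY1305_SHA256 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
Sep 23 13:43:36 mx postfix/submit-from-dovecot-proxy/smtpd[27325]: disconnect from internal.mx.example.com[10.0.1.50] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: connect from internal.mx.example.com[10.0.1.50]
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: setting up TLS connection from internal.mx.example.com[10.0.1.50]
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept error from internal.mx.example.com[10.0.1.50]: -1
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: disconnect from internal.mx.example.com[10.0.1.50] commands=0/0
"""

# syslog prefix: "<Mon DD HH:MM:SS> <host> postfix/<service>/smtpd[<pid>]: <msg>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ (?P<prog>postfix/\S+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ESTABLISHED_RE = re.compile(r"(?P<trust>\w+) TLS connection established from (?P<peer>\S+): "
                            r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+) \((?P<bits>[\d/]+) bits\)")
# OpenSSL error string: error:<hex code>:<library>:<function>:<reason>:...
LIBERR_RE = re.compile(r"TLS library problem: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+):")
PEER_RE = re.compile(r"from (?P<peer>\S+\[[\d.:a-fA-F]+\])")


def triage(log_text):
    """Return an ordered {pid: summary} mapping; summary['status'] is one of
    'no-tls', 'handshake-started', 'established' or 'handshake-failed'."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Postfix line; ignore
        pid, msg = m.group("pid"), m.group("msg")
        s = sessions.setdefault(pid, {"pid": pid, "peer": None, "status": "no-tls", "errors": []})
        peer = PEER_RE.search(msg)
        if peer and s["peer"] is None:
            s["peer"] = peer.group("peer")
        if (e := ESTABLISHED_RE.search(msg)):
            s.update(status="established", trust=e.group("trust"), proto=e.group("proto"),
                     cipher=e.group("cipher"), bits=e.group("bits"))
        elif msg.startswith("setting up TLS connection"):
            s["status"] = "handshake-started"
        elif msg.startswith("SSL_accept error"):
            s["status"] = "handshake-failed"
        elif (e := LIBERR_RE.search(msg)):
            s["errors"].append({"code": e.group("code"), "func": e.group("func"), "reason": e.group("reason")})
        elif msg.startswith("disconnect") and "commands=0/0" in msg and s["status"] != "established":
            s["status"] = "handshake-failed"  # client went away before any SMTP command
    return sessions


if __name__ == "__main__":
    for pid, s in triage(SAMPLE_LOG).items():
        print(pid, s["peer"], s["status"], s.get("proto"), s.get("cipher"), s["errors"])
```

Feed it `journalctl -u postfix --no-pager` or /var/log/maillog output instead of SAMPLE_LOG to compare the established and failed sessions side by side; a `ssl3_get_record:wrong version number` entry means the first bytes the server read were not a TLS record of a version it accepts.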