On Wed, Sep 23, 2020 at 02:11:50PM -0700, PGNet Dev wrote:

> /etc/pki/tls/openssl.cnf
> openssl_conf = default_conf
>
> [default_conf]
> ssl_conf = ssl_sect
>
> [ssl_sect]
> system_default = system_default_sect
>
> [system_default_sect]
> MinProtocol = TLSv1.2
> CipherString = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256
> Ciphersuites = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256
>
> Options = PrioritizeChaCha

Distros have gotten rather enthusiastic of late to turn up the crypto
to 11.  This does not always yield good results. :-(

I'd be tempted to drop most if not all of those settings, they're not
email-friendly.

> OTOH, if, as mentioned above, I simply change
>
> - Options = PrioritizeChaCha
> + Options = ServerPreference,PrioritizeChaCha
>
> , then otherwise-identical submission to dovecot:60465 fails,
>
> and in postfix logs,
>
> Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: connect from internal.mx.example.com[10.0.1.50]
> Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: setting up TLS connection from internal.mx.example.com[10.0.1.50]
> Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: internal.mx.example.com[10.0.1.50]: TLS cipher list "TTLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL"
> Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept:before SSL initialization
> Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept:error in error
> Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: SSL_accept error from internal.mx.example.com[10.0.1.50]: -1
> Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:331:
> Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: lost connection after CONNECT from internal.mx.example.com[10.0.1.50]
> Sep 23 13:45:42 mx postfix/submit-from-dovecot-proxy/smtpd[27011]: disconnect from internal.mx.example.com[10.0.1.50] commands=0/0

That's rather more verbose than default Postfix TLS logging, I hope it
is temporary.  Are you sure the third line is copied correctly into
your post?

> Sep 23 13:45:42 mx
> postfix/submit-from-dovecot-proxy/smtpd[27011]:
> internal.mx.example.com[10.0.1.50]: TLS cipher list
> "TTLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL"

That cipherlist has an extra "T" in front of the TLS 1.3 ChaCha
cipher, that should not be there...  Also, Postfix has no knowledge of
TLS 1.3 cipher suites, Postfix has cipher configuration knobs only for
the TLS <= 1.2 ciphers, so I don't know how that particular string
ended up in your logs.

Is there something in your Postfix configuration that resembles that
particular blob?  If so, it should not be there...

-- 
    Viktor.
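A small check, added here as an illustration and not part of the thread above: it hands a cipher string to the OpenSSL that Python's ssl module is linked against (the same SSL_CTX_set_cipher_list() call Postfix makes for its TLS <= 1.2 cipher lists) and reports which tokens OpenSSL actually honoured. The caveat it demonstrates is that OpenSSL silently drops tokens it does not recognise, so a mistyped name such as the "TTLS13-..." token in the logged string is not an error by itself; the call only fails outright when no TLS <= 1.2 cipher remains. The function and report-key names are my own; the sample inputs are the logged cipher list quoted above and a constructed typo-only variant.

```python
import ssl


def tls12_ciphers_enabled(cipher_list):
    """Ask the linked OpenSSL which TLS <= 1.2 ciphers `cipher_list` turns on.

    OpenSSL silently drops tokens it does not recognise and only fails
    (ssl.SSLError, "No cipher can be selected") when no TLS <= 1.2 cipher
    survives.  TLS 1.3 suites come from the separate Ciphersuites list, so
    they are filtered out of the answer here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # wraps SSL_CTX_set_cipher_list()
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_list(cipher_list):
    """Report which requested tokens OpenSSL honoured and which it ignored.

    Returns a dict with:
      enabled - TLS <= 1.2 cipher names actually selected
      ignored - requested tokens matching no enabled cipher name (typos,
                TLS 1.3 suite names and aliases such as HIGH all land here)
      tls13   - tokens that look like TLS 1.3 suite names, which a
                TLS <= 1.2 cipher list cannot express
      error   - OpenSSL's message when nothing could be selected, else None
    """
    tokens = [t for t in cipher_list.split(":") if t]
    # '!', '-', '+' and '@' prefixes are list modifiers, not cipher names.
    requested = [t for t in tokens if t[0] not in "!-+@"]
    error = None
    try:
        enabled = tls12_ciphers_enabled(cipher_list)
    except ssl.SSLError as exc:
        enabled, error = [], str(exc)
    return {
        "enabled": enabled,
        "ignored": [t for t in requested if t not in enabled],
        "tls13": [t for t in requested if t.startswith("TLS_") or "TLS13" in t],
        "error": error,
    }


if __name__ == "__main__":
    # Constructed inputs: the string from the quoted log line, with its
    # stray leading "T", and a variant containing only the mistyped token.
    SAMPLES = {
        "logged": "TTLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL",
        "typo only": "TTLS13-CHACHA20-POLY1305-SHA256",
    }
    for label, cipher_list in SAMPLES.items():
        report = audit_cipher_list(cipher_list)
        print(f"{label}: enabled={report['enabled']} "
              f"ignored={report['ignored']} error={report['error']}")
```

Run against a production cipher string, a non-empty "ignored" list that is not explained by aliases is the thing to chase: it means the string asks for something OpenSSL cannot deliver, and the connection will quietly negotiate from whatever is left.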