We check if your receiving mail servers (MX) enforce their own cipher preference ('I'), and offer ciphers in accordance with the prescribed ordering ('II').
If your mail servers support 'Good' ciphers only, this test is not applicable as the ordering has no significant security advantage.
I haven't manually changed any Cipher Ordering.
Relevant configuration:
PERMIT_DOCKER=
# empty => modern
# modern => Enables TLSv1.2 and modern ciphers only. (default)
# intermediate => Enables TLSv1, TLSv1.1 and TLSv1.2 and broad compatibility ciphers.
# old => NOT implemented. If you really need it, then customize the TLS ciphers overriding postfix and dovecot settings
# (https://github.com/tomav/docker-mailserver/wiki/)
TLS_LEVEL=
# Please read [the SSL page in the wiki](https://github.com/tomav/docker-mailserver/wiki/Configure-SSL) for more information.
#
# empty => SSL disabled
# letsencrypt => Enables Let's Encrypt certificates
# custom => Enables custom certificates
# manual => Lets you manually specify locations of your SSL certificates for non-standard cases
# self-signed => Enables self-signed certificates
SSL_TYPE=letsencrypt
Image in use:
tvial/docker-mailserver latest 4b4724934af6 3 weeks ago 544MB

What image are you running and what are your settings for SSL/TLS?
Added that. Also, TLS works (for instance with Google sending me TLS reports), it might be just not bullet-proof.
According to https://tribut.de/blog/secure-your-services-using-sane-cipher-ordering we should set this for Postfix:
tls_preempt_cipherlist = yes
And this for Dovecot:
ssl_prefer_server_ciphers = yes
Perhaps you could add the options as overrides in the config/xxx files and see if it helps? If it does help we can add it to the real image.
Thanks for digging this out. For Postfix I had to set:
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
tls_preempt_cipherlist and smtpd_tls_mandatory_ciphers alone didn't fix it.
Resulting in passing this test (Cipher Order) _and_ the DH-KEX test (#1412)

Running this configuration now to see if there are any interop issues (which I am going to report here). For me, security matters first. It should never happen that a MITM can eavesdrop on e-mail communication when it is pretended to be encrypted (allowing that would be a violation of EU-GDPR, I think).
Here is the log during the test (fail):
Mar 3 11:39:14 mail postfix/master[1030]: daemon started -- version 3.1.12, configuration /etc/postfix
Mar 3 11:39:28 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7166 to [192.168.80.3]:25
Mar 3 11:39:28 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7166
Mar 3 11:39:28 mail postfix/smtpd[1073]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:28 mail postfix/smtpd[1073]: lost connection after CONNECT from internet.nl[62.204.66.10]
Mar 3 11:39:28 mail postfix/smtpd[1073]: disconnect from internet.nl[62.204.66.10] commands=0/0
Mar 3 11:39:33 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7192 to [192.168.80.3]:25
Mar 3 11:39:33 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7192
Mar 3 11:39:33 mail postfix/smtpd[1073]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:33 mail postfix/smtpd[1073]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:39:33 mail postfix/smtpd[1073]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
Mar 3 11:39:33 mail postfix/smtpd[1073]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:33 mail postfix/smtpd[1073]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:39:33 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7194 to [192.168.80.3]:25
Mar 3 11:39:33 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7194
Mar 3 11:39:33 mail postfix/smtpd[1073]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1073]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:39:34 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7196 to [192.168.80.3]:25
Mar 3 11:39:34 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7196
Mar 3 11:39:34 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1096]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:39:34 mail postfix/smtpd[1096]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=1 commands=2
Mar 3 11:39:34 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7198 to [192.168.80.3]:25
Mar 3 11:39:34 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7198
Mar 3 11:39:34 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1096]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:39:34 mail postfix/smtpd[1096]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=1 commands=2
Mar 3 11:39:34 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7200 to [192.168.80.3]:25
Mar 3 11:39:34 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7200
Mar 3 11:39:34 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1096]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:39:34 mail postfix/smtpd[1096]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:989:
Mar 3 11:39:34 mail postfix/smtpd[1096]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:39:34 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7204 to [192.168.80.3]:25
Mar 3 11:39:34 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7204
Mar 3 11:39:34 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1096]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:39:34 mail postfix/smtpd[1096]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:989:
Mar 3 11:39:34 mail postfix/smtpd[1096]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:39:34 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7210 to [192.168.80.3]:25
Mar 3 11:39:34 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7210
Mar 3 11:39:34 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1096]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:39:34 mail postfix/smtpd[1096]: warning: TLS library problem: error:1417D18C:SSL routines:tls_process_client_hello:version too low:../ssl/statem/statem_srvr.c:989:
Mar 3 11:39:34 mail postfix/smtpd[1096]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:34 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:39:34 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7212 to [192.168.80.3]:25
Mar 3 11:39:34 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7212
Mar 3 11:39:35 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:35 mail postfix/smtpd[1096]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:39:35 mail postfix/smtpd[1096]: warning: TLS library problem: error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:953:
Mar 3 11:39:35 mail postfix/smtpd[1096]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:35 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:39:35 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7216 to [192.168.80.3]:25
Mar 3 11:39:35 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7216
Mar 3 11:39:35 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:35 mail postfix/smtpd[1096]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:39:35 mail postfix/smtpd[1096]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:35 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=1 commands=2
Mar 3 11:39:35 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7218 to [192.168.80.3]:25
Mar 3 11:39:35 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7218
Mar 3 11:39:35 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:35 mail postfix/smtpd[1096]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:39:35 mail postfix/smtpd[1096]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:35 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=1 commands=2
Mar 3 11:39:35 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7220 to [192.168.80.3]:25
Mar 3 11:39:35 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7220
Mar 3 11:39:35 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:35 mail postfix/smtpd[1096]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:39:35 mail postfix/smtpd[1096]: lost connection after EHLO from internet.nl[62.204.66.10]
Mar 3 11:39:35 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=2 starttls=1 commands=3
Mar 3 11:39:35 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7222 to [192.168.80.3]:25
Mar 3 11:39:35 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7222
Mar 3 11:39:35 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:35 mail postfix/smtpd[1096]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:39:35 mail postfix/smtpd[1096]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:35 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=1 commands=2
Mar 3 11:39:35 mail postfix/postscreen[1063]: CONNECT from [62.204.66.10]:7224 to [192.168.80.3]:25
Mar 3 11:39:35 mail postfix/postscreen[1063]: PASS OLD [62.204.66.10]:7224
Mar 3 11:39:35 mail postfix/smtpd[1096]: connect from internet.nl[62.204.66.10]
Mar 3 11:39:36 mail postfix/smtpd[1096]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:39:36 mail postfix/smtpd[1096]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:36 mail postfix/smtpd[1096]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=1 commands=2
Mar 3 11:39:36 mail postfix/smtpd[1073]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:39:36 mail postfix/smtpd[1073]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=1 commands=2
And pass:
Mar 3 11:45:32 mail postfix/master[1031]: daemon started -- version 3.1.12, configuration /etc/postfix
Mar 3 11:45:41 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8854 to [192.168.80.3]:25
Mar 3 11:45:42 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8854
Mar 3 11:45:42 mail postfix/smtpd[1058]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:42 mail postfix/smtpd[1058]: lost connection after CONNECT from internet.nl[62.204.66.10]
Mar 3 11:45:42 mail postfix/smtpd[1058]: disconnect from internet.nl[62.204.66.10] commands=0/0
Mar 3 11:45:47 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8874 to [192.168.80.3]:25
Mar 3 11:45:47 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8874
Mar 3 11:45:47 mail postfix/smtpd[1058]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:47 mail postfix/smtpd[1058]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:47 mail postfix/smtpd[1058]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
Mar 3 11:45:47 mail postfix/smtpd[1058]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:47 mail postfix/smtpd[1058]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:47 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8876 to [192.168.80.3]:25
Mar 3 11:45:47 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8876
Mar 3 11:45:47 mail postfix/smtpd[1058]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:47 mail postfix/smtpd[1058]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:47 mail postfix/smtpd[1058]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
Mar 3 11:45:47 mail postfix/smtpd[1058]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:47 mail postfix/smtpd[1058]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:47 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8878 to [192.168.80.3]:25
Mar 3 11:45:47 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8878
Mar 3 11:45:47 mail postfix/smtpd[1058]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:47 mail postfix/smtpd[1058]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:45:47 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8880 to [192.168.80.3]:25
Mar 3 11:45:47 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8880
Mar 3 11:45:48 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:48 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
Mar 3 11:45:48 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:48 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8884 to [192.168.80.3]:25
Mar 3 11:45:48 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8884
Mar 3 11:45:48 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:48 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
Mar 3 11:45:48 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:48 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8886 to [192.168.80.3]:25
Mar 3 11:45:48 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8886
Mar 3 11:45:48 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:48 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
Mar 3 11:45:48 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:48 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8888 to [192.168.80.3]:25
Mar 3 11:45:48 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8888
Mar 3 11:45:48 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:48 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:989:
Mar 3 11:45:48 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:48 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8890 to [192.168.80.3]:25
Mar 3 11:45:48 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8890
Mar 3 11:45:48 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:48 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:989:
Mar 3 11:45:48 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:48 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8892 to [192.168.80.3]:25
Mar 3 11:45:48 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8892
Mar 3 11:45:48 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:48 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417D18C:SSL routines:tls_process_client_hello:version too low:../ssl/statem/statem_srvr.c:989:
Mar 3 11:45:48 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:48 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8894 to [192.168.80.3]:25
Mar 3 11:45:48 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8894
Mar 3 11:45:48 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:48 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417D0FC:SSL routines:tls_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:953:
Mar 3 11:45:48 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:48 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8896 to [192.168.80.3]:25
Mar 3 11:45:48 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8896
Mar 3 11:45:48 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:48 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
Mar 3 11:45:48 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:48 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8898 to [192.168.80.3]:25
Mar 3 11:45:48 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8898
Mar 3 11:45:48 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:45:48 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:48 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=1 commands=2
Mar 3 11:45:48 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8900 to [192.168.80.3]:25
Mar 3 11:45:48 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8900
Mar 3 11:45:48 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1086]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:45:49 mail postfix/smtpd[1086]: lost connection after EHLO from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=2 starttls=1 commands=3
Mar 3 11:45:49 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8902 to [192.168.80.3]:25
Mar 3 11:45:49 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8902
Mar 3 11:45:49 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1086]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 3 11:45:49 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=1 commands=2
Mar 3 11:45:49 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8904 to [192.168.80.3]:25
Mar 3 11:45:49 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8904
Mar 3 11:45:49 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: -1
Mar 3 11:45:49 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
Mar 3 11:45:49 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:49 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8906 to [192.168.80.3]:25
Mar 3 11:45:49 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8906
Mar 3 11:45:49 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: lost connection
Mar 3 11:45:49 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:49 mail postfix/postscreen[1050]: CONNECT from [62.204.66.10]:8908 to [192.168.80.3]:25
Mar 3 11:45:49 mail postfix/postscreen[1050]: PASS OLD [62.204.66.10]:8908
Mar 3 11:45:49 mail postfix/smtpd[1086]: connect from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1086]: SSL_accept error from internet.nl[62.204.66.10]: lost connection
Mar 3 11:45:49 mail postfix/smtpd[1086]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1086]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Mar 3 11:45:49 mail postfix/smtpd[1058]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Mar 3 11:45:49 mail postfix/smtpd[1058]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=1 commands=2
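Added example, not part of the original thread: a small Python summarizer for Postfix smtpd logs like the two runs above, tallying negotiated ciphers, key-exchange families and OpenSSL handshake failure reasons so the effect of a cipher override can be compared before and after. The sample lines are copied from the logs in this thread; the function and variable names are illustrative.

```python
import re
from collections import Counter

# Successful handshake: "... TLS connection established from host[ip]: PROTO with cipher NAME"
ESTABLISHED = re.compile(
    r"postfix/smtpd\[\d+\]: \w+ TLS connection established from "
    r"\S+?\[[^\]]+\]: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# OpenSSL error relayed by Postfix: error:<code>:<lib>:<func>:<reason>:<file>:<line>:
TLS_ERROR = re.compile(
    r"postfix/smtpd\[\d+\]: warning: TLS library problem: "
    r"error:[0-9A-F]+:[^:]*:[^:]*:(?P<reason>[^:]+):"
)

# Lines copied from the failing run above (before the override).
BEFORE = """\
Mar 3 11:39:33 mail postfix/smtpd[1073]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
Mar 3 11:39:34 mail postfix/smtpd[1073]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:39:34 mail postfix/smtpd[1096]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:989:
Mar 3 11:39:35 mail postfix/smtpd[1096]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:39:35 mail postfix/smtpd[1096]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
""".splitlines()

# Lines copied from the passing run above (after the override).
AFTER = """\
Mar 3 11:45:47 mail postfix/smtpd[1058]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
Mar 3 11:45:47 mail postfix/smtpd[1058]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 3 11:45:48 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417D102:SSL routines:tls_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:989:
Mar 3 11:45:49 mail postfix/smtpd[1086]: Anonymous TLS connection established from internet.nl[62.204.66.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Mar 3 11:45:49 mail postfix/smtpd[1086]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1419:
""".splitlines()


def kex_family(cipher):
    """Classify an OpenSSL cipher name by its key-exchange prefix."""
    if cipher.startswith("TLS_"):          # TLS 1.3 suites carry no kex in the name
        return "TLS1.3"
    head = cipher.split("-", 1)[0]
    return head if head in ("ECDHE", "DHE") else "static/other"


def summarize(lines):
    """Tally negotiated ciphers, kex families and handshake failure reasons."""
    ciphers, kex, failures = Counter(), Counter(), Counter()
    for line in lines:
        ok = ESTABLISHED.search(line)
        if ok:
            ciphers[ok["cipher"]] += 1
            kex[kex_family(ok["cipher"])] += 1
            continue
        err = TLS_ERROR.search(line)
        if err:
            failures[err["reason"]] += 1
    return {"ciphers": ciphers, "kex": kex, "failures": failures}


def changed(before, after):
    """Return (ciphers no longer negotiated, ciphers newly negotiated)."""
    b, a = set(before["ciphers"]), set(after["ciphers"])
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    before, after = summarize(BEFORE), summarize(AFTER)
    for name, run in (("before", before), ("after", after)):
        print(name, dict(run["kex"]), dict(run["failures"]))
    dropped, gained = changed(before, after)
    print("no longer negotiated:", dropped)
    print("newly negotiated:", gained)
```

To run it over a real log, pass the file's lines to `summarize()` instead of the embedded samples.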
Good work. I think we should get that in when TLS_LEVEL=modern (which is the default). Did you check Dovecot as well?
This looks to be a great enhancement @Rillke, nice work! Can you submit this work? Or have you already?
This is going to be fixed with #1475. Because only hardened cipher suites will be used, the ordering does not matter.
Nevertheless, thanks for pointing this out early!
See https://github.com/tomav/docker-mailserver/pull/1475#issuecomment-621056552