SSL_connect error to 127.0.0.1[127.0.0.1]:10025: -1

General
1

Ciphermail Version 5.5.3.0

Hello,
our provider only accepts smtp connections on port 465. Postfix then tells us:

ciphermail postfix/smtp[11396]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)

But when we add these two parameters, Postfix cannot connect to Ciphermail anymore:

Aug 31 07:35:29 ciphermail postfix/qmgr[11267]: 4RbtHP2bcGz7S0M: from=<s.guenther@in-put.de>, size=445, nrcpt=1 (queue active)
Aug 31 07:35:29 ciphermail postfix/smtp[11280]: SSL_connect error to 127.0.0.1[127.0.0.1]:10025: -1
Aug 31 07:35:29 ciphermail postfix/smtp[11280]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:
Aug 31 07:35:29 ciphermail postfix/smtp[11280]: 4RbtHP2bcGz7S0M: to=<praxis@xxxx>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.05, delays=0.02/0.03/0/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

Removing the two parameters again, allows internal connections but no external connections. Can I solve this by further changes in the Postfix configuration or does it require a change to the Ciphermail configuration?

Thanks for your help and best wishes,

Stefan

1 Like
2

Hi,

Postfix is responsible for the SMTP part, i.e., sending and receiving to/from other SMTP servers.

Your TLS problem is therefore something that should be “fixed” in Postfix.

It could be that your Postfix only supports newer TLS versions which are not supported by the receiving mail server?

What is the value of smtp_tls_exclude_ciphers and smtpd_tls_exclude_ciphers

3

Hi,
but doesn’t the error occur when Postfix tries to connect to port 10025 where Ciphermail is listening?
This is a fresh Ciphermail installation, therefore the values for the ciphers are:

smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtpd_tls_exclude_ciphers = AESCCM8, aNULL, ARIA, DES, DSS, eNULL, EXPORT, IDEA, MD5, PSK, RC4, SEED

Best wishes,

Stefan

4

Ah yes you are correct.

Because you changed the global postfix setting for smtp_tls_security_level and smtp_tls_wrappermode it means that it will be used for all smtp connections. What you should do it to only configure this for the smtp service used for outgoing email but not for the smtp connector which sends to the local back-end.

in /etc/postfix/master.cf:

smtp      unix  -       -       n       -       -       smtp
        -o smtp_tls_security_level = encrypt
        -o smtp_tls_wrappermode = yes

Now email sent via smtp to external should be forced to encrypt but email sent to the back-end (via the djigzo service) should not be TLS encrypted.