Postfix not using TLS ciphers it is supposed to use
I can't receive emails from certain hosts because of a no shared cipher error:
postfix/smtpd[15934]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1440:
I am using this postfix settings for receiving emails:
smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
Looking up the tls_high_cipherlist yielded:
$ postconf -d | grep tls_high_cipherlist
tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
So I looked up the ciphers this will cover for TLSv1.2
$ openssl ciphers -v 'aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH' | grep TLSv1.2
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
...
So I thought this should also be the ones postfix is then using to accept as ciphers, but using testssl.sh to test supported ciphers I got this:
Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC)
------------------------------------------------------------------------------------------------------
TLS 1.2
xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
xc024 ECDHE-ECDSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
xc00a ECDHE-ECDSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
xc019 AECDH-AES256-SHA ECDH 256 AES 256 TLS_ECDH_anon_WITH_AES_256_CBC_SHA
xa7 ADH-AES256-GCM-SHA384 DH 4096 AESGCM 256 TLS_DH_anon_WITH_AES_256_GCM_SHA384
x6d ADH-AES256-SHA256 DH 4096 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA256
x3a ADH-AES256-SHA DH 4096 AES 256 TLS_DH_anon_WITH_AES_256_CBC_SHA
x89 ADH-CAMELLIA256-SHA DH 4096 Camellia 256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
xc023 ECDHE-ECDSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
xc009 ECDHE-ECDSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
xc018 AECDH-AES128-SHA ECDH 256 AES 128 TLS_ECDH_anon_WITH_AES_128_CBC_SHA
xa6 ADH-AES128-GCM-SHA256 DH 4096 AESGCM 128 TLS_DH_anon_WITH_AES_128_GCM_SHA256
x6c ADH-AES128-SHA256 DH 4096 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA256
x34 ADH-AES128-SHA DH 4096 AES 128 TLS_DH_anon_WITH_AES_128_CBC_SHA
x9b ADH-SEED-SHA DH 4096 SEED 128 TLS_DH_anon_WITH_SEED_CBC_SHA
x46 ADH-CAMELLIA128-SHA DH 4096 Camellia 128 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
xc007 ECDHE-ECDSA-RC4-SHA ECDH 256 RC4 128 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
xc016 AECDH-RC4-SHA ECDH 256 RC4 128 TLS_ECDH_anon_WITH_RC4_128_SHA
x18 ADH-RC4-MD5 DH 4096 RC4 128 TLS_DH_anon_WITH_RC4_128_MD5
xc008 ECDHE-ECDSA-DES-CBC3-SHA ECDH 256 3DES 168 TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
xc017 AECDH-DES-CBC3-SHA ECDH 256 3DES 168 TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
x1b ADH-DES-CBC3-SHA DH 4096 3DES 168 TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
So for example DHE-DSS-AES256-GCM-SHA384 is missing.
Do I have to enable this ciphers also somewhere else? Also explicitly setting tls_high_cipherlist in the main.cf did not change the results.
Solution 1:
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
By default You are strongly encouraged to not change the setting
You can insert your own ciphersuite here, but I don't recommend that. The cipherstring chosen by the bettercrypto project has been widely tested and provides as much compatibility as reasonable while providing as much security as possible. The order of all the ciphers is very important so server and client are negotiating the best cipher possible, preferably with Forward Secrecy which is true for this one.
Solution 2:
So it turned out to be an issue of Postfix 2.11.x + Openssl 1.1.0 + a "ECDSA P-384" certificate. In TLS Forward Secrecy in Postfix is says:
With Postfix prior to 3.2 or OpenSSL prior to 1.0.2, only a single server-side curve can be configured, by specifying a suitable EECDH "grade":
So I needed to set secp384r1.
But I still got some mismatches. In the end I issued a RSA certificate and now everybody is happy. (See also https://github.com/openssl/openssl/issues/2033)
Solution 3:
Just to clarify (copied from http://www.postfix.org/FORWARD_SECRECY_README.html) you need to set/add the parameter in main.cf as described below:
"With Postfix prior to 3.2 or OpenSSL prior to 1.0.2, only a single server-side curve can be configured, by specifying a suitable EECDH "grade": smtpd_tls_eecdh_grade = strong | ultra # Underlying curves, best not changed: # tls_eecdh_strong_curve = prime256v1 # tls_eecdh_ultra_curve = secp384r1"