Postfix not using TLS ciphers it is supposed to use

I can't receive emails from certain hosts because of a no shared cipher error:

postfix/smtpd[15934]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1440:

I am using this postfix settings for receiving emails:

smtpd_tls_mandatory_ciphers = high
smtpd_tls_ciphers           = high

Looking up the tls_high_cipherlist yielded:

$ postconf -d | grep tls_high_cipherlist
tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

So I looked up the ciphers this will cover for TLSv1.2

$ openssl ciphers -v 'aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH' | grep TLSv1.2
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
...

So I thought this should also be the ones postfix is then using to accept as ciphers, but using testssl.sh to test supported ciphers I got this:

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (RFC)
------------------------------------------------------------------------------------------------------
TLS 1.2
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 256   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 xc024   ECDHE-ECDSA-AES256-SHA384         ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 256   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xc019   AECDH-AES256-SHA                  ECDH 256   AES         256      TLS_ECDH_anon_WITH_AES_256_CBC_SHA
 xa7     ADH-AES256-GCM-SHA384             DH 4096    AESGCM      256      TLS_DH_anon_WITH_AES_256_GCM_SHA384
 x6d     ADH-AES256-SHA256                 DH 4096    AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA256
 x3a     ADH-AES256-SHA                    DH 4096    AES         256      TLS_DH_anon_WITH_AES_256_CBC_SHA
 x89     ADH-CAMELLIA256-SHA               DH 4096    Camellia    256      TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 256   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 xc023   ECDHE-ECDSA-AES128-SHA256         ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 256   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 xc018   AECDH-AES128-SHA                  ECDH 256   AES         128      TLS_ECDH_anon_WITH_AES_128_CBC_SHA
 xa6     ADH-AES128-GCM-SHA256             DH 4096    AESGCM      128      TLS_DH_anon_WITH_AES_128_GCM_SHA256
 x6c     ADH-AES128-SHA256                 DH 4096    AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA256
 x34     ADH-AES128-SHA                    DH 4096    AES         128      TLS_DH_anon_WITH_AES_128_CBC_SHA
 x9b     ADH-SEED-SHA                      DH 4096    SEED        128      TLS_DH_anon_WITH_SEED_CBC_SHA
 x46     ADH-CAMELLIA128-SHA               DH 4096    Camellia    128      TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
 xc007   ECDHE-ECDSA-RC4-SHA               ECDH 256   RC4         128      TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
 xc016   AECDH-RC4-SHA                     ECDH 256   RC4         128      TLS_ECDH_anon_WITH_RC4_128_SHA
 x18     ADH-RC4-MD5                       DH 4096    RC4         128      TLS_DH_anon_WITH_RC4_128_MD5
 xc008   ECDHE-ECDSA-DES-CBC3-SHA          ECDH 256   3DES        168      TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
 xc017   AECDH-DES-CBC3-SHA                ECDH 256   3DES        168      TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA
 x1b     ADH-DES-CBC3-SHA                  DH 4096    3DES        168      TLS_DH_anon_WITH_3DES_EDE_CBC_SHA

So for example DHE-DSS-AES256-GCM-SHA384 is missing.

Do I have to enable this ciphers also somewhere else? Also explicitly setting tls_high_cipherlist in the main.cf did not change the results.


Solution 1:

smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
# if you have authentication enabled, only offer it after STARTTLS
smtpd_tls_auth_only = yes
tls_ssl_options = NO_COMPRESSION
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_ciphers=high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

By default You are strongly encouraged to not change the setting

You can insert your own ciphersuite here, but I don't recommend that. The cipherstring chosen by the bettercrypto project has been widely tested and provides as much compatibility as reasonable while providing as much security as possible. The order of all the ciphers is very important so server and client are negotiating the best cipher possible, preferably with Forward Secrecy which is true for this one.

Solution 2:

So it turned out to be an issue of Postfix 2.11.x + Openssl 1.1.0 + a "ECDSA P-384" certificate. In TLS Forward Secrecy in Postfix is says:

With Postfix prior to 3.2 or OpenSSL prior to 1.0.2, only a single server-side curve can be configured, by specifying a suitable EECDH "grade":

So I needed to set secp384r1.

But I still got some mismatches. In the end I issued a RSA certificate and now everybody is happy. (See also https://github.com/openssl/openssl/issues/2033)

Solution 3:

Just to clarify (copied from http://www.postfix.org/FORWARD_SECRECY_README.html) you need to set/add the parameter in main.cf as described below:

"With Postfix prior to 3.2 or OpenSSL prior to 1.0.2, only a single server-side curve can be configured, by specifying a suitable EECDH "grade": smtpd_tls_eecdh_grade = strong | ultra # Underlying curves, best not changed: # tls_eecdh_strong_curve = prime256v1 # tls_eecdh_ultra_curve = secp384r1"