Hello. I have been running an Arch Linux Postfix mail server for about 3 years now and have had quite a good experience with it. However, I have been keeping up with current security news and have seen that TLSv1.0 is broken and should be disabled (indeed, the "PCI DSS" standards disallow it). So I have added the following in /etc/postfix/main.cf:
Code:
# Applies when TLS is opportunistic (security_level = may); "!" excludes a protocol
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
# Applies when TLS is mandatory (security_level = encrypt or stronger)
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
However, since doing that I see a fair amount of the following in the server logs:
Code:
Feb 11 20:22:32 MailServer postfix/smtpd[23118]: connect from ec2-54-183-213-26.us-west-1.compute.amazonaws.com[54.183.213.26]
Feb 11 20:22:32 MailServer postfix/smtpd[23118]: SSL_accept error from ec2-54-183-213-26.us-west-1.compute.amazonaws.com[54.183.213.26]: -1
Feb 11 20:22:32 MailServer postfix/smtpd[23118]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Feb 11 20:22:32 MailServer postfix/smtpd[23118]: lost connection after STARTTLS from ec2-54-183-213-26.us-west-1.compute.amazonaws.com[54.183.213.26]
Feb 11 20:22:32 MailServer postfix/smtpd[23118]: disconnect from ec2-54-183-213-26.us-west-1.compute.amazonaws.com[54.183.213.26] ehlo=1 starttls=0/1 commands=1/2
And the mail (in this case from Amazon) is not received. Many other sending domains have this problem, primarily Yahoo, Comcast, and several other big names. If I re-enable TLSv1, the messages come through.
Is this because the sending servers only support TLSv1? (Kind of hard to believe that Amazon and Yahoo still operate that way...). Or could it be due to misconfiguration on my part?
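Before deciding whether to keep TLSv1 disabled, it helps to know exactly which senders are failing the handshake and which are negotiating fine. The script below is an added example, not code from the original post or from Postfix: it tallies, per remote client, the `connect from`, `SSL_accept error from`, `lost connection after STARTTLS from` and `TLS connection established from` smtpd log lines shown above, and lists the peers that hit SSL_accept errors without ever completing a handshake. The sample log embedded in it is constructed to mirror the post's log format; the hostnames and addresses are documentation placeholders, not real senders.

```python
"""Tally Postfix smtpd TLS handshake outcomes per remote client.

Added example (not from the original post): feed it smtpd log lines and it
reports which peers connected, which failed the TLS handshake after STARTTLS
(SSL_accept error / lost connection after STARTTLS), and which negotiated TLS
and with what protocol version.
"""
import re
from collections import defaultdict

# Constructed sample log, same format as the post's excerpt. Placeholder
# hostnames/IPs only; not real observations.
SAMPLE_LOG = """\
Feb 11 20:22:32 MailServer postfix/smtpd[23118]: connect from mta-a.example.net[192.0.2.10]
Feb 11 20:22:32 MailServer postfix/smtpd[23118]: SSL_accept error from mta-a.example.net[192.0.2.10]: -1
Feb 11 20:22:32 MailServer postfix/smtpd[23118]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Feb 11 20:22:32 MailServer postfix/smtpd[23118]: lost connection after STARTTLS from mta-a.example.net[192.0.2.10]
Feb 11 20:22:32 MailServer postfix/smtpd[23118]: disconnect from mta-a.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
Feb 11 20:23:05 MailServer postfix/smtpd[23120]: connect from mta-b.example.org[198.51.100.7]
Feb 11 20:23:05 MailServer postfix/smtpd[23120]: Anonymous TLS connection established from mta-b.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 11 20:23:06 MailServer postfix/smtpd[23120]: disconnect from mta-b.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Feb 11 20:24:11 MailServer postfix/smtpd[23118]: connect from mta-a.example.net[192.0.2.10]
Feb 11 20:24:11 MailServer postfix/smtpd[23118]: SSL_accept error from mta-a.example.net[192.0.2.10]: -1
Feb 11 20:24:11 MailServer postfix/smtpd[23118]: lost connection after STARTTLS from mta-a.example.net[192.0.2.10]
Feb 11 20:24:11 MailServer postfix/smtpd[23118]: disconnect from mta-a.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
"""

# Postfix writes the peer as hostname[address]; keep that string as the key.
PEER = r"(?P<peer>\S+?\[[^\]]+\])"
RE_CONNECT = re.compile(r"\bconnect from " + PEER)   # \b keeps "disconnect from" out
RE_FAIL = re.compile(r"SSL_accept error from " + PEER)
RE_LOST = re.compile(r"lost connection after STARTTLS from " + PEER)
RE_OK = re.compile(r"TLS connection established from " + PEER
                   + r": (?P<proto>\S+) with cipher")


def summarize_tls(log_text):
    """Return {peer: counters} for every smtpd peer seen in log_text."""
    stats = defaultdict(lambda: {"connects": 0, "handshake_failures": 0,
                                 "lost_after_starttls": 0, "tls_ok": 0,
                                 "protocols": set()})
    for line in log_text.splitlines():
        if "postfix/smtpd[" not in line:
            continue  # only the receiving side is of interest here
        if m := RE_CONNECT.search(line):
            stats[m["peer"]]["connects"] += 1
        elif m := RE_FAIL.search(line):
            stats[m["peer"]]["handshake_failures"] += 1
        elif m := RE_LOST.search(line):
            stats[m["peer"]]["lost_after_starttls"] += 1
        elif m := RE_OK.search(line):
            stats[m["peer"]]["tls_ok"] += 1
            stats[m["peer"]]["protocols"].add(m["proto"])
    return dict(stats)


def peers_never_completing_tls(stats):
    """Peers with SSL_accept errors and no successful handshake at all:
    these are the senders a protocol restriction is actually cutting off."""
    return sorted(p for p, s in stats.items()
                  if s["handshake_failures"] > 0 and s["tls_ok"] == 0)


def report(stats):
    """One summary line per peer, sorted by peer."""
    lines = []
    for peer, s in sorted(stats.items()):
        protos = ",".join(sorted(s["protocols"])) or "-"
        lines.append(f"{peer}: connects={s['connects']} "
                     f"ssl_accept_errors={s['handshake_failures']} "
                     f"lost_after_starttls={s['lost_after_starttls']} "
                     f"tls_ok={s['tls_ok']} protocols={protos}")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = summarize_tls(SAMPLE_LOG)
    print(report(stats))
    print("never completed TLS:", peers_never_completing_tls(stats))
```

Run it over real logs by replacing `SAMPLE_LOG` with the output of `journalctl -u postfix` or the syslog mail file. Note what the log can and cannot tell you: an `SSL_accept error` after STARTTLS shows that the handshake failed with the current protocol list, but it does not record which protocol versions the client offered; to see that you would need a packet capture of the client's ClientHello on port 25.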