Hi
I am getting lots of SSL_accept errors when trying to receive mail from certain mail servers. I am using Let's Encrypt SSL on Postfix and I think it may have something to do with the ciphers. I'm not sure if there is anything I can do to fix at my end or whether the issue is with the sending servers.
Any help or pointers would be much appreciated.
Feb 6 10:40:33 server postfix/smtpd[10633]: setting up TLS connection from eu2.mailsphere.mx[54.229.40.39]
Feb 6 10:40:33 server postfix/smtpd[10633]: eu2.mailsphere.mx[54.229.40.39]: TLS cipher list "ALL:+RC4:@STRENGTH:!EXP:!MEDIUM:!LOW:!DES:!3DES:!SSLv2"
Feb 6 10:40:33 server postfix/smtpd[10633]: SSL_accept error from eu2.mailsphere.mx[54.229.40.39]: -1
Feb 6 10:40:33 server postfix/smtpd[10633]: lost connection after STARTTLS from eu2.mailsphere.mx[54.229.40.39]
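Added example, not part of this thread: a small Python script that tallies postfix/smtpd TLS handshake outcomes per sending host from log lines like the ones above, so that peers whose every STARTTLS attempt ends in SSL_accept error stand out from those that complete the handshake. The log lines embedded in it are constructed, modelled on the ones quoted above; mx.example.net is a made-up peer added as the successful case.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the postfix/smtpd lines quoted above;
# mx.example.net is a made-up peer that completes the handshake.
SAMPLE_LOG = """\
Feb 6 10:40:33 server postfix/smtpd[10633]: setting up TLS connection from eu2.mailsphere.mx[54.229.40.39]
Feb 6 10:40:33 server postfix/smtpd[10633]: eu2.mailsphere.mx[54.229.40.39]: TLS cipher list "ALL:+RC4:@STRENGTH:!EXP:!MEDIUM:!LOW:!DES:!3DES:!SSLv2"
Feb 6 10:40:33 server postfix/smtpd[10633]: SSL_accept error from eu2.mailsphere.mx[54.229.40.39]: -1
Feb 6 10:40:33 server postfix/smtpd[10633]: lost connection after STARTTLS from eu2.mailsphere.mx[54.229.40.39]
Feb 6 10:41:02 server postfix/smtpd[10640]: setting up TLS connection from mx.example.net[192.0.2.10]
Feb 6 10:41:02 server postfix/smtpd[10640]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 6 10:41:30 server postfix/smtpd[10651]: setting up TLS connection from eu2.mailsphere.mx[54.229.40.39]
Feb 6 10:41:30 server postfix/smtpd[10651]: SSL_accept error from eu2.mailsphere.mx[54.229.40.39]: -1
Feb 6 10:41:30 server postfix/smtpd[10651]: lost connection after STARTTLS from eu2.mailsphere.mx[54.229.40.39]
"""

# Everything after the "postfix/smtpd[pid]: " prefix of a syslog line.
MSG_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<msg>.*)$")
# Postfix logs the peer as hostname[address]; the first such token is the peer.
PEER_RE = re.compile(r"[\w.-]+\[[0-9.:a-fA-F]+\]")

# Message fragment -> counter it increments (first match wins).
EVENTS = (
    ("setting up TLS connection from ", "attempts"),
    ("SSL_accept error from ", "accept_errors"),
    ("lost connection after STARTTLS from ", "dropped_after_starttls"),
    ("TLS connection established from ", "established"),  # Anonymous/Trusted/... variants
)

def summarize_tls_handshakes(log_text):
    """Count TLS handshake events per peer (hostname[address]) from smtpd log lines."""
    stats = defaultdict(lambda: {counter: 0 for _, counter in EVENTS})
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        for needle, counter in EVENTS:
            if needle in msg:
                peer = PEER_RE.search(msg)
                if peer:
                    stats[peer.group(0)][counter] += 1
                break
    return dict(stats)

def failing_peers(stats):
    """Peers where every TLS attempt ended in SSL_accept error, most failures first."""
    bad = [p for p, s in stats.items() if s["attempts"] and s["accept_errors"] >= s["attempts"]]
    return sorted(bad, key=lambda p: -stats[p]["accept_errors"])
```

Feed it the real mail log (on CentOS typically /var/log/maillog) instead of SAMPLE_LOG to list the senders that never get past STARTTLS, which is the set worth asking to update their mail hoster's TLS settings.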
Please also read the forum guides for posting the versions you use:
https://www.virtualmin.com/node/53663
BUT the Virtualmin docs and more have to be updated, as the old PCI compliance setting uses too old, insecure ciphers and more:
https://www.virtualmin.com/documentation/id%2Cpci_compliant
https://www.virtualmin.com/documentation/security/pci
You can, though, find some info there on where those settings are.
Readers who have a subscription can of course open a support ticket in issues, I presume?
+RC4 is way too old ...... ;)
Yours? eu2.mailsphere.mx
eu2.mailsphere.mx is the sending server.
Mine is Postfix version 2.6.6 on CentOS 6.10. Postfix TLS settings are:
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_cert_file = /etc/letsencrypt/live/snapto.co.uk/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/snapto.co.uk/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/snapto.co.uk/fullchain.pem
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
I also tried commenting out tls_high_cipherlist, and also using:
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
eu2.mailsphere.mx is the sending server.
That one is using old things, I can't help you.
But check that your server is updated for the new and most secure settings and so on, then look at the log files. If mails are missing, contact the sender/receiver so they can contact their mail hoster to have things updated too.
That is the only way to go, in my eyes, to get the web and mail more secure at all.
So everyone: forget and disable old / too old protocols and ciphers; then it is more difficult for hackers and spammers.
Also force using correct DKIM, SPF, DMARC.
I hope Virtualmin is updating their docs and things soon also. ? ;)
Hi Jfro
Sure, I just wanted confirmation really that the issue was at their end, as I hadn't come across that SSL_accept error previously and was just trying to understand it.
Ta.
On port 465 (SMTP) they support the following, so you can check:
Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Not supported
Ciphers
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
Cipher order Client
Compression
NULL TLS 1.0, TLS 1.1, TLS 1.2
Support for Triple DES cipher
Trigger The server supports a cipher suite containing the 3DES cipher.
Context
Three-key-3DES is a cipher with 168-bit keys but an effective key length of 112 bits because of a meet-in-the-middle attack. This is considered enough only for legacy
Support for RC4 cipher
Trigger The server doesn't support any cipher suites containing the RC4 cipher.
I don't understand the +RC4 in your first post.
You can try to start a mail server test here, for example https://en.internet.nl/