Resolved Postfix Warning: SSL alert number 40

lordnikkon · Jun 17, 2020

Hello,

I detect the following warning in the maillog. Not sure what it means:

Code:

postfix/smtp[7211]: 137D4B9B50: Cannot start TLS: handshake failure
postfix/smtp[7211]: SSL_connect error to xxx.xxx.de[xx.x.x.xx]:25: -1
postfix/smtp[7211]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40:

Any Ideas?

IgorG · Jun 17, 2020

Have you configured custom cypher list in /etc/postfix/main.cf ? Try to set default.

lordnikkon · Jun 17, 2020

No, I haven't configured anything. This is how it looks like:

Code:

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
smtpd_tls_mandatory_protocols = TLSv1.2
smtpd_tls_protocols = TLSv1.2

IgorG · Jun 17, 2020

Try to fix it with

# plesk repair mail

lordnikkon · Jun 17, 2020

OK, I did it. Nothing has changed.

IgorG · Jun 17, 2020

lordnikkon said:
tls_medium_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

On my test Plesk server I see:

tls_medium_cipherlist = EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK:!KRB5:!aECDH

Try it.

lordnikkon · Jun 18, 2020

OK, looks good! No more Warnings.

Thanks for your help!

Resolved Postfix Warning: SSL alert number 40

lordnikkon

New Pleskian

IgorG

Plesk addicted!

lordnikkon

New Pleskian

IgorG

Plesk addicted!

lordnikkon

New Pleskian

IgorG

Plesk addicted!

lordnikkon

New Pleskian

Similar threads