SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

"Frank J. Dürring" frank.duerring at condero.com
Thu Mar 2 17:25:43 CET 2017


Hello everyone,

By now I have read a lot about the SSL errors that get posted here from time to time, but I still don't understand it :-/
My new mail server (Postfix 2.11.3) is actually running quite well; it is only with SSL/TLS that I still have problems.

A customer received this from the sender of an e-mail:

> Hi. This is the qmail-send program at post.ze.stw.de.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
> 
> <x.xxxxxxxx at heilbronn-xyz.de>:
> TLS not available: connect failed: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
> I'm not going to try again; this message has been in the queue too long.
> 
> --- Below this line is a copy of the message.
> 
> Return-Path: <xxx.xxxxxxxx at stw.de>
> Received: (qmail 30379 invoked by uid 1004); 1 Mar 2017 12:01:02 -0000
> Received: from 10.244.66.16 by post.ze.stw.de (envelope-from <xxx.xxxxxxxx at stw.de>, uid 82) with qmail-scanner-1.25st 
> (clamdscan: 0.83/1293. spamassassin: 3.0.2. perlscan: 1.25st. 
> Clear:RC:1(10.244.66.16):. 
> Processed in 0.222746 secs); 01 Mar 2017 12:01:02 -0000
> Received: from exchange.stw.de (HELO stwmsx01.stw.local) ([10.244.66.16])
> (envelope-sender <xxx.xxxxxxxx at stw.de>)
> by post.ze.stw.de (qmail-ldap-1.03) with SMTP

The Postfix log shows the following for it.
I have similar entries from other systems as well, e.g. from .monster.com, registerportal.de, etc.

> Mar  1 12:08:48 mx1 postfix/smtpd[13562]: connect from gate.stw.de[213.61.174.210]
> Mar  1 12:08:48 mx1 postfix/smtpd[13562]: SSL_accept error from gate.stw.de[213.61.174.210]: -1
> Mar  1 12:08:48 mx1 postfix/smtpd[13562]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1440:
> Mar  1 12:08:48 mx1 postfix/smtpd[13562]: lost connection after STARTTLS from gate.stw.de[213.61.174.210]
> Mar  1 12:08:48 mx1 postfix/smtpd[13562]: disconnect from gate.stw.de[213.61.174.210]

I'm afraid I have set something too aggressively in main.cf.
Does anyone have a tip on how I should proceed?

Regards, Frank.


> # See /usr/share/postfix/main.cf.dist for a commented, more complete version
> […]

> smtp_dns_support_level = dnssec
> smtp_tls_ciphers = high
> smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
> smtp_tls_fingerprint_digest = SHA256
> smtp_tls_mandatory_ciphers = high
> smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtp_tls_note_starttls_offer = yes
> smtp_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_security_level = dane
> 
> smtpd_tls_ciphers = high
> smtpd_tls_dh1024_param_file = ${config_directory}/dh4096.pem
> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
> smtpd_tls_fingerprint_digest = SHA256
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtpd_tls_protocols = !SSLv2,!SSLv3
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may
> 
> smtpd_tls_cert_file = /etc/ssl/certs/server.crt
> smtpd_tls_key_file = /etc/ssl/private/server.key
> 
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = yes
> 
> smtpd_recipient_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         check_sender_access hash:/etc/postfix/check_sender,
>         check_client_access hash:/etc/postfix/check_client,
>         reject_unauth_destination,
>     #  check_policy_service unix:private/policy-spf,
>         reject_non_fqdn_sender,
>         reject_non_fqdn_recipient,
>         reject_unknown_recipient_domain,
>         reject_invalid_hostname,
>         reject_unknown_hostname,
>         reject_unauth_pipelining,
>         reject_rbl_client bl.spamcop.net,
>         reject_rbl_client zen.spamhaus.org,
>         reject_rbl_client cbl.abuseat.org,
>         check_policy_service inet:127.0.0.1:12525,
>         permit

