Since forever I cannot receive mails from gmx. I never bothered, since hardly anyone I know uses that service, but now I caused a couple of mails to get dropped where I needed them.
Postfix-Log:
postfix-mailcow_1 | Jan 28 18:36:29 4d65c05fb9a7 postfix/postfix-script[344]: starting the Postfix mail system
postfix-mailcow_1 | Jan 28 18:36:29 4d65c05fb9a7 postfix/master[346]: daemon started -- version 3.4.14, configuration /opt/postfix/conf
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/postscreen[352]: CONNECT from [82.165.159.42]:52213 to [172.22.1.13]:25
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/postscreen[352]: WHITELISTED [82.165.159.42]:52213
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: initializing the server-side TLS engine
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: connect from mout-xforward.gmx.net[82.165.159.42]
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: setting up TLS connection from mout-xforward.gmx.net[82.165.159.42]
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: mout-xforward.gmx.net[82.165.159.42]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!ECDHE-RSA-RC4-SHA:!RC4:!aNULL:!DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA"
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:before SSL initialization
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:before SSL initialization
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: TLS SNI mail.nope.at from mout-xforward.gmx.net[82.165.159.42] not matched, using default chain
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:SSLv3/TLS read client hello
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:SSLv3/TLS write server hello
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:SSLv3/TLS write change cipher spec
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:TLSv1.3 write encrypted extensions
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:SSLv3/TLS write certificate
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:TLSv1.3 write server certificate verify
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:SSLv3/TLS write finished
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:TLSv1.3 early data
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:TLSv1.3 early data
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:SSLv3/TLS read finished
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: mout-xforward.gmx.net[82.165.159.42]: Issuing session ticket, key expiration: 1643393205
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL_accept:SSLv3/TLS write session ticket
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: Anonymous TLS connection established from mout-xforward.gmx.net[82.165.159.42]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: SSL3 alert read:fatal:insufficient security
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: warning: TLS library problem: error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient security:../ssl/record/rec_layer_s3.c:1544:SSL alert number 71:
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: lost connection after STARTTLS from mout-xforward.gmx.net[82.165.159.42]
postfix-mailcow_1 | Jan 28 18:36:46 4d65c05fb9a7 postfix/smtpd[355]: disconnect from mout-xforward.gmx.net[82.165.159.42] ehlo=1 starttls=1 commands=2
I already tinkered with the extra.conf and am already pretty desperate:
cat data/conf/postfix/extra.cf
smtp_tls_protocols = !SSLv2
smtps_smtpd_tls_mandatory_protocols = !SSLv2
submission_smtpd_tls_mandatory_protocols = !SSLv2
smtpd_tls_mandatory_ciphers = medium
# smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL, DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA
smtpd_tls_loglevel = 2
# Mandatory protocols and ciphers are used when a connections is enforced to use TLS
# Does _not_ apply to enforced incoming TLS settings per mailbox
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#smtpd_tls_mandatory_ciphers = high
#
#smtp_tls_protocols = !SSLv2, !SSLv3
#lmtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
#smtpd_tls_protocols = !SSLv2, !SSLv3
#
#smtpd_tls_security_level = may
Here is the complete postconf:
One thing I’ve read was that the root-ca-certificates for the gmx service are not up to date, but I cannot see how I could affect or properly check this.
Any pointers or suggestions would be helpful, as everything else works ok. 😤
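
Added example, not part of the original post: a small Python parser for smtpd lines in the format shown above (as logged with smtpd_tls_loglevel = 2) that reports, per session, which side sent the TLS alert and what had been negotiated when it arrived. The sample log is constructed, with a placeholder peer name and address, and the function and field names are this example's own.

```python
import re

# Constructed sample in the shape of the smtpd lines above;
# the peer name and address are placeholders.
SAMPLE = """\
postfix-mailcow_1 | Jan 28 18:36:46 host postfix/smtpd[355]: connect from mx.example.net[192.0.2.10]
postfix-mailcow_1 | Jan 28 18:36:46 host postfix/smtpd[355]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
postfix-mailcow_1 | Jan 28 18:36:46 host postfix/smtpd[355]: SSL3 alert read:fatal:insufficient security
postfix-mailcow_1 | Jan 28 18:36:46 host postfix/smtpd[355]: lost connection after STARTTLS from mx.example.net[192.0.2.10]
postfix-mailcow_1 | Jan 28 18:36:46 host postfix/smtpd[355]: disconnect from mx.example.net[192.0.2.10] ehlo=1 starttls=1 commands=2
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"^connect from (\S+)\[([^\]]+)\]")
ESTABLISHED = re.compile(r"TLS connection established from .*?: (\S+) with cipher (\S+)")
ALERT = re.compile(r"^SSL3 alert (read|write):(\w+):(.+)$")
LOST = re.compile(r"^lost connection after (\S+) from")

def tls_failures(log_text):
    """Return one dict per smtpd session in which a TLS alert was logged."""
    sessions, failed = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()  # an smtpd process serves one client at a time
        if c := CONNECT.match(msg):
            sessions[pid] = {"peer": c.group(1), "ip": c.group(2)}
            continue
        s = sessions.get(pid)
        if s is None:
            continue
        if e := ESTABLISHED.search(msg):
            s["protocol"], s["cipher"] = e.groups()
        elif a := ALERT.match(msg):
            # "read": the remote peer sent the alert; "write": this server sent it
            s["alert_from"] = "peer" if a.group(1) == "read" else "local"
            s["level"], s["alert"] = a.group(2), a.group(3).strip()
        elif lost := LOST.match(msg):
            s["lost_after"] = lost.group(1)
        elif msg.startswith("disconnect from"):
            sessions.pop(pid)
            if "alert" in s:
                failed.append(s)
    return failed

if __name__ == "__main__":
    for f in tls_failures(SAMPLE):
        print(f)
```

Run over the log in the post, this would report the alert as coming from the peer after the server's side of the handshake had completed, which separates "the remote side rejected what this server offered" from "this server rejected the client".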