I am getting lots of SSL_accept errors when trying to receive mail from certain mail servers. I am using Let’s Encrypt SSL on Postfix and I think it may have something to do with the ciphers. I’m not sure if there is anything I can do to fix at my end or whether the issue is with the sending servers.
Any help or pointers would be much appreciated.
Feb 6 10:40:33 server postfix/smtpd[10633]: setting up TLS connection from eu2.mailsphere.mx[54.229.40.39]
Feb 6 10:40:33 server postfix/smtpd[10633]: eu2.mailsphere.mx[54.229.40.39]: TLS cipher list "ALL:+RC4:@STRENGTH:!EXP:!MEDIUM:!LOW:!DES:!3DES:!SSLv2"
Feb 6 10:40:33 server postfix/smtpd[10633]: SSL_accept error from eu2.mailsphere.mx[54.229.40.39]: -1
Feb 6 10:40:33 server postfix/smtpd[10633]: lost connection after STARTTLS from eu2.mailsphere.mx[54.229.40.39]
I also tried commenting out the tls_high_cipherlist and also using
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
But check that your server is updated for the newest and most secure settings and so on, then look at the log files; if mails are missing, contact the sender/receiver and tell them they have to contact their mail hoster to have things updated too.
That is the only way to go, in my eyes, to get the web and mail more secure at all.
So everyone should forget and disable old / too old protocols and ciphers; then it is more difficult for hackers and spammers.
Also force using correct DKIM, SPF, DMARC.
I hope Virtualmin is updating their docs and things soon also.
Sure, I just wanted confirmation really that the issue was at their end, as I hadn’t come across that SSL_accept error previously and was just trying to understand it.
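One way to check from the mail log whether the SSL_accept failures are limited to particular sending servers, as an added example that is not part of the original thread: it tallies smtpd TLS attempts, failures and successful negotiations per client. The sample log is constructed (its first three lines repeat the excerpt posted above, the `mail.example.org` lines are made up), and the function names `summarize` and `always_failing` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample. The first three lines repeat the failing handshake from
# the post; the remaining lines use a documentation host and are made up.
SAMPLE_LOG = """\
Feb 6 10:40:33 server postfix/smtpd[10633]: setting up TLS connection from eu2.mailsphere.mx[54.229.40.39]
Feb 6 10:40:33 server postfix/smtpd[10633]: SSL_accept error from eu2.mailsphere.mx[54.229.40.39]: -1
Feb 6 10:40:33 server postfix/smtpd[10633]: lost connection after STARTTLS from eu2.mailsphere.mx[54.229.40.39]
Feb 6 10:41:02 server postfix/smtpd[10640]: setting up TLS connection from mail.example.org[192.0.2.10]
Feb 6 10:41:02 server postfix/smtpd[10640]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 6 10:45:10 server postfix/smtpd[10702]: setting up TLS connection from eu2.mailsphere.mx[54.229.40.39]
Feb 6 10:45:10 server postfix/smtpd[10702]: SSL_accept error from eu2.mailsphere.mx[54.229.40.39]: -1
"""

PEER = r"(?P<peer>\S+\[[^\]]+\])"          # host[ip] as Postfix logs it
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (?P<msg>.*)$")
EVENTS = {
    "attempts": re.compile(r"^setting up TLS connection from " + PEER),
    "failed": re.compile(r"^SSL_accept error from " + PEER),
    "ok": re.compile(r"TLS connection established from " + PEER
                     + r": (?P<proto>\S+) with cipher (?P<cipher>\S+)"),
}

def summarize(log_text):
    """Count TLS attempts, SSL_accept failures and successes per client."""
    stats = defaultdict(lambda: {"attempts": 0, "failed": 0, "ok": 0, "negotiated": set()})
    for line in log_text.splitlines():
        line_match = SMTPD.search(line)
        if not line_match:
            continue
        for name, pattern in EVENTS.items():
            event = pattern.search(line_match["msg"])
            if event:
                entry = stats[event["peer"]]
                entry[name] += 1
                if name == "ok":
                    entry["negotiated"].add((event["proto"], event["cipher"]))
                break
    return dict(stats)

def always_failing(stats):
    """Clients whose every handshake failed. If other clients do negotiate,
    the mismatch is specific to these senders rather than a local outage."""
    return sorted(p for p, s in stats.items() if s["failed"] and not s["ok"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for peer in always_failing(stats):
        print(peer, stats[peer])
```

To run it against a real log, pass the file's contents to `summarize` instead of `SAMPLE_LOG`.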
Support for Triple DES cipher
Trigger The server supports a cipher suite containing the 3DES cipher.
Context
Three-key-3DES is a cipher with 168-bit keys but an effective key length of 112 bits because of a meet-in-the-middle attack. This is considered enough only for legacy
Support for RC4 cipher
Trigger The server doesn’t support any cipher suites containing the RC4 cipher.
I don’t understand the + rc4 out of your first post.