Now or then I see postfix logs like this:

Mar 18 13:19:19 ... smtpd[1217240]: SSL_accept error from mx0b-002b8002.pphosted.com[148.163.140.242]: -1
Mar 18 13:19:19 ... smtpd[1217240]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:

I do block ancient ciphers:

smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = >=TLSv1

So now I would like to see which ciphers the client is offering when it tries to connect to my server, but I can't see that in the logs. Is there a way to get this information?

1 Answer

Debugging the offered cipher suites

You can add the client's IP address to the debug_peer_list as suggested in Postfix Debugging Howto.

Optional list of nexthop destination, remote client or server name or network address patterns that, if matched, cause the verbose logging level to increase by the amount specified in $debug_peer_level.

The default debug_peer_level = 2 logs:

  • The full SMTP conversation with commands and responses.
  • Any errors or unusual responses from the remote server.
  • The negotiation of protocols and any attempted TLS handshakes.

postfix/smtpd[123]: connect from mail.example.com[192.0.2.1]
postfix/smtpd[123]: 1A2B3C4D5E: client=mail.example.com[192.0.2.1]
postfix/smtpd[123]: 1A2B3C4D5E: SSL/TLS session started
postfix/smtpd[123]: 1A2B3C4D5E: SSL/TLS handshake failed: no shared cipher suites
postfix/smtpd[123]: 1A2B3C4D5E: warning: no common cipher suites found for TLS negotiation
postfix/smtpd[123]: 1A2B3C4D5E: disconnect from mail.example.com[192.0.2.1] ehlo=1 starttls=0/1

As you want to see the ciphers the client is offering, you need to increase the debug level by one.

debug_peer_level = 3

This would output something like this:

postfix/smtpd[123]: connect from mail.example.com[192.0.2.1]
postfix/smtpd[123]: 1A2B3C4D5E: client=mail.example.com[192.0.2.1]
postfix/smtpd[123]: 1A2B3C4D5E: SSL/TLS session started
postfix/smtpd[123]: 1A2B3C4D5E: cipher suites offered by mail.example.com: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES128-SHA256
postfix/smtpd[123]: 1A2B3C4D5E: cipher suites offered by server: ECDHE-RSA-AES256-GCM-SHA384, AES128-SHA256, AES128-GCM-SHA256
postfix/smtpd[123]: 1A2B3C4D5E: SSL/TLS handshake failed: no common cipher suites
postfix/smtpd[123]: 1A2B3C4D5E: warning: no common cipher suites found for TLS negotiation
postfix/smtpd[123]: 1A2B3C4D5E: disconnect from mail.example.com[192.0.2.1] ehlo=1 starttls=0/1

What else could be wrong? Incompatible certificate!

The error:0A0000C1:SSL routines::no shared cipher could also be caused by the different types of certificates. In that case, you would see that there are common cipher suites on the lists, but they are not used.

For example, your server could have only an ECC certificate available while the client only supports RSA certificates. That would give exactly the error you got, and your debugging attempt would be very confusing, showing something like this:

postfix/smtpd[123]: 1A2B3C4D5E: cipher suites offered by mail.example.com: ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-GCM-SHA384
postfix/smtpd[123]: 1A2B3C4D5E: cipher suites offered by server: ECDHE-RSA-AES256-GCM-SHA384, AES128-SHA256, AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256
postfix/smtpd[123]: 1A2B3C4D5E: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:

This has happened a lot after Let's Encrypt started issuing ECC certificates by default:

Esa Jokinen
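As an added example (not part of the question or the answer above), a small Python checker that parses log lines in the format the answer shows, intersects the suites the client and the server offered, and flags the RSA-versus-ECDSA certificate mismatch the answer describes. The server's certificate key types are passed in by the operator because the log lines do not record them; the sample log is constructed.

```python
import re
from collections import defaultdict

# Constructed excerpt in the log format the answer above shows (not real Postfix output).
SAMPLE_LOG = """\
postfix/smtpd[123]: 1A2B3C4D5E: cipher suites offered by mail.example.com: ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-AES128-GCM-SHA256, DHE-RSA-AES256-GCM-SHA384
postfix/smtpd[123]: 1A2B3C4D5E: cipher suites offered by server: ECDHE-RSA-AES256-GCM-SHA384, AES128-SHA256, AES128-GCM-SHA256, ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256
postfix/smtpd[123]: 1A2B3C4D5E: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:
"""

OFFER_RE = re.compile(r": (?P<qid>[0-9A-F]+): cipher suites offered by (?P<who>\S+): (?P<suites>.+)$")
FAIL_RE = re.compile(r": (?P<qid>[0-9A-F]+): .*no (shared|common) cipher")


def key_type(suite):
    """Certificate key type a TLS 1.2 suite name requires (OpenSSL naming)."""
    return "ECDSA" if "ECDSA" in suite else "RSA"  # ECDHE-RSA-*, DHE-RSA-*, AES*-* all need RSA


def diagnose(log_text, server_cert_types):
    """Map each failed queue id to (verdict, common_suites).

    server_cert_types is supplied by the operator (assumption), e.g. {"ECDSA"} for a
    server that only has a Let's Encrypt ECC certificate configured.
    """
    offers = defaultdict(dict)
    failed = set()
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            side = "server" if m["who"] == "server" else "client"
            offers[m["qid"]][side] = [s.strip() for s in m["suites"].split(",")]
            continue
        m = FAIL_RE.search(line)
        if m:
            failed.add(m["qid"])
    verdicts = {}
    for qid in sorted(failed):
        client = offers[qid].get("client", [])
        server = offers[qid].get("server", [])
        common = [s for s in client if s in server]  # keep the client's preference order
        if not common:
            verdicts[qid] = ("NO_COMMON_SUITE", common)
        elif not any(key_type(s) in server_cert_types for s in common):
            verdicts[qid] = ("CERT_TYPE_MISMATCH", common)  # the case the answer warns about
        else:
            verdicts[qid] = ("COMMON_SUITE_USABLE", common)
    return verdicts


if __name__ == "__main__":
    for qid, (verdict, common) in diagnose(SAMPLE_LOG, {"ECDSA"}).items():
        print(qid, verdict, ", ".join(common) or "-")
```

With only an ECDSA certificate configured the constructed log yields CERT_TYPE_MISMATCH for the single RSA-keyed suite both sides share; with an RSA certificate as well it becomes COMMON_SUITE_USABLE, so the cause must lie elsewhere.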