Hi,
I've been debugging this problem for some hours w/o any result and w/o understanding what postfix does.
PROBLEM: postfix 3.3.0 (ubuntu server) complains:
2021-11-11T08:05:56.523648+01:00 srv-mx-001 postfix/smtp[128867]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
An extract of the relevant main.cf config is:
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 0
smtp_tls_session_cache_timeout = 7200s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
relayhost = [smtpa.zhaw.ch]:465 # Exchange Server
SITUATION:
Mails are sent fine, but the warning is disturbing. tcpdump verifies that a TLSv1.1 connection is established with the exchange server.
After adding "smtp_tls_wrappermode = yes" to main.cf mails are stuck in the queue and the maillog notes:
2021-11-10T15:35:58.486907+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect:before SSL initialization
2021-11-10T15:35:58.487233+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect:SSLv3/TLS write client hello
2021-11-10T15:35:58.488035+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect:error in error
2021-11-10T15:35:58.488197+01:00 srv-mx-001 postfix/smtp[77257]: SSL_connect error to smtpa.zhaw.ch[160.85.196.22]:465: -1
2021-11-10T15:35:58.488403+01:00 srv-mx-001 postfix/smtp[77257]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
2021-11-10T15:35:58.488573+01:00 srv-mx-001 postfix/smtp[77257]: remove session smtp&[smtpa.zhaw.ch]:465&smtpa.zhaw.ch&160.85.196.22&&C446696C381BB4783617E247C83E64CA02BCF13BDDA1472FA70290A9E56E2965 from client cache
2021-11-10T15:35:58.488790+01:00 srv-mx-001 postfix/tlsmgr[77254]: delete smtp session id=smtp&[smtpa.zhaw.ch]:465&smtpa.zhaw.ch&160.85.196.22&&C446696C381BB4783617E247C83E64CA02BCF13BDDA1472FA70290A9E56E2965
2021-11-10T15:35:58.497053+01:00 srv-mx-001 postfix/smtp[77257]: 7156C3FAA3: to=luri@zhaw.ch, relay=smtpa.zhaw.ch[160.85.196.22]:465, delay=0.03, delays=0.01/0.01/0/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
tcpdump shows that postfix tried to connect with TLSv1 and this will expectedly fail.
Why does postfix change from TLSv1.1 to TLSv1? How can I fix this?
Thank you and kind regards,
Uri Liebeskind
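Added example, not part of the post above: a small Python lint that applies the rule quoted in the warning (a relayhost on TCP port 465 requires smtp_tls_wrappermode = yes and smtp_tls_security_level = encrypt or stronger) to a main.cf extract, using the poster's own settings as constructed sample input. The main.cf reader, the ENCRYPT_OR_STRONGER set and the function names are this example's own simplifications, not Postfix code.

```python
import re
from typing import Dict, List

# Constructed sample: the main.cf extract from the post, one setting per line.
SAMPLE_MAIN_CF = """\
smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 0
smtp_tls_session_cache_timeout = 7200s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
relayhost = [smtpa.zhaw.ch]:465 # Exchange Server
"""

# smtp(8) client security levels that count as "encrypt (or stronger)".
ENCRYPT_OR_STRONGER = {"encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text: str) -> Dict[str, str]:
    """Minimal main.cf reader: 'name = value' lines, whole-line '#' comments,
    and whitespace-indented continuation lines appended to the previous value."""
    params: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:  # continuation of the previous setting
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def relay_port(relayhost: str) -> int:
    """Port of the first relayhost token ([host]:port, host:port or bare host,
    which implies port 25). Anything after the first token is ignored."""
    tokens = relayhost.split()
    first = tokens[0] if tokens else ""
    m = re.match(r"^(?:\[[^\]]*\]|[^\s:\[]+)(?::(\d+))?$", first)
    return int(m.group(1)) if m and m.group(1) else 25


def lint_wrappermode(text: str) -> List[str]:
    """Return findings for the port-465 inconsistency that Postfix 3.3 warns about."""
    p = parse_main_cf(text)
    port = relay_port(p.get("relayhost", ""))
    wrapper = p.get("smtp_tls_wrappermode", "no").lower() == "yes"
    level = p.get("smtp_tls_security_level", "").lower()
    findings: List[str] = []
    if port == 465 and not wrapper:
        findings.append("relayhost uses TCP port 465 but smtp_tls_wrappermode is not 'yes'")
    if (port == 465 or wrapper) and level not in ENCRYPT_OR_STRONGER:
        findings.append(f"smtp_tls_security_level = '{level}' is weaker than 'encrypt'")
    return findings
```

Run against the posted extract it reports exactly the missing smtp_tls_wrappermode setting; it does not judge whether the remote port really speaks wrapper-mode TLS, which only the handshake log or a packet capture can show.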