postfix smtpd per server ssl setting

10 Dec 2016


      Hallo.
ich finde gerade die Lösung nicht im startpage.com.
Es gibt 3 Server von einem Kunden die es einfach nicht schaffen mit 
meinem Server eine SSL Verbindung aufzubauen.
Ich habe bereits wieder SSLv3 aktiviert und trotzdem bekomme ich immer 
diesen Fehler.
postfix/smtpd[27053]: SSL_accept error from <SERVER>: -1
Nun wollte ich diese Maschinen explizit aus dem SSL rausnehmen so ala 
"smtpd_tls_security_level = none" oder STARTTLS ganz deaktivieren für 
diese Server.
Geht das im
postconf mail_version
mail_version = 2.11.0
LG
Aleks
### postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
config_directory = /etc/postfix
content_filter = smtp-amavis:127.0.0.1:10024
dovecot_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
mailbox_size_limit = 0
message_size_limit = 51200000
mydestination = localhost.none.at, localhost
myhostname = smtp.none.at
myorigin = /etc/mailname
policy-spf_time_limit = 3600s
postscreen_access_list = 
permit_mynetworks,cidr:/etc/postfix/postscreen_access.cidr, 
cidr:/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_bare_newline_action = enforce
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*2 bl.spamcop.net*1 
b.barracudacentral.org*1 ix.dnsbl.manitu.net*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
readme_directory = /usr/share/doc/postfix
recipient_delimiter = -
relayhost =
smtp_bind_address = 5.9.105.120
smtp_dns_support_level = dnssec
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aNULL MD5 SRP PSK aKRB5 aDSS aECDH aDH SEED 
IDEA RC2 RC5
smtp_tls_loglevel = 1
smtp_tls_mandatory_exclude_ciphers = aNULL MD5
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy_maps
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_helo_required = yes
smtpd_proxy_timeout = 240s
smtpd_relay_restrictions = check_helo_access 
hash:/etc/postfix/helo_checks, check_client_access 
hash:/etc/postfix/client_checks, permit_sasl_authenticated, 
reject_invalid_hostname, reject_non_fqdn_hostname, 
reject_non_fqdn_sender, reject_non_fqdn_recipient, 
reject_unknown_sender_domain, reject_unknown_recipient_domain, 
reject_unknown_client, reject_unknown_hostname, permit_mynetworks, 
reject_unauth_destination, check_policy_service unix:private/policy-spf, 
check_recipient_access pcre:/etc/postfix/smtpd_recipient_checks.pcre, 
check_recipient_access hash:/etc/postfix/recipient_checks, 
check_sender_access hash:/etc/postfix/sender_checks, check_sender_access 
pcre:/etc/postfix/sender_checks.pcre, check_client_access 
pcre:/etc/postfix/client_checks.pcre, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/smtp.none.at.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/ssl/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/ssl/dh_512.pem
smtpd_tls_eccert_file = /etc/ssl/smtp.none.at.ecc.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL MD5 SRP PSK aKRB5 aDSS aECDH aDH SEED 
IDEA RC2 RC5
smtpd_tls_key_file = /etc/ssl/smtp.none.at.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = aNULL
smtpd_tls_mandatory_protocols = TLSv1 SSLv3
smtpd_tls_protocols = !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
tls_export_cipherlist = aNULL:-aNULL:ALL:-RC4:@STRENGTH
tls_high_cipherlist = 
ECDHE-ECDSA-AES256-SHA:EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!MEDIUM:!RC4:!aNULL:!eNULL:!EXP:!LOW:!MD5:@STRENGTH
tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:-RC4:@STRENGTH
tls_medium_cipherlist = 
ECDHE-ECDSA-AES256-SHA:EECDH+AES:EDH+AES:-SHA1:EECDH+AES256:EDH+AES256:AES256-SHA:!RC4:!aNULL:!eNULL:!EXP:!LOW:!MD5:@STRENGTH
tls_preempt_cipherlist = yes
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = 
proxy:mysql:/etc/postfix/mysql-virtual-alias-maps.cf
virtual_mailbox_domains = 
proxy:mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = 
proxy:mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_transport = dovecot
###

Aleksandar Lazic (pf-u-de)

tags (0)

participants (1)