Cannot start TLS: handshake failure

poetry
May 28, 2020
Hello,

In the tracking center we are noticing "Cannot start TLS: handshake failure" errors for one domain only (the MX records for this domain point to our mail filter, which filters mail and delivers it to the end mail server). Below are examples from the log with customer info removed:

Code:
postfix/smtp[13413]: A82601E02CC: to=<customer info>, relay=mail.server.com[1.1.1.1]:25, delay=0.15, delays=0/0/0.14/0, dsn=4.7.5, status=undeliverable (Cannot start TLS: handshake failure)

Code:
postfix/smtpd[13350]: connect from mail1.server.com[1.1.1.2]
postfix/smtpd[13350]: Anonymous TLS connection established from mail1.server.com[1.1.1.2]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
postfix/smtpd[13350]: NOQUEUE: reject: RCPT from mail1.server.com[1.1.1.2]: 450 4.1.1 <customer info>: Recipient address rejected: unverified address: Cannot start TLS: handshake failure; from=<customer info> to=<customer info> proto=ESMTP helo=<mail1.server.com>
postfix/smtpd[13350]: disconnect from mail1.server.com[1.1.1.2] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

Any advice how to resolve this?

We would like to keep TLS enabled if possible. This is only happening for one domain; others have no problems.
(screenshot: tls.png)

Thank you!
 
Quote:
and delivers mail to end mail server
On a hunch: is the end mail server maybe an older installation (and maybe even Exchange)?
Some older servers use outdated and broken SSL ciphers, and it's not possible to get a TLS session started with a somewhat recent TLS implementation.

Could you try to disable TLS for this domain?
-> create a TLS Destination Policy for the domain and one for the transport entry - see https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration (4.6.9)
the transport entry is the literal line from /etc/pmg/transport for this domain
use 'none' as policy

If delivery works you can check if there's a particular configuration for postfix to make it compatible with the downstream server


I hope this helps!
 
@Stoiko Ivanov Thank you for this. You are right, it's an Exchange server.

I tried to add the domain to the TLS destination policy set to none, but it's still the same.
We already have the domain added in transports, so everything sent to this domain is forwarded to their mail server.
Tried to restart the postfix service and it's the same. Will try to restart the whole server later, as there is too much traffic now to do so.

This is how it's added:
(screenshots: example1.png, example2.png)

Should be ok right?
 
Quote:
Should be ok right?
Not quite - as written above - for downstream servers you need to add a 'next-hop-destination' entry in the tlspolicy table, not only the domain.

for example if the domain is 'test.com':
Code:
# grep test.com /etc/pmg/transport
test.com smtp:[192.168.0.20]:25
then you need to enter 'smtp:[192.168.0.20]:25' as Destination in the tls policy edit window

From your example I guess (but please grep in the transport file as shown above) the entry should be
`smtp:mail.example.com:25`

This should be reflected directly (if not you can try to restart postfix: `systemctl restart postfix`) in the mail logs (no more TLS connection established to mail.example.com)

There is no need to restart the whole PMG

I hope this helps!
 
@Stoiko Ivanov thank you for the clarification. I have done the grep; the result is
Code:
example.com smtp:[mail.example.com]:25

I have added this
(screenshot: 1611325059127.png)

This should work, but it does not for some reason. Tried restarting the postfix service and tried adding different variations of the destination without [ and with different policy settings, without success.

EDIT: Also tried to change mail.example.com to IP address of the server and tried also to restart the whole proxmox without any success...
 
Sorry - my mistake - the smtp: prefix is wrong (had to play around with the syntax myself).

try:
Code:
[mail.example.com]:25
* restart postfix afterwards
and if this does not work in that order:
* drop the square-brackets around mail.example.com
* drop the :25 in the end
* both of those ...
(restarting postfix after each step)


I hope this helps!
 
@Stoiko Ivanov it kind of works if you use [mail.example.com]:25. The first type of errors dsn=4.7.5, status=undeliverable (Cannot start TLS: handshake failure) are gone.

I still see this kind of errors:
Code:
postfix/smtpd[1071]: connect from sender.server.com[1.2.3.4]
postfix/smtpd[1071]: Anonymous TLS connection established from sender.server.com[1.2.3.4]: TLSv1 with cipher AES128-SHA (128/128 bits)
postfix/smtpd[1071]: NOQUEUE: reject: RCPT from sender.server.com[1.2.3.4]: 450 4.1.1 <receiver@example.com>: Recipient address rejected: unverified address: Cannot start TLS: handshake failure; from=<sender@sender.server.com> to=<receiver@example.com> proto=ESMTP helo=<sender.server.com>
postfix/smtpd[1071]: disconnect from sender.server.com[1.2.3.4] ehlo=2 starttls=1 mail=1 rcpt=0/1 quit=1 commands=5/6

Should this not completely disable TLS for this domain? Makes no sense why there are still errors...
 
Quote:
Should this not completely disable TLS for this domain? Makes no sense why there are still errors...
No, this disables the outbound TLS connection to the server.
Inbound is (currently) not configurable - you'd need to fix the Exchange config (so that it does not try to initiate a TLS session). Alternatively, maybe try to search the web for the particular Exchange version and postfix interoperability - maybe you can configure the postfix instances so that it accepts connections from Exchange
(configuration needs to happen via the templating system on PMG:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine).

I hope this helps!
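Two things in this thread are easy to get wrong when reading the logs: the outbound failure (postfix/smtp, "status=undeliverable") that the TLS destination policy fixes, and the inbound reject (postfix/smtpd, "Recipient address rejected: unverified address") that it does not, plus the mapping from the /etc/pmg/transport line to the tlspolicy destination. The script below is an added example, not code from the thread or from Proxmox; it assumes the Postfix log format exactly as quoted above, the log lines in it are constructed (example.* hostnames, RFC 5737 addresses), and the function and regex names are my own.

```python
"""Classify Postfix log lines for "Cannot start TLS" failures and derive the
PMG tlspolicy destination from a transport entry (added example)."""
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread.
SAMPLE_LOG = """\
postfix/smtp[13413]: A82601E02CC: to=<user@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.15, delays=0/0/0.14/0, dsn=4.7.5, status=undeliverable (Cannot start TLS: handshake failure)
postfix/smtpd[1071]: connect from sender.example.net[198.51.100.4]
postfix/smtpd[1071]: Anonymous TLS connection established from sender.example.net[198.51.100.4]: TLSv1 with cipher AES128-SHA (128/128 bits)
postfix/smtpd[1071]: NOQUEUE: reject: RCPT from sender.example.net[198.51.100.4]: 450 4.1.1 <user@example.com>: Recipient address rejected: unverified address: Cannot start TLS: handshake failure; from=<someone@sender.example.net> to=<user@example.com> proto=ESMTP helo=<sender.example.net>
postfix/smtpd[13350]: Anonymous TLS connection established from mail1.example.org[203.0.113.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
postfix/smtp[13414]: B12345ABCDE: to=<other@example.org>, relay=mx.example.org[203.0.113.8]:25, delay=0.2, delays=0/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

TLS_FAILURE = "Cannot start TLS: handshake failure"
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Outbound delivery attempt by the smtp client (postfix/smtp, not smtpd).
_OUTBOUND = re.compile(
    r"postfix/smtp\[\d+\]: \w+: to=<(?P<to>[^>]*)>, relay=(?P<relay>[^\[\s,]+)"
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
# Inbound RCPT rejected because the recipient-address verification probe failed.
_VERIFY_REJECT = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>[^\[\s]+)\[[^\]]*\]: "
    r"(?P<code>\d{3}) (?P<dsn>[\d.]+) <(?P<rcpt>[^>]*)>: Recipient address rejected: "
    r"unverified address: (?P<reason>[^;]*);"
)
# Inbound TLS session negotiated by smtpd (Anonymous/Trusted/Untrusted/Verified).
_INBOUND_TLS = re.compile(
    r"postfix/smtpd\[\d+\]: \w+ TLS connection established from (?P<client>[^\[\s]+)\[[^\]]*\]: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)


def classify(line):
    """Return (kind, fields) for a recognised log line, or None."""
    m = _OUTBOUND.search(line)
    if m:
        kind = "outbound_tls_failure" if TLS_FAILURE in m["reason"] else "outbound_" + m["status"]
        return kind, m.groupdict()
    m = _VERIFY_REJECT.search(line)
    if m:
        kind = "verify_tls_failure" if TLS_FAILURE in m["reason"] else "verify_reject"
        return kind, m.groupdict()
    m = _INBOUND_TLS.search(line)
    if m:
        return "inbound_tls", m.groupdict()
    return None


def summarize(log_text):
    """Count TLS failures per downstream relay and per sending client, and note
    clients that still negotiate legacy protocol versions with us."""
    out = {"outbound_tls_failures": Counter(), "verify_tls_failures": Counter(),
           "legacy_tls_clients": {}}
    for line in log_text.splitlines():
        hit = classify(line)
        if not hit:
            continue
        kind, f = hit
        if kind == "outbound_tls_failure":
            out["outbound_tls_failures"][f["relay"]] += 1
        elif kind == "verify_tls_failure":
            out["verify_tls_failures"][f["client"]] += 1
        elif kind == "inbound_tls" and f["proto"] in LEGACY_PROTOCOLS:
            out["legacy_tls_clients"][f["client"]] = f["proto"]
    return out


_TRANSPORT = re.compile(r"^(?P<domain>\S+)\s+(?P<transport>[a-z]+):(?P<nexthop>\S+)$")
_NEXTHOP = re.compile(r"^(?P<br>\[)?(?P<host>[^\[\]:]+)\]?(?::(?P<port>\d+))?$")


def tls_policy_destination(transport_line):
    """'example.com smtp:[mail.example.com]:25' -> '[mail.example.com]:25', i.e. the
    transport entry without the 'smtp:' prefix, as used for the tlspolicy destination."""
    m = _TRANSPORT.match(transport_line.strip())
    if not m:
        raise ValueError(f"not a transport entry: {transport_line!r}")
    return m["nexthop"]


def destination_variants(destination):
    """Candidate spellings in the order suggested above: as-is, without brackets,
    without port, without both. Bare IPv6 next-hops are not handled."""
    m = _NEXTHOP.match(destination)
    if not m:
        raise ValueError(f"unrecognised next-hop: {destination!r}")
    host, port = m["host"], m["port"]
    variants = [destination]
    if m["br"]:
        variants.append(host + (f":{port}" if port else ""))
    if port:
        variants.append(f"[{host}]" if m["br"] else host)
    if m["br"] and port:
        variants.append(host)
    return list(dict.fromkeys(variants))  # de-duplicate, keep order


if __name__ == "__main__":
    print(tls_policy_destination("example.com smtp:[mail.example.com]:25"))
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value))
```

Run against a real mail.log, a non-empty "verify_tls_failures" after the outbound policy is in place points at the inbound verification path rather than at the policy itself, which is the distinction made in the last reply.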
 