Issue with an older app after upgrade

sander-schippers · February 17, 2020, 6:57am

Hello,

Yesterday, I ran the upgrade to V0.44 and it works perfect.

After a couple of hours, I got one user with some custom softsware, who has problems sending email.
After some investigation, it seems the software is using “older” TLS authentication.

There are two solutions in this case.
1 (the right one) - fix the software
2. temporary allow less secure TLS.

On the last part, is my question.

Can I just replace these strings for the “old ones”

tls_medium_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA

smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1

smtpd_tls_mandatory_ciphers=high

tls_high_cipherlist=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

smtpd_tls_mandatory_exclude_ciphers=aNULL,DES,3DES,MD5,DES+MD5,RC4

tls_preempt_cipherlist=no

smtp_tls_mandatory_ciphers=high

and restart postfix or do I forget something

sander-schippers · February 17, 2020, 9:10am

Item can be closed.

After having contact with the author of the specific application, he fixed the application to support TLS 1.2

Problem solved

alento · February 17, 2020, 3:29pm

This is absolutely the best outcome.

sander-schippers · February 17, 2020, 7:47pm

It was a .net application. 4.6 should support TLS1.2 out of the box; 4.5 with an extra setting did the trick. It seems, there is a .net 4.6.1, but I’m unfamiliar with .net at all

Just direct contact with the developer; provided him a test-account, some testing on both sides and it was fixed within 15 minutes

JoshData · February 18, 2020, 11:27am

Thanks for reporting the issue. TLS compatibility is probably the hardest thing for us to figure out because we have no way to know what other devices/applications users are using. So the fact that you had something break but that it was easy to fix is a good data point for us to keep in mind.

alento · February 18, 2020, 2:56pm

@JoshData I am working with someone in Slack with the same issue (or similar) … actually the difference is that he’s not yet upgraded to v 0.44.

Maybe you’d like to join us there? Honestly, this issue is a little bit above my pay grade, but I am at the stage of just trying to troubleshoot with him.