• 6
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

A PCI scan told me to stop using TLS 1.0 for e-mail. I'm using postfix, so I disabled TLS 1.0, and all traffic for 1.0 stopped. Then the next day I looked at the logs and I see a lot of this...

connect from 66-220-155-139.outmail.facebook.com[66.220.155.139]
SSL_accept error from 66-220-155-139.outmail.facebook.com[66.220.155.139]: -1
warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
lost connection after STARTTLS from 66-220-155-139.outmail.facebook.com[66.220.155.139]
disconnect from 66-220-155-139.outmail.facebook.com[66.220.155.139]

I contacted a few of the admin of the servers. Turns our we are both using opportunistic TLS, but we don't have a common TLS protocal, they support 1.0 and I support 1.2. After a bit of googleing I think the problem is a failure to fail back to unencrypted after trying to negotiate TLS unsuccessfully.

So my question is. How do you configure postfix to only try unencrypted email with a fix list of IP address/domains?

Well I got it working, with a 2nd server.

server1 {only TLS 1.2}  DNS of MX value 30
server2 {TLS 1.0, 1.1, 1.2} DNS of MX value 35

Internet -->  Firewall(allow list of DNS email servers to server2) 
    --TLS(1.0)-> server2 --(with TLS1.2)-> server1

Check logs of server1 to get list of servers that need a firewall rule.

This method will hopefully allow me to control PCI junk better in the future.

===EDIT===

After about a mouth I can tell you trying to disable TLS 1.0 is difficult. I have been writing about 4 to 5 exceptions a day. Most are for banks, and financial related e-mail server. Also yahoo.com and paypal.com will not work with this solution they only try the first MX never the 2nd. I going to ask for an exception and look into running my spam filter in the cloud, so my e-mail server only had to accept mail from that cloud spam filter.

  • 1
Reply Report

For outgoing email, you can configure the TLS policy table in /etc/postfix/main.cf. Check this official documentation for more details and some examples.

For inbound email, please use combination of smtpd_sender_restriction and reject_plaintext_session as explained in these answer.

  • 0
Reply Report

Trending Tags