mozilla / ssl-config-generator

Mozilla SSL Configuration Generator
https://ssl-config.mozilla.org/
Mozilla Public License 2.0

Postfix 3.5.6 (intermediate): SSL_accept error (no shared cipher) with Amazon SES #157

Open sebastianlipponer opened 2 years ago

sebastianlipponer commented 2 years ago

Using Postfix 3.5.6 (Debian Bullseye) with the intermediate configuration and an RSA certificate, I see this error with mails received via Amazon SES:

SSL_accept error from a1-161.smtp-out.eu-west-1.amazonses.com[54.240.1.161]: -1
warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:

I also found this excellent blog post. According to the author adding ECDHE-RSA-AES256-SHA384 to the cipher list solves the problem.

tomato42 commented 2 years ago

That's a misconfiguration on Amazon's side.

sebastianlipponer commented 2 years ago

Yes, indeed, I reported this also to AWS. Hopefully they will fix it soon. However, I just wonder, given the widespread use of Amazon SES, whether it is a good idea to recommend this configuration for almost all systems since I guess the transfer happens in plain text then.

polarathene commented 2 years ago

ECDHE-RSA-AES256-SHA384

To clarify, this cipher has forward secrecy and is generally fine, but the main concern for it not being part of intermediate is due to its use of CBC, which has proven to be less reliably secure than AEAD ciphers, right?

In practice, it's fine to use AFAIK, should no better ciphers be available, but without the cipher list containing all AEAD ciphers, it is then advised to require server preference in cipher choice, not client preference? (Thus the order in the list matters.)
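To make both points in this thread checkable offline (the reporter's "no shared cipher" failure against the intermediate list, and polarathene's question about whether server preference keeps AEAD suites ahead of an appended CBC suite), here is an added example. It is not code from the ssl-config-generator project, Postfix or Amazon. It uses the local OpenSSL, through Python's `ssl` module, to expand cipher-list strings the way Postfix expands `tls_medium_cipherlist`, then models how an OpenSSL server picks a TLS 1.2 suite from its own list and the client's offer. The `INTERMEDIATE` string is assumed to match the shape of the generator's intermediate Postfix profile (check the generator's current output), and both client offers are constructed for illustration, not captures of what amazonses.com sends. Requires Python 3.6+ for `SSLContext.get_ciphers()`.

```python
"""Model of the cipher negotiation behind Postfix's "no shared cipher" error.

Added example; not code from the ssl-config-generator project, Postfix or Amazon.
It expands cipher-list strings with the local OpenSSL (via Python's ssl module),
the same way Postfix expands tls_medium_cipherlist, then models how an OpenSSL
server picks a TLS 1.2 suite from its list and the client's offer. The client
offers are CONSTRUCTED for illustration, not captures of real amazonses.com hellos.
"""
import ssl

# Suite list in the shape of the generator's intermediate Postfix profile
# (assumed; compare with the generator's current output before relying on it).
INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# The workaround from the issue: the same list with one CBC suite appended at
# the END, so the AEAD suites keep priority when the server's order is enforced.
WORKAROUND = INTERMEDIATE + ":ECDHE-RSA-AES256-SHA384"

# Constructed offer: a client that only speaks CBC suites.
CBC_ONLY_OFFER = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256", "AES256-SHA256"]
# Constructed offer: a client that lists a CBC suite ahead of an AEAD suite.
CBC_FIRST_OFFER = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]


def is_aead(name):
    """AEAD suites carry GCM, CCM or POLY1305 in their OpenSSL name."""
    return any(tag in name for tag in ("GCM", "CCM", "POLY1305"))


def expand(cipher_string, cert_kind="RSA"):
    """Expand an OpenSSL cipher-list string to the TLS 1.2 suite names the local
    OpenSSL enables for it, keeping only suites usable with the server's
    certificate type (ECDHE-ECDSA-* suites need an ECDSA certificate)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    names = []
    for c in ctx.get_ciphers():
        if c["protocol"] != "TLSv1.2":
            continue  # TLS 1.3 suites are chosen separately; not relevant here
        if cert_kind == "RSA" and "ECDSA" in c["name"]:
            continue
        if cert_kind == "ECDSA" and "ECDSA" not in c["name"]:
            continue
        names.append(c["name"])
    return names


def negotiate(server_suites, client_offer, server_preference):
    """Select a suite the way OpenSSL's server does: with server preference
    (Postfix tls_preempt_cipherlist = yes) the server's order wins, otherwise
    the client's order wins. None stands for the 'no shared cipher' alert."""
    first, second = (server_suites, client_offer) if server_preference else (client_offer, server_suites)
    for suite in first:
        if suite in second:
            return suite
    return None


def diagnose(cipher_string, client_offer, server_preference=False):
    """Return the suite a server configured with cipher_string would pick, or
    None for a failed handshake like the SSL_accept error in the report."""
    return negotiate(expand(cipher_string), client_offer, server_preference)


if __name__ == "__main__":
    for label, cfg in (("intermediate", INTERMEDIATE), ("workaround", WORKAROUND)):
        for pref in (False, True):
            for offer_name, offer in (("cbc-only", CBC_ONLY_OFFER), ("cbc-first", CBC_FIRST_OFFER)):
                chosen = diagnose(cfg, offer, pref)
                verdict = "no shared cipher" if chosen is None else f"{chosen} (aead={is_aead(chosen)})"
                print(f"{label:12} server_pref={pref!s:5} {offer_name:9} -> {verdict}")
```

In Postfix terms, the server list here is `tls_medium_cipherlist` (used when `smtpd_tls_ciphers` / `smtpd_tls_mandatory_ciphers` are `medium`) and server preference is `tls_preempt_cipherlist = yes`. The model shows the trade-off behind the question above: appending the CBC suite lets a CBC-only client connect, and with server preference a client that merely lists CBC first still ends up on an AEAD suite; with client preference (the default `tls_preempt_cipherlist = no`) that client gets CBC. To check a live server rather than the model, `openssl s_client -starttls smtp -connect mail.example.org:25 -tls1_2 -cipher ECDHE-RSA-AES256-SHA384` (hostname assumed) either completes the handshake or fails with the same "no shared cipher" alert.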