Postfix 3.4.9 SSL issues -- no shared cipher from servers using TLSv1

Question

Edit 1: I've narrowed it down to TLSv1 that both servers listed below (no others have failed yet) are attempting to use. I'll be contacting their webmasters requesting they stop using an insecure protocol but in the mean time would still like to figure out what cipher they're attempting to use and enable it for now. I've adjusted the title accordingly.

Edit 2: Added Postfix version to title

Edit 3: I've managed to use

smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/smtpd_discard_ehlo_keywords

with /etc/postfix/smtpd_discard_ehlo_keywords (filename unimportant) containing:

<broken-server-ip> starttls

I'm still curious as to what TLSv1 cipher these servers are using but now that I can just turn off TLS per host for these cases, I'm content. Leaving this here for anyone else who needs it.

----Original----

I started off running Debian Buster, and in trying to correct this have since moved to sid while troubleshooting this issue.

I've been fighting an issue where I'm unable to receive mail from a couple servers (mxa3.ubusinessmotion.net and ny-smtp-dmz02.dmz.priceline.com mainly)

Here are the relevant lines from my postfix log:

Mar  8 00:34:31 froxlor postfix/smtpd[67494]: setting up TLS connection from
mxa3.ubusinessmotion.net[208.27.251.227]
Mar  8 00:34:31 froxlor postfix/smtpd[67494]: mxa3.ubusinessmotion.net[208.27.251.227]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH"
Mar  8 00:34:31 froxlor postfix/smtpd[67494]: SSL_accept:before SSL initialization
Mar  8 00:34:31 froxlor postfix/smtpd[67494]: SSL_accept:before SSL initialization
Mar  8 00:34:31 froxlor postfix/smtpd[67494]: SSL3 alert write:fatal:handshake failure
Mar  8 00:34:31 froxlor postfix/smtpd[67494]: SSL_accept:error in error
Mar  8 00:34:31 froxlor postfix/smtpd[67494]: SSL_accept error from mxa3.ubusinessmotion.net[208.27.251.227]: -1
Mar  8 00:34:31 froxlor postfix/smtpd[67494]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2257:
Mar  8 00:34:31 froxlor postfix/smtpd[67494]: lost connection after STARTTLS from mxa3.ubusinessmotion.net[208.27.251.227]

and

Mar  8 00:18:31 froxlor postfix/smtpd[37732]: connect from ny-smtp-dmz02.dmz.priceline.com[64.6.20.6]
Mar  8 00:18:31 froxlor postfix/smtpd[37732]: setting up TLS connection from ny-smtp-dmz02.dmz.priceline.com[64.6.20.6]
Mar  8 00:18:31 froxlor postfix/smtpd[37732]: ny-smtp-dmz02.dmz.priceline.com[64.6.20.6]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH"
Mar  8 00:18:31 froxlor postfix/smtpd[37732]: SSL_accept:before SSL initialization
Mar  8 00:18:31 froxlor postfix/smtpd[37732]: SSL_accept:before SSL initialization
Mar  8 00:18:31 froxlor postfix/smtpd[37732]: SSL3 alert write:fatal:protocol version
Mar  8 00:18:31 froxlor postfix/smtpd[37732]: SSL_accept:error in error
Mar  8 00:18:31 froxlor postfix/smtpd[37732]: SSL_accept error from ny-smtp-dmz02.dmz.priceline.com[64.6.20.6]: -1
Mar  8 00:18:31 froxlor postfix/smtpd[37732]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:../ssl/statem/statem_srvr.c:1660:
Mar  8 00:18:31 froxlor postfix/smtpd[37732]: lost connection after STARTTLS from ny-smtp-dmz02.dmz.priceline.com[64.6.20.6]
Mar  8 00:18:31 froxlor postfix/smtpd[37732]: disconnect from ny-smtp-dmz02.dmz.priceline.com[64.6.20.6] ehlo=1 starttls=0/1 commands=1/2

and just for completeness here's one that comes through properly:

Mar  8 00:45:01 froxlor postfix/smtpd[67806]: connect from a27-96.smtp-out.us-west-2.amazonses.com[54.240.27.96]
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: setting up TLS connection from a27-96.smtp-out.us-west-2.amazonses.com[54.240.27.96]
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: a27-96.smtp-out.us-west-2.amazonses.com[54.240.27.96]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH"
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:before SSL initialization
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:before SSL initialization
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS read client hello
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS write server hello
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS write certificate
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS write key exchange
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS write server done
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS write server done
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS read client key exchange
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS read change cipher spec
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS read finished
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS write change cipher spec
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: SSL_accept:SSLv3/TLS write finished
Mar  8 00:45:01 froxlor postfix/smtpd[67806]: Anonymous TLS connection established from a27-96.smtp-out.us-west-2.amazonses.com[54.240.27.96]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-SHA384 (256/256 bits)
Mar  8 00:45:02 froxlor postfix/smtpd[67806]: A1B9E1C0096: client=a27-96.smtp-out.us-west-2.amazonses.com[54.240.27.96]
Mar  8 00:45:02 froxlor postfix/cleanup[67821]: A1B9E1C0096: message-id=<01010170b951a112-269a702a-ede4-4556-849b-e61b7f433063-000000@us-west-2.amazonses.com>
Mar  8 00:45:03 froxlor postfix/qmgr[67485]: A1B9E1C0096: from=<user@theirdomain.tld>, size=81292, nrcpt=1 (queue active)
Mar  8 00:45:04 froxlor postfix/pipe[67823]: A1B9E1C0096: to=<user@mydomain.tld>, relay=dovecot, delay=2.6, delays=2.1/0.01/0/0.47, dsn=2.0.0, status=sent (delivered via dovecot service)

I started with default TLS settings in /etc/postfix/main.cf and have since tried setting smtpd_tls_ciphers = export (and low, medium, high) and enabling/disabling SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 along with tls_ssl_options = NO_COMPRESSION and a bunch of other enabling and disabling of options that I unfortunately don't remember exactly at this point.

I'm using LetsEncrypt certificates generated by tools installed and configured with Froxlor and haven't messed with any of those settings.

Testing is a bit of a pain because they only retry every half hour or so, but (I think) I've narrowed it down to either SSLv3 or TLSv1 since if I disable those the error changes from "no shared cipher" to "unsupported protocol". I also haven't found a way to see what protocol they're trying to use even with the TLS logging set to 10.

The most recent thing I've done is build libssl1.1 from source with enable-weak-ssl-ciphers thinking maybe by default the ciphers being used by these senders weren't in the default package.

I'm probably overlooking something but none of my searching has borne fruit and I'm running out of hair to pull out. If anyone can give me a clue I'd greatly appreciate it. If I've left out any information I'll be happy to provide it. Thank you all in advance for taking the time to read this!

Answer 1

I've managed to use

smtpd_discard_ehlo_keyword_address_maps = hash:/etc/postfix/smtpd_discard_ehlo_keywords

with /etc/postfix/smtpd_discard_ehlo_keywords (filename unimportant) containing:

<broken-server-ip1> starttls
<broken-server-ip2> starttls

I'm still curious as to what TLSv1 cipher these servers are using but now that I can just turn off TLS per host for these cases, I'm content. Leaving this here for anyone else who needs it.