0

I am getting this error in the /var/log/mail.log

postfix/smtp[21774]: SSL_connect error to mta5.am0.yahoodns.net[67.195.204.79]:25: Connection timed out
postfix/smtp[21774]: 1BD3462808: Cannot start TLS: handshake failure

I am able to send on Gmail and Yandex they are receiving the mail but yahoo is not receiving

I am on ubuntu 18.04, postfix SMTP server. I have set the DKIM and SPF record and set the rDNS and MX records.

Is there anything I missed? Please help to solve this.

this is the output of /usr/sbin/postconf -p|grep smtp_tls_

proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $sender_bcc_maps $recipient_bcc_maps $smtp_generic_maps $lmtp_generic_maps $alias_maps $smtpd_client_restrictions $smtpd_helo_restrictions $smtpd_sender_restrictions $smtpd_relay_restrictions $smtpd_recipient_restrictions $address_verify_sender_dependent_default_transport_maps $address_verify_sender_dependent_relayhost_maps $address_verify_transport_maps $fallback_transport_maps $lmtp_discard_lhlo_keyword_address_maps $lmtp_pix_workaround_maps $lmtp_sasl_password_maps $lmtp_tls_policy_maps $mailbox_command_maps $mailbox_transport_maps $postscreen_discard_ehlo_keyword_address_maps $rbl_reply_maps $sender_dependent_default_transport_maps $sender_dependent_relayhost_maps $smtp_discard_ehlo_keyword_address_maps $smtp_pix_workaround_maps $smtp_sasl_password_maps $smtp_tls_policy_maps $smtpd_discard_ehlo_keyword_address_maps $smtpd_milter_maps $virtual_gid_maps $virtual_uid_maps
    smtp_tls_CAfile =
    smtp_tls_CApath =
    smtp_tls_block_early_mail_reply = no
    smtp_tls_cert_file =
    smtp_tls_ciphers = medium
    smtp_tls_dane_insecure_mx_policy = dane
    smtp_tls_dcert_file =
    smtp_tls_dkey_file = $smtp_tls_dcert_file
    smtp_tls_eccert_file =
    smtp_tls_eckey_file = $smtp_tls_eccert_file
    smtp_tls_enforce_peername = yes
    smtp_tls_exclude_ciphers =
    smtp_tls_fingerprint_cert_match =
    smtp_tls_fingerprint_digest = md5
    smtp_tls_force_insecure_host_tlsa_lookup = no
    smtp_tls_key_file = $smtp_tls_cert_file
    smtp_tls_loglevel = 1
    smtp_tls_mandatory_ciphers = medium
    smtp_tls_mandatory_exclude_ciphers =
    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_note_starttls_offer = no
    smtp_tls_per_site =
    smtp_tls_policy_maps =
    smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
    smtp_tls_scert_verifydepth = 9
    smtp_tls_secure_cert_match = nexthop, dot-nexthop
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_tls_session_cache_timeout = 3600s
    smtp_tls_trust_anchor_file =
    smtp_tls_verify_cert_match = hostname
    smtp_tls_wrappermode = no
Akshay Rana Gujjar
  • 1
  • 1

1 Answers1

-1

Unless you are using it for another purpose, remove the smtp_tls_security_level option.

Your server is saying "I can do TLS if you want". Gmail and Yandex do not care, but Yahoo is probably saying that if you do TLS then you must provide a good certificate, which you are not.

Therefore, either turn off client TLS (as above), or alternatively debug the TLS connection and find the problem - you are disabling most protocols, so there may be no overlap with what Yahoo supports etc.

tater
  • 1,445
  • 2
  • 10
  • 12
  • TLS **client auth** for smtp clients is configured in `smtp_tls_*cert_file` or (preferably) `smtp_tls_chain_files` - and those are empty in OP. I am delivering mail **to** Yahoo just fine via TLS1.2 with `smtp_tls_security_level` set to `may` (or `encrypt`, for that matter). – anx Nov 07 '20 at 01:08