We use Postfix 2.9.4 and OpenSSL 0.9.8j-fips 07 Jan 2009 (SLES11 SP4).
We get this error message while sending mail to a specific recipient:
error:1408D13A:SSL routines:SSL3_GET_KEY_EXCHANGE:unable to find ecdh parameters:s3_clnt.c:1336
Reading the code in s3_clnt.c for our OpenSSL version, it says in a comment:
For now we only support named (not generic) curve and the ECParameters
in this case is just three bytes.
Analyzing the code, this is either not a named curve type or the parameter is out of range.
My question is: How do I teach our SMTP client (or else the receiving server) to omit this cipher/cipher suite or parameter set?
Best Answer
TLS Policy Per Domain
You can use the Postfix TLS Policy Map to create a list of domains and what TLS policies apply to them.
You can also change your global smtp and smtpd options in postfix to limit what ciphers may or must be used. Another option in this case would be to specify what ciphers to use as seen in TLS Forward Secrecy in Postfix and perhaps just use strong.
Here is an example /etc/postfix/tls_policy:
Then create the map with:
In /etc/postfix/main.cf you would need:
In /etc/postfix/main.cf you might try excluding ciphers with smtpd_tls_exclude_ciphers and smtpd_tls_mandatory_exclude_ciphers and/or set smtpd_tls_eecdh_grade = strong.
If adjusting the cipher exclusions or setting a tls_policy does not help, then you may want to consider updating openssl and postfix.