TLS handshake fails ("SSL_accept:error in error") for server->server connection (smtp submit dovecot->postfix) if /etc/pki/tls/openssl.cnf "Options=" includes 'ServerPreference' ?

PGNet Dev at
Fri Sep 25 14:36:44 UTC 2020

On 9/25/20 12:18 AM, Viktor Dukhovni wrote:
> On Thu, Sep 24, 2020 at 09:26:26PM -0700, PGNet Dev wrote:
> I must lodge a complaint on wasting my time here

seems you're done, then.

thx anyway.

> you intimated that just changing openssl.cnf makes the difference.

i didn't 'intimate'.

i stated so. as that is exactly/only what's changed.
and the change it causes has been documented.

> But that is clearly not the case, because you're testing different server endpoints, with port
> 60465 for the "working" case, and "465" for the non-working case.

that's simply not the case

as stated

 60465 is the dovecot submission port
 465 is the postfix submission port

the mua submits to dovecot at port 60465
dovecot resubmits to postfix at port 465

that same configuration is used in each/every test.

again, the ONLY thing that changed between the 'working' and 'failed' cases is the setting in openssl.cnf

I never directly submit to 465

> It seems likely that you don't have TLS wrapper mode on port 60465.

port 60465 is, and always has been, configured for implicit SSL -- not starttls usage.

