Amazon SES and Postfix's no shared cipher warning
Hello, $USER! Amazon Simple Email Service (SES) is an email service which allows developers to send mail from within any application, and “supports TLS 1.2, TLS 1.1, TLS 1.0 and SSLv2Hello”, as stated in the official documentation.
Problem
While registering at a few services (especially tawk[.]to and wpscan[.]com) I observed enormous message delivery latencies (about 8 hours) and the same warning from a few of Amazon’s IP addresses:
warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2283:
Full connection logs (TLS warnings omitted, connection events only):
Jul 31 14:29:10 hostname postfix/smtpd[973370]: connect from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:29:10 hostname postfix/smtpd[973370]: SSL_accept error from a14-42.smtp-out.amazonses.com[54.240.14.42]: -1
Jul 31 14:29:10 hostname postfix/smtpd[973370]: lost connection after STARTTLS from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:29:10 hostname postfix/smtpd[973370]: disconnect from a14-42.smtp-out.amazonses.com[54.240.14.42] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:29:10 hostname postfix/smtpd[973370]: connect from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:33:29 hostname postfix/smtpd[973474]: connect from a9-75.smtp-out.amazonses.com[54.240.9.75]
Jul 31 14:33:30 hostname postfix/smtpd[973474]: SSL_accept error from a9-75.smtp-out.amazonses.com[54.240.9.75]: -1
Jul 31 14:33:30 hostname postfix/smtpd[973474]: lost connection after STARTTLS from a9-75.smtp-out.amazonses.com[54.240.9.75]
Jul 31 14:33:30 hostname postfix/smtpd[973474]: disconnect from a9-75.smtp-out.amazonses.com[54.240.9.75] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:34:11 hostname postfix/smtpd[973370]: timeout after EHLO from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:34:11 hostname postfix/smtpd[973370]: disconnect from a14-42.smtp-out.amazonses.com[54.240.14.42] ehlo=1 commands=1
Jul 31 14:43:56 hostname postfix/smtpd[973620]: connect from a9-115.smtp-out.amazonses.com[54.240.9.115]
Jul 31 14:43:57 hostname postfix/smtpd[973620]: SSL_accept error from a9-115.smtp-out.amazonses.com[54.240.9.115]: -1
Jul 31 14:43:57 hostname postfix/smtpd[973620]: lost connection after STARTTLS from a9-115.smtp-out.amazonses.com[54.240.9.115]
Jul 31 14:43:57 hostname postfix/smtpd[973620]: disconnect from a9-115.smtp-out.amazonses.com[54.240.9.115] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:54:54 hostname postfix/smtpd[973741]: connect from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:54 hostname postfix/smtpd[973741]: SSL_accept error from a9-38.smtp-out.amazonses.com[54.240.9.38]: -1
Jul 31 14:54:54 hostname postfix/smtpd[973741]: lost connection after STARTTLS from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:54 hostname postfix/smtpd[973741]: disconnect from a9-38.smtp-out.amazonses.com[54.240.9.38] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:54:54 hostname postfix/smtpd[973741]: connect from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:57 hostname postfix/smtpd[973741]: 5EA8C22059E: client=a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:57:01 hostname postfix/smtpd[973787]: connect from a9-39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 14:57:01 hostname postfix/smtpd[973787]: SSL_accept error from a9-39.smtp-out.amazonses.com[54.240.9.39]: -1
Jul 31 14:57:01 hostname postfix/smtpd[973787]: lost connection after STARTTLS from a9-39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 14:57:01 hostname postfix/smtpd[973787]: disconnect from a9-39.smtp-out.amazonses.com[54.240.9.39] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:57:02 hostname postfix/smtpd[973787]: connect from a9-39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 14:59:57 hostname postfix/smtpd[973741]: timeout after RCPT from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:59:57 hostname postfix/smtpd[973741]: disconnect from a9-38.smtp-out.amazonses.com[54.240.9.38] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 15:01:59 hostname postfix/smtpd[973887]: connect from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:00 hostname postfix/smtpd[973887]: SSL_accept error from a9-67.smtp-out.amazonses.com[54.240.9.67]: -1
Jul 31 15:02:00 hostname postfix/smtpd[973887]: lost connection after STARTTLS from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:00 hostname postfix/smtpd[973887]: disconnect from a9-67.smtp-out.amazonses.com[54.240.9.67] ehlo=1 starttls=0/1 commands=1/2
Jul 31 15:02:00 hostname postfix/smtpd[973887]: connect from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:01 hostname postfix/smtpd[973887]: 5B7E622059E: client=a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:02 hostname postfix/smtpd[973787]: timeout after CONNECT from a9-39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 15:02:02 hostname postfix/smtpd[973787]: disconnect from a9-39.smtp-out.amazonses.com[54.240.9.39] commands=0/0
Jul 31 15:07:01 hostname postfix/smtpd[973887]: timeout after RCPT from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:07:01 hostname postfix/smtpd[973887]: disconnect from a9-67.smtp-out.amazonses.com[54.240.9.67] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 15:13:26 hostname postfix/smtpd[974066]: connect from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:13:27 hostname postfix/smtpd[974066]: SSL_accept error from a14-40.smtp-out.amazonses.com[54.240.14.40]: -1
Jul 31 15:13:27 hostname postfix/smtpd[974066]: lost connection after STARTTLS from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:13:27 hostname postfix/smtpd[974066]: disconnect from a14-40.smtp-out.amazonses.com[54.240.14.40] ehlo=1 starttls=0/1 commands=1/2
Jul 31 15:13:27 hostname postfix/smtpd[974066]: connect from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:13:28 hostname postfix/smtpd[974066]: 914C422059E: client=a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:18:28 hostname postfix/smtpd[974066]: timeout after RCPT from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:18:28 hostname postfix/smtpd[974066]: disconnect from a14-40.smtp-out.amazonses.com[54.240.14.40] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 15:40:07 hostname postfix/smtpd[974378]: connect from a14-57.smtp-out.amazonses.com[54.240.14.57]
Jul 31 15:40:08 hostname postfix/smtpd[974378]: SSL_accept error from a14-57.smtp-out.amazonses.com[54.240.14.57]: -1
Jul 31 15:40:08 hostname postfix/smtpd[974378]: lost connection after STARTTLS from a14-57.smtp-out.amazonses.com[54.240.14.57]
Jul 31 15:40:08 hostname postfix/smtpd[974378]: disconnect from a14-57.smtp-out.amazonses.com[54.240.14.57] ehlo=1 starttls=0/1 commands=1/2
Jul 31 16:07:04 hostname postfix/smtpd[974699]: connect from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:07:04 hostname postfix/smtpd[974699]: SSL_accept error from a14-55.smtp-out.amazonses.com[54.240.14.55]: -1
Jul 31 16:07:04 hostname postfix/smtpd[974699]: lost connection after STARTTLS from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:07:04 hostname postfix/smtpd[974699]: disconnect from a14-55.smtp-out.amazonses.com[54.240.14.55] ehlo=1 starttls=0/1 commands=1/2
Jul 31 16:07:04 hostname postfix/smtpd[974699]: connect from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:07:06 hostname postfix/smtpd[974699]: 2D84422059E: client=a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:12:06 hostname postfix/smtpd[974699]: timeout after RCPT from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:12:06 hostname postfix/smtpd[974699]: disconnect from a14-55.smtp-out.amazonses.com[54.240.14.55] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 17:14:40 hostname postfix/smtpd[975482]: connect from a14-56.smtp-out.amazonses.com[54.240.14.56]
Jul 31 17:14:40 hostname postfix/smtpd[975482]: SSL_accept error from a14-56.smtp-out.amazonses.com[54.240.14.56]: -1
Jul 31 17:14:40 hostname postfix/smtpd[975482]: lost connection after STARTTLS from a14-56.smtp-out.amazonses.com[54.240.14.56]
Jul 31 17:14:40 hostname postfix/smtpd[975482]: disconnect from a14-56.smtp-out.amazonses.com[54.240.14.56] ehlo=1 starttls=0/1 commands=1/2
Jul 31 17:32:08 hostname postfix/smtpd[975779]: connect from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:32:09 hostname postfix/smtpd[975779]: SSL_accept error from a9-156.smtp-out.amazonses.com[54.240.9.156]: -1
Jul 31 17:32:09 hostname postfix/smtpd[975779]: lost connection after STARTTLS from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:32:09 hostname postfix/smtpd[975779]: disconnect from a9-156.smtp-out.amazonses.com[54.240.9.156] ehlo=1 starttls=0/1 commands=1/2
Jul 31 17:32:09 hostname postfix/smtpd[975779]: connect from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:32:12 hostname postfix/smtpd[975779]: 746E022059E: client=a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:37:12 hostname postfix/smtpd[975779]: timeout after RCPT from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:37:12 hostname postfix/smtpd[975779]: disconnect from a9-156.smtp-out.amazonses.com[54.240.9.156] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 20:00:24 hostname postfix/smtpd[977858]: connect from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:00:24 hostname postfix/smtpd[977858]: SSL_accept error from a14-44.smtp-out.amazonses.com[54.240.14.44]: -1
Jul 31 20:00:24 hostname postfix/smtpd[977858]: lost connection after STARTTLS from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:00:24 hostname postfix/smtpd[977858]: disconnect from a14-44.smtp-out.amazonses.com[54.240.14.44] ehlo=1 starttls=0/1 commands=1/2
Jul 31 20:00:24 hostname postfix/smtpd[977858]: connect from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:05:24 hostname postfix/smtpd[977858]: timeout after EHLO from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:05:24 hostname postfix/smtpd[977858]: disconnect from a14-44.smtp-out.amazonses.com[54.240.14.44] ehlo=1 commands=1
Jul 31 20:39:17 hostname postfix/smtpd[978615]: connect from a14-43.smtp-out.amazonses.com[54.240.14.43]
Jul 31 20:39:17 hostname postfix/smtpd[978615]: SSL_accept error from a14-43.smtp-out.amazonses.com[54.240.14.43]: -1
Jul 31 20:39:17 hostname postfix/smtpd[978615]: lost connection after STARTTLS from a14-43.smtp-out.amazonses.com[54.240.14.43]
Jul 31 20:39:17 hostname postfix/smtpd[978615]: disconnect from a14-43.smtp-out.amazonses.com[54.240.14.43] ehlo=1 starttls=0/1 commands=1/2
Jul 31 22:48:27 hostname postfix/smtpd[989112]: connect from a14-58.smtp-out.amazonses.com[54.240.14.58]
Jul 31 22:48:29 hostname postfix/smtpd[989112]: 303BD2204A4: client=a14-58.smtp-out.amazonses.com[54.240.14.58]
Jul 31 22:48:54 hostname postfix/smtpd[989112]: disconnect from a14-58.smtp-out.amazonses.com[54.240.14.58] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
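The pattern in that log is worth alerting on, not just grepping for: a session dies in STARTTLS (`starttls=0/1`), the same sender reconnects and the next session has no `starttls=` in its disconnect summary at all, i.e. the retry ran in the clear. From the receiving side a broken peer and an active STARTTLS-stripping attacker look identical, and with `smtpd_tls_security_level = may` Postfix accepts both. The following is an added example, not code from the original post: a small detector over Postfix smtpd lines. `SAMPLE_LOG` is a handful of lines copied from the log above plus one constructed healthy TLS session (`mx.example.net`, `192.0.2.10`) to show that a successful STARTTLS is not flagged; the function and counter names are my own.

```python
import re

# Postfix smtpd events that appear in the log above. Every line carries the
# smtpd pid, which ties one session's lines together; Postfix reuses the pid
# for the process's next session, so "connect from" resets the state.
SESSION_START = re.compile(r"smtpd\[(\d+)\]: connect from \S+\[([\d.]+)\]")
STARTTLS_FAIL = re.compile(r"smtpd\[(\d+)\]: lost connection after STARTTLS from ")
SESSION_END = re.compile(r"smtpd\[(\d+)\]: disconnect from \S+\[[\d.]+\] (.*)$")

# Lines copied from the log above, plus one constructed clean TLS session.
SAMPLE_LOG = """\
Jul 31 14:54:54 hostname postfix/smtpd[973741]: connect from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:54 hostname postfix/smtpd[973741]: SSL_accept error from a9-38.smtp-out.amazonses.com[54.240.9.38]: -1
Jul 31 14:54:54 hostname postfix/smtpd[973741]: lost connection after STARTTLS from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:54 hostname postfix/smtpd[973741]: disconnect from a9-38.smtp-out.amazonses.com[54.240.9.38] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:54:54 hostname postfix/smtpd[973741]: connect from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:57 hostname postfix/smtpd[973741]: 5EA8C22059E: client=a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:59:57 hostname postfix/smtpd[973741]: timeout after RCPT from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:59:57 hostname postfix/smtpd[973741]: disconnect from a9-38.smtp-out.amazonses.com[54.240.9.38] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 22:48:27 hostname postfix/smtpd[989112]: connect from a14-58.smtp-out.amazonses.com[54.240.14.58]
Jul 31 22:48:29 hostname postfix/smtpd[989112]: 303BD2204A4: client=a14-58.smtp-out.amazonses.com[54.240.14.58]
Jul 31 22:48:54 hostname postfix/smtpd[989112]: disconnect from a14-58.smtp-out.amazonses.com[54.240.14.58] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jul 31 23:00:00 hostname postfix/smtpd[990001]: connect from mx.example.net[192.0.2.10]
Jul 31 23:00:01 hostname postfix/smtpd[990001]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jul 31 23:00:02 hostname postfix/smtpd[990001]: A1B2C3D4E5: client=mx.example.net[192.0.2.10]
Jul 31 23:00:03 hostname postfix/smtpd[990001]: disconnect from mx.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
""".splitlines()


def new_stats():
    return {"tls_failures": 0, "retries_without_tls": 0, "delivered": 0}


def summarize_sessions(lines):
    """Per client IP: sessions that died in STARTTLS, sessions that followed
    such a failure without any STARTTLS attempt, and completed deliveries."""
    stats = {}
    open_sessions = {}   # pid -> {"ip": ..., "tls_failed": bool}
    failed_last = set()  # IPs whose previous session died in STARTTLS
    for line in lines:
        if m := SESSION_START.search(line):
            open_sessions[m.group(1)] = {"ip": m.group(2), "tls_failed": False}
        elif m := STARTTLS_FAIL.search(line):
            if s := open_sessions.get(m.group(1)):
                s["tls_failed"] = True
        elif m := SESSION_END.search(line):
            s = open_sessions.pop(m.group(1), None)
            if s is None:
                continue
            ip, summary = s["ip"], m.group(2)
            st = stats.setdefault(ip, new_stats())
            # The disconnect summary lists only commands the session used:
            # "starttls=1" means TLS was negotiated, "starttls=0/1" that it
            # was attempted and failed, no starttls= at all that the client
            # never tried.
            if s["tls_failed"] or "starttls=0/" in summary:
                st["tls_failures"] += 1
                failed_last.add(ip)
                continue
            if "starttls=" not in summary and ip in failed_last:
                st["retries_without_tls"] += 1
            if "data=1" in summary and "quit=1" in summary:
                st["delivered"] += 1
            failed_last.discard(ip)
    return stats


def downgrade_alerts(stats):
    """IPs that came back in plaintext right after a failed STARTTLS."""
    return sorted(ip for ip, st in stats.items() if st["retries_without_tls"] > 0)


if __name__ == "__main__":
    stats = summarize_sessions(SAMPLE_LOG)
    for ip, st in sorted(stats.items()):
        print(ip, st)
    print("plaintext retry after STARTTLS failure:", downgrade_alerts(stats))
```

Run against the real mail log the detector lists every sender that fell back to cleartext after a handshake failure; for senders that should never do that (your own relays, a provider with a published MTA-STS policy) that is an incident, for the rest it is at least a cipher-list problem to chase.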
Self-host is innocent!
My Postfix configuration is the (working) Mozilla intermediate profile, which means that it supports TLS 1.2+, but with the medium cipher list. According to Mozilla:
- All cipher suites are forward secret and authenticated
- TLS 1.2 is the minimum supported protocol, as recommended by RFC 7525, PCI DSS, and others
- ECDSA certificates are recommended over RSA certificates, as they allow the use of ECDHE with Windows 7 clients using Internet Explorer 11, as well as allow connections from IE11 on Windows Server 2008 R2
- The cipher suites are all strong and so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
- Windows XP (including all embedded versions) are no longer supported by Microsoft, eliminating the need for many older protocols and ciphers
- Administrators needing to provide access to IE 11 on Windows Server 2008 R2 and who are unable to switch to or add ECDSA certificates can add TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- While the goal is to support a broad range of clients, we reasonably disable a number of ciphers that have little support (such as ARIA, Camellia, 3DES, and SEED)
- 90 days is the recommended maximum certificate lifespan, to encourage certificate issuance automation
Conclusion
Unfortunately, there are big tech companies in 2021 that ignore best practices and can’t even support well-known TLS 1.2 cipher suites.
2021-09-02 update
I found a possible solution to fix Amazon SES’s behaviour: adding ECDHE-RSA-AES256-SHA384 to the cipher list.
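Why that one line helps: OpenSSL raises `no shared cipher` on the server when, for the protocol version the two sides agreed on, none of the suites in the ClientHello is in the server’s configured list. The Mozilla intermediate list is TLS 1.2 AEAD suites only (AES-GCM and ChaCha20-Poly1305), so a client that only offers CBC/HMAC suites has nothing in common with it. The intersection can be reproduced offline by asking OpenSSL, through Python’s `ssl` module, what a cipher string expands to. This is an added example, not code from the original post: `MOZILLA_INTERMEDIATE` is the intermediate `tls_medium_cipherlist` as I remember the 2021 profile (check it against the version you deployed), and `LEGACY_CLIENT_OFFER` is an assumed client offer for illustration, not a capture of what SES actually sends.

```python
import ssl

# Mozilla intermediate cipher list for Postfix (tls_medium_cipherlist), 2021
# version: TLS 1.2, forward-secret, AEAD only. Assumed from memory; verify.
MOZILLA_INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# The suite the update above adds to the list.
FALLBACK_SUITE = "ECDHE-RSA-AES256-SHA384"

# Hypothetical ClientHello from a TLS 1.2 stack that only speaks CBC/HMAC
# suites (an assumption for illustration, not SES's real offer).
LEGACY_CLIENT_OFFER = [
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
    "AES256-SHA256",
]


def server_tls12_ciphers(cipherlist):
    """Expand an OpenSSL cipher string the way a Postfix smtpd would and
    return the TLS 1.2 suite names it enables (TLS 1.3 suites are separate
    and not affected by the cipher list)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipherlist)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def shared_ciphers(server_cipherlist, client_offer):
    """Suites the server would accept out of the client's offer, in the
    client's order. An empty result is exactly OpenSSL's 'no shared cipher'."""
    accepted = set(server_tls12_ciphers(server_cipherlist))
    return [name for name in client_offer if name in accepted]


if __name__ == "__main__":
    before = shared_ciphers(MOZILLA_INTERMEDIATE, LEGACY_CLIENT_OFFER)
    after = shared_ciphers(MOZILLA_INTERMEDIATE + ":" + FALLBACK_SUITE, LEGACY_CLIENT_OFFER)
    print("intermediate only      :", before or "no shared cipher")
    print("intermediate + fallback:", after)
```

Two caveats before copying the fix. ECDHE-RSA-AES256-SHA384 keeps forward secrecy (ECDHE) and RSA authentication, but it is a CBC-mode suite with HMAC-SHA384 rather than an AEAD, so it is a deliberate step down from the rest of the list; append it at the end and set `tls_preempt_cipherlist = yes` so the server’s order wins and AEAD-capable senders are not steered onto it just because their own preference list puts CBC first (Mozilla’s profile sets `tls_preempt_cipherlist = no`). To confirm which suite a live MX actually accepts, `openssl s_client -starttls smtp -connect mx.example.org:25 -tls1_2 -cipher ECDHE-RSA-AES256-SHA384` does the same negotiation from the outside.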