Amazon SES and Postfix's no shared cipher warning

Hello, $USER! Amazon Simple Email Service (SES) is an email service which allows developers to send mail from within any application, and “supports TLS 1.2, TLS 1.1, TLS 1.0 and SSLv2Hello”, as stated in the official documentation.

Problem

While registering at a few services (especially tawk[.]to and wpscan[.]com) I have observed enormous message delivery latencies (about 8 hours) and the same warning from a few of Amazon’s IP addresses:

warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2283:

Full connection logs (without TLS warnings, only connection log):

Jul 31 14:29:10 hostname postfix/smtpd[973370]: connect from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:29:10 hostname postfix/smtpd[973370]: SSL_accept error from a14-42.smtp-out.amazonses.com[54.240.14.42]: -1
Jul 31 14:29:10 hostname postfix/smtpd[973370]: lost connection after STARTTLS from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:29:10 hostname postfix/smtpd[973370]: disconnect from a14-42.smtp-out.amazonses.com[54.240.14.42] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:29:10 hostname postfix/smtpd[973370]: connect from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:33:29 hostname postfix/smtpd[973474]: connect from a9-75.smtp-out.amazonses.com[54.240.9.75]
Jul 31 14:33:30 hostname postfix/smtpd[973474]: SSL_accept error from a9-75.smtp-out.amazonses.com[54.240.9.75]: -1
Jul 31 14:33:30 hostname postfix/smtpd[973474]: lost connection after STARTTLS from a9-75.smtp-out.amazonses.com[54.240.9.75]
Jul 31 14:33:30 hostname postfix/smtpd[973474]: disconnect from a9-75.smtp-out.amazonses.com[54.240.9.75] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:34:11 hostname postfix/smtpd[973370]: timeout after EHLO from a14-42.smtp-out.amazonses.com[54.240.14.42]
Jul 31 14:34:11 hostname postfix/smtpd[973370]: disconnect from a14-42.smtp-out.amazonses.com[54.240.14.42] ehlo=1 commands=1
Jul 31 14:43:56 hostname postfix/smtpd[973620]: connect from a9-115.smtp-out.amazonses.com[54.240.9.115]
Jul 31 14:43:57 hostname postfix/smtpd[973620]: SSL_accept error from a9-115.smtp-out.amazonses.com[54.240.9.115]: -1
Jul 31 14:43:57 hostname postfix/smtpd[973620]: lost connection after STARTTLS from a9-115.smtp-out.amazonses.com[54.240.9.115]
Jul 31 14:43:57 hostname postfix/smtpd[973620]: disconnect from a9-115.smtp-out.amazonses.com[54.240.9.115] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:54:54 hostname postfix/smtpd[973741]: connect from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:54 hostname postfix/smtpd[973741]: SSL_accept error from a9-38.smtp-out.amazonses.com[54.240.9.38]: -1
Jul 31 14:54:54 hostname postfix/smtpd[973741]: lost connection after STARTTLS from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:54 hostname postfix/smtpd[973741]: disconnect from a9-38.smtp-out.amazonses.com[54.240.9.38] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:54:54 hostname postfix/smtpd[973741]: connect from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:54:57 hostname postfix/smtpd[973741]: 5EA8C22059E: client=a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:57:01 hostname postfix/smtpd[973787]: connect from a9-39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 14:57:01 hostname postfix/smtpd[973787]: SSL_accept error from a9-39.smtp-out.amazonses.com[54.240.9.39]: -1
Jul 31 14:57:01 hostname postfix/smtpd[973787]: lost connection after STARTTLS from a9.39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 14:57:01 hostname postfix/smtpd[973787]: disconnect from a9-39.smtp-out.amazonses.com[54.240.9.39] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:57:02 hostname postfix/smtpd[973787]: connect from a9-39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 14:59:57 hostname postfix/smtpd[973741]: timeout after RCPT from a9-38.smtp-out.amazonses.com[54.240.9.38]
Jul 31 14:59:57 hostname postfix/smtpd[973741]: disconnect from a9-38.smtp-out.amazonses.com[54.240.9.38] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 15:01:59 hostname postfix/smtpd[973887]: connect from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:00 hostname postfix/smtpd[973887]: SSL_accept error from a9-67.smtp-out.amazonses.com[54.240.9.67]: -1
Jul 31 15:02:00 hostname postfix/smtpd[973887]: lost connection after STARTTLS from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:00 hostname postfix/smtpd[973887]: disconnect from a9-67.smtp-out.amazonses.com[54.240.9.67] ehlo=1 starttls=0/1 commands=1/2
Jul 31 15:02:00 hostname postfix/smtpd[973887]: connect from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:01 hostname postfix/smtpd[973887]: 5B7E622059E: client=a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:02:02 hostname postfix/smtpd[973787]: timeout after CONNECT from a9-39.smtp-out.amazonses.com[54.240.9.39]
Jul 31 15:02:02 hostname postfix/smtpd[973787]: disconnect from a9-39.smtp-out.amazonses.com[54.240.9.39] commands=0/0
Jul 31 15:07:01 hostname postfix/smtpd[973887]: timeout after RCPT from a9-67.smtp-out.amazonses.com[54.240.9.67]
Jul 31 15:07:01 hostname postfix/smtpd[973887]: disconnect from a9-67.smtp-out.amazonses.com[54.240.9.67] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 15:13:26 hostname postfix/smtpd[974066]: connect from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:13:27 hostname postfix/smtpd[974066]: SSL_accept error from a14-40.smtp-out.amazonses.com[54.240.14.40]: -1
Jul 31 15:13:27 hostname postfix/smtpd[974066]: lost connection after STARTTLS from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:13:27 hostname postfix/smtpd[974066]: disconnect from a14-40.smtp-out.amazonses.com[54.240.14.40] ehlo=1 starttls=0/1 commands=1/2
Jul 31 15:13:27 hostname postfix/smtpd[974066]: connect from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:13:28 hostname postfix/smtpd[974066]: 914C422059E: client=a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:18:28 hostname postfix/smtpd[974066]: timeout after RCPT from a14-40.smtp-out.amazonses.com[54.240.14.40]
Jul 31 15:18:28 hostname postfix/smtpd[974066]: disconnect from a14-40.smtp-out.amazonses.com[54.240.14.40] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 15:40:07 hostname postfix/smtpd[974378]: connect from a14-57.smtp-out.amazonses.com[54.240.14.57]
Jul 31 15:40:08 hostname postfix/smtpd[974378]: SSL_accept error from a14-57.smtp-out.amazonses.com[54.240.14.57]: -1
Jul 31 15:40:08 hostname postfix/smtpd[974378]: lost connection after STARTTLS from a14-57.smtp-out.amazonses.com[54.240.14.57]
Jul 31 15:40:08 hostname postfix/smtpd[974378]: disconnect from a14-57.smtp-out.amazonses.com[54.240.14.57] ehlo=1 starttls=0/1 commands=1/2
Jul 31 16:07:04 hostname postfix/smtpd[974699]: connect from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:07:04 hostname postfix/smtpd[974699]: SSL_accept error from a14-55.smtp-out.amazonses.com[54.240.14.55]: -1
Jul 31 16:07:04 hostname postfix/smtpd[974699]: lost connection after STARTTLS from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:07:04 hostname postfix/smtpd[974699]: disconnect from a14-55.smtp-out.amazonses.com[54.240.14.55] ehlo=1 starttls=0/1 commands=1/2
Jul 31 16:07:04 hostname postfix/smtpd[974699]: connect from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:07:06 hostname postfix/smtpd[974699]: 2D84422059E: client=a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:12:06 hostname postfix/smtpd[974699]: timeout after RCPT from a14-55.smtp-out.amazonses.com[54.240.14.55]
Jul 31 16:12:06 hostname postfix/smtpd[974699]: disconnect from a14-55.smtp-out.amazonses.com[54.240.14.55] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 17:14:40 hostname postfix/smtpd[975482]: connect from a14-56.smtp-out.amazonses.com[54.240.14.56]
Jul 31 17:14:40 hostname postfix/smtpd[975482]: SSL_accept error from a14-56.smtp-out.amazonses.com[54.240.14.56]: -1
Jul 31 17:14:40 hostname postfix/smtpd[975482]: lost connection after STARTTLS from a14-56.smtp-out.amazonses.com[54.240.14.56]
Jul 31 17:14:40 hostname postfix/smtpd[975482]: disconnect from a14-56.smtp-out.amazonses.com[54.240.14.56] ehlo=1 starttls=0/1 commands=1/2
Jul 31 17:32:08 hostname postfix/smtpd[975779]: connect from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:32:09 hostname postfix/smtpd[975779]: SSL_accept error from a9-156.smtp-out.amazonses.com[54.240.9.156]: -1
Jul 31 17:32:09 hostname postfix/smtpd[975779]: lost connection after STARTTLS from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:32:09 hostname postfix/smtpd[975779]: disconnect from a9-156.smtp-out.amazonses.com[54.240.9.156] ehlo=1 starttls=0/1 commands=1/2
Jul 31 17:32:09 hostname postfix/smtpd[975779]: connect from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:32:12 hostname postfix/smtpd[975779]: 746E022059E: client=a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:37:12 hostname postfix/smtpd[975779]: timeout after RCPT from a9-156.smtp-out.amazonses.com[54.240.9.156]
Jul 31 17:37:12 hostname postfix/smtpd[975779]: disconnect from a9-156.smtp-out.amazonses.com[54.240.9.156] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 20:00:24 hostname postfix/smtpd[977858]: connect from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:00:24 hostname postfix/smtpd[977858]: SSL_accept error from a14-44.smtp-out.amazonses.com[54.240.14.44]: -1
Jul 31 20:00:24 hostname postfix/smtpd[977858]: lost connection after STARTTLS from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:00:24 hostname postfix/smtpd[977858]: disconnect from a14-44.smtp-out.amazonses.com[54.240.14.44] ehlo=1 starttls=0/1 commands=1/2
Jul 31 20:00:24 hostname postfix/smtpd[977858]: connect from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:05:24 hostname postfix/smtpd[977858]: timeout after EHLO from a14-44.smtp-out.amazonses.com[54.240.14.44]
Jul 31 20:05:24 hostname postfix/smtpd[977858]: disconnect from a14-44.smtp-out.amazonses.com[54.240.14.44] ehlo=1 commands=1
Jul 31 20:39:17 hostname postfix/smtpd[978615]: connect from a14-43.smtp-out.amazonses.com[54.240.14.43]
Jul 31 20:39:17 hostname postfix/smtpd[978615]: SSL_accept error from a14-43.smtp-out.amazonses.com[54.240.14.43]: -1
Jul 31 20:39:17 hostname postfix/smtpd[978615]: lost connection after STARTTLS from a14-43.smtp-out.amazonses.com[54.240.14.43]
Jul 31 20:39:17 hostname postfix/smtpd[978615]: disconnect from a14-43.smtp-out.amazonses.com[54.240.14.43] ehlo=1 starttls=0/1 commands=1/2
Jul 31 22:48:27 hostname postfix/smtpd[989112]: connect from a14-58.smtp-out.amazonses.com[54.240.14.58]
Jul 31 22:48:29 hostname postfix/smtpd[989112]: 303BD2204A4: client=a14-58.smtp-out.amazonses.com[54.240.14.58]
Jul 31 22:48:54 hostname postfix/smtpd[989112]: disconnect from a14-58.smtp-out.amazonses.com[54.240.14.58] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
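
The pattern in this log (a failed STARTTLS handshake followed by a new session from the same client that starts a mail transaction without TLS) can be counted per client from the smtpd "disconnect" lines. The script below is an added example, not part of the original post; the sample lines, host names and 192.0.2.x addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

DISCONNECT = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\] (?P<stats>.+)$"
)

def parse_stats(stats):
    """Turn 'ehlo=1 starttls=0/1 commands=1/2' into {'ehlo': (1, 1), 'starttls': (0, 1), ...}."""
    out = {}
    for field in stats.split():
        name, _, value = field.partition("=")
        ok, _, total = value.partition("/")
        out[name] = (int(ok), int(total or ok))  # 'x=1' means 1 of 1 succeeded
    return out

def tls_fallback_report(lines):
    """Per client IP: failed STARTTLS handshakes and later cleartext mail transactions."""
    report = defaultdict(lambda: {"starttls_failed": 0, "cleartext_mail": 0})
    for line in lines:
        m = DISCONNECT.search(line)
        if not m:
            continue
        stats = parse_stats(m["stats"])
        entry = report[m["ip"]]
        ok, total = stats.get("starttls", (0, 0))
        if total and ok < total:
            entry["starttls_failed"] += 1
        elif total == 0 and "mail" in stats and entry["starttls_failed"]:
            # MAIL FROM was issued in a session that never negotiated TLS,
            # after this client had already failed a handshake: a downgrade.
            entry["cleartext_mail"] += 1
    return dict(report)

# Constructed sample lines in the same format as the log above.
SAMPLE = """\
Jul 31 14:54:54 mx postfix/smtpd[101]: disconnect from out1.example.net[192.0.2.38] ehlo=1 starttls=0/1 commands=1/2
Jul 31 14:59:57 mx postfix/smtpd[101]: disconnect from out1.example.net[192.0.2.38] ehlo=1 mail=1 rcpt=1 commands=3
Jul 31 15:40:08 mx postfix/smtpd[102]: disconnect from out2.example.net[192.0.2.57] ehlo=1 starttls=0/1 commands=1/2
Jul 31 16:00:00 mx postfix/smtpd[103]: disconnect from out3.example.net[192.0.2.99] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
""".splitlines()

if __name__ == "__main__":
    for ip, counts in tls_fallback_report(SAMPLE).items():
        print(ip, counts)
```

Keying on the client IP misses a sender that retries from a different address in the same pool, as the final cleartext delivery in the log above does; grouping by host name suffix would cover that case.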

Self-host is innocent!

My Postfix configuration is the (working) intermediate one, which means that it supports TLS 1.2+, but with a medium cipher list. According to Mozilla:

Conclusion

Unfortunately, there are big tech companies in 2021 that ignore best practices and can’t even support well-known TLS 1.2 cipher suites.

2021-09-02 update

I found a possible solution to fix the Amazon SES behaviour: adding ECDHE-RSA-AES256-SHA384 to the cipher list.