I recently spent way too much time trying to find out why my mail server wasn't able to send mail to a system that apparently only supported TLSv1. None of the TLS options in the sendmail configuration made any difference.
Things started to click only after I noticed that connecting to the system in question via openssl s_client produced the same error message:
    > openssl s_client -connect mail.some.domain:25 -starttls smtp
    CONNECTED(00000003)
    139770261177664:error:1425F102:SSL routines:ssl_choose_client_version:unsupported protocol:../ssl/statem/statem_lib.c:1957:
As it turns out, /etc/ssl/openssl.cnf in current Debian / Devuan has the following global configuration settings:
    [system_default_sect]
    MinProtocol = TLSv1.2
    CipherString = DEFAULT@SECLEVEL=2
So yeah, anything using openssl that doesn't explicitly override that configuration will not be able to make TLS connections to systems that don't support TLSv1.2...
Changing the settings to
MinProtocol = TLSv1
made it possible to deliver my mail.
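To check which protocol floor every libssl client on a host inherits, this added example (not part of the original post) follows the openssl_conf -> ssl_conf -> system_default chain in an openssl.cnf and prints the two settings quoted above. The helper names cnf_get and tls_floor, and the default_conf / ssl_sect section names in the constructed sample, are assumptions.

```sh
#!/bin/sh
# cnf_get FILE SECTION KEY: print KEY's value from [SECTION] of an
# openssl.cnf-style file. SECTION "" is the unnamed part at the top.
cnf_get() {
    awk -v want="$2" -v key="$3" '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # strip comment, trim
        /^\[.*\]$/ {                                      # section header
            sec = substr($0, 2, length($0) - 2)
            gsub(/^[ \t]+|[ \t]+$/, "", sec); next
        }
        sec == want && (eq = index($0, "=")) {
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            sub(/[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
            if (k == key) { print v; exit }
        }
    ' "$1"
}

# tls_floor FILE: resolve the section applied to every SSL_CTX by default
# and print its MinProtocol and CipherString.
tls_floor() {
    top=$(cnf_get "$1" "" openssl_conf)
    ssl=$(cnf_get "$1" "$top" ssl_conf)
    def=$(cnf_get "$1" "$ssl" system_default)
    [ -n "$def" ] || { echo "no system_default section"; return 1; }
    echo "MinProtocol=$(cnf_get "$1" "$def" MinProtocol)"
    echo "CipherString=$(cnf_get "$1" "$def" CipherString)"
}

# Constructed sample; only [system_default_sect] is quoted in the post.
sample_cnf() {
    cat <<'EOF'
openssl_conf = default_conf   # constructed sample, not a real system file

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF
}

tmp=$(mktemp) && sample_cnf > "$tmp" && tls_floor "$tmp"; rm -f "$tmp"
```

On a real host, run `tls_floor /etc/ssl/openssl.cnf` before and after editing the file to confirm which floor is in effect.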