Whilst updating the certificate for the postfix server recently, I encountered an issue where emails from some servers were not being delivered / received. Upon further investigation I found the error relating to this problem was “error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher“. Armed with this error information I proceeded to look for a solution online but this process took an extended amount of time for me to find an answer. In hindsight this trivial task should have taken a couple of minutes to perform which is why I have made this post to help others to prevent a similar situation.

The reason why in this case I was receiving the error was due to the other servers not supporting ECDSA certificates and it turns out this is true for many mail servers as well. Knowing this it explains why “no shared cipher” was being displayed due to the lack of ECC (Elliptic Curve Cryptography) support. In order to rectify this I had to use an RSA certificate which is widely accepted. This new cert was self signed but this doesn’t cause an issue as nearly all smtp servers do not validate certificates.

To apply this change on a postfix server first open the main config file (“/etc/postfix/“). Once open navigate to “smtpd_tls_cert_file” and “smtpd_tls_key_file“, then change them respectively to point to the new location. Keep in mind both files specified must be in the .pem format.