Cannot start TLS: handshake failure

Cannot start TLS: handshake failure

SysAdmin EM
Hello,

When trying to send an email to a server which works with Microsoft Exchange, I receive the following message: Cannot start TLS: handshake failure

Nov 30 14:43:58 smarthost04-ded postfix-out/smtpd[31559]: 0F6EE920CBC: client=localhost[127.0.0.1]
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header Received: from smarthost04-ded.dattaweb.com (localhost [127.0.0.1])??by smarthost04-ded.dattaweb.com (Postfix) with ESMTPS id 0F6EE920CBC??for <[hidden email]>; Mon, 30 Nov 2020 14:4 from localhost[127.0.0.1]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header Received: from sd-1465396-l.dattaweb.com (sd-1465396-l.dattaweb.com [138.219.43.209])??by smarthost04-ded.dattaweb.com (Postfix) with ESMTPS id C30CB920E6B??for <[hidden email]>; Mon from localhost[127.0.0.1]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header Received: from [209.85.221.41] (helo=mail-wr1-f41.google.com)??by sd-1465396-l.dattaweb.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)??(Exim 4.92.2)??(envelope-from <santiago.videla@gmail. from localhost[127.0.0.1]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header Received: by mail-wr1-f41.google.com with SMTP id i2so17320655wrs.4?        for <[hidden email]>; Mon, 30 Nov 2020 09:43:53 -0800 (PST) from localhost[127.0.0.1]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header From: Santiago Videla <[hidden email]> from localhost[127.0.0.1]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: message-id=<[hidden email]>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header Subject: Re: Consulta INFOAUTO from localhost[127.0.0.1]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/cleanup[31560]: 0F6EE920CBC: warning: header X-Spam-Report: Spam detection software, running on the system "eternia14",? has NOT identified this incoming email as spam.  The original? message has been attached to this so you can view it or label from localhost[127.0.0.1]; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<smarthost04-ded.dattaweb.com>
Nov 30 14:43:58 smarthost04-ded postfix-out/qmgr[31287]: 0F6EE920CBC: from=<[hidden email]>, size=55840, nrcpt=1 (queue active)
Nov 30 14:43:58 smarthost04-ded postfix/smtp[31558]: C30CB920E6B: to=<[hidden email]>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.4, delays=0.22/0/0.04/0.14, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0F6EE920CBC)
Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: Cannot start TLS: handshake failure
Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: to=<[hidden email]>, relay=exet02.hostmar.com[200.58.120.69]:25, delay=0.16, delays=0.14/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

posttls-finger -c -Ldebug "exet02.hostmar.com"
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
posttls-finger: SSL_connect:before/connect initialization
posttls-finger: SSL_connect:SSLv2/v3 write client hello A
posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection

# Postfix config

mail_version = 3.5.2

smtpd_use_tls=yes
smtp_use_tls=yes

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2

tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5

smtp_tls_ciphers = high
smtpd_tls_ciphers = high

Any ideas?

Regards,

Re: Cannot start TLS: handshake failure

Viktor Dukhovni
On Mon, Nov 30, 2020 at 02:50:43PM -0300, SysAdmin EM wrote:

> Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC:
> Cannot start TLS: handshake failure
> Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: to=<
> [hidden email]>, relay=exet02.hostmar.com[200.58.120.69]:25,
> delay=0.16, delays=0.14/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start
> TLS: handshake failure)

With opportunistic TLS, after a TLS failure, Postfix will typically try
a second connection immediately without TLS once the message is "old
enough" (has been deferred and is being retried).  So this message
is likely delivered by now.

> posttls-finger -c -Ldebug "exet02.hostmar.com"
> posttls-finger: initializing the client-side TLS engine
> posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
>
> posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list
> "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
> posttls-finger: SSL_connect:before/connect initialization
> posttls-finger: SSL_connect:SSLv2/v3 write client hello A
> posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection

> # Postfix config
>
> mail_version = 3.5.2
>
> smtpd_use_tls=yes
> smtp_use_tls=yes
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

You'd generally have better luck by not disabling TLSv1 and TLSv1.1,
these are the best available TLS versions for some email servers, and
are not weaker than falling back to cleartext.

> smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
> smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
>
> tls_high_cipherlist =
>   kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5

This looks unwise.  The default value is better.

> smtp_tls_ciphers = high
> smtpd_tls_ciphers = high

This can be too restrictive for some peer systems that only do (medium)
RC4.  But in this case the server drops the connection immediately after
accepting the STARTTLS command, and before receiving the client TLS
HELLO.  The outbound transmission of the client HELLO fails (presumably
a TCP RST arrived right after the STARTTLS ok):

    posttls-finger: initializing the client-side TLS engine
    posttls-finger: Connected to exet02.hostmar.com[200.58.120.69]:25
    posttls-finger: < 220 HMEXCAS01.host.hm.local Microsoft ESMTP MAIL Service ready at Mon, 30 Nov 2020 16:13:58 -0300
    posttls-finger: > EHLO [...]
    posttls-finger: < 250-HMEXCAS01.host.hm.local Hello [...]
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-DSN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-X-ANONYMOUSTLS
    posttls-finger: < 250-AUTH NTLM LOGIN
    posttls-finger: < 250-X-EXPS GSSAPI NTLM
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-BINARYMIME
    posttls-finger: < 250-CHUNKING
    posttls-finger: < 250-XEXCH50
    posttls-finger: < 250 XRDST
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 SMTP server ready
    posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
    posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH:+RC4:+3DES:!eNULL"
    posttls-finger: SSL_connect:before SSL initialization
    posttls-finger: SSL_connect:SSLv3/TLS write client hello
    posttls-finger: SSL_connect:error in SSLv3/TLS write client hello
    posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection

So there's no use trying to get TLS to work for this server, it's not
going to happen.

--
    Viktor.
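To put the advice above next to the posted settings, here is an added illustration (not from the thread, and not the poster's actual main.cf): the outbound-TLS part of main.cf as posted, followed by the same knobs left at the Postfix 3.5 defaults that the reply points back to. The default values quoted in the comments come from the Postfix 3.5 documentation; smtp_tls_loglevel is an addition for troubleshooting. Note that main.cf only accepts comments on their own lines.

```ini
# --- Outbound settings as posted: stricter than opportunistic TLS warrants ---
# smtp_use_tls is the pre-2.3 knob; smtp_tls_security_level replaces it.
smtp_use_tls = yes
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_ciphers = high
tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5

# --- Along the lines of the reply: opportunistic TLS with Postfix 3.5 defaults ---
# "may": use TLS when the peer offers it, otherwise deliver in cleartext.
smtp_tls_security_level = may
# 3.5 default: only SSLv2/SSLv3 excluded, so TLSv1/TLSv1.1 stay available for
# peers that offer nothing newer; that is still better than the cleartext fallback.
smtp_tls_protocols = !SSLv2, !SSLv3
# The smtp_tls_mandatory_* settings only apply at security levels "encrypt" and
# above; at "may" the non-mandatory settings govern, so they are left alone here.
# 3.5 default: "medium", the list shown in the posttls-finger output above,
# which still reaches peers whose best cipher is RC4.
smtp_tls_ciphers = medium
# tls_high_cipherlist is deliberately not set, so the built-in default applies.
# Log a one-line summary of every TLS session (added here for troubleshooting).
smtp_tls_loglevel = 1
```

With these values an outbound connection to a peer that only speaks TLSv1 still gets encrypted, while a peer whose STARTTLS is broken, as in this thread, is retried in cleartext once the message has aged, which is the fallback behaviour described above.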

Re: Cannot start TLS: handshake failure

SysAdmin EM
Thanks for the reply.

The configuration I am currently using is the following:

smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_protocols = !SSLv2:!SSLv3
smtpd_tls_cert_file = /etc/pki/tls/certs/linux.ferozo.com.pem
smtpd_tls_key_file = /etc/pki/tls/private/linux.ferozo.com.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtpd_ssl_cache
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtp_ssl_cache

Since I don't know how to solve the problem, I started to test configurations and wrote so fast that I didn't explain everything correctly.

It seems strange to me because the connection was working correctly and no changes have been made to the settings.

Here the configuration of the Exchange Server: https://freeimage.host/i/FNElne

Any ideas?


Re: Cannot start TLS: handshake failure

Viktor Dukhovni
On Mon, Nov 30, 2020 at 04:44:17PM -0300, SysAdmin EM wrote:

> It seems strange to me because the connection was working correctly and no
> changes have been made to the settings.

The *remote* server is malfunctioning, so your settings are largely irrelevant.

> Here the configuration of the Exchange Server:
> https://freeimage.host/i/FNElne

For help with Exchange this is not the right list.

> > But in this case the server drops the connection immediately after
> > accepting the STARTTLS command, and before receiving the client TLS
> > HELLO.  The outbound transmission of the client HELLO fails
> > (presumably a TCP RST arrived right after the STARTTLS ok):
> >
> >     posttls-finger: initializing the client-side TLS engine
> >     posttls-finger: Connected to exet02.hostmar.com[200.58.120.69]:25
> >     posttls-finger: < 220 HMEXCAS01.host.hm.local Microsoft ESMTP MAIL Service ready at Mon, 30 Nov 2020 16:13:58 -0300
> >     [...]
> >     posttls-finger: > STARTTLS
> >     posttls-finger: < 220 2.0.0 SMTP server ready
> >     posttls-finger: setting up TLS connection to exet02.hostmar.com [200.58.120.69]:25
> >     posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH:+RC4:+3DES:!eNULL"
> >     posttls-finger: SSL_connect:before SSL initialization
> >     posttls-finger: SSL_connect:SSLv3/TLS write client hello
> >     posttls-finger: SSL_connect:error in SSLv3/TLS write client hello
> >     posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection
> >
> > So there's no use trying to get TLS to work for this server, it's not
> > going to happen.

See above, there's nothing you can do on the Postfix side, you have
to fix the TLS support on the Exchange side.

--
    Viktor.
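The distinction the replies draw, between a TLS failure you can influence from the Postfix side and a peer that simply drops the TCP connection after acknowledging STARTTLS, is easy to check by hand. The following is an added example, not code from the thread or from Postfix: a small STARTTLS probe in the spirit of posttls-finger, plus a constructed stand-in for the remote MTA (hostnames such as mta.constructed.example, the probe's own EHLO name and the three behaviour modes are all made up here) so that it runs offline. It classifies the outcome as STARTTLS not offered, STARTTLS refused, a real TLS alert, or the case diagnosed above, where the server answers 220 and then goes away before the client's ClientHello is ever read.

```python
"""Hand-driven SMTP STARTTLS probe with a constructed misbehaving peer (added example)."""
import socket
import ssl
import threading

CRLF = b"\r\n"


def _readline(sock: socket.socket) -> bytes:
    """Read one CRLF-terminated SMTP line; returns b"" on EOF."""
    buf = b""
    while not buf.endswith(CRLF):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def _read_reply(sock: socket.socket) -> list:
    """Read a full SMTP reply: '250-...' lines continue, a '250 ' line ends it."""
    lines = []
    while True:
        line = _readline(sock)
        lines.append(line)
        if len(line) < 4 or line[3:4] != b"-":
            return lines


def _fake_server(listener: socket.socket, mode: str) -> None:
    """Constructed stand-in for the remote MTA. mode is one of:
    'no-starttls' - never advertises STARTTLS
    'refuse'      - advertises it but answers 454
    'drop'        - answers 220 and closes without ever reading the ClientHello
                    (the behaviour seen from the Exchange host in the thread)"""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(b"220 mta.constructed.example ESMTP ready" + CRLF)
        _readline(conn)  # EHLO from the probe
        caps = [b"250-mta.constructed.example Hello"]
        if mode != "no-starttls":
            caps.append(b"250-STARTTLS")
        caps.append(b"250 8BITMIME")
        conn.sendall(CRLF.join(caps) + CRLF)
        cmd = _readline(conn)  # STARTTLS, or QUIT when it was not offered
        if cmd.upper().startswith(b"STARTTLS"):
            if mode == "refuse":
                conn.sendall(b"454 4.7.0 TLS not available due to temporary reason" + CRLF)
            else:
                conn.sendall(b"220 2.0.0 SMTP server ready" + CRLF)
        # Leaving the block closes the socket. In 'drop' mode this is the teardown
        # the thread describes; the real server presumably did it with a TCP RST.


def probe_starttls(host: str, port: int, timeout: float = 5.0) -> str:
    """Drive EHLO/STARTTLS by hand and report where the exchange breaks down."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if not _readline(sock).startswith(b"220"):
            return "no-smtp-banner"
        sock.sendall(b"EHLO probe.constructed.example" + CRLF)
        caps = _read_reply(sock)
        if not any(line[4:].upper().startswith(b"STARTTLS") for line in caps):
            sock.sendall(b"QUIT" + CRLF)
            return "starttls-not-offered"
        sock.sendall(b"STARTTLS" + CRLF)
        if not _readline(sock).startswith(b"220"):
            return "starttls-refused"
        # Opportunistic TLS (Postfix level "may") does not verify the peer
        # certificate, so the probe does not either: the only question here is
        # whether a handshake happens at all.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "tls-ok:" + (tls.version() or "unknown")
        except ssl.SSLError as exc:
            # EOF inside the handshake: the peer went away before answering the
            # ClientHello. Anything else is a genuine TLS-level failure (an alert).
            if isinstance(exc, ssl.SSLEOFError) or "EOF" in str(exc):
                return "connection-lost-before-handshake"
            return "tls-alert:" + (exc.reason or "unknown")
        except OSError:
            # ECONNRESET / EPIPE while sending or awaiting the handshake.
            return "connection-lost-before-handshake"


def run_demo(mode: str = "drop") -> str:
    """Start the stand-in server on a loopback port, probe it, return the verdict."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=_fake_server, args=(listener, mode), daemon=True)
    worker.start()
    try:
        return probe_starttls("127.0.0.1", port)
    finally:
        worker.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    for mode in ("no-starttls", "refuse", "drop"):
        print(f"{mode:12s} -> {run_demo(mode)}")
```

Against a real host the call is simply probe_starttls("mail.example", 25). A verdict of "tls-alert:..." points at something negotiable (protocol versions, cipher lists, certificates), whereas "connection-lost-before-handshake" reproduces what both posttls-finger runs above show: the peer never reads the ClientHello, so no client-side protocol or cipher setting can change the result.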