Getting a dump of a TLS session


Getting a dump of a TLS session

Alex Bligh
I have one client talking to my (relatively busy) mail server that appears
to occasionally send bogus SMTP data. I want to get a dump of the SMTP
session (and store it to file). tcpdump (filtered by the client IP
address) would be just fine, but unfortunately it's using STARTTLS. Is
there an easy way to get a look at the unencrypted stream for a
single client address? Dumping all data for every client is not
practical.

Alex

Re: Getting a dump of a TLS session

Victor Duchovni
On Sun, Jun 22, 2008 at 01:29:22PM +0100, Alex Bligh wrote:

> I have one client talking to my (relatively busy) mail server that appears
> to occasionally send bogus SMTP data. I want to get a dump of the SMTP
> session (and store it to file). tcpdump (filtered by the client IP
> address) would be just fine, but unfortunately it's using STARTTLS. Is
> there an easy way to get a look at the unencrypted stream for a
> single client address? Dumping all data for every client is not
> practical.

SMTP commands are logged when you use "debug_peer_list". What do you mean
by "bogus SMTP data"? Message content is placed in the queue file, and
can be inspected by placing mail from the client in question on hold,
arranging an automatic bcc, ...

Decryption of captured TLS traffic is only possible if you disable
forward-secrecy (EDH key agreement), and give "ssldump" or "wireshark"
access to the server's RSA private key.

        smtpd_tls_exclude_ciphers = kEDH

This makes all of your TLS traffic vulnerable to later decryption if
the key is ever disclosed.

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:[hidden email]?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

Re: Getting a dump of a TLS session

Alex Bligh
Victor,

--On 22 June 2008 13:12:25 -0400 Victor Duchovni
<[hidden email]> wrote:

> SMTP commands are logged when you use "debug_peer_list". What do you mean
> by "bogus SMTP data"?

I mean something odd is happening on occasion with the AUTH handshake. But
it could be anything (AUTH being pretty early on). I figured the easiest
way was to see the session in the plain.

I'll read up on debug_peer_list.

> Message content is placed in the queue file, and
> can be inspected by placing mail from the client in question on hold,
> arranging an automatic bcc, ...
>
> Decryption of captured TLS traffic is only possible if you disable
> forward-secrecy (EDH key agreement), and give "ssldump" or "wireshark"
> access to the server's RSA private key.
>
> smtpd_tls_exclude_ciphers = kEDH
>
> This makes all of your TLS traffic vulnerable to later decryption if
> the key is ever disclosed.

That presumably disables smtpd ciphers on ALL clients. Ideally I'd
rather not turn off the cipher, as for all I know that may be part
of the issue. If I'm going to do that, is there a way simply not to
offer 'STARTTLS' to a given (inbound) peer?

Alex

Re: Getting a dump of a TLS session

Noel Jones-2
Alex Bligh wrote:
> If I'm going to do that, is there a way simply not to
> offer 'STARTTLS' to a given (inbound) peer?
>
> Alex

http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

# main.cf
smtpd_discard_ehlo_keyword_address_maps =
   hash:/etc/postfix/discard_keyword_map

# discard_keyword_map
ip.of.bad.client  starttls silent-discard


Remember to run "postfix reload" after editing main.cf, and to
run "postmap discard_keyword_map" after editing that file.

--
Noel Jones

Re: Getting a dump of a TLS session

Alex Bligh


--On 22 June 2008 14:30:17 -0500 Noel Jones <[hidden email]> wrote:

> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

Thanks all. debug_peer_list gave sufficient information in the end.

Alex
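Following the route the thread settled on (debug_peer_list logging of the decrypted SMTP dialogue rather than TLS decryption), here is an added example, not from the thread and not Postfix's own code, that extracts one client's command/response exchange from smtpd log lines and flags an odd AUTH handshake of the kind Alex describes. The log line shape and the sample lines are constructed assumptions; the masking step keeps the base64 AUTH credential out of the extracted transcript.

```python
import re

# Constructed sample in the shape of the verbose smtpd logging Postfix emits for a host
# listed in debug_peer_list ("<" = received from client, ">" = sent by smtpd).
# The exact line shape is an assumption for this example, not taken from the thread.
SAMPLE_LOG = """\
Jun 22 13:29:01 mx postfix/smtpd[4711]: < client.example[192.0.2.10]: EHLO client.example
Jun 22 13:29:01 mx postfix/smtpd[4711]: > client.example[192.0.2.10]: 250-mx.example
Jun 22 13:29:01 mx postfix/smtpd[4711]: < client.example[192.0.2.10]: STARTTLS
Jun 22 13:29:01 mx postfix/smtpd[4711]: > client.example[192.0.2.10]: 220 2.0.0 Ready to start TLS
Jun 22 13:29:02 mx postfix/smtpd[4711]: < client.example[192.0.2.10]: AUTH PLAIN
Jun 22 13:29:02 mx postfix/smtpd[4711]: > client.example[192.0.2.10]: 334
Jun 22 13:29:02 mx postfix/smtpd[4711]: < client.example[192.0.2.10]: MAIL FROM:<a@client.example>
Jun 22 13:29:02 mx postfix/smtpd[4711]: > client.example[192.0.2.10]: 503 5.5.4 Error: bad sequence of commands
Jun 22 13:29:03 mx postfix/smtpd[4712]: < other.example[198.51.100.7]: AUTH PLAIN AGpvZQBzZWNyZXQ=
Jun 22 13:29:03 mx postfix/smtpd[4712]: > other.example[198.51.100.7]: 235 2.7.0 Authentication successful
"""

LINE_RE = re.compile(r"postfix/smtpd\[\d+\]: ([<>]) [^\s\[]+\[([\d.]+)\]: (.*)$")
SMTP_VERBS = ("EHLO", "HELO", "MAIL", "RCPT", "DATA", "RSET", "QUIT", "STARTTLS", "NOOP")


def session_for(log_text, client_ip):
    """Return the (direction, text) exchange for one client IP, credentials masked."""
    exchange = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(2) != client_ip:
            continue
        direction, text = m.group(1), m.group(3)
        # AUTH with an initial response carries the base64 credential: mask it before storing.
        if direction == "<" and text.upper().startswith("AUTH "):
            parts = text.split()
            text = " ".join(parts[:2]) + (" [masked]" if len(parts) > 2 else "")
        exchange.append((direction, text))
    return exchange


def auth_problems(exchange):
    """Flag an AUTH that the server rejects (non-2xx/3xx), or a 334 challenge that the
    client answers with a plain SMTP command instead of a SASL response."""
    problems = []
    for i, (direction, text) in enumerate(exchange):
        if direction != "<" or not text.upper().startswith("AUTH"):
            continue
        reply = next((t for d, t in exchange[i + 1:] if d == ">"), None)
        nxt = next((t for d, t in exchange[i + 1:] if d == "<"), None)
        if reply and reply[0] not in "23":
            problems.append(f"AUTH rejected: {reply}")
        if reply and reply.startswith("334") and nxt and (nxt.split() or [""])[0].upper() in SMTP_VERBS:
            problems.append(f"334 challenge answered with SMTP command: {nxt}")
    return problems
```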