Postfix cannot start tls: handshake failure

Postfix cannot start tls: handshake failure

oakley
The author has deleted this message.

Re: Postfix cannot start tls: handshake failure

Viktor Dukhovni

> On Mar 27, 2017, at 1:09 PM, oakley <[hidden email]> wrote:
> 
> SSL_connect error to email-smtp.eu-west-1.amazonaws.com[52.51.114.192]:25: -1
>
> localhost postfix/smtp[2100]: warning: TLS library problem:
>     error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:
>     unknown protocol:s23_clnt.c:794:93591BEF30:
>     Cannot start TLS: handshake failure
>
> relayhost = [email-smtp.eu-west-1.amazonaws.com]:25

Double check that this is the correct relay to use.  Typically,
providers operate SMTP submission services on port 587 (STARTTLS)
or 465 (SMTP inside SSL/TLS).  Port 25 is rarely used for submission,
but when it is, it operates similarly to port 587.

> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options = noanonymous
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_use_tls = yes

You don't need "smtp_use_tls = yes", since you already have
the non-obsolete "smtp_tls_security_level = encrypt".

> smtp_tls_note_starttls_offer = yes

Not needed.

> smtp_tls_wrappermode = yes

This is the source of your problem, this setting implements the "SMTP
inside SSL/TLS" operating mode used on port 465, and is NOT compatible
with STARTTLS on ports 587 and 25.

> smtp_tls_security_level = encrypt
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

With this, depending on the certificate chain of the relay, you
may eventually be able to use "smtp_tls_security_level = secure",
which you should try after fixing all the other problems.

--
        Viktor.
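
The failure mode Viktor describes, as an added example (my code, not Postfix's or OpenSSL's): a fake SMTP server on one end of a socketpair greets with a plaintext 220 banner and supports STARTTLS; the client end either opens TLS from the very first byte, which is what `smtp_tls_wrappermode = yes` makes the Postfix smtp client do, or talks plain SMTP and sends STARTTLS after EHLO, which is what ports 25 and 587 expect. The host names, banner and EHLO capabilities are made up for the demo, and the exchange stops at the 220 reply to STARTTLS because the fake server has no certificate.

```python
"""Wrapper mode (port 465 style) vs STARTTLS (ports 25/587) against a
server that greets in plaintext.  Added example, not Postfix code; the
server, host names and banner are constructed for the demo."""
import socket
import ssl
import threading

BANNER = b"220 smtp.example.test ESMTP ready\r\n"        # constructed
EHLO_REPLY = (b"250-smtp.example.test\r\n"
              b"250-STARTTLS\r\n"
              b"250 AUTH PLAIN LOGIN\r\n")


def fake_starttls_server(conn: socket.socket) -> None:
    """Fake STARTTLS-capable server: plaintext 220 banner first, answers
    EHLO, replies 220 to STARTTLS (a real server would then run the TLS
    handshake; this one stops there)."""
    try:
        with conn, conn.makefile("rb") as rd:
            conn.sendall(BANNER)
            for raw in rd:
                cmd = raw.strip().upper()
                if cmd.startswith(b"EHLO"):
                    conn.sendall(EHLO_REPLY)
                elif cmd == b"STARTTLS":
                    conn.sendall(b"220 2.0.0 Ready to start TLS\r\n")
                    return
                else:
                    # a raw TLS ClientHello lands here: it is not an SMTP command
                    conn.sendall(b"500 5.5.1 Command unrecognized\r\n")
    except OSError:
        pass    # the client gave up after its own error; nothing left to do


def _read_reply(rd) -> list:
    """Read one SMTP reply; 'NNN-' lines continue it, 'NNN ' ends it."""
    lines = []
    while True:
        line = rd.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.decode("ascii", "replace").rstrip("\r\n"))
        if len(line) < 4 or line[3:4] != b"-":
            return lines


def starttls_preamble(sock: socket.socket, ehlo_name: str) -> set:
    """The plain-SMTP part of STARTTLS: banner, EHLO, check the STARTTLS
    capability, send STARTTLS, expect 220.  Only after that 220 would a
    client send its TLS ClientHello (sock would be wrapped at that point).
    Returns the EHLO capability keywords."""
    rd = sock.makefile("rb")
    if not _read_reply(rd)[0].startswith("220"):
        raise RuntimeError("unexpected greeting")
    sock.sendall(b"EHLO " + ehlo_name.encode("ascii") + b"\r\n")
    caps = {l[4:].split()[0].upper() for l in _read_reply(rd)[1:] if len(l) > 4}
    if "STARTTLS" not in caps:
        raise RuntimeError("TLS not offered by host")   # what 'encrypt' defers on
    sock.sendall(b"STARTTLS\r\n")
    if not _read_reply(rd)[0].startswith("220"):
        raise RuntimeError("server refused STARTTLS")
    return caps


def _run(client_fn):
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_starttls_server, args=(server,), daemon=True)
    t.start()
    client.settimeout(5)
    try:
        return client_fn(client)
    finally:
        client.close()
        t.join(5)


def wrapper_mode_against_starttls_port() -> str:
    """What smtp_tls_wrappermode=yes does: a TLS ClientHello as the first
    bytes on the wire.  The server's plaintext '220 ...' banner is then read
    as a TLS record header and OpenSSL gives up.  Returns the OpenSSL reason;
    its text depends on the OpenSSL version (1.0.x: 'unknown protocol' as in
    the log above; 1.1/3.x: WRONG_VERSION_NUMBER)."""
    def attempt(client):
        ctx = ssl.create_default_context()
        try:
            ctx.wrap_socket(client, server_hostname="smtp.example.test")
        except ssl.SSLError as err:
            return err.reason or str(err)
        raise AssertionError("handshake unexpectedly succeeded")
    return _run(attempt)


def starttls_against_starttls_port() -> set:
    """What the Postfix smtp client does without wrapper mode on 25/587."""
    return _run(lambda c: starttls_preamble(c, "mail.client.test"))


if __name__ == "__main__":
    print("wrapper mode ->", wrapper_mode_against_starttls_port())
    print("STARTTLS     ->", sorted(starttls_against_starttls_port()))
```

The wrapper-mode attempt fails inside OpenSSL before a single SMTP command is exchanged: the bytes `220 s` are parsed as a TLS record header with a nonsense version. Which reason string you get depends on the OpenSSL build, which is why the check below only requires that the handshake fails and that the STARTTLS path gets through.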

Re: Postfix cannot start tls: handshake failure

oakley
The author has deleted this message.

Re: Postfix cannot start tls: handshake failure

Viktor Dukhovni

> On Mar 27, 2017, at 1:51 PM, oakley <[hidden email]> wrote:
>
> Appreciate the reply, Viktor. I've done everything you've suggested...

Not quite, as you're not connecting to the right relay service.  Do
check an authoritative source on what relayhost you're supposed to use.

> This is when I use:
> *smtp_tls_security_level =encrypt*

The TLS settings are irrelevant, when you can't even complete a TCP
connection:

> localhost postfix/smtp[4700]: SSL_connect error to
> email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:465: Connection timed out

Your machine can't connect to port 465 on that host.

> This is when I use:
> *smtp_tls_security_level = secure*

The same of course.

> I am using port 465 as suggested by Amazon ses:
> http://docs.aws.amazon.com/ses/latest/DeveloperGuide/postfix.html

What I see in that document is:

   relayhost = [email-smtp.us-west-2.amazonaws.com]:25
   smtp_sasl_auth_enable = yes
   smtp_sasl_security_options = noanonymous
   smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
   smtp_use_tls = yes
   smtp_tls_security_level = encrypt
   smtp_tls_note_starttls_offer = yes

That is port 25 and no "wrapper mode".  The "smtp_use_tls" is
not needed since Postfix 2.3 in ~2006.  No idea where you're
getting 465 from.

--
        Viktor.

Re: Postfix cannot start tls: handshake failure

oakley
The author has deleted this message.

Re: Postfix cannot start tls: handshake failure

oakley
The author has deleted this message.

Re: Postfix cannot start tls: handshake failure

Viktor Dukhovni

> On Mar 27, 2017, at 3:26 PM, oakley <[hidden email]> wrote:
>
> I'm now using port 25.

Perhaps.  But logging associated failure is more useful than just noting
this claim.

> I've tested to see if my firewall or what ever was blocking it, but I can
> connect when I tested via;
>
> $ openssl s_client -connect email-smtp.eu-west-1.amazonaws.com:25 -starttls imap

Well, it may not surprise you to learn that "SMTP" is not "IMAP".
So reporting the result with "-starttls smtp" rather than
"-starttls imap" is probably more useful.

--
        Viktor.

Re: Postfix cannot start tls: handshake failure

oakley
The author has deleted this message.

Re: Postfix cannot start tls: handshake failure

Den1
I was wondering whether it is actually advisable to use TLS on smtp? When I tried it out with my self-signed certificates, just to see if it is of any convenience to implement this feature, I received the following response:

TLS required, but was not offered by host -or- we do not run TLS engine -or- certificate is not trusted

on

smtp_tls_security_level = encrypt -or- secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

when I tried the following:

smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

it simply went through without giving any "feedback" or warnings. My understanding also is that it just wasn't secure / encrypted with this 'may' so that's why it went through OK.

what about the rest of the settings of

smtp_tls_cert_file = -and-
smtp_tls_key_file =

are they not required?

Could anyone comment on the above, please? Many thanks!

RE: Postfix cannot start tls: handshake failure

L.P.H. van Belle
Yes, it is advisable to enable TLS.

What is your OS and Postfix version?

For example, I use Debian.
When you want to use ca-certificates.crt,
you need to set it up as Debian expects, so that it includes your cert in ca-certificates.crt; that is why I want to know the OS and version of Postfix.

( debian/ubuntu setup ) Read:  
https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/ 

Next to read postfix tls:
http://www.postfix.org/TLS_README.html 

The setup for TLS can differ a bit between versions 2.x and 3.x.

But this should be sufficient to start with.

## TLS
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

And a test site for you.
https://ssl-tools.net/mailservers 

and a nice site with stronger settings.
https://cipherli.st/ 

Hope that this helps you a bit further.


Greetz,

Louis


RE: Postfix cannot start tls: handshake failure

Den1
Hi Louis,

Thank you for your input, I appreciate it. I have smtpd running OK with all the key_file, cert_file and so on. I was asking about smtp. These two are different :-)

RE: Postfix cannot start tls: handshake failure

L.P.H. van Belle
Sorry about that, I was thinking you were talking about the remote connecting to you. So, it's you to the remote (so the smtp_tls settings).

I did also set this up for the client myself, but that is more about how official you need some things to be.

It's about the same; for the client setup I'm using:
# TLS Client (outgoing)
smtp_tls_key_file = /etc/postfix/newreq.pem
smtp_tls_cert_file = /etc/postfix/newcert.pem
smtp_tls_CAfile = /etc/postfix/cacert.pem
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_security_level = may
smtp_tls_loglevel = 1

but I do use official certificates, and then I do get:
Trusted TLS connection established

Maybe a tip: set up Let's Encrypt certificates, and test with that.
Then you can see if you get the needed trusted connections.


Greetz,

Louis



RE: Postfix cannot start tls: handshake failure

Den1
Well, Viktor was talking about those:

smtp_tls_security_level = encrypt -or- secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

and my question was about those as well. You may read it once again since you have this one set:

smtp_tls_security_level = may

and I think it's not the same for smtp as it works for me with 'may', but it's quite different with encrypt or secure.

Re: Postfix cannot start tls: handshake failure

Viktor Dukhovni
On Wed, Mar 29, 2017 at 04:14:35AM -0700, oakley wrote:

> *openssl s_client -connect (mydomain.com):443 -servername (mydomain.com)*
>

Why on earth are you wasting our time showing results of connections
to an HTTPS service.  In every message you post, show the current
*Postfix* configuration, *logs* from *Postfix* that show the problem
you're still having, and any *relevant* diagnostic information you're
able to obtain with other tools, e.g. (when relevant) from:

    openssl s_client -starttls smtp -connect <relay>:<port>

where <relay> and <port> match the "relay=" field from the problem
log entry and perhaps also your Postfix "relayhost=[relay]:port"
setting.

> I've been playing with OpenSSL to try and locate the issue, and I think it
> has something to do with my certificate. I noticed the certificate was
> updated on the date this all went down hill, too.
>
> Do you think this has a possibility?

I think it is a possibility that you're wasting our time with
useless speculative digressions.  Your Postfix logs will show
precisely why you're having problems delivering mail.  If you post
no logs, any answer you get is no better than rolling dice.

--
        Viktor.
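
An added example (my code, not Postfix's) of the triage Viktor asks for: parse `postfix/smtp` log lines, group each `relay=... status=...` line with the TLS messages the same smtp(8) process logged just before it, and print the `openssl s_client` command that matches the relay and port actually used. The sample lines are constructed around the messages quoted in this thread: the relay names, IPs and the queue ID 93591BEF30 come from it, while recipients, timestamps, delays and the other queue IDs are made up. The port-to-mode mapping (25/587 STARTTLS, 465 TLS from the first byte) is an assumption about the relay, not something the log states.

```python
"""Triage of postfix/smtp log lines for a TLS delivery problem.  Added
example, not Postfix code.  LOG is constructed around the messages quoted
in this thread; everything not quoted there is made up."""
import re
from collections import defaultdict

LOG = """\
Mar 27 13:09:02 localhost postfix/smtp[2100]: SSL_connect error to email-smtp.eu-west-1.amazonaws.com[52.51.114.192]:25: -1
Mar 27 13:09:02 localhost postfix/smtp[2100]: warning: TLS library problem: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
Mar 27 13:09:02 localhost postfix/smtp[2100]: 93591BEF30: to=<bob@example.org>, relay=email-smtp.eu-west-1.amazonaws.com[52.51.114.192]:25, delay=0.3, delays=0.01/0.02/0.27/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Mar 27 13:51:10 localhost postfix/smtp[4700]: SSL_connect error to email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:465: Connection timed out
Mar 27 13:51:10 localhost postfix/smtp[4700]: 1A2B3C4D5E: to=<bob@example.org>, relay=email-smtp.eu-west-1.amazonaws.com[54.154.210.139]:465, delay=130, delays=0.01/0.03/130/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Mar 27 15:30:44 localhost postfix/smtp[5120]: Verified TLS connection established to email-smtp.eu-west-1.amazonaws.com[52.51.114.192]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Mar 27 15:30:45 localhost postfix/smtp[5120]: F00BA4CAFE: to=<bob@example.org>, relay=email-smtp.eu-west-1.amazonaws.com[52.51.114.192]:25, delay=1.2, delays=0.01/0.02/0.9/0.3, dsn=2.0.0, status=sent (250 Ok 0100015b1ecaa5f0)
"""

PID = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]")
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<host>[^\[,]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+),.*"
    r"status=(?P<status>\w+) \((?P<detail>.*)\)$")
TLS_ESTABLISHED = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)")
TLS_ERROR = re.compile(
    r"postfix/smtp\[\d+\]: (?:warning: TLS library problem: |SSL_connect error to )(?P<detail>.*)$")


def triage(log_text: str) -> list:
    """One dict per delivery attempt, carrying the TLS messages that the
    same smtp(8) process logged before its status line.  Postfix logs
    per process, so the pid is the correlation key."""
    pending = defaultdict(list)     # pid -> TLS messages not yet attached
    attempts = []
    for line in log_text.splitlines():
        pid_m = PID.search(line)
        if not pid_m:
            continue
        pid = pid_m["pid"]
        if m := TLS_ESTABLISHED.search(line):
            pending[pid].append(f"{m['trust']} TLS: {m['proto']} {m['cipher']}")
        elif m := TLS_ERROR.search(line):
            pending[pid].append(m["detail"].strip())
        elif m := DELIVERY.search(line):
            attempts.append({**m.groupdict(), "port": int(m["port"]),
                             "tls": pending.pop(pid, [])})
    return attempts


def s_client_command(attempt: dict) -> str:
    """The diagnostic Viktor asks for, built from the relay= field rather
    than from whatever main.cf says.  Assumption: 25/587 speak STARTTLS,
    465 is TLS from the first byte."""
    host, port = attempt["host"], attempt["port"]
    if port == 465:
        return f"openssl s_client -connect {host}:{port} -servername {host}"
    return f"openssl s_client -starttls smtp -connect {host}:{port} -servername {host}"


def report(log_text: str) -> list:
    """One line per attempt, plus the reproduction command for failures."""
    out = []
    for a in triage(log_text):
        tls = "; ".join(a["tls"]) or "no TLS messages logged"
        out.append(f"{a['qid']} -> {a['host']}:{a['port']} status={a['status']} "
                   f"({a['detail']}) | {tls}")
        if a["status"] != "sent":
            out.append("    reproduce: " + s_client_command(a))
    return out


if __name__ == "__main__":
    print("\n".join(report(LOG)))
```

The point of keying on the pid is that the `SSL_connect error` and `TLS library problem` lines never carry the queue ID; the only thing tying them to a deferral is that the same smtp(8) process wrote them moments earlier.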

Re: Postfix cannot start tls: handshake failure

Viktor Dukhovni
On Wed, Mar 29, 2017 at 05:03:51AM -0700, Den1 wrote:

> I was wondering is it actually advisable to use tls on smtp? When I tried it
> out with my self-signed certificates just to see if it's of any convenience
> to implement this feature I received the following response:
>
> TLS required, but was not offered by host -or- we do not run TLS engine -or-
> certificate is not trusted

This is not a Postfix log message.  For fact-based answers, please post
verbatim Postfix logs.  For alternative-fact-based answers, by all means
please elide the logs and post an anecdotal re-interpretation of what
Postfix reported.

> smtp_tls_security_level = encrypt -or- secure
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

Are you sending all email via a single "relayhost" (a.k.a. a
smarthost)?  If not, and you're sending to MX hosts of all
possible destination domains, then opportunistic TLS with
"may" or opportunistic DANE TLS with "dane" are the only
practical TLS settings.

These two lines are unlikely to be your entire "postconf -n" output.
Which was it, "encrypt" or "secure"?  It is best to resolve problems
with one setting at a time, ideally first the more permissive
"encrypt" if that's appropriate.


> smtp_tls_security_level = may
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
>
> it simply went through without giving any "feedback" or warnings.

Try:

    smtp_tls_loglevel = 1

> smtp_tls_cert_file = -and-
> smtp_tls_key_file =
>
> are they not required?

    http://www.postfix.org/postconf.5.html#smtp_tls_cert_file

--
        Viktor.
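
Added example (my code, not Postfix's) modelling what Viktor's reply implies for Den1's "may went through, encrypt and secure did not" observation: for a given peer, which level delivers in plaintext, which delivers over TLS regardless of the certificate, and which defers. The trust labels are the ones the Postfix smtp client logs at `smtp_tls_loglevel = 1`; the deferral reasons approximate Postfix's wording rather than quote it, and `dane`, `fingerprint` and the MX-hostname matching details of `verify` are left out of the model.

```python
"""What each smtp_tls_security_level does with a given peer.  Added
example, not Postfix code: a small model of the documented client
behaviour for none/may/encrypt/verify/secure."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    offers_starttls: bool      # did EHLO advertise STARTTLS?
    chain_trusted: bool        # does the server cert chain to smtp_tls_CAfile/CApath?
    name_matches: bool         # does a cert name match the expected host name?


LEVELS = ("none", "may", "encrypt", "verify", "secure")


def client_tls_outcome(level: str, peer: Peer) -> tuple:
    """Return (action, how): action is 'deliver' or 'defer'; how is the
    trust label Postfix would log (Untrusted/Trusted/Verified), 'plaintext',
    or an approximate deferral reason."""
    if level not in LEVELS:
        raise ValueError(f"level {level!r} is outside this model")
    if level == "none":
        return ("deliver", "plaintext")
    if not peer.offers_starttls:
        if level == "may":
            # opportunistic: silent fallback, nothing logged at loglevel 0
            return ("deliver", "plaintext")
        return ("defer", "TLS is required, but was not offered by host")
    # TLS is used from here on; the levels differ in how much the cert matters
    if peer.chain_trusted and peer.name_matches:
        label = "Verified"
    elif peer.chain_trusted:
        label = "Trusted"
    else:
        label = "Untrusted"
    if level in ("may", "encrypt"):
        return ("deliver", label)          # certificate is logged, never enforced
    if not peer.chain_trusted:
        return ("defer", "Server certificate not trusted")
    if not peer.name_matches:
        return ("defer", "Server certificate not verified")
    return ("deliver", "Verified")


def matrix(peer: Peer) -> dict:
    """Outcome under every modelled level for one peer."""
    return {lvl: client_tls_outcome(lvl, peer) for lvl in LEVELS}


if __name__ == "__main__":
    self_signed = Peer(offers_starttls=True, chain_trusted=False, name_matches=False)
    for lvl, outcome in matrix(self_signed).items():
        print(f"{lvl:8s} {outcome}")
```

A self-signed server certificate that is not in `smtp_tls_CAfile` is the `Untrusted` case: `may` and `encrypt` still deliver over TLS, only `verify` and `secure` defer. That is the distinction Den1's paraphrased message blurs, and the reason Viktor wants the verbatim log line.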

RE: Postfix cannot start tls: handshake failure

Den1
L.P.H. van Belle wrote:
> smtp_tls_ciphers = medium
> smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4

Why would you exclude these ciphers and make them medium, Louis?


Re: Postfix cannot start tls: handshake failure

Viktor Dukhovni

> On Mar 30, 2017, at 12:03 AM, Den1 <[hidden email]> wrote:
>
>> smtp_tls_ciphers = medium
>> smtp_tls_exclude_ciphers =
>> MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
>
> Why would you exclude these ciphers

Because:

  * MD5 is weak, obsolete and unnecessary
  * SRP and PSK require special code to use, and excluding these
    is actually a NOOP, but makes clearer that they'll never be used.
  * DSS is weak, obsolete and unnecessary
  * The kECDH and kDH "fixed DH" algorithms should never have been added
    to OpenSSL and were removed in OpenSSL 1.1.0.  They are not needed.
  * SEED, IDEA, RC2, and RC5 are never used and are not needed.
  * RC4 is weak and no longer needed.
         
Shorter cipherlists avoid some interoperability issues.  Especially
with older Windows systems, but to interoperate with those you'd need
to leave RC4 enabled.  Such systems have largely been replaced, you're
not likely to run into them.

> and make them medium, Louis?

The cipher grade in Postfix sets a "floor" on the ciphers used, that
is only medium or better.  Nobody is "making them medium":

    http://www.postfix.org/postconf.5.html#smtp_tls_ciphers

--
        Viktor.
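
Added example (my code, not Postfix's) showing what Louis's exclusions actually change: build the OpenSSL cipherlist the way postconf(5) describes Postfix composing it (the grade's list first, then `!name` for each `smtp_tls_exclude_ciphers` entry), resolve it with the local OpenSSL, and compare what is offered before and after. The grade string is the documented default for `tls_medium_cipherlist`, which is why "medium" is a floor rather than a ceiling: HIGH is in it. How many suites you see depends on your OpenSSL build (modern builds no longer ship most of the excluded algorithms at all, which is Viktor's "NOOP" point), so the check below only requires that nothing weak survives.

```python
"""How Postfix turns a cipher grade plus exclusions into an OpenSSL
cipherlist, and what survives.  Added example, not Postfix code."""
import ssl

# Postfix's documented default for tls_medium_cipherlist (postconf(5)).
MEDIUM_GRADE = "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
# Louis's smtp_tls_exclude_ciphers value from the thread.
EXCLUDE = "MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4"
# Substrings that should never appear in an offered suite name afterwards.
WEAK_MARKERS = ("RC4", "MD5", "DSS", "SEED", "IDEA", "RC2", "RC5", "NULL")


def postfix_cipherlist(grade: str, exclude: str) -> str:
    """Append each exclusion as '!name' to the grade's list, the way Postfix
    builds the string it hands to OpenSSL.  Names OpenSSL no longer knows
    (kECDH/kDH were removed in 1.1.0) are ignored by its parser."""
    parts = [grade] + ["!" + x.strip() for x in exclude.split(",") if x.strip()]
    return ":".join(parts)


def offered_suites(cipherlist: str) -> list:
    """Resolve the list against the local OpenSSL and return the TLS<=1.2
    suite names it yields.  TLS 1.3 suites are governed separately and are
    dropped so the comparison is about the cipherlist only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipherlist)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_leftovers(suites: list) -> list:
    """Suites whose name still mentions one of the excluded algorithms."""
    return [s for s in suites if any(m in s for m in WEAK_MARKERS)]


def compare(grade: str = MEDIUM_GRADE, exclude: str = EXCLUDE) -> dict:
    """Before/after view of the grade with and without the exclusions."""
    before = offered_suites(grade)
    after = offered_suites(postfix_cipherlist(grade, exclude))
    return {"before": len(before), "after": len(after),
            "removed": sorted(set(before) - set(after)),
            "weak_left": weak_leftovers(after)}


if __name__ == "__main__":
    print(postfix_cipherlist(MEDIUM_GRADE, EXCLUDE))
    for k, v in compare().items():
        print(f"{k}: {v}")
```

On an OpenSSL 3 build the "removed" list is typically just the DSS suites; RC4, MD5, SEED, IDEA, RC2 and RC5 are already absent from the default provider, so the exclusions cost nothing and document intent, which is exactly the argument made above.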

Re: Postfix cannot start tls: handshake failure

Den1
Appreciate your input, Viktor. Thank you.