Postfix sends RST after TLS handshake

Alexander Busam
Hello everyone!

... once more, this time without the line wrapping :-)

For a few days now I have been having problems with mail servers that have switched their certificate. As far as I can tell, Postfix (version 2.4.5) does not know the signed digest of the certificate and aborts the connection.

Does anyone know a "quick" way to get Postfix/OpenSSL (version 0.9.8) to not abort the connection, without upgrading to a current version?

Many thanks & regards
Alex


Packet capture log of a failed connect:

No.     Time        Source                Destination           Protocol Length Info
      1 0.000000    10.74.0.127           195.145.2.90          TCP      62     59830→25 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1
      2 0.021089    195.145.2.90          10.74.0.127           TCP      62     25→59830 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
      3 0.021101    10.74.0.127           195.145.2.90          TCP      54     59830→25 [ACK] Seq=1 Ack=1 Win=14600 Len=0
      4 0.046547    195.145.2.90          10.74.0.127           SMTP     101    S: 220 mail.xyz-intern.de ESMTP Postfix
      5 0.046562    10.74.0.127           195.145.2.90          TCP      54     59830→25 [ACK] Seq=1 Ack=48 Win=14600 Len=0
      6 0.046596    10.74.0.127           195.145.2.90          SMTP     79     C: EHLO openssl.client.net
      7 0.066974    195.145.2.90          10.74.0.127           TCP      60     25→59830 [ACK] Seq=48 Ack=26 Win=5840 Len=0
      8 0.067128    195.145.2.90          10.74.0.127           SMTP     236    S: 250 mail.xyz-intern.de | 250 PIPELINING | 250 SIZE 50000000 | 250 VRFY | 250 ETRN | 250 STARTTLS | 250 AUTH PLAIN | 250 AUTH=PLAIN | 250 ENHANCEDSTATUSCODES | 250 8BITMIME | 250 DSN
      9 0.067165    10.74.0.127           195.145.2.90          SMTP     64     C: STARTTLS
     10 0.087733    195.145.2.90          10.74.0.127           SMTP     84     S: 220 2.0.0 Ready to start TLS
     11 0.088795    10.74.0.127           195.145.2.90          TLSv1    317    Client Hello
     12 0.124981    195.145.2.90          10.74.0.127           TLSv1    1514   Server Hello
     13 0.126416    195.145.2.90          10.74.0.127           TLSv1    1514   Certificate
     14 0.126451    10.74.0.127           195.145.2.90          TCP      54     59830→25 [ACK] Seq=299 Ack=3180 Win=20440 Len=0
     15 0.147559    195.145.2.90          10.74.0.127           TLSv1    585    Server Key Exchange
     16 0.152381    10.74.0.127           195.145.2.90          TCP      2974   [TCP segment of a reassembled PDU]
     17 0.152396    10.74.0.127           195.145.2.90          TLSv1    1157   Certificate
     18 0.176325    195.145.2.90          10.74.0.127           TCP      60     25→59830 [ACK] Seq=3711 Ack=3219 Win=11680 Len=0
     19 0.179139    195.145.2.90          10.74.0.127           TCP      60     25→59830 [RST, ACK] Seq=3711 Ack=4322 Win=14600 Len=0


Failed connect:

Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: connect from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: setting up TLS connection from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification failed for cluster-d.mailcontrol.com: num=19:self signed certificate in certificate chain
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification failed for cluster-d.mailcontrol.com: num=7:certificate signature failure
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification failed for cluster-d.mailcontrol.com: num=7:certificate signature failure
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: SSL_accept error from cluster-d.mailcontrol.com[85.115.60.190]: -1
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: warning: TLS library problem: 16667:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:141:
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: warning: TLS library problem: 16667:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:141:
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: lost connection after STARTTLS from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: disconnect from cluster-d.mailcontrol.com[85.115.60.190]


Last successful connect:

Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: connect from cluster-j.mailcontrol.com[85.115.54.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: setting up TLS connection from cluster-j.mailcontrol.com[85.115.54.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: certificate verification failed for cluster-j.mailcontrol.com: num=19:self signed certificate in certificate chain
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: fingerprint=0F:D2:95:D8:D8:F8:B0:6C:07:7B:4C:9B:9F:22:A3:E0
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: Unverified: subject_CN=*.mailcontrol.com, issuer=DigiCert High Assurance CA-3
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: TLS connection established from cluster-j.mailcontrol.com[85.115.54.190]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 13 07:26:50 hmmailsrv postgrey[4818]: action=pass, reason=client AWL, client_name=cluster-j.mailcontrol.com, client_address=85.115.54.190, sender=[hidden email], recipient=[hidden email]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: NOQUEUE: client=cluster-j.mailcontrol.com[85.115.54.190]


main.cf:

alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
allow_min_user = yes
biff = no
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.de-DE.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 4h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix24/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 3d
message_size_limit = 50000000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = mail.xyz.de
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix24/README_FILES
relay_domains = hash:/etc/postfix/relay_domains,
    proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix24/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_helo_name = mail.xyz.com
smtp_sasl_auth_enable = no
smtp_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtp_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_enforce_tls = no
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access_recipient_roleaccounts,
    check_sender_access hash:/etc/postfix/access_sender_ok,
    check_sender_access hash:/etc/postfix/access_sender_allow_exe,
    check_recipient_access hash:/etc/postfix/access_recipient_ok,
    check_recipient_access hash:/etc/postfix/access_recipient_reject,
    reject_unknown_recipient_domain,
    permit_sasl_authenticated,
    permit_mynetworks,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client bl.spamcop.net,
    check_policy_service unix:public/postgrey
    reject_unauth_destination,
    permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport,
    proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains,
    hash:/etc/postfix/virtual_mailinglisten
virtual_alias_maps = hash:/etc/postfix/virtual,
    hash:/etc/postfix/virtual_mailinglisten,
    proxy:ldap:/etc/postfix/virtual.ldap,
    proxy:ldap:/etc/postfix/virtual_mailverteiler.ldap
--
_______________________________________________
Postfixbuch-users -- http://www.postfixbuch.de
Heinlein Professional Linux Support GmbH

[hidden email]
https://listi.jpberlin.de/mailman/listinfo/postfixbuch-users
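The two log excerpts above differ in one line, and it is not the num=19 one: "self signed certificate in certificate chain" shows up in the successful Nov 13 session as well (with smtpd_tls_ask_ccert = yes and smtpd_tls_req_ccert = no an unverifiable client certificate is logged and the session carries on). What only the failed session has is the library-level error "unknown message digest algorithm", followed by "lost connection after STARTTLS". The following triage script is an added example and not part of this thread or of Postfix; it groups smtpd lines per child process and session, pulls out the verification and library errors, and assigns a verdict so that sessions broken by an unknown digest can be told apart from ordinary chain-verification noise. The sample input is the thread's own log lines, embedded inline.

```python
import re

# Sample input: the smtpd lines posted above (failed session of Nov 27, last
# successful session of Nov 13). Hostnames and addresses are the thread's own.
SAMPLE_LOG = """\
Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: connect from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: setting up TLS connection from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification failed for cluster-d.mailcontrol.com: num=19:self signed certificate in certificate chain
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification failed for cluster-d.mailcontrol.com: num=7:certificate signature failure
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: SSL_accept error from cluster-d.mailcontrol.com[85.115.60.190]: -1
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: warning: TLS library problem: 16667:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:141:
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: lost connection after STARTTLS from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: disconnect from cluster-d.mailcontrol.com[85.115.60.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: connect from cluster-j.mailcontrol.com[85.115.54.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: certificate verification failed for cluster-j.mailcontrol.com: num=19:self signed certificate in certificate chain
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: Unverified: subject_CN=*.mailcontrol.com, issuer=DigiCert High Assurance CA-3
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: TLS connection established from cluster-j.mailcontrol.com[85.115.54.190]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 13 07:26:50 hmmailsrv postgrey[4818]: action=pass, reason=client AWL, client_name=cluster-j.mailcontrol.com, client_address=85.115.54.190
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]")
VERIFY_RE = re.compile(r"^certificate verification failed for (?P<client>\S+): num=(?P<num>\d+):(?P<reason>.*)$")
# OpenSSL error strings look like error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:
LIBPROBLEM_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)")
ESTABLISHED_RE = re.compile(r"^TLS connection established from (?P<client>[^\[]+)\[[^\]]+\]: (?P<proto>\S+) with cipher (?P<cipher>\S+)")
LOST_RE = re.compile(r"^lost connection after STARTTLS from ")

VERDICT_ESTABLISHED = "established"
VERDICT_UNKNOWN_DIGEST = "unknown-digest"   # local OpenSSL lacks the digest the peer cert is signed with
VERDICT_SIG_FAILURE = "signature-failure"   # X.509 verify error 7 without a library-level explanation
VERDICT_OTHER = "other"


def classify(s):
    """Verdict for one session summary. An established session wins; otherwise the
    library error is more specific than the generic num=7 verify error; num=19 alone
    is not a failure at all (it also appears in the successful session above)."""
    if s["tls_established"]:
        return VERDICT_ESTABLISHED
    if any("unknown message digest algorithm" in r for r in s["library_errors"]):
        return VERDICT_UNKNOWN_DIGEST
    if any(num == 7 for num, _ in s["verify_errors"]):
        return VERDICT_SIG_FAILURE
    return VERDICT_OTHER


def triage(text):
    """Return {client_name: summary} for every smtpd session found in the log text.
    A session starts at 'connect from' and ends at 'disconnect from' for a given
    smtpd child pid; lines from other daemons (postgrey, ...) are ignored. If a client
    connects several times, the last session for that name is kept."""
    open_by_pid, results = {}, {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        c = CONNECT_RE.match(msg)
        if c:
            s = {"client": c["client"], "ip": c["ip"], "verify_errors": [],
                 "library_errors": [], "tls_established": None,
                 "lost_after_starttls": False, "verdict": VERDICT_OTHER}
            open_by_pid[pid] = s
            results[c["client"]] = s
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue  # no 'connect from' seen for this pid in the input
        v = VERIFY_RE.match(msg)
        l = LIBPROBLEM_RE.search(msg)
        e = ESTABLISHED_RE.match(msg)
        if v:
            s["verify_errors"].append((int(v["num"]), v["reason"]))
        elif l:
            s["library_errors"].append(l["reason"])
        elif e:
            s["tls_established"] = f'{e["proto"]} {e["cipher"]}'
        elif LOST_RE.match(msg):
            s["lost_after_starttls"] = True
        elif msg.startswith("disconnect from "):
            s["verdict"] = classify(s)
            del open_by_pid[pid]
    for s in open_by_pid.values():  # sessions without a disconnect line yet
        s["verdict"] = classify(s)
    return results


if __name__ == "__main__":
    for client, s in triage(SAMPLE_LOG).items():
        print(f"{client}: {s['verdict']}  verify={s['verify_errors']}  lib={s['library_errors']}")
```

Run against the thread's lines, the script reports cluster-d.mailcontrol.com as unknown-digest and cluster-j.mailcontrol.com as established (TLSv1, DHE-RSA-AES256-SHA). Feeding it a real mail log with smtpd_tls_loglevel = 1 is enough to see how many peers are affected, which is the number that decides between a quick workaround and the system update suggested in the replies.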
Re: Postfix sends RST after TLS handshake

Jens Adam
Fri, 28 Nov 2014 12:27:21 +0100
Alexander Busam <[hidden email]>:

> Does anyone know a "quick" way to get Postfix/OpenSSL (version
> 0.9.8) to not abort the connection, without upgrading to a
> current version?

No.

See https://www.openssl.org/news/changelog.html, section "Changes
between 0.9.8n and 0.9.8o [01 Jun 2010]":

*) Add SHA2 algorithms to SSL_library_init(). SHA2 is becoming far more
   common in certificates and some applications which only call
   SSL_library_init and not OpenSSL_add_all_algorithms() will fail.
   [Steve Henson]

With an OpenSSL that is ~5 years old and a Postfix that is ~7 years old, I would
rather schedule a complete system update.

--byte
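The changelog entry quoted above explains the log line: before 0.9.8o, an application that only called SSL_library_init() had no SHA-2 digests registered, so a certificate signed with sha256WithRSAEncryption could not be verified and OpenSSL reported "unknown message digest algorithm". Whether a given peer falls on that side of the line is decided by the signatureAlgorithm OID in its certificate. The following is an added example, not code from this thread, Postfix or OpenSSL: a minimal DER reader that decodes the OID from an AlgorithmIdentifier (or from the outer signatureAlgorithm field of a whole certificate) and flags the SHA-2 family. The DER byte strings and the certificate skeleton are constructed for the example.

```python
# Minimal DER reader and signature-algorithm classifier (added example).

def read_tlv(buf, pos=0):
    """Read one DER TLV at buf[pos]: returns (tag, content, next_pos).
    Handles short- and long-form definite lengths, which is all DER allows."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128, high bit set on all but the last octet
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


# Standard PKCS#1 / X9.62 signature-algorithm OIDs -> (name, digest)
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "sha384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "sha512"),
    "1.2.840.113549.1.1.14": ("sha224WithRSAEncryption", "sha224"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "sha1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "sha384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "sha512"),
}
# The digests the quoted changelog says 0.9.8o added to SSL_library_init().
SHA2_DIGESTS = {"sha224", "sha256", "sha384", "sha512"}


def parse_algorithm_identifier(der):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }.
    Returns oid, name, digest and whether the digest is in the SHA-2 family
    (None for an OID not in the table)."""
    tag, content, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid_content, _ = read_tlv(content)
    if oid_tag != 0x06:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    oid = decode_oid(oid_content)
    name, digest = SIGNATURE_OIDS.get(oid, (None, None))
    return {"oid": oid, "name": name, "digest": digest,
            "sha2": None if digest is None else digest in SHA2_DIGESTS}


def certificate_signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skips tbsCertificate and classifies the outer signatureAlgorithm field."""
    tag, content, _ = read_tlv(cert_der)
    if tag != 0x30:
        raise ValueError("Certificate must be a SEQUENCE")
    _, _, pos = read_tlv(content)            # skip tbsCertificate
    _, _, end = read_tlv(content, pos)       # bounds of signatureAlgorithm
    return parse_algorithm_identifier(content[pos:end])


# Constructed sample DER (not from the thread):
SHA1_RSA_ALG = bytes.fromhex("300d06092a864886f70d0101050500")     # sha1WithRSAEncryption, NULL params
SHA256_RSA_ALG = bytes.fromhex("300d06092a864886f70d01010b0500")   # sha256WithRSAEncryption, NULL params
ECDSA_SHA256_ALG = bytes.fromhex("300a06082a8648ce3d040302")       # ecdsa-with-SHA256, no params
# Constructed certificate skeleton: empty tbsCertificate, SHA-256/RSA algorithm, empty BIT STRING.
FAKE_CERT = bytes.fromhex("3014") + bytes.fromhex("3000") + SHA256_RSA_ALG + bytes.fromhex("030100")

if __name__ == "__main__":
    for label, der in [("sha1/rsa", SHA1_RSA_ALG), ("sha256/rsa", SHA256_RSA_ALG), ("ecdsa/sha256", ECDSA_SHA256_ALG)]:
        print(label, parse_algorithm_identifier(der))
    print("skeleton cert", certificate_signature_algorithm(FAKE_CERT))
```

On a live system the same field is what `openssl x509 -in cert.pem -noout -text` prints as "Signature Algorithm:", and a peer's chain can be collected with `openssl s_client -starttls smtp -connect host:25 -showcerts`; the classifier above is mainly useful when many captured certificates have to be sorted at once. Note that the check has to be applied to every certificate in the chain, not only the leaf, since the verify error in the thread comes from ASN1_item_verify on a signature somewhere in the chain.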

Re: Postfix sends RST after TLS handshake

Andreas Schulze
On 28.11.2014 13:29 Jens Adam wrote:
> > Does anyone know a "quick" way
You can try forcing outgoing connections to the problematic servers (or all of them)
to plaintext

for all of them:
        smtp_tls_security_level = none

for selected destination DOMAINS:
        smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
          example.com none


--
Andreas Schulze
Internetdienste | P252

DATEV eG
90329 Nürnberg | Telefon +49 911 319-0 | Telefax +49 911 319-3196
E-Mail [hidden email] | Internet www.datev.de