Problem using TLS: lost connection after STARTTLS

classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|

Problem using TLS: lost connection after STARTTLS

Jan P. Kessler-2
Hi,

currently we are experiencing problems with an incoming SMTP/TLS
connection. Remote side is an Ironport device, we are using postfix
2.8.13 on solaris 10. The problem exists only for incoming mails
(ironport to postfix), the other direction works fine. It happens for
both opportunistic (which cisco calls "preferred") and mandatory TLS. As
soon as they switch to plaintext, the mails pass through. The problem
exists with both of their and both of our relays.

On our side we are using TLS since several years (2005/2006) with a lot
of partners (some of them have ironports too) and it is the first time
that we have such an issue. So the problem seems to be on their side,
but I'd prefer to be sure and ideally give them a hint on what's going
wrong here:

Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] connect from mail.dgverlag.de[145.253.80.6]
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] setting up TLS connection from mail.dgverlag.de[145.253.80.6]
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] certificate verification failed for
mail.dgverlag.de[145.253.80.6]: untrusted issuer
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] mail.dgverlag.de[145.253.80.6]: Untrusted:
subject_CN=DGVDEX.DGVERLAG.DE, issuer=VR IDENT SSL CA 2011,
fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:85:9A:55:6D
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] Untrusted TLS connection established from
mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown message digest
algorithm:a_verify.c:146:
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] lost connection after STARTTLS from
mail.dgverlag.de[145.253.80.6]
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] disconnect from mail.dgverlag.de[145.253.80.6]

Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] connect from mail2.dgverlag.de[145.253.80.47]
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] setting up TLS connection from mail2.dgverlag.de[145.253.80.47]
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] certificate verification failed for
mail2.dgverlag.de[145.253.80.47]: untrusted issuer
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] SSL_accept error from mail2.dgverlag.de[145.253.80.47]: -1
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 947731
mail.warning] warning: TLS library problem: 22673:error:0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown message digest
algorithm:a_verify.c:146:
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] lost connection after STARTTLS from
mail2.dgverlag.de[145.253.80.47]
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] disconnect from mail2.dgverlag.de[145.253.80.47]

Does the message

TLS library problem: 22673:error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146

indicate a problem on our side?

Please let me know if you need any further information. Below the log
output with debug_peer_list:

  Jan

Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] connect from mail.dgverlag.de[145.253.80.6]
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: mail.dgverlag.de: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: 145.253.80.6: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr request = connect
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr ident = smtp:145.253.80.6
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value: 0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: count
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: count
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value: 1
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: rate
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: rate
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value: 1
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: (list terminator)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: (end)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 220 mail.ruv.de ESMTP
Mailservice
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] watchdog_pat: 1f7df0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] < mail.dgverlag.de[145.253.80.6]: EHLO mail1.dgverlag.de
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-mail.ruv.de
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-PIPELINING
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-SIZE 56000000
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-ETRN
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: mail.dgverlag.de: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: 145.253.80.6: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-STARTTLS
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-ENHANCEDSTATUSCODES
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-8BITMIME
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250 DSN
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] watchdog_pat: 1f7df0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] < mail.dgverlag.de[145.253.80.6]: STARTTLS
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 220 2.0.0 Ready to start TLS
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] setting up TLS connection from mail.dgverlag.de[145.253.80.6]
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] auto_clnt_open: connected to private/tlsmgr
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr request = seed
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr size = 32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/tlsmgr: wanted attribute: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value: 0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/tlsmgr: wanted attribute: seed
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: seed
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value:
giSoP2fCUG+iOLAWUWNKWqftNv1pJeqK3SoJ5/eNH1c=
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/tlsmgr: wanted attribute: (list terminator)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: (end)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] certificate verification failed for
mail.dgverlag.de[145.253.80.6]: untrusted issuer
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] SSL_accept error from mail.dgverlag.de[145.253.80.6]: -1
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 947731
mail.warning] warning: TLS library problem: 16654:error:0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown message digest
algorithm:a_verify.c:146:
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: mail.dgverlag.de: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: 145.253.80.6: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr request = disconnect
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr ident = smtp:145.253.80.6
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value: 0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: (list terminator)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: (end)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] lost connection after STARTTLS from
mail.dgverlag.de[145.253.80.6]
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] disconnect from mail.dgverlag.de[145.253.80.6]

Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Wietse Venema
Jan P. Kessler:
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:

> Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 947731
> mail.warning] warning: TLS library problem: 22673:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:

They use a message digest function that is not available (or
ir not turned on) on your side.

I'll leave it to Victor or other OpenSSL knowledgeables to
find put what message digest type is the problem.

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Bastian Blank-3
In reply to this post by Jan P. Kessler-2
On Fri, Jun 14, 2013 at 12:24:39PM +0200, Jan P. Kessler wrote:
> currently we are experiencing problems with an incoming SMTP/TLS
> connection. Remote side is an Ironport device, we are using postfix
> 2.8.13 on solaris 10.

Please show "postconf -n".

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] certificate verification failed for
> mail.dgverlag.de[145.253.80.6]: untrusted issuer
> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

Why do you check client certificates?

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] Untrusted TLS connection established from
> mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)

Why do you use RC4? This suite usually have a pretty low preference.

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:

And now openssl gets something it does not like at all.

> Please let me know if you need any further information. Below the log
> output with debug_peer_list:

The documentation tells you to show configs and no verbose lo.

Bastian

--
I'm frequently appalled by the low regard you Earthmen have for life.
                -- Spock, "The Galileo Seven", stardate 2822.3
Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Jan P. Kessler-2

>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
>> mail.info] certificate verification failed for
>> mail.dgverlag.de[145.253.80.6]: untrusted issuer
>> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> Why do you check client certificates?

Because we authenticate/whitelist some other systems by their client
certificate.

>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
>> mail.info] Untrusted TLS connection established from
>> mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)
> Why do you use RC4? This suite usually have a pretty low preference.

It is the remote side, that tries RC4. If we establish a connection to
their ironport, the following is used:

Jun 14 11:48:17 rv-smtpext-101 postfix-OUT/smtp[25604]: [ID 197553
mail.info] Untrusted TLS connection established to
mail1.dgverlag.de[145.253.80.6]:25: TLSv1 with cipher ADH-AES256-SHA
(256/256 bits)

>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
>> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
>> encoding routines:ASN1_item_verify:unknown message digest
>> algorithm:a_verify.c:146:
> And now openssl gets something it does not like at all.
>
>> Please let me know if you need any further information. Below the log
>> output with debug_peer_list:
> The documentation tells you to show configs and no verbose lo.

Bastian, I really don't want to argue here. It is absolutely clear, that
(as you and others also have noticed) openssl "does not like sth at all"
here. And I doubt that "postconf -n" will help with this, but for the
sake of clarity you'll find the information below.

What I really wanted to know is, what exactly "openssl does not like at
all" (means what kind of message digest is failing here and how we might
circumvent/exclude the problem).


postconf -n | sed 's/mydomain/EXAMPLE.COM/g'

address_verify_map = btree:$data_directory/VERIFY_ADDRESS
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 6
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_sender = [hidden email]
address_verify_transport_maps = btree:/etc/postfix/verify_transport
alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
alternate_config_directories = /etc/postfix/OUT, /etc/postfix/TLSONLY
body_checks = pcre:/etc/postfix/body_checks
body_checks_size_limit = 512000
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /opt/vrnetze/postfix/sbin
config_directory = /etc/postfix
daemon_directory = /opt/vrnetze/postfix/libexec
data_directory = /var/spool/postfix/DATA
debug_peer_level = 2
default_privs = nobody
delay_warning_time = 12h
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
luser_relay = [hidden email]
mail_name = Mailservice
mail_owner = postfix
mailbox_size_limit = 56000001
mailq_path = /usr/bin/mailq
manpage_directory = /opt/vrnetze/postfix/man
maximal_queue_lifetime = 3d
message_size_limit = 56000000
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mydomain = EXAMPLE.COM
myhostname = mail.EXAMPLE.COM
mynetworks = /etc/postfix/relay_from_networks
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
plaintext_reject_code = 554
proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
queue_directory = /var/spool/postfix
readme_directory = /opt/vrnetze/postfix/doc
receive_override_options = no_address_mappings
relay_domains = $config_directory/relay_to_domains
remote_header_rewrite_domain = domain.invalid
sample_directory = /etc/postfix
sender_canonical_maps = btree:/etc/postfix/sender_canonical
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtp_enforce_tls = no
smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtp_tls_key_file = /etc/postfix/CERTS/key.pem
smtp_tls_loglevel = 1
smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
smtp_tls_scert_verifydepth = 8
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Mailservice
smtpd_data_restrictions = reject_unauth_pipelining,    
reject_multi_recipient_bounce
smtpd_end_of_data_restrictions = check_recipient_access
btree:/etc/postfix/GROESSENBESCHRAENKUNG
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_policy_service_max_idle = 700s
smtpd_policy_service_max_ttl = 1800s
smtpd_policy_service_timeout = 600s
smtpd_proxy_timeout = 600s
smtpd_recipient_restrictions = reject_non_fqdn_recipient,      
permit_mynetworks,      reject_unauth_destination,      
check_client_access pcre:/etc/postfix/TLS_VERSENDER_CLIENTS,      
check_sender_access btree:/etc/postfix/TLS_VERSENDER,    
check_ccert_access btree:/etc/postfix/tls_ccerts,      
check_client_access cidr:/etc/postfix/CLIENT_WHITELIST,      
check_sender_access btree:/etc/postfix/ABSENDER_WHITELIST,      
check_client_access pcre:/etc/postfix/CLIENT_BLACKLIST,
check_recipient_access pcre:/etc/postfix/EMPFAENGER_BLACKLIST,
check_helo_access pcre:/etc/postfix/HELOCHECK,  check_sender_access
btree:/etc/postfix/INTERNE_DOMAINS, check_sender_access
pcre:/etc/postfix/ABSENDER_BLACKLIST,      
reject_invalid_helo_hostname,   reject_non_fqdn_sender,
reject_unknown_sender_domain,   check_sender_mx_access
cidr:/etc/postfix/PRIVATE_NETZE, reject_rbl_client zen.spamhaus.org,    
check_recipient_access btree:/etc/postfix/POLICYCHECK,
check_recipient_access btree:/etc/postfix/VERIFY_EMPFAENGER,    permit
smtpd_restriction_classes = hapolicycheck, hagroessencheck,
hagreylistcheck, pfwpolicycheck, greylistcheck, absenderverifizierung,
empfaengerverifizierung, groessencheck
smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 8
smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
transport_maps = btree:/etc/postfix/fehlerdomains,
btree:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = User unknown -- Empfaenger nicht
gefunden

Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Viktor Dukhovni
In reply to this post by Jan P. Kessler-2
On Fri, Jun 14, 2013 at 12:24:39PM +0200, Jan P. Kessler wrote:

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] mail.dgverlag.de[145.253.80.6]: Untrusted:
> subject_CN=DGVDEX.DGVERLAG.DE, issuer=VR IDENT SSL CA 2011,
> fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:85:9A:55:6D

Certificate details:

$ openssl x509 -md5 -fingerprint -text -in cert.pem
MD5 Fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:85:9A:55:6D
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 162 (0xa2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, O=GAD EG, OU=VR IDENT, CN=VR IDENT SSL CA 2011
        Validity
            Not Before: Jul 13 11:18:43 2012 GMT
            Not After : Aug 13 21:59:59 2013 GMT
        Subject: C=DE, ST=HESSEN, L=WIESBADEN, O=DEUTSCHER GENOSSENSCHAFTS-VERLAG EG, OU=ORGANISATION, CN=DGVDEX.DGVERLAG.DE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:f8:88:4e:bc:7d:3d:73:a7:72:a2:5b:5c:bc:0a:
                    cf:44:10:15:d8:3d:93:1a:35:0d:5f:33:e8:11:53:
                    d0:98:ff:65:89:76:bc:18:d9:0a:62:cb:a5:46:c6:
                    70:43:aa:6e:11:1a:e8:85:93:51:1f:49:68:c3:72:
                    a8:cd:2f:b3:2d:63:ce:63:67:65:e5:00:5d:4e:8f:
                    75:56:f3:83:df:ec:84:05:1e:3b:1c:fd:49:97:a7:
                    22:a9:59:65:f1:74:e3:d5:ce:90:ef:f2:c4:ea:25:
                    6b:a7:e8:9e:2c:9a:a8:76:a7:b4:9a:54:e8:b3:56:
                    15:ab:8c:7a:c3:33:62:f2:9c:98:16:35:62:ff:c5:
                    00:19:06:bd:a2:59:41:40:69:6b:26:e8:c3:86:d0:
                    c0:ed:b0:4e:06:8e:d2:64:7e:2e:cf:03:6b:a9:62:
                    c1:01:fd:7b:d9:1c:48:03:87:35:10:17:9b:0b:f4:
                    33:98:6d:fe:ea:02:1d:f0:74:1d:e4:b9:be:6d:14:
                    be:61:f0:5f:82:ea:e8:f8:fe:90:84:ed:ac:a3:a3:
                    b9:5c:26:07:e5:68:64:5f:63:69:43:99:9d:ab:cd:
                    a8:26:f6:af:46:32:0a:76:10:2e:b3:a8:e1:bd:63:
                    9c:56:a5:84:b4:05:cb:11:83:78:73:30:bf:b6:8d:
                    23:a3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ocsp.vr-ident.de/gtnocsp/OCSPResponder/VR%20Ident%20SSL%20CA%202011

            X509v3 Authority Key Identifier:
                keyid:50:52:4F:44:2E:47:54:4E:2E:45:58:53:53:4C:43:41:2E:53:49:47:47:45:4E:52:53:2E:30:30:30:30:32:32:30:30
                DirName:/C=DE/O=GAD EG/OU=VR IDENT/CN=VR IDENT EXTERNAL ROOT CA 2011
                serial:04

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://www.vr-ident.de/gtncrl/CRLResponder/VR%20Ident%20SSL%20CA%202011

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                60:1E:93:11:E3:BA:7D:19:A6:88:FB:DD:8E:90:73:50:47:E7:CB:20
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
        9b:c5:33:88:de:38:6b:4f:5c:0f:97:af:d7:18:60:f6:7c:03:
        23:2b:38:cf:d7:14:fb:31:25:91:61:63:48:cc:52:26:6e:a9:
        3a:a0:8f:a7:98:e8:4a:17:8a:e0:fd:a0:d1:56:92:bd:b6:85:
        21:02:0f:1c:95:e0:e7:7a:ad:a5:31:21:e9:4b:5f:4a:e3:bd:
        e7:04:64:54:69:fc:6e:c8:9d:28:ef:53:12:ff:57:c0:71:1e:
        b7:e8:5a:0a:9d:65:a4:91:2c:1a:d9:36:46:75:c4:56:47:5a:
        b3:5c:38:7d:4d:ea:12:64:58:8a:3c:02:07:21:53:cc:10:66:
        87:5c:63:99:67:04:c0:70:3e:41:62:3f:6a:c0:93:1e:e5:f3:
        53:f2:4c:43:b7:b4:83:8f:81:18:a9:42:f2:76:2e:d0:cc:71:
        bc:ca:66:7b:df:75:73:f1:13:0b:ac:98:ae:92:84:a3:b4:52:
        53:b2:00:87:de:1e:cf:cb:d5:a3:32:3c:81:5c:fd:54:e9:c8:
        70:b4:b8:d0:64:96:8d:d7:4a:46:f7:2b:b4:df:f7:ad:0c:7d:
        a6:71:3f:08:7c:7a:a6:9b:c0:38:6c:9b:e6:00:cd:14:4a:bd:
        71:6f:c3:a9:87:b9:70:6d:ba:04:59:f1:d8:c7:1d:17:de:6f:
        29:e5:3f:1d
-----BEGIN CERTIFICATE-----
MIIFAjCCA+qgAwIBAgICAKIwDQYJKoZIhvcNAQELBQAwUDELMAkGA1UEBhMCREUx
DzANBgNVBAoMBkdBRCBFRzERMA8GA1UECwwIVlIgSURFTlQxHTAbBgNVBAMMFFZS
IElERU5UIFNTTCBDQSAyMDExMB4XDTEyMDcxMzExMTg0M1oXDTEzMDgxMzIxNTk1
OVowgZQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZIRVNTRU4xEjAQBgNVBAcMCVdJ
RVNCQURFTjEsMCoGA1UECgwjREVVVFNDSEVSIEdFTk9TU0VOU0NIQUZUUy1WRVJM
QUcgRUcxFTATBgNVBAsMDE9SR0FOSVNBVElPTjEbMBkGA1UEAwwSREdWREVYLkRH
VkVSTEFHLkRFMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+IhOvH09
c6dyoltcvArPRBAV2D2TGjUNXzPoEVPQmP9liXa8GNkKYsulRsZwQ6puERrohZNR
H0low3KozS+zLWPOY2dl5QBdTo91VvOD3+yEBR47HP1Jl6ciqVll8XTj1c6Q7/LE
6iVrp+ieLJqodqe0mlTos1YVq4x6wzNi8pyYFjVi/8UAGQa9ollBQGlrJujDhtDA
7bBOBo7SZH4uzwNrqWLBAf172RxIA4c1EBebC/QzmG3+6gId8HQd5Lm+bRS+YfBf
guro+P6QhO2so6O5XCYH5WhkX2NpQ5mdq82oJvavRjIKdhAus6jhvWOcVqWEtAXL
EYN4czC/to0jowIDAQABo4IBnzCCAZswZgYIKwYBBQUHAQEEWjBYMFYGCCsGAQUF
BzABhkpodHRwOi8vb2NzcC52ci1pZGVudC5kZS9ndG5vY3NwL09DU1BSZXNwb25k
ZXIvVlIlMjBJZGVudCUyMFNTTCUyMENBJTIwMjAxMTCBkgYDVR0jBIGKMIGHgCJQ
Uk9ELkdUTi5FWFNTTENBLlNJR0dFTlJTLjAwMDAyMjAwoV6kXDBaMQswCQYDVQQG
EwJERTEPMA0GA1UECgwGR0FEIEVHMREwDwYDVQQLDAhWUiBJREVOVDEnMCUGA1UE
AwweVlIgSURFTlQgRVhURVJOQUwgUk9PVCBDQSAyMDExggEEMFgGA1UdHwRRME8w
TaBLoEmGR2h0dHA6Ly93d3cudnItaWRlbnQuZGUvZ3RuY3JsL0NSTFJlc3BvbmRl
ci9WUiUyMElkZW50JTIwU1NMJTIwQ0ElMjAyMDExMA4GA1UdDwEB/wQEAwIFoDAd
BgNVHQ4EFgQUYB6TEeO6fRmmiPvdjpBzUEfnyyAwEwYDVR0lBAwwCgYIKwYBBQUH
AwEwDQYJKoZIhvcNAQELBQADggEBAJvFM4jeOGtPXA+Xr9cYYPZ8AyMrOM/XFPsx
JZFhY0jMUiZuqTqgj6eY6EoXiuD9oNFWkr22hSECDxyV4Od6raUxIelLX0rjvecE
ZFRp/G7InSjvUxL/V8BxHrfoWgqdZaSRLBrZNkZ1xFZHWrNcOH1N6hJkWIo8Agch
U8wQZodcY5lnBMBwPkFiP2rAkx7l81PyTEO3tIOPgRipQvJ2LtDMcbzKZnvfdXPx
EwusmK6ShKO0UlOyAIfeHs/L1aMyPIFc/VTpyHC0uNBklo3XSkb3K7Tf960MfaZx
Pwh8eqabwDhsm+YAzRRKvXFvw6mHuXBtugRZ8djHHRfebynlPx0=
-----END CERTIFICATE-----

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] Untrusted TLS connection established from
> mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:

From above:

    Signature Algorithm: sha256WithRSAEncryption

It looks your OpenSSL library does not enable this via
OpenSSL_add_ssl_algorithms().

The use of certificates with signature algorithms other than MD5
and SHA-1 is supposed to be negotiated via TLSv1.2, plain SSLv3/TLSv1
do not have a way to negotiate these, and clients or servers that
use SHA-2 signatures will run into interoperability problems.

> Does the message
>
> TLS library problem: 22673:error:0D0C50A1:asn1 encoding
> routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146
>
> indicate a problem on our side?

A misconfiguration on their side, and lack of support for SHA-2
signatures on your side.

> Please let me know if you need any further information. Below the log
> output with debug_peer_list:

Can you report the output of "ldd /usr/libexec/postfix/smtpd" (smtpd
is in $daemon_directory, adjust as necessary).  That will help nail
down the exact OpenSSL version in use.  Also report the O/S
distribution and version of the package that contains the libssl
that smtpd depends on.

I would have expected SHA-2 support as of OpenSSL 1.0.0a.

$ git diff OpenSSL_1_0_0..OpenSSL_1_0_0a ssl/ssl_algs.c
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index a26ae43..0967b2d 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -105,6 +105,14 @@ int SSL_library_init(void)
        EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
        EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
 #endif
+#ifndef OPENSSL_NO_SHA256
+       EVP_add_digest(EVP_sha224());
+       EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+       EVP_add_digest(EVP_sha384());
+       EVP_add_digest(EVP_sha512());
+#endif
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
        EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
        EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Jan P. Kessler-2

>      Signature Algorithm: sha256WithRSAEncryption
>
> It looks your OpenSSL library does not enable this via
> OpenSSL_add_ssl_algorithms().
>
> The use of certificates with signature algorithms other than MD5
> and SHA-1 is supposed to be negotiated via TLSv1.2, plain SSLv3/TLSv1
> do not have a way to negotiate these, and clients or servers that
> use SHA-2 signatures will run into interoperability problems.
> Can you report the output of "ldd /usr/libexec/postfix/smtpd" (smtpd
> is in $daemon_directory, adjust as necessary).  That will help nail
> down the exact OpenSSL version in use.  Also report the O/S
> distribution and version of the package that contains the libssl
> that smtpd depends on.
>
> I would have expected SHA-2 support as of OpenSSL 1.0.0a.

Ok, so the problem seems to be clear. The system uses an ancient openssl
version (sunfreeware package):

# uname -a
SunOS rv-smtpext-201 5.10 Generic_148888-03 sun4v sparc SUNW,T5140

# ldd /opt/vrnetze/postfix/libexec/smtpd
         libdb-4.7.so => /usr/local/BerkeleyDB.4.7/lib/libdb-4.7.so
         libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8
         libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8
         libpcre.so.0 =>  /usr/local/lib/libpcre.so.0
         libresolv.so.2 =>        /lib/libresolv.so.2
         libsocket.so.1 =>        /lib/libsocket.so.1
         libnsl.so.1 =>   /lib/libnsl.so.1
         libc.so.1 =>     /lib/libc.so.1
         librt.so.1 =>    /usr/lib/librt.so.1
         libpthread.so.1 =>       /usr/lib/libpthread.so.1
         libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
         libdl.so.1 =>    /lib/libdl.so.1
         libdevinfo.so.1 =>       /usr/lib/libdevinfo.so.1
         libmp.so.2 =>    /lib/libmp.so.2
         libmd.so.1 =>    /lib/libmd.so.1
         libscf.so.1 =>   /lib/libscf.so.1
         libaio.so.1 =>   /lib/libaio.so.1
         libnvpair.so.1 =>        /lib/libnvpair.so.1
         libsec.so.1 =>   /lib/libsec.so.1
         libgen.so.1 =>   /lib/libgen.so.1
         libdoor.so.1 =>  /lib/libdoor.so.1
         libuutil.so.1 =>         /lib/libuutil.so.1
         libavl.so.1 =>   /lib/libavl.so.1
         libm.so.2 =>     /lib/libm.so.2
         /platform/SUNW,T5140/lib/libc_psr.so.1
         /platform/SUNW,T5140/lib/libmd_psr.so.1

# /usr/local/ssl/bin/openssl version
OpenSSL 0.9.8k 25 Mar 2009

Thank you very much for your help! Is it possible to deactivate the
"smtpd_tls_ask_ccert = yes" setting for this special target? Ideally
without deactivating the complete STARTTLS extension completely?

I understand that the correct solution is an openssl upgrade on our side
(due to other security related reasons), but I need a maintenance window
for this.

Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Viktor Dukhovni
On Fri, Jun 14, 2013 at 05:53:03PM +0200, Jan P. Kessler wrote:

> >I would have expected SHA-2 support as of OpenSSL 1.0.0a.
>
> Ok, so the problem seems to be clear. The system uses an ancient
> openssl version (sunfreeware package):
>
>         libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8
>         libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8
>
> # /usr/local/ssl/bin/openssl version
> OpenSSL 0.9.8k 25 Mar 2009
>
> Thank you very much for your help! Is it possible to deactivate the
> "smtpd_tls_ask_ccert = yes" setting for this special target? Ideally
> without deactivating the complete STARTTLS extension completely?

Only via NAT, if you can divert traffic from this client IP to a
different SMTP listener in which the feature is disabled via
master.cf.

The sender should replace their certificate, it is not compliant
with TLSv1.  This too may take time.

I never enabled ask_ccert on port 25, I had used 587 for that (on
a machine that nevertheless was not an MSA), and clients with special
access configured via ccerts had to use a transport table or similar
to send to a non-default port to get that access.

> I understand that the correct solution is an openssl upgrade on our
> side (due to other security related reasons), but I need a
> maintenance window for this.

Build OpenSSL 1.0.1e from source without shared libraries, just
".a" files (default via OpenSSL's Configure).  Then link Postfix
against that, and deploy.  For example with OpenSSL built in
/var/tmp/openssl (libcrypto.a and libssl.a in that directory, and
include files in /var/tmp/openssl/include) build as follows (adjusting
paths as required):

#! /bin/sh

DEST=/usr/local
CCARGS='-DUSE_TLS -I/var/tmp/openssl/include ...'
AUXLIBS='-L/var/tmp/openssl -lssl -lcrypto ...'

while read -r name val
do
    CCARGS="$CCARGS $(printf -- '-D%s=\\"%s\\"' $name $val)"
done <<EOF
    DEF_COMMAND_DIR         $DEST/sbin
    DEF_CONFIG_DIR          $DEST/etc
    DEF_DAEMON_DIR          $DEST/libexec
    DEF_MAILQ_PATH          /usr/bin/mailq
    DEF_HTML_DIR            $DEST/html
    DEF_MANPAGE_DIR         $DEST/man
    DEF_NEWALIAS_PATH       /usr/bin/newaliases
    DEF_README_DIR          $DEST/readme
    DEF_SENDMAIL_PATH       /usr/sbin/sendmail
EOF
make -f Makefile.init "CCARGS=$CCARGS" "AUXLIBS=$AUXLIBS" makefiles
make

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Jan P. Kessler-2

> The sender should replace their certificate, it is not compliant with
> TLSv1. This too may take time.
>
> I never enabled ask_ccert on port 25, I had used 587 for that (on a
> machine that nevertheless was not an MSA), and clients with special
> access configured via ccerts had to use a transport table or similar
> to send to a non-default port to get that access.

Thank you for the detailed analysis. I will give them a hint. Although
the chance might be small that they will have other partners using old
ssl versions and asking for their ccert, they should know about that.
The interesting part for me is, that smtp (means when we sent mails to
them using tls) had no problems with their sha2 cert.

I will consider switching to submission port for our
ccert-whitelisted/authenticated partners, too. It was the first time we
encounter problems with that setting since several years (I was aware of
the warning note in the docs, but it always worked for us).

>> I understand that the correct solution is an openssl upgrade on
>> our side (due to other security related reasons), but I need a
>> maintenance window for this.
>
> Build OpenSSL 1.0.1e from source without shared libraries, just ".a"
> files (default via OpenSSL's Configure). Then link Postfix against
> that, and deploy. For example with OpenSSL built in /var/tmp/openssl
> (libcrypto.a and libssl.a in that directory, and include files in
> /var/tmp/openssl/include) build as follows (adjusting paths as
> required):

Fortunately I was able to get a change window for one of the nodes last
night. After the prodecure below everything seems to be fine now on this
machine. I'll wait some days and update the other nodes, too. Thanks
again for your assistance!

# self compiled things here
BASE=/opt/vrnetze
# sunstudio compiler
CC=/opt/SUNWspro/bin/cc
CXX=/opt/SUNWspro/bin/cc

# openssl
./Configure \
    --prefix=${BASE}/openssl \
    --openssldir=${BASE}/openssl \
    solaris-sparcv9-cc
make; make install

# postfix
MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
-R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
-L/usr/local/lib"
MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
-I/usr/local/include"

make tidy; make makefiles \
    CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
    AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
make; make upgrade


Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Viktor Dukhovni
On Sat, Jun 15, 2013 at 12:07:26PM +0200, Jan P. Kessler wrote:

> # openssl
> ./Configure \
>     --prefix=${BASE}/openssl \
>     --openssldir=${BASE}/openssl \
>     solaris-sparcv9-cc
> make; make install
>
> # postfix
> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
> -L/usr/local/lib"
> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
> -I/usr/local/include"
>
> make tidy; make makefiles \
>     CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
>     AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
> make; make upgrade

If you're interested, I now have another option for you, a Postfix
patch that will likely enable support for SHA-2 digests even when
Postfix is compiled and linked with OpenSSL 0.9.8.

Keep in mind that that latest OpenSSL 0.9.8 patch level is now
0.9.8y, and I seem to recall that you had 0.9.8k which likely
various unpatched bugs.  So you should probably upgrade the system's
OpenSSL 0.9.8 libraries to 0.9.8y.

The patch is for DANE support with OpenSSL 1.0.0 (first release
before 1.0.0a) and some systems with older 1.1.0-dev snapshots,
but should also address your problem.

--- src/tls/tls_misc.c
+++ src/tls/tls_misc.c
@@ -1129,6 +1129,24 @@ int     tls_validate_digest(const char *dgst)
     unsigned int md_len;
 
     /*
+     * Register SHA-2 digests, if implemented and not already registered.
+     * Improves interoperability with clients and servers that prematurely
+     * deploy SHA-2 certificates.  Also facilitates DANE and TA support.
+     */
+#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
+    if (!EVP_get_digestbyname(LN_sha224))
+ EVP_add_digest(EVP_sha224());
+    if (!EVP_get_digestbyname(LN_sha256))
+ EVP_add_digest(EVP_sha256());
+#endif
+#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
+    if (!EVP_get_digestbyname(LN_sha384))
+ EVP_add_digest(EVP_sha384());
+    if (!EVP_get_digestbyname(LN_sha512))
+ EVP_add_digest(EVP_sha512());
+#endif
+
+    /*
      * If the administrator specifies an unsupported digest algorithm, fail
      * now, rather than in the middle of a TLS handshake.
      */

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Jan P. Kessler-2

>> # openssl
>> ./Configure \
>>     --prefix=${BASE}/openssl \
>>     --openssldir=${BASE}/openssl \
>>     solaris-sparcv9-cc
>> make; make install
>>
>> # postfix
>> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
>> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
>> -L/usr/local/lib"
>> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
>> -I/usr/local/include"
>>
>> make tidy; make makefiles \
>>     CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
>>     AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
>> make; make upgrade

The openssl update from 0.9.8k to 1.0.1e solved the client certificate
issue. Unfortunately now we see another problem with the outgoing
instance, trying to send to another partner with mandatory TLS:

Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.21] said: 403
4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:28:55 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] 704A35DD5: to=<[hidden email]>,
relay=mxtls.allianz.com[194.127.3.22]:25, delay=62663,
delays=62662/0/0.54/0.01, dsn=4.7.0, status=deferred (host
mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0
less than 256 (in reply to MAIL FROM command))

BEFORE UPGRADE:
Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
mail.info] certificate verification failed for
mxtls.allianz.com[194.127.3.21]:25: untrusted issuer /C=US/O=VeriSign,
Inc./OU=Class 3 Public Primary Certification Authority
Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
mail.info] Untrusted TLS connection established to
mxtls.allianz.com[194.127.3.21]:25: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)
Jun 14 11:43:42 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
mail.info] 19688599D: to=<[hidden email]>,
relay=mxtls.allianz.com[194.127.3.21]:25, delay=0.94,
delays=0.03/0/0.48/0.43, dsn=2.0.0, status=sent (250 2.0.0
r5E9hfN2006147 Message accepted for delivery)

Other outgoing TLS connections seem to work fine:

Jun 16 00:29:52 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] setting up TLS connection to
gmail-smtp-in.l.google.com[173.194.70.26]:25
Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] Trusted TLS connection established to
gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher
ECDHE-RSA-RC4-SHA (128/128 bits)
Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
mail.info] CBF8256AD: to=<[hidden email]>,
relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.85,
delays=0.01/0/0.18/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1371335393
b5si7050738eew.190 - gsmtp)

Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
setting up TLS connection to smail2-neu.mailintern.local[10.221.24.22]:25
Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
Trusted TLS connection established to
smail2-neu.mailintern.local[10.221.24.22]:25: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 00:29:55 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
6195A56F4: to=<[hidden email]>,
relay=smail2-neu.mailintern.local[10.221.24.22]:25, delay=11,
delays=11/0/0.14/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
98BABC6DA0)

Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
mail.info] setting up TLS connection to smtpcl3.fiducia.de[195.200.34.38]:25
Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
mail.info] smtpcl3.fiducia.de[195.200.34.38]:25: re-using session with
untrusted certificate, look for details earlier in the log
Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
mail.info] Untrusted TLS connection established to
smtpcl3.fiducia.de[195.200.34.38]:25: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 00:29:58 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
mail.info] 932B356AF: to=<[hidden email]>,
relay=smtpcl3.fiducia.de[195.200.34.38]:25, delay=2.1,
delays=0.58/0.07/0.26/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
as 7C5731C8C89)

I have already tried to wipe the smtp_scache.db without success. Could
you give me another hint? Verbose logs and configuration follow at the
end of this mail.

> If you're interested, I now have another option for you, a Postfix
> patch that will likely enable support for SHA-2 digests even when
> Postfix is compiled and linked with OpenSSL 0.9.8.

May I ask if this would have a chance to be included in future postfix
releases? Just to know if postfix has to be patched again with updates.

> Keep in mind that that latest OpenSSL 0.9.8 patch level is now
> 0.9.8y, and I seem to recall that you had 0.9.8k which likely
> various unpatched bugs.  So you should probably upgrade the system's
> OpenSSL 0.9.8 libraries to 0.9.8y.

Thanks, but the 0.9.8k openssl lib is anyway not the solaris 10 default.
It was installed separately some time ago from a different source
(sunfreeware) to compile postfix. I'd prefer to drop it completely. It
is not used by other software on these systems.

# postconf -c /etc/postfix/OUT mail_version
mail_version = 2.8.13
# /opt/vrnetze/openssl/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013

# postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
# postqueue -c /etc/postfix/OUT -i 704A35DD5
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] mxtls.allianz.com[194.127.3.22]:25: TLS cipher list
"aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] looking for session
smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
in smtp cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
mail.info] lookup smtp session
id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] SSL_connect:before/connect initialization
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 b7
....f... b..Q....
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0010 a5 91 88 61 35 5b 04 b0|16 00 7a 15 84 3c b5 0b
...a5[.. ..z..<..
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0020 59 23 37 d6 e4 7d 6f 15|82 8f c6 00 00 ca c0 19
Y#7..}o. ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28  .
...m.: ...0.,.(
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b
.$....." .!.....k
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a
.j.9.8.. ...2...*
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17
.&...... .=.5....
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34
........ .....l.4
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09
...F./.+ .'.#....
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32
........ .g.@.3.2
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25
.....E.D .1.-.).%
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07
.......< ./...A..
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04
........ ...o....
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19
.......4 .2......
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00
........ .....#..
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02  ...".
.. ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01                
........ ...
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] SSL_connect:SSLv2/v3 write client hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] SSL_connect:error in SSLv2/v3 read server hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] remove session
smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
from client cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
mail.info] delete smtp session
id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.22] said: 403
4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] mxtls.allianz.com[194.127.3.21]:25: TLS cipher list
"aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] looking for session
smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
in smtp cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
mail.info] lookup smtp session
id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] SSL_connect:before/connect initialization
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] write to 000A3418 [000F6020] (363 bytes => 363 (0x16B))
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 70
....f... b..Q...p
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0010 e9 dc 5b a9 11 c3 47 1e|77 5b 4a a8 81 81 26 40
..[...G. w[J...&@
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0020 e2 0a 41 b0 2e b9 96 2c|2e 63 e4 00 00 ca c0 19
..A...., .c......
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28  .
...m.: ...0.,.(
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b
.$....." .!.....k
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a
.j.9.8.. ...2...*
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17
.&...... .=.5....
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34
........ .....l.4
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09
...F./.+ .'.#....
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32
........ .g.@.3.2
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25
.....E.D .1.-.).%
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07
.......< ./...A..
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04
........ ...o....
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19
.......4 .2......
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00
........ .....#..
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02  ...".
.. ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01
........ ........
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01                
........ ...
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] SSL_connect:SSLv2/v3 write client hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] read from 000A3418 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] SSL_connect:error in SSLv2/v3 read server hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] remove session
smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
from client cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
mail.info] delete smtp session
id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
mail.info] 704A35DD5: to=<[hidden email]>,
relay=mxtls.allianz.com[194.127.3.21]:25, delay=64211,
delays=64211/0/0.54/0.01, dsn=4.7.0, status=deferred (host
mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0
less than 256 (in reply to MAIL FROM command))


# egrep -v "^#" /etc/postfix/OUT/master.cf
smtp26  inet    n       -       n       -       200     smtpd
  -o smtpd_client_connection_count_limit=100
cryptosmtp      unix    -       -       n       -       50      smtp
  -o smtp_data_done_timeout=1200
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus     unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
$recipient

# postconf -c /etc/postfix/OUT -n
alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
body_checks = pcre:/etc/postfix/OUT/body_checks
body_checks_size_limit = 512000
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /opt/vrnetze/postfix/sbin
config_directory = /etc/postfix/OUT
daemon_directory = /opt/vrnetze/postfix/libexec
data_directory = /var/spool/postfix-OUT/DATA
debug_peer_level = 2
default_privs = nobody
default_process_limit = 200
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/OUT/header_checks
html_directory = no
inet_interfaces = all
luser_relay = [hidden email]
mail_name = Mailservice
mail_owner = postfix
mailbox_size_limit = 56000001
mailq_path = /usr/bin/mailq
manpage_directory = /opt/vrnetze/postfix/man
maximal_queue_lifetime = 3d
message_size_limit = 56000000
mime_header_checks = pcre:/etc/postfix/OUT/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mydomain = EXAMPLE.COM
myhostname = mail.EXAMPLE.COM
mynetworks = /etc/postfix/relay_from_networks
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
queue_directory = /var/spool/postfix-OUT
readme_directory = /opt/vrnetze/postfix/doc
receive_override_options = no_address_mappings
relay_domains = /etc/postfix/relay_to_domains
sample_directory = /etc/postfix
sender_canonical_maps = btree:/etc/postfix/sender_canonical
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtp_enforce_tls = no
smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtp_tls_key_file = /etc/postfix/CERTS/key.pem
smtp_tls_loglevel = 1
smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
smtp_tls_scert_verifydepth = 8
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Mailservice
smtpd_enforce_tls = no
smtpd_recipient_restrictions = reject_non_fqdn_recipient,      
reject_non_fqdn_sender, permit_mynetworks,      reject
smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 8
smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
syslog_name = postfix-OUT
transport_maps = btree:/etc/postfix/fehlerdomains,
btree:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_local_recipient_reject_code = 550


Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Jan P. Kessler-2
some additional information:

# /opt/vrnetze/openssl/bin/openssl s_client -connect
mxtls.allianz.com:25 -starttls smtp
CONNECTED(00000004)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=Bayern/L=Unterf\xC3\xB6hring/O=Allianz Managed Operations
& Services SE/OU=Allianz Group/CN=*.allianz.de
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVzCCBD+gAwIBAgIQRje+sRdEDc8quKMQfyp3vTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTMwMjE5
MDAwMDAwWhcNMTQwMjI0MjM1OTU5WjCBmDELMAkGA1UEBhMCREUxDzANBgNVBAgM
BkJheWVybjEWMBQGA1UEBwwNVW50ZXJmw7ZocmluZzExMC8GA1UECgwoQWxsaWFu
eiBNYW5hZ2VkIE9wZXJhdGlvbnMgJiBTZXJ2aWNlcyBTRTEWMBQGA1UECwwNQWxs
aWFueiBHcm91cDEVMBMGA1UEAwwMKi5hbGxpYW56LmRlMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA34vFk6ijdJ5H/IdHOPvyvFPa/I/CN0+NvhmgluJs
5p2IebxKNYZb+K7PiQSMD+aeFLw8EEbKdRIya7+KgKKkcrWKXMY68dZ3ehANvm7L
OEQgSy0DsGsWEH5HUUw2vzY9Se66LNwYausPWwEOP2dBCtPq6xISAzv0WmL89z4b
CuxjQV1pK9Qm7Ee5bm9gIpTRHm8NXxyRCg0G49e+cU8D2+8NaYO/N1kLhnXXGKFx
oo/wXEuqCD4SR0JDLq/Ues3o+pH/ObALlaZpl0DLOws4tCADGM36v8VmWA/PEMuT
kowK2RxlNG1YHpp8CJutta9Ah4JvX/p4J4XrjR8In8gw1QIDAQABo4IBfDCCAXgw
FwYDVR0RBBAwDoIMKi5hbGxpYW56LmRlMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD
AgWgMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZl
cmlzaWduLmNvbS9TVlJTZWN1cmVHMy5jcmwwQwYDVR0gBDwwOjA4BgpghkgBhvhF
AQc2MCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9jcHMw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFA1EXBZT
RMGCfh0gqyX0AWPYvnmlMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0
cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUFBzAChjRodHRwOi8vU1ZSU2Vj
dXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY2VyMA0GCSqGSIb3
DQEBBQUAA4IBAQCTj4I2An6Sg02mjUwdNpbw+QwBZPnjixLFOTY02ehBGJ80eF1Y
HkyCJQXiyuL9yiqdDU0iB+HfPkz8ASAPKpH2GZqU57hq0GEADrqift/3XVg681UF
hvKBG6ciVrS2bgXpdBAE8XMMoLbbvruom4UrjphFMY4gNMkjFUn8kzNP8pFFuODx
/26V6m/VSuqUq9H51F1G4NpsfAWJMrPatmnKBLV2nGhTMXe1AOraDGKTEFiM4DLf
hOO3G/LjE0PLt1ALv3HagnWR5PbtSxVwaMHWdClHzWiwhaimtwiBZkbn1UN6FENI
mF7X2lcyxk5n5Q5mGCNQQaIxkre04F8oXtAM
-----END CERTIFICATE-----
subject=/C=DE/ST=Bayern/L=Unterf\xC3\xB6hring/O=Allianz Managed
Operations & Services SE/OU=Allianz Group/CN=*.allianz.de
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server
CA - G3
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
SSL handshake has read 6159 bytes and written 566 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
27BA0212310594A9E6BFA40D0ECB0D11C6B5AC6C0D43262B551072C99AE6AEF6
    Session-ID-ctx:
    Master-Key:
00F84A8BEE171D1DD0DDE339984755CD253E804DDD7039A1C496D7348F03CF170F1B485133EFC1E67F5669279761A2D0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 2c cb a1 28 60 8d dd ab-22 b3 fd 81 d4 bd 2d fd  
,..(`...".....-.
    0010 - 35 30 7e 80 4a ea 42 fd-2a 17 ec 73 3d b7 51 7d  
50~.J.B.*..s=.Q}
    0020 - 48 7b 70 69 eb ed 92 2b-df 11 af 10 7a 81 30 63  
H{pi...+....z.0c
    0030 - b1 04 54 a9 e3 e8 80 63-e4 72 a3 01 95 c4 56 e9  
..T....c.r....V.
    0040 - 32 b5 2e 55 8b ae 34 da-29 73 90 82 1f 4a e0 f7  
2..U..4.)s...J..
    0050 - ff f9 dd 3e d5 f1 33 6c-34 7a ed 59 4a 8f 38 ae  
...>..3l4z.YJ.8.
    0060 - 6b e0 49 5d 4b 1b bf 27-5b 64 86 a4 e5 38 3e 9b  
k.I]K..'[d...8>.
    0070 - e8 a7 81 75 92 78 02 10-5d e5 be a2 c8 f9 87 7b  
...u.x..]......{
    0080 - eb bb c7 90 c7 70 0f 63-83 cf 20 d5 b3 65 33 a4   .....p.c..
..e3.
    0090 - 65 34 18 75 10 6b 91 0f-73 af 9b 79 43 a4 a8 de  
e4.u.k..s..yC...

    Start Time: 1371343913
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
HELO mail.EXAMPLE.COM
250 mailgw.allianz.de Hello mail.EXAMPLE.COM [91.235.236.8], pleased to
meet you
MAIL FROM:[hidden email]
250 2.1.0 [hidden email]... Sender ok
RCPT TO:[hidden email]
RENEGOTIATING
[CTRL+C]



Am 16.06.2013 01:58, schrieb Jan P. Kessler:

> >> # openssl
> >> ./Configure \
> >>     --prefix=${BASE}/openssl \
> >>     --openssldir=${BASE}/openssl \
> >>     solaris-sparcv9-cc
> >> make; make install
> >>
> >> # postfix
> >> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
> >> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
> >> -L/usr/local/lib"
> >> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
> >> -I/usr/local/include"
> >>
> >> make tidy; make makefiles \
> >>     CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
> >>     AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
> >> make; make upgrade
>
> The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> issue. Unfortunately now we see another problem with the outgoing
> instance, trying to send to another partner with mandatory TLS:
>
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.21] said: 403
> 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:28:55 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] 704A35DD5: to=<[hidden email]>,
> relay=mxtls.allianz.com[194.127.3.22]:25, delay=62663,
> delays=62662/0/0.54/0.01, dsn=4.7.0, status=deferred (host
> mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0
> less than 256 (in reply to MAIL FROM command))
>
> BEFORE UPGRADE:
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
> mail.info] certificate verification failed for
> mxtls.allianz.com[194.127.3.21]:25: untrusted issuer /C=US/O=VeriSign,
> Inc./OU=Class 3 Public Primary Certification Authority
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
> mail.info] Untrusted TLS connection established to
> mxtls.allianz.com[194.127.3.21]:25: TLSv1 with cipher DHE-RSA-AES256-SHA
> (256/256 bits)
> Jun 14 11:43:42 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
> mail.info] 19688599D: to=<[hidden email]>,
> relay=mxtls.allianz.com[194.127.3.21]:25, delay=0.94,
> delays=0.03/0/0.48/0.43, dsn=2.0.0, status=sent (250 2.0.0
> r5E9hfN2006147 Message accepted for delivery)
>
> Other outgoing TLS connections seem to work fine:
>
> Jun 16 00:29:52 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] setting up TLS connection to
> gmail-smtp-in.l.google.com[173.194.70.26]:25
> Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] Trusted TLS connection established to
> gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher
> ECDHE-RSA-RC4-SHA (128/128 bits)
> Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] CBF8256AD: to=<[hidden email]>,
> relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.85,
> delays=0.01/0/0.18/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1371335393
> b5si7050738eew.190 - gsmtp)
>
> Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
> setting up TLS connection to smail2-neu.mailintern.local[10.221.24.22]:25
> Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
> Trusted TLS connection established to
> smail2-neu.mailintern.local[10.221.24.22]:25: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> Jun 16 00:29:55 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
> 6195A56F4: to=<[hidden email]>,
> relay=smail2-neu.mailintern.local[10.221.24.22]:25, delay=11,
> delays=11/0/0.14/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
> 98BABC6DA0)
>
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
> mail.info] setting up TLS connection to smtpcl3.fiducia.de[195.200.34.38]:25
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
> mail.info] smtpcl3.fiducia.de[195.200.34.38]:25: re-using session with
> untrusted certificate, look for details earlier in the log
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
> mail.info] Untrusted TLS connection established to
> smtpcl3.fiducia.de[195.200.34.38]:25: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> Jun 16 00:29:58 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
> mail.info] 932B356AF: to=<[hidden email]>,
> relay=smtpcl3.fiducia.de[195.200.34.38]:25, delay=2.1,
> delays=0.58/0.07/0.26/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
> as 7C5731C8C89)
>
> I have already tried to wipe the smtp_scache.db without success. Could
> you give me another hint? Verbose logs and configuration follow at the
> end of this mail.
>
> > If you're interested, I now have another option for you, a Postfix
> > patch that will likely enable support for SHA-2 digests even when
> > Postfix is compiled and linked with OpenSSL 0.9.8.
>
> May I ask if this would have a chance to be included in future postfix
> releases? Just to know if postfix has to be patched again with updates.
>
> > Keep in mind that that latest OpenSSL 0.9.8 patch level is now
> > 0.9.8y, and I seem to recall that you had 0.9.8k which likely
> > various unpatched bugs.  So you should probably upgrade the system's
> > OpenSSL 0.9.8 libraries to 0.9.8y.
>
> Thanks, but the 0.9.8k openssl lib is anyway not the solaris 10 default.
> It was installed separately some time ago from a different source
> (sunfreeware) to compile postfix. I'd prefer to drop it completely. It
> is not used by other software on these systems.
>
> # postconf -c /etc/postfix/OUT mail_version
> mail_version = 2.8.13
> # /opt/vrnetze/openssl/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013
>
> # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
> # postqueue -c /etc/postfix/OUT -i 704A35DD5
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] mxtls.allianz.com[194.127.3.22]:25: TLS cipher list
> "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] looking for session
> smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> in smtp cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
> mail.info] lookup smtp session
> id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:before/connect initialization
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 b7
> ....f... b..Q....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0010 a5 91 88 61 35 5b 04 b0|16 00 7a 15 84 3c b5 0b
> ...a5[.. ..z..<..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0020 59 23 37 d6 e4 7d 6f 15|82 8f c6 00 00 ca c0 19
> Y#7..}o. ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28  .
> ...m.: ...0.,.(
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b
> .$....." .!.....k
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a
> .j.9.8.. ...2...*
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17
> .&...... .=.5....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34
> ........ .....l.4
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09
> ...F./.+ .'.#....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32
> ........ .g.@.3.2
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25
> .....E.D .1.-.).%
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07
> .......< ./...A..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04
> ........ ...o....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19
> .......4 .2......
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00
> ........ .....#..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02  ...".
> .. ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01                
> ........ ...
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
> Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:error in SSLv2/v3 read server hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] remove session
> smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> from client cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
> mail.info] delete smtp session
> id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.22] said: 403
> 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] mxtls.allianz.com[194.127.3.21]:25: TLS cipher list
> "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] looking for session
> smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> in smtp cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
> mail.info] lookup smtp session
> id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:before/connect initialization
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] write to 000A3418 [000F6020] (363 bytes => 363 (0x16B))
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 70
> ....f... b..Q...p
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0010 e9 dc 5b a9 11 c3 47 1e|77 5b 4a a8 81 81 26 40
> ..[...G. w[J...&@
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0020 e2 0a 41 b0 2e b9 96 2c|2e 63 e4 00 00 ca c0 19
> ..A...., .c......
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28  .
> ...m.: ...0.,.(
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b
> .$....." .!.....k
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a
> .j.9.8.. ...2...*
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17
> .&...... .=.5....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34
> ........ .....l.4
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09
> ...F./.+ .'.#....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32
> ........ .g.@.3.2
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25
> .....E.D .1.-.).%
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07
> .......< ./...A..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04
> ........ ...o....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19
> .......4 .2......
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00
> ........ .....#..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02  ...".
> .. ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01                
> ........ ...
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] read from 000A3418 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
> Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:error in SSLv2/v3 read server hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] remove session
> smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> from client cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
> mail.info] delete smtp session
> id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 704A35DD5: to=<[hidden email]>,
> relay=mxtls.allianz.com[194.127.3.21]:25, delay=64211,
> delays=64211/0/0.54/0.01, dsn=4.7.0, status=deferred (host
> mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0
> less than 256 (in reply to MAIL FROM command))
>
>
> # egrep -v "^#" /etc/postfix/OUT/master.cf
> smtp26  inet    n       -       n       -       200     smtpd
>   -o smtpd_client_connection_count_limit=100
> cryptosmtp      unix    -       -       n       -       50      smtp
>   -o smtp_data_done_timeout=1200
> tlsmgr    unix  -       -       n       1000?   1       tlsmgr
> pickup    fifo  n       -       n       60      1       pickup
> cleanup   unix  n       -       n       -       0       cleanup
> qmgr      fifo  n       -       n       300     1       qmgr
> rewrite   unix  -       -       n       -       -       trivial-rewrite
> bounce    unix  -       -       n       -       0       bounce
> defer     unix  -       -       n       -       0       bounce
> trace     unix  -       -       n       -       0       bounce
> verify    unix  -       -       n       -       1       verify
> flush     unix  n       -       n       1000?   0       flush
> proxymap  unix  -       -       n       -       -       proxymap
> smtp      unix  -       -       n       -       -       smtp
> relay     unix  -       -       n       -       -       smtp
> showq     unix  n       -       n       -       -       showq
> error     unix  -       -       n       -       -       error
> discard   unix  -       -       n       -       -       discard
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
> anvil     unix  -       -       n       -       1       anvil
> scache    unix  -       -       n       -       1       scache
> maildrop  unix  -       n       n       -       -       pipe
>   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> old-cyrus unix  -       n       n       -       -       pipe
>   flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> cyrus     unix  -       n       n       -       -       pipe
>   user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
> uucp      unix  -       n       n       -       -       pipe
>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
> ($recipient)
> ifmail    unix  -       n       n       -       -       pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp     unix  -       n       n       -       -       pipe
>   flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
> $recipient
>
> # postconf -c /etc/postfix/OUT -n
> alias_database = hash:/etc/postfix/aliases
> alias_maps = $alias_database
> body_checks = pcre:/etc/postfix/OUT/body_checks
> body_checks_size_limit = 512000
> bounce_queue_lifetime = 3d
> bounce_template_file = /etc/postfix/bounce.cf
> command_directory = /opt/vrnetze/postfix/sbin
> config_directory = /etc/postfix/OUT
> daemon_directory = /opt/vrnetze/postfix/libexec
> data_directory = /var/spool/postfix-OUT/DATA
> debug_peer_level = 2
> default_privs = nobody
> default_process_limit = 200
> disable_vrfy_command = yes
> fast_flush_domains = $relay_domains
> header_checks = pcre:/etc/postfix/OUT/header_checks
> html_directory = no
> inet_interfaces = all
> luser_relay = [hidden email]
> mail_name = Mailservice
> mail_owner = postfix
> mailbox_size_limit = 56000001
> mailq_path = /usr/bin/mailq
> manpage_directory = /opt/vrnetze/postfix/man
> maximal_queue_lifetime = 3d
> message_size_limit = 56000000
> mime_header_checks = pcre:/etc/postfix/OUT/mime_header_checks
> mydestination = $myhostname, localhost.$mydomain
> mydomain = EXAMPLE.COM
> myhostname = mail.EXAMPLE.COM
> mynetworks = /etc/postfix/relay_from_networks
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases
> proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
> queue_directory = /var/spool/postfix-OUT
> readme_directory = /opt/vrnetze/postfix/doc
> receive_override_options = no_address_mappings
> relay_domains = /etc/postfix/relay_to_domains
> sample_directory = /etc/postfix
> sender_canonical_maps = btree:/etc/postfix/sender_canonical
> sendmail_path = /usr/lib/sendmail
> setgid_group = postdrop
> smtp_enforce_tls = no
> smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
> smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
> smtp_tls_key_file = /etc/postfix/CERTS/key.pem
> smtp_tls_loglevel = 1
> smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
> smtp_tls_scert_verifydepth = 8
> smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
> smtp_tls_session_cache_timeout = 3600s
> smtp_use_tls = yes
> smtpd_banner = $myhostname ESMTP Mailservice
> smtpd_enforce_tls = no
> smtpd_recipient_restrictions = reject_non_fqdn_recipient,      
> reject_non_fqdn_sender, permit_mynetworks,      reject
> smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
> smtpd_tls_ask_ccert = yes
> smtpd_tls_ccert_verifydepth = 8
> smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
> smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = no
> smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> soft_bounce = no
> syslog_name = postfix-OUT
> transport_maps = btree:/etc/postfix/fehlerdomains,
> btree:/etc/postfix/transport
> unknown_address_reject_code = 554
> unknown_local_recipient_reject_code = 550
>
>

Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Viktor Dukhovni
In reply to this post by Jan P. Kessler-2
On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:

> The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> issue. Unfortunately now we see another problem with the outgoing
> instance, trying to send to another partner with mandatory TLS:

> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553

Disable TLSv1.1 and TLSv1.2 for this destination.  Use the protocols
attribute in the Postfix policy table.

> > If you're interested, I now have another option for you, a Postfix
> > patch that will likely enable support for SHA-2 digests even when
> > Postfix is compiled and linked with OpenSSL 0.9.8.
>
> May I ask if this would have a chance to be included in future postfix
> releases? Just to know if postfix has to be patched again with updates.

My suggestion for Wietse was to include this in 2.10.1, and any
future updates for earlier releases.  I'll also add another small
patch to solve bitrot with the server TLS session cache that is
triggered by OpenSSL enabling TLSv1 session tickets.  (Basically,
just add SSL_OP_NO_TICKETS to the server-side session options).

> # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3

Don't enable levels higher than 2 unless requested.

> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))

Server hangs up after client SSL hello.  Perhaps too many ciphers,
or perhaps protocol compatibility issues, or something else entirely,
but what's new with 1.0.1e is mostly more ciphers and new protocols.

Try adding "protocols=TLSv1" to the policy entry for this site,
and if your Postfix is sufficiently new (and knows about TLSv1.1
and TLSv1.2) all other protocols will be disabled, and you may find
that TLS works for you again.

You've sure had some wicked bad luck with picking TLS partner sites. :-(

--
        Viktor.
Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Jan P. Kessler-2
Am 16.06.2013 05:00, schrieb Viktor Dukhovni:

> On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:
>
> > The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> > issue. Unfortunately now we see another problem with the outgoing
> > instance, trying to send to another partner with mandatory TLS:
>
> > mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
>
> Disable TLSv1.1 and TLSv1.2 for this destination.  Use the protocols
> attribute in the Postfix policy table.

Thanks, that worked (postfix 2.8.13):

policy_table:
[mxtls.allianz.com]             verify protocols=SSLv3:TLSv1

# postqueue -c /etc/postfix/OUT -i 704A35DD5
Jun 16 10:31:04 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553
mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
Jun 16 10:31:05 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553
mail.info] Trusted TLS connection established to
mxtls.allianz.com[194.127.3.22]:25: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)
Jun 16 10:31:06 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553
mail.info] 704A35DD5: to=<[hidden email]>,
relay=mxtls.allianz.com[194.127.3.22]:25, delay=98794,
delays=98792/0/0.43/1.8, dsn=2.0.0, status=sent (250 2.0.0
r5G8V4q9023307 Message accepted for delivery)

> > # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
>
> Don't enable levels higher than 2 unless requested.

Yes, of course. Our normal setting is 1. Used this only for a second.

> Try adding "protocols=TLSv1" to the policy entry for this site,
> and if your Postfix is sufficiently new (and knows about TLSv1.1
> and TLSv1.2) all other protocols will be disabled, and you may find
> that TLS works for you again.
>
> You've sure had some wicked bad luck with picking TLS partner sites. :-(

Yep, that's what I thought, too ;)

Currently I fear, that other partners might be also affected about this.
Now the queues are almost empty but most traffic with other mandatory
TLS partner sites will start to continue during work hours Mo-Fr and
I'll be out of office for a week. What do you think about deactivating
v1.1 and v1.2 globally?

Currently:
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2

Suggestion:
smtp_tls_mandatory_protocols = !SSLv2 !TLSv1.1 !TLSv1.2
smtp_tls_protocols = !SSLv2

Will this work or are we expected to run into other compatibility issues
with that from your experience?

P.S.: On one machine I tried to switch to a shared openssl 1.0.1e build
which also seems to work fine:

# ldd /opt/vrnetze/postfix/libexec/smtpd|grep -i ssl
        libssl.so.1.0.0 =>       /opt/vrnetze/openssl/lib/libssl.so.1.0.0
        libcrypto.so.1.0.0 =>    /opt/vrnetze/openssl/lib/libcrypto.so.1.0.0

Am I right concluding that this won't require a postfix rebuild on new
openssl 1.0.x versions?

Again, thank you very much for your time and thoughts!

Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

/dev/rob0
In reply to this post by Jan P. Kessler-2
Beside the point, yet possibly of interest:

On Sun, Jun 16, 2013 at 03:07:01AM +0200, Jan P. Kessler wrote:
> # /opt/vrnetze/openssl/bin/openssl s_client -connect
> mxtls.allianz.com:25 -starttls smtp
> CONNECTED(00000004)
snip

> ---
> 250 HELP
> HELO mail.EXAMPLE.COM
> 250 mailgw.allianz.de Hello mail.EXAMPLE.COM [91.235.236.8],
> pleased to meet you
> MAIL FROM:[hidden email]
> 250 2.1.0 [hidden email]... Sender ok
> RCPT TO:[hidden email]
> RENEGOTIATING
> [CTRL+C]

Excerpt from s_client(1) manual:

"
CONNECTED COMMANDS
 If a connection is established with an SSL server then any data
received from the server is displayed and any key presses will be
sent to the server. When used interactively (which means neither
-quiet nor -ign_eof have been given), the session will be
renegotiated if the line begins with an R, and if the line begins
with a Q or if end of file is reached, the connection will be closed
down.
"

Your workaround is to use lowercase "r" in your RCPT TO command:

rcpt to:<[hidden email]>
rCPT TO:<[hidden email]>
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Reply | Threaded
Open this post in threaded view
|

Re: Problem using TLS: lost connection after STARTTLS

Viktor Dukhovni
In reply to this post by Jan P. Kessler-2
On Sun, Jun 16, 2013 at 11:13:05AM +0200, Jan P. Kessler wrote:

> > Disable TLSv1.1 and TLSv1.2 for this destination.  Use the protocols
> > attribute in the Postfix policy table.
>
> Thanks, that worked (postfix 2.8.13):
>
> policy_table:
> [mxtls.allianz.com]             verify protocols=SSLv3:TLSv1

With the destination domain in [], or when "match=..." is explicitly
specified, the "verify" and "secure" levels are identical, otherwise
I would probably shun "verify" and use "secure" with explicit "match"
clauses as required.

> Currently I fear, that other partners might be also affected about this.
> Now the queues are almost empty but most traffic with other mandatory
> TLS partner sites will start to continue during work hours Mo-Fr and
> I'll be out of office for a week. What do you think about deactivating
> v1.1 and v1.2 globally?

Unlikely to cause any harm, and may help with some destinations.
You lose support for AEAD modes which protect against "CRIME" and
"BEAST", but those attacks are browser-specific.

> smtp_tls_mandatory_protocols = !SSLv2
> smtp_tls_protocols = !SSLv2
>
> Suggestion:
> smtp_tls_mandatory_protocols = !SSLv2 !TLSv1.1 !TLSv1.2
> smtp_tls_protocols = !SSLv2

You can set both the same for now.  Ideally there'll be some pressure
on sites with broken TLSv1.2 (TLSv1.1 is a far more modest change)
to get their implementations upgraded.  But if you have critical
traffic, it may be reasonable to be conservative in what you send...

> Will this work or are we expected to run into other compatibility issues
> with that from your experience?

TLSv1 is tried and true and largely sufficient, it is a very safe choice.

> P.S.: On one machine I tried to switch to a shared openssl 1.0.1e build
> which also seems to work fine:
>
> # ldd /opt/vrnetze/postfix/libexec/smtpd|grep -i ssl
>         libssl.so.1.0.0 =>       /opt/vrnetze/openssl/lib/libssl.so.1.0.0
>         libcrypto.so.1.0.0 =>    /opt/vrnetze/openssl/lib/libcrypto.so.1.0.0
>
> Am I right concluding that this won't require a postfix rebuild on new
> openssl 1.0.x versions?

I can't speak for the stability of the OpenSSL ABI.  It is *supposed*
to work, whether it will, only time will tell.  Many other users will
rely on this stability on systems where 1.0.0 or 1.0.1 is the default
OpenSSL library:

    $ openssl version
    OpenSSL 1.0.1e 11 Feb 2013

    $ ldd $(type -p openssl) |
        grep /usr/lib |
        awk '{printf "%-20s %s\n", $1,$3}'
    libssl.so.1.0.0      /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
    libcrypto.so.1.0.0   /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0

--
        Viktor.