Hi,
currently we are experiencing problems with an incoming SMTP/TLS connection. Remote side is an Ironport device, we are using postfix 2.8.13 on solaris 10. The problem exists only for incoming mails (ironport to postfix), the other direction works fine. It happens for both opportunistic (which cisco calls "preferred") and mandatory TLS. As soon as they switch to plaintext, the mails pass through. The problem exists with both of their and both of our relays. On our side we have been using TLS for several years (since 2005/2006) with a lot of partners (some of them have ironports too) and it is the first time that we have such an issue. So the problem seems to be on their side, but I'd prefer to be sure and ideally give them a hint on what's going wrong here:

Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553 mail.info] connect from mail.dgverlag.de[145.253.80.6]
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553 mail.info] setting up TLS connection from mail.dgverlag.de[145.253.80.6]
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553 mail.info] certificate verification failed for mail.dgverlag.de[145.253.80.6]: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553 mail.info] mail.dgverlag.de[145.253.80.6]: Untrusted: subject_CN=DGVDEX.DGVERLAG.DE, issuer=VR IDENT SSL CA 2011, fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:85:9A:55:6D
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553 mail.info] Untrusted TLS connection established from mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731 mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553 mail.info] lost connection after STARTTLS from mail.dgverlag.de[145.253.80.6]
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553 mail.info] disconnect from mail.dgverlag.de[145.253.80.6]

Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553 mail.info] connect from mail2.dgverlag.de[145.253.80.47]
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553 mail.info] setting up TLS connection from mail2.dgverlag.de[145.253.80.47]
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553 mail.info] certificate verification failed for mail2.dgverlag.de[145.253.80.47]: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553 mail.info] SSL_accept error from mail2.dgverlag.de[145.253.80.47]: -1
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 947731 mail.warning] warning: TLS library problem: 22673:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553 mail.info] lost connection after STARTTLS from mail2.dgverlag.de[145.253.80.47]
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553 mail.info] disconnect from mail2.dgverlag.de[145.253.80.47]

Does the message

    TLS library problem: 22673:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146

indicate a problem on our side?

Please let me know if you need any further information. Below the log output with debug_peer_list:

Jan

Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] connect from mail.dgverlag.de[145.253.80.6]
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostname: mail.dgverlag.de ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostaddr: 145.253.80.6 ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_list_match: mail.dgverlag.de: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_list_match: 145.253.80.6: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] send attr request = connect
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] send attr ident = smtp:145.253.80.6
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] private/anvil: wanted attribute: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute name: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute value: 0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] private/anvil: wanted attribute: count
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute name: count
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute value: 1
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] private/anvil: wanted attribute: rate
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute name: rate
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute value: 1
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] private/anvil: wanted attribute: (list terminator)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute name: (end)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] > mail.dgverlag.de[145.253.80.6]: 220 mail.ruv.de ESMTP Mailservice
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] watchdog_pat: 1f7df0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] < mail.dgverlag.de[145.253.80.6]: EHLO mail1.dgverlag.de
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] > mail.dgverlag.de[145.253.80.6]: 250-mail.ruv.de
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] > mail.dgverlag.de[145.253.80.6]: 250-PIPELINING
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] > mail.dgverlag.de[145.253.80.6]: 250-SIZE 56000000
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] > mail.dgverlag.de[145.253.80.6]: 250-ETRN
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_list_match: mail.dgverlag.de: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_list_match: 145.253.80.6: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] > mail.dgverlag.de[145.253.80.6]: 250-STARTTLS
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] > mail.dgverlag.de[145.253.80.6]: 250-ENHANCEDSTATUSCODES
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] > mail.dgverlag.de[145.253.80.6]: 250-8BITMIME
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] > mail.dgverlag.de[145.253.80.6]: 250 DSN
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] watchdog_pat: 1f7df0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] < mail.dgverlag.de[145.253.80.6]: STARTTLS
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] > mail.dgverlag.de[145.253.80.6]: 220 2.0.0 Ready to start TLS
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] setting up TLS connection from mail.dgverlag.de[145.253.80.6]
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] auto_clnt_open: connected to private/tlsmgr
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] send attr request = seed
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] send attr size = 32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] private/tlsmgr: wanted attribute: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute name: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute value: 0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] private/tlsmgr: wanted attribute: seed
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute name: seed
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute value: giSoP2fCUG+iOLAWUWNKWqftNv1pJeqK3SoJ5/eNH1c=
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] private/tlsmgr: wanted attribute: (list terminator)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute name: (end)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] certificate verification failed for mail.dgverlag.de[145.253.80.6]: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] SSL_accept error from mail.dgverlag.de[145.253.80.6]: -1
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 947731 mail.warning] warning: TLS library problem: 16654:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146:
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostname: mail.dgverlag.de ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostaddr: 145.253.80.6 ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_list_match: mail.dgverlag.de: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] match_list_match: 145.253.80.6: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] send attr request = disconnect
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] send attr ident = smtp:145.253.80.6
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] private/anvil: wanted attribute: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute name: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute value: 0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] private/anvil: wanted attribute: (list terminator)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] input attribute name: (end)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] lost connection after STARTTLS from mail.dgverlag.de[145.253.80.6]
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553 mail.info] disconnect from mail.dgverlag.de[145.253.80.6]
Jan P. Kessler:
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:
> Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 947731
> mail.warning] warning: TLS library problem: 22673:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:

They use a message digest function that is not available (or is not turned on) on your side. I'll leave it to Victor or other OpenSSL knowledgeables to find out what message digest type is the problem.

	Wietse
On Fri, Jun 14, 2013 at 12:24:39PM +0200, Jan P. Kessler wrote:
> currently we are experiencing problems with an incoming SMTP/TLS
> connection. Remote side is an Ironport device, we are using postfix
> 2.8.13 on solaris 10.

Please show "postconf -n".

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] certificate verification failed for
> mail.dgverlag.de[145.253.80.6]: untrusted issuer
> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root

Why do you check client certificates?

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] Untrusted TLS connection established from
> mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)

Why do you use RC4? This suite usually has a pretty low preference.

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:

And now openssl gets something it does not like at all.

> Please let me know if you need any further information. Below the log
> output with debug_peer_list:

The documentation tells you to show configs and no verbose log.

Bastian

-- 
I'm frequently appalled by the low regard you Earthmen have for life.
		-- Spock, "The Galileo Seven", stardate 2822.3
>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
>> mail.info] certificate verification failed for
>> mail.dgverlag.de[145.253.80.6]: untrusted issuer
>> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> Why do you check client certificates?

Because we authenticate/whitelist some other systems by their client certificate.

>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
>> mail.info] Untrusted TLS connection established from
>> mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)
> Why do you use RC4? This suite usually have a pretty low preference.

It is the remote side that tries RC4. If we establish a connection to their ironport, the following is used:

Jun 14 11:48:17 rv-smtpext-101 postfix-OUT/smtp[25604]: [ID 197553 mail.info] Untrusted TLS connection established to mail1.dgverlag.de[145.253.80.6]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)

>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
>> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
>> encoding routines:ASN1_item_verify:unknown message digest
>> algorithm:a_verify.c:146:
> And now openssl gets something it does not like at all.
>
>> Please let me know if you need any further information. Below the log
>> output with debug_peer_list:
> The documentation tells you to show configs and no verbose lo.

Bastian, I really don't want to argue here. It is absolutely clear that (as you and others have also noticed) openssl "does not like sth at all" here. And I doubt that "postconf -n" will help with this, but for the sake of clarity you'll find the information below. What I really wanted to know is what exactly "openssl does not like at all" (meaning what kind of message digest is failing here and how we might circumvent/exclude the problem).

postconf -n | sed 's/mydomain/EXAMPLE.COM/g'
address_verify_map = btree:$data_directory/VERIFY_ADDRESS
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 3h
address_verify_poll_count = 3
address_verify_poll_delay = 6
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_sender = [hidden email]
address_verify_transport_maps = btree:/etc/postfix/verify_transport
alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
alternate_config_directories = /etc/postfix/OUT, /etc/postfix/TLSONLY
body_checks = pcre:/etc/postfix/body_checks
body_checks_size_limit = 512000
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /opt/vrnetze/postfix/sbin
config_directory = /etc/postfix
daemon_directory = /opt/vrnetze/postfix/libexec
data_directory = /var/spool/postfix/DATA
debug_peer_level = 2
default_privs = nobody
delay_warning_time = 12h
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
luser_relay = [hidden email]
mail_name = Mailservice
mail_owner = postfix
mailbox_size_limit = 56000001
mailq_path = /usr/bin/mailq
manpage_directory = /opt/vrnetze/postfix/man
maximal_queue_lifetime = 3d
message_size_limit = 56000000
mime_header_checks = pcre:/etc/postfix/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mydomain = EXAMPLE.COM
myhostname = mail.EXAMPLE.COM
mynetworks = /etc/postfix/relay_from_networks
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
plaintext_reject_code = 554
proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
queue_directory = /var/spool/postfix
readme_directory = /opt/vrnetze/postfix/doc
receive_override_options = no_address_mappings
relay_domains = $config_directory/relay_to_domains
remote_header_rewrite_domain = domain.invalid
sample_directory = /etc/postfix
sender_canonical_maps = btree:/etc/postfix/sender_canonical
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtp_enforce_tls = no
smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtp_tls_key_file = /etc/postfix/CERTS/key.pem
smtp_tls_loglevel = 1
smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
smtp_tls_scert_verifydepth = 8
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Mailservice
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce
smtpd_end_of_data_restrictions = check_recipient_access btree:/etc/postfix/GROESSENBESCHRAENKUNG
smtpd_enforce_tls = no
smtpd_helo_required = yes
smtpd_policy_service_max_idle = 700s
smtpd_policy_service_max_ttl = 1800s
smtpd_policy_service_timeout = 600s
smtpd_proxy_timeout = 600s
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_mynetworks, reject_unauth_destination, check_client_access pcre:/etc/postfix/TLS_VERSENDER_CLIENTS, check_sender_access btree:/etc/postfix/TLS_VERSENDER, check_ccert_access btree:/etc/postfix/tls_ccerts, check_client_access cidr:/etc/postfix/CLIENT_WHITELIST, check_sender_access btree:/etc/postfix/ABSENDER_WHITELIST, check_client_access pcre:/etc/postfix/CLIENT_BLACKLIST, check_recipient_access pcre:/etc/postfix/EMPFAENGER_BLACKLIST, check_helo_access pcre:/etc/postfix/HELOCHECK, check_sender_access btree:/etc/postfix/INTERNE_DOMAINS, check_sender_access pcre:/etc/postfix/ABSENDER_BLACKLIST, reject_invalid_helo_hostname, reject_non_fqdn_sender, reject_unknown_sender_domain, check_sender_mx_access cidr:/etc/postfix/PRIVATE_NETZE, reject_rbl_client zen.spamhaus.org, check_recipient_access btree:/etc/postfix/POLICYCHECK, check_recipient_access btree:/etc/postfix/VERIFY_EMPFAENGER, permit
smtpd_restriction_classes = hapolicycheck, hagroessencheck, hagreylistcheck, pfwpolicycheck, greylistcheck, absenderverifizierung, empfaengerverifizierung, groessencheck
smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 8
smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_protocols = SSLv3, TLSv1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
transport_maps = btree:/etc/postfix/fehlerdomains, btree:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
unverified_recipient_reject_reason = User unknown -- Empfaenger nicht gefunden
On Fri, Jun 14, 2013 at 12:24:39PM +0200, Jan P. Kessler wrote:
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] mail.dgverlag.de[145.253.80.6]: Untrusted:
> subject_CN=DGVDEX.DGVERLAG.DE, issuer=VR IDENT SSL CA 2011,
> fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:85:9A:55:6D

Certificate details:

$ openssl x509 -md5 -fingerprint -text -in cert.pem
MD5 Fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:85:9A:55:6D
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 162 (0xa2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=DE, O=GAD EG, OU=VR IDENT, CN=VR IDENT SSL CA 2011
        Validity
            Not Before: Jul 13 11:18:43 2012 GMT
            Not After : Aug 13 21:59:59 2013 GMT
        Subject: C=DE, ST=HESSEN, L=WIESBADEN, O=DEUTSCHER GENOSSENSCHAFTS-VERLAG EG, OU=ORGANISATION, CN=DGVDEX.DGVERLAG.DE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus: [2048-bit modulus omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Authority Information Access:
                OCSP - URI:http://ocsp.vr-ident.de/gtnocsp/OCSPResponder/VR%20Ident%20SSL%20CA%202011
            X509v3 Authority Key Identifier:
                keyid:50:52:4F:44:2E:47:54:4E:2E:45:58:53:53:4C:43:41:2E:53:49:47:47:45:4E:52:53:2E:30:30:30:30:32:32:30:30
                DirName:/C=DE/O=GAD EG/OU=VR IDENT/CN=VR IDENT EXTERNAL ROOT CA 2011
                serial:04
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://www.vr-ident.de/gtncrl/CRLResponder/VR%20Ident%20SSL%20CA%202011
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                60:1E:93:11:E3:BA:7D:19:A6:88:FB:DD:8E:90:73:50:47:E7:CB:20
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
        [signature bytes omitted]
[PEM block omitted]

> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] Untrusted TLS connection established from
> mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:

From above:

    Signature Algorithm: sha256WithRSAEncryption

It looks like your OpenSSL library does not enable this via OpenSSL_add_ssl_algorithms().

The use of certificates with signature algorithms other than MD5 and SHA-1 is supposed to be negotiated via TLSv1.2; plain SSLv3/TLSv1 do not have a way to negotiate these, and clients or servers that use SHA-2 signatures will run into interoperability problems.
> Does the message
>
>     TLS library problem: 22673:error:0D0C50A1:asn1 encoding
>     routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146
>
> indicate a problem on our side?

A misconfiguration on their side, and lack of support for SHA-2 signatures on your side.

> Please let me know if you need any further information. Below the log
> output with debug_peer_list:

Can you report the output of "ldd /usr/libexec/postfix/smtpd" (smtpd is in $daemon_directory, adjust as necessary). That will help nail down the exact OpenSSL version in use. Also report the O/S distribution and version of the package that contains the libssl that smtpd depends on.

I would have expected SHA-2 support as of OpenSSL 1.0.0a.

$ git diff OpenSSL_1_0_0..OpenSSL_1_0_0a ssl/ssl_algs.c
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index a26ae43..0967b2d 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -105,6 +105,14 @@ int SSL_library_init(void)
 	EVP_add_digest_alias(SN_sha1,"ssl3-sha1");
 	EVP_add_digest_alias(SN_sha1WithRSAEncryption,SN_sha1WithRSA);
 #endif
+#ifndef OPENSSL_NO_SHA256
+	EVP_add_digest(EVP_sha224());
+	EVP_add_digest(EVP_sha256());
+#endif
+#ifndef OPENSSL_NO_SHA512
+	EVP_add_digest(EVP_sha384());
+	EVP_add_digest(EVP_sha512());
+#endif
 #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_DSA)
 	EVP_add_digest(EVP_dss1()); /* DSA with sha1 */
 	EVP_add_digest_alias(SN_dsaWithSHA1,SN_dsaWithSHA1_2);

-- 
	Viktor.
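Review bot: the guard names in the two added blocks do not map one-to-one onto the digests they cover (OPENSSL_NO_SHA256 also gates EVP_sha224(), OPENSSL_NO_SHA512 also gates EVP_sha384()), so a one-line comment in the style of the existing `/* DSA with sha1 */` would save the next reader from hunting for OPENSSL_NO_SHA224 and OPENSSL_NO_SHA384 guards. It would also be worth stating, in that comment or the commit message, that registering these digests in SSL_library_init() is what lets ASN1_item_verify resolve a sha256WithRSAEncryption signature at all, since the "unknown message digest algorithm" error quoted in this thread is exactly the symptom on a build without this hunk.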
> Signature Algorithm: sha256WithRSAEncryption
>
> It looks your OpenSSL library does not enable this via
> OpenSSL_add_ssl_algorithms().
>
> The use of certificates with signature algorithms other than MD5
> and SHA-1 is supposed to be negotiated via TLSv1.2, plain SSLv3/TLSv1
> do not have a way to negotiate these, and clients or servers that
> use SHA-2 signatures will run into interoperability problems.

> Can you report the output of "ldd /usr/libexec/postfix/smtpd" (smtpd
> is in $daemon_directory, adjust as necessary). That will help nail
> down the exact OpenSSL version in use. Also report the O/S
> distribution and version of the package that contains the libssl
> that smtpd depends on.
>
> I would have expected SHA-2 support as of OpenSSL 1.0.0a.

Ok, so the problem seems to be clear. The system uses an ancient openssl version (sunfreeware package):

# uname -a
SunOS rv-smtpext-201 5.10 Generic_148888-03 sun4v sparc SUNW,T5140
# ldd /opt/vrnetze/postfix/libexec/smtpd
        libdb-4.7.so =>  /usr/local/BerkeleyDB.4.7/lib/libdb-4.7.so
        libssl.so.0.9.8 =>       /usr/local/ssl/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 =>    /usr/local/ssl/lib/libcrypto.so.0.9.8
        libpcre.so.0 =>  /usr/local/lib/libpcre.so.0
        libresolv.so.2 =>        /lib/libresolv.so.2
        libsocket.so.1 =>        /lib/libsocket.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libc.so.1 =>     /lib/libc.so.1
        librt.so.1 =>    /usr/lib/librt.so.1
        libpthread.so.1 =>       /usr/lib/libpthread.so.1
        libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
        libdl.so.1 =>    /lib/libdl.so.1
        libdevinfo.so.1 =>       /usr/lib/libdevinfo.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libaio.so.1 =>   /lib/libaio.so.1
        libnvpair.so.1 =>        /lib/libnvpair.so.1
        libsec.so.1 =>   /lib/libsec.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libavl.so.1 =>   /lib/libavl.so.1
        libm.so.2 =>     /lib/libm.so.2
        /platform/SUNW,T5140/lib/libc_psr.so.1
        /platform/SUNW,T5140/lib/libmd_psr.so.1
# /usr/local/ssl/bin/openssl version
OpenSSL 0.9.8k 25 Mar 2009

Thank you very much for your help! Is it possible to deactivate the "smtpd_tls_ask_ccert = yes" setting for this special target? Ideally without deactivating the complete STARTTLS extension completely?

I understand that the correct solution is an openssl upgrade on our side (due to other security related reasons), but I need a maintenance window for this.
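Viktor's diagnosis above comes down to one lookup: ASN1_item_verify() maps the certificate's signature OID to a digest and fails with "unknown message digest algorithm" when that digest was never registered. The script below is an added example, not code from this thread, from Postfix or from OpenSSL: it repeats that lookup in pure Python on the outer structure of a DER certificate so that a peer certificate can be checked against what a given OpenSSL build registers; the OID table, the two digest sets and the certificate-shaped sample input are constructed for the example, and check_pem() takes a real PEM file.

```python
"""Added example, not code from the thread: report which digest a certificate's
signature needs and whether an OpenSSL that has registered only MD5 and SHA-1
(the 0.9.8k case above) could verify it.  Only the outer SEQUENCE is walked."""
import ssl

# signatureAlgorithm OID -> (digest it needs, OpenSSL name); assumed table
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5", "md5WithRSAEncryption"),
    "1.2.840.113549.1.1.5": ("sha1", "sha1WithRSAEncryption"),
    "1.2.840.113549.1.1.11": ("sha256", "sha256WithRSAEncryption"),
    "1.2.840.113549.1.1.12": ("sha384", "sha384WithRSAEncryption"),
    "1.2.840.113549.1.1.13": ("sha512", "sha512WithRSAEncryption"),
    "1.2.840.113549.1.1.14": ("sha224", "sha224WithRSAEncryption"),
    "1.2.840.10045.4.3.2": ("sha256", "ecdsa-with-SHA256"),
}
# Digests SSL_library_init() registered before and after the 1.0.0a hunk above.
LEGACY_098_DIGESTS = frozenset({"md5", "sha1"})
SHA2_DIGESTS = LEGACY_098_DIGESTS | {"sha224", "sha256", "sha384", "sha512"}

def _read_tlv(buf, pos):
    """Return (tag, contents, next position) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: 0x8n then n length bytes
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(cert_der):
    """OID of the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm
    tag2, oid_body, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return _decode_oid(oid_body)

def check_certificate(cert_der, registered=LEGACY_098_DIGESTS):
    """Mimic the lookup ASN1_item_verify() does: map the signature OID to its
    digest and see whether that digest is registered in this library."""
    oid = signature_oid(cert_der)
    digest, name = SIGNATURE_OIDS.get(oid, (None, "unknown OID " + oid))
    return {"oid": oid, "algorithm": name, "digest": digest,
            "verifiable": digest in registered}

def check_pem(pem_text, registered=LEGACY_098_DIGESTS):
    """Same check for a PEM certificate, e.g. one saved from openssl s_client."""
    return check_certificate(ssl.PEM_cert_to_DER_cert(pem_text), registered)

# --- constructed sample input (certificate-shaped DER, not a real cert) -----
def _tlv(tag, body):
    assert len(body) < 128, "short-form length is enough for the samples"
    return bytes([tag, len(body)]) + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit set on all but last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert(sig_oid):
    """Empty tbsCertificate, AlgorithmIdentifier with NULL params, 1-byte BIT
    STRING: enough structure for the outer walk, nothing verifiable."""
    alg_id = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    return _tlv(0x30, _tlv(0x30, b"") + alg_id + _tlv(0x03, b"\x00"))

SAMPLE_SHA256_CERT = fake_cert("1.2.840.113549.1.1.11")  # like the DGV cert
SAMPLE_SHA1_CERT = fake_cert("1.2.840.113549.1.1.5")

if __name__ == "__main__":
    for der in (SAMPLE_SHA256_CERT, SAMPLE_SHA1_CERT):
        print("0.9.8k:", check_certificate(der)["verifiable"],
              "1.0.0a+:", check_certificate(der, SHA2_DIGESTS)["verifiable"])
```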
On Fri, Jun 14, 2013 at 05:53:03PM +0200, Jan P. Kessler wrote:
> > I would have expected SHA-2 support as of OpenSSL 1.0.0a.
>
> Ok, so the problem seems to be clear. The system uses an ancient
> openssl version (sunfreeware package):
>
> libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8
> libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8
>
> # /usr/local/ssl/bin/openssl version
> OpenSSL 0.9.8k 25 Mar 2009
>
> Thank you very much for your help! Is it possible to deactivate the
> "smtpd_tls_ask_ccert = yes" setting for this special target? Ideally
> without deactivating the complete STARTTLS extension completely?

Only via NAT, if you can divert traffic from this client IP to a different SMTP listener in which the feature is disabled via master.cf.

The sender should replace their certificate, it is not compliant with TLSv1. This too may take time.

I never enabled ask_ccert on port 25, I had used 587 for that (on a machine that nevertheless was not an MSA), and clients with special access configured via ccerts had to use a transport table or similar to send to a non-default port to get that access.

> I understand that the correct solution is an openssl upgrade on our
> side (due to other security related reasons), but I need a
> maintenance window for this.

Build OpenSSL 1.0.1e from source without shared libraries, just ".a" files (default via OpenSSL's Configure). Then link Postfix against that, and deploy. For example with OpenSSL built in /var/tmp/openssl (libcrypto.a and libssl.a in that directory, and include files in /var/tmp/openssl/include) build as follows (adjusting paths as required):

#! /bin/sh
DEST=/usr/local
CCARGS='-DUSE_TLS -I/var/tmp/openssl/include ...'
AUXLIBS='-L/var/tmp/openssl -lssl -lcrypto ...'

while read -r name val
do
    CCARGS="$CCARGS $(printf -- '-D%s=\\"%s\\"' $name $val)"
done <<EOF
DEF_COMMAND_DIR $DEST/sbin
DEF_CONFIG_DIR $DEST/etc
DEF_DAEMON_DIR $DEST/libexec
DEF_MAILQ_PATH /usr/bin/mailq
DEF_HTML_DIR $DEST/html
DEF_MANPAGE_DIR $DEST/man
DEF_NEWALIAS_PATH /usr/bin/newaliases
DEF_README_DIR $DEST/readme
DEF_SENDMAIL_PATH /usr/sbin/sendmail
EOF

make -f Makefile.init "CCARGS=$CCARGS" "AUXLIBS=$AUXLIBS" makefiles
make

-- 
	Viktor.
> The sender should replace their certificate, it is not compliant with
> TLSv1. This too may take time.
>
> I never enabled ask_ccert on port 25, I had used 587 for that (on a
> machine that nevertheless was not an MSA), and clients with special
> access configured via ccerts had to use a transport table or similar
> to send to a non-default port to get that access.

Thank you for the detailed analysis. I will give them a hint. Although the chance might be small that they will have other partners using old ssl versions and asking for their ccert, they should know about that. The interesting part for me is that smtp (meaning when we send mails to them using tls) had no problems with their sha2 cert.

I will consider switching to the submission port for our ccert-whitelisted/authenticated partners, too. It was the first time we encountered problems with that setting in several years (I was aware of the warning note in the docs, but it always worked for us).

>> I understand that the correct solution is an openssl upgrade on
>> our side (due to other security related reasons), but I need a
>> maintenance window for this.
>
> Build OpenSSL 1.0.1e from source without shared libraries, just ".a"
> files (default via OpenSSL's Configure). Then link Postfix against
> that, and deploy. For example with OpenSSL built in /var/tmp/openssl
> (libcrypto.a and libssl.a in that directory, and include files in
> /var/tmp/openssl/include) build as follows (adjusting paths as
> required):

Fortunately I was able to get a change window for one of the nodes last night. After the procedure below everything seems to be fine now on this machine. I'll wait some days and update the other nodes, too. Thanks again for your assistance!
# self compiled things here
BASE=/opt/vrnetze

# sunstudio compiler
CC=/opt/SUNWspro/bin/cc
CXX=/opt/SUNWspro/bin/cc

# openssl
./Configure \
    --prefix=${BASE}/openssl \
    --openssldir=${BASE}/openssl \
    solaris-sparcv9-cc
make; make install

# postfix
MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib -L/usr/local/lib"
MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include -I/usr/local/include"

make tidy; make makefiles \
    CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
    AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
make; make upgrade
On Sat, Jun 15, 2013 at 12:07:26PM +0200, Jan P. Kessler wrote:
> # openssl
> ./Configure \
> --prefix=${BASE}/openssl \
> --openssldir=${BASE}/openssl \
> solaris-sparcv9-cc
> make; make install
>
> # postfix
> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
> -L/usr/local/lib"
> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
> -I/usr/local/include"
>
> make tidy; make makefiles \
> CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
> AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
> make; make upgrade

If you're interested, I now have another option for you, a Postfix patch that will likely enable support for SHA-2 digests even when Postfix is compiled and linked with OpenSSL 0.9.8.

Keep in mind that the latest OpenSSL 0.9.8 patch level is now 0.9.8y, and I seem to recall that you had 0.9.8k, which likely has various unpatched bugs. So you should probably upgrade the system's OpenSSL 0.9.8 libraries to 0.9.8y.

The patch is for DANE support with OpenSSL 1.0.0 (first release before 1.0.0a) and some systems with older 1.1.0-dev snapshots, but should also address your problem.

--- src/tls/tls_misc.c
+++ src/tls/tls_misc.c
@@ -1129,6 +1129,24 @@ int tls_validate_digest(const char *dgst) unsigned int md_len; /* + * Register SHA-2 digests, if implemented and not already registered. + * Improves interoperability with clients and servers that prematurely + * deploy SHA-2 certificates. Also facilitates DANE and TA support. + */ +#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256) + if (!EVP_get_digestbyname(LN_sha224)) + EVP_add_digest(EVP_sha224()); + if (!EVP_get_digestbyname(LN_sha256)) + EVP_add_digest(EVP_sha256()); +#endif +#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512) + if (!EVP_get_digestbyname(LN_sha384)) + EVP_add_digest(EVP_sha384()); + if (!EVP_get_digestbyname(LN_sha512)) + EVP_add_digest(EVP_sha512()); +#endif + + /* * If the administrator specifies an unsupported digest algorithm, fail * now, rather than in the middle of a TLS handshake. */ -- Viktor. |
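Review bot: the digest registration is placed inside tls_validate_digest(), whose name and the comment that follows the hunk ("If the administrator specifies an unsupported digest algorithm, fail now, rather than in the middle of a TLS handshake") describe a pure check, so the new side effect is easy to miss; a one-line note that tls_validate_digest() has to run during client/server initialisation, before the first handshake, so that the EVP_add_digest() calls register the algorithms in time, would document that dependency. Also, the first #if block is guarded only by LN_sha256, NID_sha256 and OPENSSL_NO_SHA256 yet registers EVP_sha224() as well, and the second block pairs sha384 under the sha512 guard in the same way; that is correct for builds that define each pair together, but a short comment stating the assumption would keep the next reader from "fixing" it.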
>> # openssl
>> ./Configure \
>> --prefix=${BASE}/openssl \
>> --openssldir=${BASE}/openssl \
>> solaris-sparcv9-cc
>> make; make install
>>
>> # postfix
>> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
>> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
>> -L/usr/local/lib"
>> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
>> -I/usr/local/include"
>>
>> make tidy; make makefiles \
>> CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
>> AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
>> make; make upgrade

The openssl update from 0.9.8k to 1.0.1e solved the client certificate issue. Unfortunately now we see another problem with the outgoing instance, trying to send to another partner with mandatory TLS:

Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:28:55 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: to=<[hidden email]>, relay=mxtls.allianz.com[194.127.3.22]:25, delay=62663, delays=62662/0/0.54/0.01, dsn=4.7.0, status=deferred (host mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command))

BEFORE UPGRADE:

Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] certificate verification failed for mxtls.allianz.com[194.127.3.21]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] Untrusted TLS connection established to mxtls.allianz.com[194.127.3.21]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 14 11:43:42 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] 19688599D: to=<[hidden email]>, relay=mxtls.allianz.com[194.127.3.21]:25, delay=0.94, delays=0.03/0/0.48/0.43, dsn=2.0.0, status=sent (250 2.0.0 r5E9hfN2006147 Message accepted for delivery)

Other outgoing TLS connections seem to work fine:

Jun 16 00:29:52 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to gmail-smtp-in.l.google.com[173.194.70.26]:25
Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] CBF8256AD: to=<[hidden email]>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.85, delays=0.01/0/0.18/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1371335393 b5si7050738eew.190 - gsmtp)

Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] setting up TLS connection to smail2-neu.mailintern.local[10.221.24.22]:25
Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] Trusted TLS connection established to smail2-neu.mailintern.local[10.221.24.22]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 00:29:55 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] 6195A56F4: to=<[hidden email]>, relay=smail2-neu.mailintern.local[10.221.24.22]:25, delay=11, delays=11/0/0.14/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 98BABC6DA0)

Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] setting up TLS connection to smtpcl3.fiducia.de[195.200.34.38]:25
Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] smtpcl3.fiducia.de[195.200.34.38]:25: re-using session with untrusted certificate, look for details earlier in the log
Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] Untrusted TLS connection established to smtpcl3.fiducia.de[195.200.34.38]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 00:29:58 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] 932B356AF: to=<[hidden email]>, relay=smtpcl3.fiducia.de[195.200.34.38]:25, delay=2.1, delays=0.58/0.07/0.26/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7C5731C8C89)

I have already tried to wipe the smtp_scache.db without success. Could you give me another hint? Verbose logs and configuration follow at the end of this mail.

> If you're interested, I now have another option for you, a Postfix
> patch that will likely enable support for SHA-2 digests even when
> Postfix is compiled and linked with OpenSSL 0.9.8.

May I ask if this would have a chance to be included in future postfix releases? Just to know if postfix has to be patched again with updates.

> Keep in mind that that latest OpenSSL 0.9.8 patch level is now
> 0.9.8y, and I seem to recall that you had 0.9.8k which likely
> various unpatched bugs. So you should probably upgrade the system's
> OpenSSL 0.9.8 libraries to 0.9.8y.

Thanks, but the 0.9.8k openssl lib is anyway not the solaris 10 default.
It was installed separately some time ago from a different source (sunfreeware) to compile postfix. I'd prefer to drop it completely. It is not used by other software on these systems.

# postconf -c /etc/postfix/OUT mail_version
mail_version = 2.8.13

# /opt/vrnetze/openssl/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013

# postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
# postqueue -c /etc/postfix/OUT -i 704A35DD5

Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] mxtls.allianz.com[194.127.3.22]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] looking for session smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 in smtp cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] lookup smtp session id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:before/connect initialization
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
[hex dump of the 363-byte ClientHello omitted]
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:SSLv2/v3 write client hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:error in SSLv2/v3 read server hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] remove session smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 from client cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] delete smtp session id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] mxtls.allianz.com[194.127.3.21]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] looking for session smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 in smtp cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] lookup smtp session id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:before/connect initialization
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] write to 000A3418 [000F6020] (363 bytes => 363 (0x16B))
[hex dump of the 363-byte ClientHello omitted]
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:SSLv2/v3 write client hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] read from 000A3418 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:error in SSLv2/v3 read server hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] remove session smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 from client cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] delete smtp session id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: to=<[hidden email]>, relay=mxtls.allianz.com[194.127.3.21]:25, delay=64211, delays=64211/0/0.54/0.01, dsn=4.7.0, status=deferred (host mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command))

# egrep -v "^#" /etc/postfix/OUT/master.cf
smtp26     inet  n       -       n       -       200     smtpd
  -o smtpd_client_connection_count_limit=100
cryptosmtp unix  -       -       n       -       50      smtp
  -o smtp_data_done_timeout=1200
tlsmgr     unix  -       -       n       1000?   1       tlsmgr
pickup     fifo  n       -       n       60      1       pickup
cleanup    unix  n       -       n       -       0       cleanup
qmgr       fifo  n       -       n       300     1       qmgr
rewrite    unix  -       -       n       -       -       trivial-rewrite
bounce     unix  -       -       n       -       0       bounce
defer      unix  -       -       n       -       0       bounce
trace      unix  -       -       n       -       0       bounce
verify     unix  -       -       n       -       1       verify
flush      unix  n       -       n       1000?   0       flush
proxymap   unix  -       -       n       -       -       proxymap
smtp       unix  -       -       n       -       -       smtp
relay      unix  -       -       n       -       -       smtp
showq      unix  n       -       n       -       -       showq
error      unix  -       -       n       -       -       error
discard    unix  -       -       n       -       -       discard
local      unix  -       n       n       -       -       local
virtual    unix  -       n       n       -       -       virtual
lmtp       unix  -       -       n       -       -       lmtp
anvil      unix  -       -       n       -       1       anvil
scache     unix  -       -       n       -       1       scache
maildrop   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus  unix  -       n       n       -       -       pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus      unix  -       n       n       -       -       pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp       unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -       n       n       -       -       pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

# postconf -c /etc/postfix/OUT -n
alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
body_checks = pcre:/etc/postfix/OUT/body_checks
body_checks_size_limit = 512000
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /opt/vrnetze/postfix/sbin
config_directory = /etc/postfix/OUT
daemon_directory = /opt/vrnetze/postfix/libexec
data_directory = /var/spool/postfix-OUT/DATA
debug_peer_level = 2
default_privs = nobody
default_process_limit = 200
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/OUT/header_checks
html_directory = no
inet_interfaces = all
luser_relay = [hidden email]
mail_name = Mailservice
mail_owner = postfix
mailbox_size_limit = 56000001
mailq_path = /usr/bin/mailq
manpage_directory = /opt/vrnetze/postfix/man
maximal_queue_lifetime = 3d
message_size_limit = 56000000
mime_header_checks = pcre:/etc/postfix/OUT/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mydomain = EXAMPLE.COM
myhostname = mail.EXAMPLE.COM
mynetworks = /etc/postfix/relay_from_networks
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
queue_directory = /var/spool/postfix-OUT
readme_directory = /opt/vrnetze/postfix/doc
receive_override_options = no_address_mappings
relay_domains = /etc/postfix/relay_to_domains
sample_directory = /etc/postfix
sender_canonical_maps = btree:/etc/postfix/sender_canonical
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtp_enforce_tls = no
smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtp_tls_key_file = /etc/postfix/CERTS/key.pem
smtp_tls_loglevel = 1
smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
smtp_tls_scert_verifydepth = 8
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Mailservice
smtpd_enforce_tls = no
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_non_fqdn_sender, permit_mynetworks, reject
smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 8
smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
syslog_name = postfix-OUT
transport_maps = btree:/etc/postfix/fehlerdomains, btree:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_local_recipient_reject_code = 550
some additional information:
# /opt/vrnetze/openssl/bin/openssl s_client -connect mxtls.allianz.com:25 -starttls smtp CONNECTED(00000004) depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority verify error:num=19:self signed certificate in certificate chain verify return:0 --- Certificate chain 0 s:/C=DE/ST=Bayern/L=Unterf\xC3\xB6hring/O=Allianz Managed Operations & Services SE/OU=Allianz Group/CN=*.allianz.de i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3 i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5 i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority --- Server certificate -----BEGIN CERTIFICATE----- MIIFVzCCBD+gAwIBAgIQRje+sRdEDc8quKMQfyp3vTANBgkqhkiG9w0BAQUFADCB tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTMwMjE5 MDAwMDAwWhcNMTQwMjI0MjM1OTU5WjCBmDELMAkGA1UEBhMCREUxDzANBgNVBAgM BkJheWVybjEWMBQGA1UEBwwNVW50ZXJmw7ZocmluZzExMC8GA1UECgwoQWxsaWFu eiBNYW5hZ2VkIE9wZXJhdGlvbnMgJiBTZXJ2aWNlcyBTRTEWMBQGA1UECwwNQWxs aWFueiBHcm91cDEVMBMGA1UEAwwMKi5hbGxpYW56LmRlMIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEA34vFk6ijdJ5H/IdHOPvyvFPa/I/CN0+NvhmgluJs 
5p2IebxKNYZb+K7PiQSMD+aeFLw8EEbKdRIya7+KgKKkcrWKXMY68dZ3ehANvm7L
OEQgSy0DsGsWEH5HUUw2vzY9Se66LNwYausPWwEOP2dBCtPq6xISAzv0WmL89z4b
CuxjQV1pK9Qm7Ee5bm9gIpTRHm8NXxyRCg0G49e+cU8D2+8NaYO/N1kLhnXXGKFx
oo/wXEuqCD4SR0JDLq/Ues3o+pH/ObALlaZpl0DLOws4tCADGM36v8VmWA/PEMuT
kowK2RxlNG1YHpp8CJutta9Ah4JvX/p4J4XrjR8In8gw1QIDAQABo4IBfDCCAXgw
FwYDVR0RBBAwDoIMKi5hbGxpYW56LmRlMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD
AgWgMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZl
cmlzaWduLmNvbS9TVlJTZWN1cmVHMy5jcmwwQwYDVR0gBDwwOjA4BgpghkgBhvhF
AQc2MCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9jcHMw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFA1EXBZT
RMGCfh0gqyX0AWPYvnmlMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0
cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUFBzAChjRodHRwOi8vU1ZSU2Vj
dXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY2VyMA0GCSqGSIb3
DQEBBQUAA4IBAQCTj4I2An6Sg02mjUwdNpbw+QwBZPnjixLFOTY02ehBGJ80eF1Y
HkyCJQXiyuL9yiqdDU0iB+HfPkz8ASAPKpH2GZqU57hq0GEADrqift/3XVg681UF
hvKBG6ciVrS2bgXpdBAE8XMMoLbbvruom4UrjphFMY4gNMkjFUn8kzNP8pFFuODx
/26V6m/VSuqUq9H51F1G4NpsfAWJMrPatmnKBLV2nGhTMXe1AOraDGKTEFiM4DLf
hOO3G/LjE0PLt1ALv3HagnWR5PbtSxVwaMHWdClHzWiwhaimtwiBZkbn1UN6FENI
mF7X2lcyxk5n5Q5mGCNQQaIxkre04F8oXtAM
-----END CERTIFICATE-----
subject=/C=DE/ST=Bayern/L=Unterf\xC3\xB6hring/O=Allianz Managed Operations & Services SE/OU=Allianz Group/CN=*.allianz.de
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
SSL handshake has read 6159 bytes and written 566 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 27BA0212310594A9E6BFA40D0ECB0D11C6B5AC6C0D43262B551072C99AE6AEF6
    Session-ID-ctx:
    Master-Key: 00F84A8BEE171D1DD0DDE339984755CD253E804DDD7039A1C496D7348F03CF170F1B485133EFC1E67F5669279761A2D0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 2c cb a1 28 60 8d dd ab-22 b3 fd 81 d4 bd 2d fd   ,..(`...".....-.
    0010 - 35 30 7e 80 4a ea 42 fd-2a 17 ec 73 3d b7 51 7d   50~.J.B.*..s=.Q}
    0020 - 48 7b 70 69 eb ed 92 2b-df 11 af 10 7a 81 30 63   H{pi...+....z.0c
    0030 - b1 04 54 a9 e3 e8 80 63-e4 72 a3 01 95 c4 56 e9   ..T....c.r....V.
    0040 - 32 b5 2e 55 8b ae 34 da-29 73 90 82 1f 4a e0 f7   2..U..4.)s...J..
    0050 - ff f9 dd 3e d5 f1 33 6c-34 7a ed 59 4a 8f 38 ae   ...>..3l4z.YJ.8.
    0060 - 6b e0 49 5d 4b 1b bf 27-5b 64 86 a4 e5 38 3e 9b   k.I]K..'[d...8>.
    0070 - e8 a7 81 75 92 78 02 10-5d e5 be a2 c8 f9 87 7b   ...u.x..]......{
    0080 - eb bb c7 90 c7 70 0f 63-83 cf 20 d5 b3 65 33 a4   .....p.c.. ..e3.
    0090 - 65 34 18 75 10 6b 91 0f-73 af 9b 79 43 a4 a8 de   e4.u.k..s..yC...

    Start Time: 1371343913
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
HELO mail.EXAMPLE.COM
250 mailgw.allianz.de Hello mail.EXAMPLE.COM [91.235.236.8], pleased to meet you
MAIL FROM:[hidden email]
250 2.1.0 [hidden email]... Sender ok
RCPT TO:[hidden email]
RENEGOTIATING
[CTRL+C]

On 16.06.2013 01:58, Jan P. Kessler wrote:
> >> # openssl
> >> ./Configure \
> >>     --prefix=${BASE}/openssl \
> >>     --openssldir=${BASE}/openssl \
> >>     solaris-sparcv9-cc
> >> make; make install
> >>
> >> # postfix
> >> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
> >> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
> >> -L/usr/local/lib"
> >> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
> >> -I/usr/local/include"
> >>
> >> make tidy; make makefiles \
> >>     CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
> >>     AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
> >> make; make upgrade
>
> The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> issue. Unfortunately now we see another problem with the outgoing
> instance, trying to send to another partner with mandatory TLS:
>
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:28:55 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: to=<[hidden email]>,
> relay=mxtls.allianz.com[194.127.3.22]:25, delay=62663, delays=62662/0/0.54/0.01, dsn=4.7.0, status=deferred (host mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command))
>
> BEFORE UPGRADE:
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] certificate verification failed for mxtls.allianz.com[194.127.3.21]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] Untrusted TLS connection established to mxtls.allianz.com[194.127.3.21]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Jun 14 11:43:42 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] 19688599D: to=<[hidden email]>, relay=mxtls.allianz.com[194.127.3.21]:25, delay=0.94, delays=0.03/0/0.48/0.43, dsn=2.0.0, status=sent (250 2.0.0 r5E9hfN2006147 Message accepted for delivery)
>
> Other outgoing TLS connections seem to work fine:
>
> Jun 16 00:29:52 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to gmail-smtp-in.l.google.com[173.194.70.26]:25
> Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
> Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] CBF8256AD: to=<[hidden email]>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.85, delays=0.01/0/0.18/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1371335393 b5si7050738eew.190 - gsmtp)
>
> Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] setting up TLS connection to smail2-neu.mailintern.local[10.221.24.22]:25
> Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] Trusted TLS connection established to smail2-neu.mailintern.local[10.221.24.22]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Jun 16 00:29:55 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] 6195A56F4: to=<[hidden email]>, relay=smail2-neu.mailintern.local[10.221.24.22]:25, delay=11, delays=11/0/0.14/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 98BABC6DA0)
>
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] setting up TLS connection to smtpcl3.fiducia.de[195.200.34.38]:25
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] smtpcl3.fiducia.de[195.200.34.38]:25: re-using session with untrusted certificate, look for details earlier in the log
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] Untrusted TLS connection established to smtpcl3.fiducia.de[195.200.34.38]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Jun 16 00:29:58 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] 932B356AF: to=<[hidden email]>, relay=smtpcl3.fiducia.de[195.200.34.38]:25, delay=2.1, delays=0.58/0.07/0.26/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7C5731C8C89)
>
> I have already tried to wipe the smtp_scache.db without success. Could
> you give me another hint? Verbose logs and configuration follow at the
> end of this mail.
>
> > If you're interested, I now have another option for you, a Postfix
> > patch that will likely enable support for SHA-2 digests even when
> > Postfix is compiled and linked with OpenSSL 0.9.8.
>
> May I ask if this would have a chance to be included in future postfix
> releases? Just to know if postfix has to be patched again with updates.
>
> > Keep in mind that the latest OpenSSL 0.9.8 patch level is now
> > 0.9.8y, and I seem to recall that you had 0.9.8k which likely has
> > various unpatched bugs. So you should probably upgrade the system's
> > OpenSSL 0.9.8 libraries to 0.9.8y.
>
> Thanks, but the 0.9.8k openssl lib is anyway not the solaris 10 default.
> It was installed separately some time ago from a different source
> (sunfreeware) to compile postfix. I'd prefer to drop it completely. It
> is not used by other software on these systems.
>
> # postconf -c /etc/postfix/OUT mail_version
> mail_version = 2.8.13
> # /opt/vrnetze/openssl/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013
>
> # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
> # postqueue -c /etc/postfix/OUT -i 704A35DD5
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] mxtls.allianz.com[194.127.3.22]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] looking for session smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 in smtp cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] lookup smtp session id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:before/connect initialization
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 b7  ....f... b..Q....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0010 a5 91 88 61 35 5b 04 b0|16 00 7a 15 84 3c b5 0b > ...a5[.. ..z..<.. > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0020 59 23 37 d6 e4 7d 6f 15|82 8f c6 00 00 ca c0 19 > Y#7..}o. ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28 . > ...m.: ...0.,.( > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b > .$....." .!.....k > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a > .j.9.8.. ...2...* > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17 > .&...... .=.5.... > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34 > ........ .....l.4 > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09 > ...F./.+ .'.#.... > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32 > ........ .g.@.3.2 > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25 > .....E.D .1.-.).% > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07 > .......< ./...A.. > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04 > ........ 
........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04 > ........ ...o.... > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19 > .......4 .2...... > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00 > ........ .....#.. > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02 ...". > .. ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01 > ........ ... 
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
> Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:error in SSLv2/v3 read server hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] remove session smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 from client cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] delete smtp session id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] mxtls.allianz.com[194.127.3.21]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] looking for session smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 in smtp cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] lookup smtp session
id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] SSL_connect:before/connect initialization > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] write to 000A3418 [000F6020] (363 bytes => 363 (0x16B)) > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 70 > ....f... b..Q...p > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0010 e9 dc 5b a9 11 c3 47 1e|77 5b 4a a8 81 81 26 40 > ..[...G. w[J...&@ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0020 e2 0a 41 b0 2e b9 96 2c|2e 63 e4 00 00 ca c0 19 > ..A...., .c...... > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28 . > ...m.: ...0.,.( > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b > .$....." .!.....k > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a > .j.9.8.. ...2...* > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17 > .&...... .=.5.... > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34 > ........ .....l.4 > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09 > ...F./.+ .'.#.... 
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32 > ........ .g.@.3.2 > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25 > .....E.D .1.-.).% > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07 > .......< ./...A.. > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04 > ........ ...o.... > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19 > .......4 .2...... > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00 > ........ .....#.. > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02 ...". > .. ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01 > ........ ........ > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 > mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01 > ........ ... 
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] read from 000A3418 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
> Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:error in SSLv2/v3 read server hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] remove session smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 from client cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] delete smtp session id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: to=<[hidden email]>, relay=mxtls.allianz.com[194.127.3.21]:25, delay=64211, delays=64211/0/0.54/0.01, dsn=4.7.0, status=deferred (host mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command))
>
>
> # egrep -v "^#" /etc/postfix/OUT/master.cf
> smtp26     inet  n       -       n       -       200     smtpd
>   -o smtpd_client_connection_count_limit=100
> cryptosmtp unix  -       -       n       -       50      smtp
>   -o smtp_data_done_timeout=1200
> tlsmgr     unix  -       -       n       1000?   1       tlsmgr
> pickup     fifo  n       -       n       60      1       pickup
> cleanup    unix  n       -       n       -       0       cleanup
> qmgr       fifo  n       -       n       300     1       qmgr
> rewrite    unix  -       -       n       -       -       trivial-rewrite
> bounce     unix  -       -       n       -       0       bounce
> defer      unix  -       -       n       -       0       bounce
> trace      unix  -       -       n       -       0       bounce
> verify     unix  -       -       n       -       1       verify
> flush      unix  n       -       n       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> smtp       unix  -       -       n       -       -       smtp
> relay      unix  -       -       n       -       -       smtp
> showq      unix  n       -       n       -       -       showq
> error      unix  -       -       n       -       -       error
> discard    unix  -       -       n       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       n       -       -       lmtp
> anvil      unix  -       -       n       -       1       anvil
> scache     unix  -       -       n       -       1       scache
> maildrop   unix  -       n       n       -       -       pipe
>   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> old-cyrus  unix  -       n       n       -       -       pipe
>   flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> cyrus      unix  -       n       n       -       -       pipe
>   user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
> uucp       unix  -       n       n       -       -       pipe
>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> ifmail     unix  -       n       n       -       -       pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp      unix  -       n       n       -       -       pipe
>   flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
>
> # postconf -c /etc/postfix/OUT -n
> alias_database = hash:/etc/postfix/aliases
> alias_maps = $alias_database
> body_checks = pcre:/etc/postfix/OUT/body_checks
> body_checks_size_limit = 512000
> bounce_queue_lifetime = 3d
> bounce_template_file = /etc/postfix/bounce.cf
> command_directory = /opt/vrnetze/postfix/sbin
> config_directory = /etc/postfix/OUT
> daemon_directory = /opt/vrnetze/postfix/libexec
> data_directory = /var/spool/postfix-OUT/DATA
> debug_peer_level = 2
> default_privs = nobody
> default_process_limit = 200
> disable_vrfy_command = yes
> fast_flush_domains = $relay_domains
> header_checks = pcre:/etc/postfix/OUT/header_checks
> html_directory = no
> inet_interfaces = all
> luser_relay = [hidden email]
> mail_name = Mailservice
> mail_owner = postfix
> mailbox_size_limit = 56000001
> mailq_path = /usr/bin/mailq
> manpage_directory = /opt/vrnetze/postfix/man
> maximal_queue_lifetime = 3d
> message_size_limit = 56000000
> mime_header_checks = pcre:/etc/postfix/OUT/mime_header_checks
> mydestination = $myhostname, localhost.$mydomain
> mydomain = EXAMPLE.COM
> myhostname = mail.EXAMPLE.COM
> mynetworks = /etc/postfix/relay_from_networks
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases
> proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
> queue_directory = /var/spool/postfix-OUT
> readme_directory = /opt/vrnetze/postfix/doc
> receive_override_options = no_address_mappings
> relay_domains = /etc/postfix/relay_to_domains
> sample_directory = /etc/postfix
> sender_canonical_maps = btree:/etc/postfix/sender_canonical
> sendmail_path = /usr/lib/sendmail
> setgid_group = postdrop
> smtp_enforce_tls = no
> smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
> smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
> smtp_tls_key_file = /etc/postfix/CERTS/key.pem
> smtp_tls_loglevel = 1
> smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
> smtp_tls_scert_verifydepth = 8
> smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
> smtp_tls_session_cache_timeout = 3600s
> smtp_use_tls = yes
> smtpd_banner = $myhostname ESMTP Mailservice
> smtpd_enforce_tls = no
> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
>     reject_non_fqdn_sender, permit_mynetworks, reject
> smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
> smtpd_tls_ask_ccert = yes
> smtpd_tls_ccert_verifydepth = 8
> smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
> smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = no
> smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> soft_bounce = no
> syslog_name = postfix-OUT
> transport_maps = btree:/etc/postfix/fehlerdomains,
>     btree:/etc/postfix/transport
> unknown_address_reject_code = 554
> unknown_local_recipient_reject_code = 550
On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:
> The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> issue. Unfortunately now we see another problem with the outgoing
> instance, trying to send to another partner with mandatory TLS:
>
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553

Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
attribute in the Postfix policy table.

> > If you're interested, I now have another option for you, a Postfix
> > patch that will likely enable support for SHA-2 digests even when
> > Postfix is compiled and linked with OpenSSL 0.9.8.
>
> May I ask if this would have a chance to be included in future postfix
> releases? Just to know if postfix has to be patched again with updates.

My suggestion for Wietse was to include this in 2.10.1, and any future
updates for earlier releases. I'll also add another small patch to solve
bitrot with the server TLS session cache that is triggered by OpenSSL
enabling TLSv1 session tickets. (Basically, just add SSL_OP_NO_TICKETS
to the server-side session options).

> # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3

Don't enable levels higher than 2 unless requested.

> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))

Server hangs up after client SSL hello. Perhaps too many ciphers, or
perhaps protocol compatibility issues, or something else entirely, but
what's new with 1.0.1e is mostly more ciphers and new protocols.

Try adding "protocols=TLSv1" to the policy entry for this site, and if
your Postfix is sufficiently new (and knows about TLSv1.1 and TLSv1.2)
all other protocols will be disabled, and you may find that TLS works
for you again.

You've sure had some wicked bad luck with picking TLS partner sites. :-(

-- 
	Viktor.
On 16.06.2013 05:00, Viktor Dukhovni wrote:
> On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:
>
> > The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> > issue. Unfortunately now we see another problem with the outgoing
> > instance, trying to send to another partner with mandatory TLS:
> >
> > mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
>
> Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
> attribute in the Postfix policy table.

Thanks, that worked (postfix 2.8.13):

policy_table:
[mxtls.allianz.com] verify protocols=SSLv3:TLSv1

# postqueue -c /etc/postfix/OUT -i 704A35DD5
Jun 16 10:31:04 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
Jun 16 10:31:05 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553 mail.info] Trusted TLS connection established to mxtls.allianz.com[194.127.3.22]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 10:31:06 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553 mail.info] 704A35DD5: to=<[hidden email]>, relay=mxtls.allianz.com[194.127.3.22]:25, delay=98794, delays=98792/0/0.43/1.8, dsn=2.0.0, status=sent (250 2.0.0 r5G8V4q9023307 Message accepted for delivery)

> > # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
>
> Don't enable levels higher than 2 unless requested.

Yes, of course. Our normal setting is 1. Used this only for a second.

> Try adding "protocols=TLSv1" to the policy entry for this site,
> and if your Postfix is sufficiently new (and knows about TLSv1.1
> and TLSv1.2) all other protocols will be disabled, and you may find
> that TLS works for you again.
>
> You've sure had some wicked bad luck with picking TLS partner sites. :-(

Yep, that's what I thought, too ;)

Currently I fear that other partners might also be affected by this.
Now the queues are almost empty, but most traffic with other mandatory
TLS partner sites will start to continue during work hours Mo-Fr and
I'll be out of office for a week. What do you think about deactivating
v1.1 and v1.2 globally?

Currently:
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2

Suggestion:
smtp_tls_mandatory_protocols = !SSLv2 !TLSv1.1 !TLSv1.2
smtp_tls_protocols = !SSLv2

Will this work or are we expected to run into other compatibility issues
with that from your experience?

P.S.: On one machine I tried to switch to a shared openssl 1.0.1e build
which also seems to work fine:

# ldd /opt/vrnetze/postfix/libexec/smtpd|grep -i ssl
        libssl.so.1.0.0 =>       /opt/vrnetze/openssl/lib/libssl.so.1.0.0
        libcrypto.so.1.0.0 =>    /opt/vrnetze/openssl/lib/libcrypto.so.1.0.0

Am I right concluding that this won't require a postfix rebuild on new
openssl 1.0.x versions?

Again, thank you very much for your time and thoughts!
Beside the point, yet possibly of interest:
On Sun, Jun 16, 2013 at 03:07:01AM +0200, Jan P. Kessler wrote:

> # /opt/vrnetze/openssl/bin/openssl s_client -connect
> mxtls.allianz.com:25 -starttls smtp
> CONNECTED(00000004)
snip
> ---
> 250 HELP
> HELO mail.EXAMPLE.COM
> 250 mailgw.allianz.de Hello mail.EXAMPLE.COM [91.235.236.8],
> pleased to meet you
> MAIL FROM:[hidden email]
> 250 2.1.0 [hidden email]... Sender ok
> RCPT TO:[hidden email]
> RENEGOTIATING
> [CTRL+C]

Excerpt from s_client(1) manual:

"
CONNECTED COMMANDS
    If a connection is established with an SSL server then any data
    received from the server is displayed and any key presses will be
    sent to the server. When used interactively (which means neither
    -quiet nor -ign_eof have been given), the session will be
    renegotiated if the line begins with an R, and if the line begins
    with a Q or if end of file is reached, the connection will be closed
    down.
"

Your workaround is to use lowercase "r" in your RCPT TO command:

rcpt to:<[hidden email]>
rCPT TO:<[hidden email]>

-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
On Sun, Jun 16, 2013 at 11:13:05AM +0200, Jan P. Kessler wrote:
> > Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
> > attribute in the Postfix policy table.
>
> Thanks, that worked (postfix 2.8.13):
>
> policy_table:
> [mxtls.allianz.com] verify protocols=SSLv3:TLSv1

With the destination domain in [], or when "match=..." is explicitly
specified, the "verify" and "secure" levels are identical, otherwise
I would probably shun "verify" and use "secure" with explicit "match"
clauses as required.

> Currently I fear, that other partners might be also affected about this.
> Now the queues are almost empty but most traffic with other mandatory
> TLS partner sites will start to continue during work hours Mo-Fr and
> I'll be out of office for a week. What do you think about deactivating
> v1.1 and v1.2 globally?

Unlikely to cause any harm, and may help with some destinations. You
lose support for AEAD modes which protect against "CRIME" and "BEAST",
but those attacks are browser-specific.

> smtp_tls_mandatory_protocols = !SSLv2
> smtp_tls_protocols = !SSLv2
>
> Suggestion:
> smtp_tls_mandatory_protocols = !SSLv2 !TLSv1.1 !TLSv1.2
> smtp_tls_protocols = !SSLv2

You can set both the same for now. Ideally there'll be some pressure
on sites with broken TLSv1.2 (TLSv1.1 is a far more modest change) to
get their implementations upgraded. But if you have critical traffic,
it may be reasonable to be conservative in what you send...

> Will this work or are we expected to run into other compatibility issues
> with that from your experience?

TLSv1 is tried and true and largely sufficient, it is a very safe choice.

> P.S.: On one machine I tried to switch to a shared openssl 1.0.1e build
> which also seems to work fine:
>
> # ldd /opt/vrnetze/postfix/libexec/smtpd|grep -i ssl
>         libssl.so.1.0.0 =>       /opt/vrnetze/openssl/lib/libssl.so.1.0.0
>         libcrypto.so.1.0.0 =>    /opt/vrnetze/openssl/lib/libcrypto.so.1.0.0
>
> Am I right concluding that this won't require a postfix rebuild on new
> openssl 1.0.x versions?

I can't speak for the stability of the OpenSSL ABI. It is *supposed*
to work, whether it will, only time will tell. Many other users will
rely on this stability on systems where 1.0.0 or 1.0.1 is the default
OpenSSL library:

$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
$ ldd $(type -p openssl) | grep /usr/lib | awk '{printf "%-20s %s\n", $1,$3}'
libssl.so.1.0.0      /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
libcrypto.so.1.0.0   /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0

-- 
	Viktor.