VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
00F84A8BEE171D1DD0DDE339984755CD253E804DDD7039A1C496D7348F03CF170F1B485133EFC1E67F5669279761A2D0
... Sender ok
Am 16.06.2013 01:58, schrieb Jan P. Kessler:
> >> # openssl
> >> ./Configure \
> >> --prefix=${BASE}/openssl \
> >> --openssldir=${BASE}/openssl \
> >> solaris-sparcv9-cc
> >> make; make install
> >>
> >> # postfix
> >> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
> >> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
> >> -L/usr/local/lib"
> >> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
> >> -I/usr/local/include"
> >>
> >> make tidy; make makefiles \
> >> CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
> >> AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
> >> make; make upgrade
>
> The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> issue. Unfortunately now we see another problem with the outgoing
> instance, trying to send to another partner with mandatory TLS:
>
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.21] said: 403
> 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:28:55 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] 704A35DD5: to=<
[hidden email]>,
> relay=mxtls.allianz.com[194.127.3.22]:25, delay=62663,
> delays=62662/0/0.54/0.01, dsn=4.7.0, status=deferred (host
> mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0
> less than 256 (in reply to MAIL FROM command))
>
> BEFORE UPGRADE:
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
> mail.info] certificate verification failed for
> mxtls.allianz.com[194.127.3.21]:25: untrusted issuer /C=US/O=VeriSign,
> Inc./OU=Class 3 Public Primary Certification Authority
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
> mail.info] Untrusted TLS connection established to
> mxtls.allianz.com[194.127.3.21]:25: TLSv1 with cipher DHE-RSA-AES256-SHA
> (256/256 bits)
> Jun 14 11:43:42 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
> mail.info] 19688599D: to=<
[hidden email]>,
> relay=mxtls.allianz.com[194.127.3.21]:25, delay=0.94,
> delays=0.03/0/0.48/0.43, dsn=2.0.0, status=sent (250 2.0.0
> r5E9hfN2006147 Message accepted for delivery)
>
> Other outgoing TLS connections seem to work fine:
>
> Jun 16 00:29:52 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] setting up TLS connection to
> gmail-smtp-in.l.google.com[173.194.70.26]:25
> Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] Trusted TLS connection established to
> gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher
> ECDHE-RSA-RC4-SHA (128/128 bits)
> Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> mail.info] CBF8256AD: to=<
[hidden email]>,
> relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.85,
> delays=0.01/0/0.18/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1371335393
> b5si7050738eew.190 - gsmtp)
>
> Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
> setting up TLS connection to smail2-neu.mailintern.local[10.221.24.22]:25
> Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
> Trusted TLS connection established to
> smail2-neu.mailintern.local[10.221.24.22]:25: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> Jun 16 00:29:55 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
> 6195A56F4: to=<
[hidden email]>,
> relay=smail2-neu.mailintern.local[10.221.24.22]:25, delay=11,
> delays=11/0/0.14/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
> 98BABC6DA0)
>
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
> mail.info] setting up TLS connection to smtpcl3.fiducia.de[195.200.34.38]:25
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
> mail.info] smtpcl3.fiducia.de[195.200.34.38]:25: re-using session with
> untrusted certificate, look for details earlier in the log
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
> mail.info] Untrusted TLS connection established to
> smtpcl3.fiducia.de[195.200.34.38]:25: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> Jun 16 00:29:58 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
> mail.info] 932B356AF: to=<
[hidden email]>,
> relay=smtpcl3.fiducia.de[195.200.34.38]:25, delay=2.1,
> delays=0.58/0.07/0.26/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
> as 7C5731C8C89)
>
> I have already tried to wipe the smtp_scache.db without success. Could
> you give me another hint? Verbose logs and configuration follow at the
> end of this mail.
>
> > If you're interested, I now have another option for you, a Postfix
> > patch that will likely enable support for SHA-2 digests even when
> > Postfix is compiled and linked with OpenSSL 0.9.8.
>
> May I ask if this would have a chance to be included in future postfix
> releases? Just to know if postfix has to be patched again with updates.
>
> > Keep in mind that that latest OpenSSL 0.9.8 patch level is now
> > 0.9.8y, and I seem to recall that you had 0.9.8k which likely
> > various unpatched bugs. So you should probably upgrade the system's
> > OpenSSL 0.9.8 libraries to 0.9.8y.
>
> Thanks, but the 0.9.8k openssl lib is anyway not the solaris 10 default.
> It was installed separately some time ago from a different source
> (sunfreeware) to compile postfix. I'd prefer to drop it completely. It
> is not used by other software on these systems.
>
> # postconf -c /etc/postfix/OUT mail_version
> mail_version = 2.8.13
> # /opt/vrnetze/openssl/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013
>
> # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
> # postqueue -c /etc/postfix/OUT -i 704A35DD5
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] mxtls.allianz.com[194.127.3.22]:25: TLS cipher list
> "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] looking for session
> smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> in smtp cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
> mail.info] lookup smtp session
> id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:before/connect initialization
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 b7
> ....f... b..Q....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0010 a5 91 88 61 35 5b 04 b0|16 00 7a 15 84 3c b5 0b
> ...a5[.. ..z..<..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0020 59 23 37 d6 e4 7d 6f 15|82 8f c6 00 00 ca c0 19
> Y#7..}o. ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28 .
> ...m.: ...0.,.(
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b
> .$....." .!.....k
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a
> .j.9.8.. ...2...*
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17
> .&...... .=.5....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34
> ........ .....l.4
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09
> ...F./.+ .'.#....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32
> ........ .g.@.3.2
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25
> .....E.D .1.-.).%
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07
> .......< ./...A..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04
> ........ ...o....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19
> .......4 .2......
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00
> ........ .....#..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02 ...".
> .. ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01
> ........ ...
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
> Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:error in SSLv2/v3 read server hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] remove session
> smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> from client cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
> mail.info] delete smtp session
> id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.22] said: 403
> 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] mxtls.allianz.com[194.127.3.21]:25: TLS cipher list
> "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] looking for session
> smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> in smtp cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
> mail.info] lookup smtp session
> id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:before/connect initialization
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] write to 000A3418 [000F6020] (363 bytes => 363 (0x16B))
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 70
> ....f... b..Q...p
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0010 e9 dc 5b a9 11 c3 47 1e|77 5b 4a a8 81 81 26 40
> ..[...G. w[J...&@
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0020 e2 0a 41 b0 2e b9 96 2c|2e 63 e4 00 00 ca c0 19
> ..A...., .c......
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28 .
> ...m.: ...0.,.(
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b
> .$....." .!.....k
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a
> .j.9.8.. ...2...*
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17
> .&...... .=.5....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34
> ........ .....l.4
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09
> ...F./.+ .'.#....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32
> ........ .g.@.3.2
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25
> .....E.D .1.-.).%
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07
> .......< ./...A..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04
> ........ ...o....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19
> .......4 .2......
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00
> ........ .....#..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02 ...".
> .. ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01
> ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01
> ........ ...
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] read from 000A3418 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
> Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect:error in SSLv2/v3 read server hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] remove session
> smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> from client cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
> mail.info] delete smtp session
> id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
> mail.info] 704A35DD5: to=<
[hidden email]>,
> relay=mxtls.allianz.com[194.127.3.21]:25, delay=64211,
> delays=64211/0/0.54/0.01, dsn=4.7.0, status=deferred (host
> mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0
> less than 256 (in reply to MAIL FROM command))
>
>
> # egrep -v "^#" /etc/postfix/OUT/master.cf
> smtp26 inet n - n - 200 smtpd
> -o smtpd_client_connection_count_limit=100
> cryptosmtp unix - - n - 50 smtp
> -o smtp_data_done_timeout=1200
> tlsmgr unix - - n 1000? 1 tlsmgr
> pickup fifo n - n 60 1 pickup
> cleanup unix n - n - 0 cleanup
> qmgr fifo n - n 300 1 qmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
> flush unix n - n 1000? 0 flush
> proxymap unix - - n - - proxymap
> smtp unix - - n - - smtp
> relay unix - - n - - smtp
> showq unix n - n - - showq
> error unix - - n - - error
> discard unix - - n - - discard
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> anvil unix - - n - 1 anvil
> scache unix - - n - 1 scache
> maildrop unix - n n - - pipe
> flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> old-cyrus unix - n n - - pipe
> flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> cyrus unix - n n - - pipe
> user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
> uucp unix - n n - - pipe
> flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
> ($recipient)
> ifmail unix - n n - - pipe
> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
> flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
> $recipient
>
> # postconf -c /etc/postfix/OUT -n
> alias_database = hash:/etc/postfix/aliases
> alias_maps = $alias_database
> body_checks = pcre:/etc/postfix/OUT/body_checks
> body_checks_size_limit = 512000
> bounce_queue_lifetime = 3d
> bounce_template_file = /etc/postfix/bounce.cf
> command_directory = /opt/vrnetze/postfix/sbin
> config_directory = /etc/postfix/OUT
> daemon_directory = /opt/vrnetze/postfix/libexec
> data_directory = /var/spool/postfix-OUT/DATA
> debug_peer_level = 2
> default_privs = nobody
> default_process_limit = 200
> disable_vrfy_command = yes
> fast_flush_domains = $relay_domains
> header_checks = pcre:/etc/postfix/OUT/header_checks
> html_directory = no
> inet_interfaces = all
> luser_relay =
[hidden email]
> mail_name = Mailservice
> mail_owner = postfix
> mailbox_size_limit = 56000001
> mailq_path = /usr/bin/mailq
> manpage_directory = /opt/vrnetze/postfix/man
> maximal_queue_lifetime = 3d
> message_size_limit = 56000000
> mime_header_checks = pcre:/etc/postfix/OUT/mime_header_checks
> mydestination = $myhostname, localhost.$mydomain
> mydomain = EXAMPLE.COM
> myhostname = mail.EXAMPLE.COM
> mynetworks = /etc/postfix/relay_from_networks
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases
> proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
> queue_directory = /var/spool/postfix-OUT
> readme_directory = /opt/vrnetze/postfix/doc
> receive_override_options = no_address_mappings
> relay_domains = /etc/postfix/relay_to_domains
> sample_directory = /etc/postfix
> sender_canonical_maps = btree:/etc/postfix/sender_canonical
> sendmail_path = /usr/lib/sendmail
> setgid_group = postdrop
> smtp_enforce_tls = no
> smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
> smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
> smtp_tls_key_file = /etc/postfix/CERTS/key.pem
> smtp_tls_loglevel = 1
> smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
> smtp_tls_scert_verifydepth = 8
> smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
> smtp_tls_session_cache_timeout = 3600s
> smtp_use_tls = yes
> smtpd_banner = $myhostname ESMTP Mailservice
> smtpd_enforce_tls = no
> smtpd_recipient_restrictions = reject_non_fqdn_recipient,
> reject_non_fqdn_sender, permit_mynetworks, reject
> smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
> smtpd_tls_ask_ccert = yes
> smtpd_tls_ccert_verifydepth = 8
> smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
> smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = no
> smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> soft_bounce = no
> syslog_name = postfix-OUT
> transport_maps = btree:/etc/postfix/fehlerdomains,
> btree:/etc/postfix/transport
> unknown_address_reject_code = 554
> unknown_local_recipient_reject_code = 550
>
>
Locked
