Supporting legacy clients

Supporting legacy clients

KSB-2
Hi!
After upgrading to postfix 3.1 (from 2.9), one of our clients said it
cannot send mail anymore (he has OE6 on XP and said it's planned to
upgrade, but not now).

What we got in the logs:
postfix/smtpd[16747]: connect from CLIENTIP
postfix/smtpd[16747]: setting up TLS connection from CLIENTIP
postfix/smtpd[16747]: CLIENTIP: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
postfix/smtpd[16747]: SSL_accept:before SSL initialization
postfix/smtpd[16747]: SSL_accept:before SSL initialization
postfix/smtpd[16747]: SSL3 alert write:fatal:handshake failure
postfix/smtpd[16747]: SSL_accept:error in error
postfix/smtpd[16747]: SSL_accept error from CLIENTIP: -1
postfix/smtpd[16747]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1422:
postfix/smtpd[16747]: lost connection after STARTTLS from CLIENTIP
postfix/smtpd[16747]: disconnect from CLIENTIP ehlo=1 starttls=0/1 commands=1/2
postfix/smtpd[16801]: connect from CLIENTIP
postfix/smtpd[16801]: lost connection after MAIL from CLIENTIP
postfix/smtpd[16801]: disconnect from CLIENTIP ehlo=1 mail=1 commands=2


Regarding cipher configuration, everything is left at the default:
# postconf -n | grep cipher
#

We also noticed that tls_medium_cipherlist has changed; is it the cause of
this problem (the real cause is old software, though)?

--
KSB
Re: Supporting legacy clients

@lbutlr
On 2017-03-08 (03:51 MST), KSB <[hidden email]> wrote:
>
> Hi!
> After upgrading to postfix 3.1 (from 2.9), one of our clients said it cannot send mail anymore (he has OE6 on XP and said it's planned to upgrade, but not now).

OE6 has been out of development for… 10 years? It simply cannot do modern security.

They can get a version of Thunderbird that should still work under XP, or if you've set up webmail (roundcube, squirrelmail) they can use that.

> We also noticed that tls_medium_cipherlist has changed; is it the cause of this problem (the real cause is old software, though)?

No, the problem is a classic PEBKAC issue.

--
Apple broke AppleScripting signatures in Mail.app, so no random signatures.


Re: Supporting legacy clients

Viktor Dukhovni
In reply to this post by KSB-2

> On Mar 8, 2017, at 5:51 AM, KSB <[hidden email]> wrote:
>
> After upgrading to postfix 3.1 (from 2.9), one of our clients said it cannot send mail anymore (he has OE6 on XP and said it's planned to upgrade, but not now).
>
> What we got in the logs:
> postfix/smtpd[16747]: connect from CLIENTIP
> postfix/smtpd[16747]: setting up TLS connection from CLIENTIP
> postfix/smtpd[16747]: CLIENTIP: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
> postfix/smtpd[16747]: SSL_accept:before SSL initialization
> postfix/smtpd[16747]: SSL_accept:before SSL initialization
> postfix/smtpd[16747]: SSL3 alert write:fatal:handshake failure
> postfix/smtpd[16747]: SSL_accept:error in error
> postfix/smtpd[16747]: SSL_accept error from CLIENTIP: -1
> postfix/smtpd[16747]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1422:

I would expect XP systems to use RC4-SHA or RC4-MD5, both of which
are still included in the medium cipherlist, *provided* that the
OpenSSL library you're using still supports RC4.  Did you happen
to also upgrade OpenSSL (not just Postfix)?

Post the output of:

   $ openssl ciphers -v 'RSA+RC4'

making sure that "ldd openssl" reports the same libraries
that the Postfix "smtpd" is linked with.

When I try to use RC4 to connect to your server, I get:

   $ posttls-finger -c -Lsummary -o tls_medium_cipherlist="RC4" ksb.id.lv
   posttls-finger: SSL_connect error to mail.awtech.lv[94.101.232.12]:25: -1
   posttls-finger: warning: TLS library problem: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:769:

while 3DES works:

   $ posttls-finger -c -Lsummary -o tls_medium_cipherlist="3DES" ksb.id.lv
   posttls-finger: certificate verification failed for mail.awtech.lv[94.101.232.12]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
   posttls-finger: Untrusted TLS connection established to mail.awtech.lv[94.101.232.12]:25: TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA (112/168 bits)

So it looks like your OpenSSL library has dropped RC4 support, or
contrary to claim of "default" ciphers, you've in fact disabled RC4
in Postfix.

--
        Viktor.
Re: Supporting legacy clients

KSB-2
On 2017.03.08. 17:53, Viktor Dukhovni wrote:

>
>> On Mar 8, 2017, at 5:51 AM, KSB <[hidden email]> wrote:
>>
>> After upgrading to postfix 3.1 (from 2.9), one of our clients said it cannot send mail anymore (he has OE6 on XP and said it's planned to upgrade, but not now).
>>
>> What we got in the logs:
>> postfix/smtpd[16747]: connect from CLIENTIP
>> postfix/smtpd[16747]: setting up TLS connection from CLIENTIP
>> postfix/smtpd[16747]: CLIENTIP: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
>> postfix/smtpd[16747]: SSL_accept:before SSL initialization
>> postfix/smtpd[16747]: SSL_accept:before SSL initialization
>> postfix/smtpd[16747]: SSL3 alert write:fatal:handshake failure
>> postfix/smtpd[16747]: SSL_accept:error in error
>> postfix/smtpd[16747]: SSL_accept error from CLIENTIP: -1
>> postfix/smtpd[16747]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1422:
>
> I would expect XP systems to use RC4-SHA or RC4-MD5, both of which
> are still included in the medium cipherlist, *provided* that the
> OpenSSL library you're using still supports RC4.  Did you happen
> to also upgrade OpenSSL (not just Postfix)?
>
> Post the output of:
>
>    $ openssl ciphers -v 'RSA+RC4'
>

$ openssl ciphers -v 'RSA+RC4'
Error in cipher list
140306525717696:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2018:

So yes, I've upgraded OpenSSL as well. Now I see 2 possibilities:
1) downgrade to older OpenSSL < 1.1.0
2) recompile openssl with enable-weak-ssl-ciphers

Is it correct?

>
> When I try to use RC4 to connect to your server, I get:
>

This is not relevant this time, as it's another server, but anyway thank
you for testing :)

--
KSB

Re: Supporting legacy clients

Viktor Dukhovni

> On Mar 8, 2017, at 11:12 AM, KSB <[hidden email]> wrote:
>
> $ openssl ciphers -v 'RSA+RC4'
> Error in cipher list
> 140306525717696:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2018:
>
> So yes, I've upgraded OpenSSL as well. Now I see 2 possibilities:
> 1) downgrade to older OpenSSL < 1.1.0
> 2) recompile openssl with enable-weak-ssl-ciphers

Yes, RC4 is disabled in default builds of OpenSSL 1.1.0.
If you need RC4 support for legacy clients, you need an
OpenSSL library that still has RC4.

If you have both OpenSSL 1.1.0e and 1.0.2k installed
(in different locations) you could compile and link Postfix
against 1.0.2k.  Otherwise, if you only have 1.1.0e, I'd
rebuild it with "enable-weak-ssl-ciphers" while the problem
users take their time to upgrade.

--
        Viktor.
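A way to reproduce the thread's diagnosis from inside a process, as an added example that is not part of the original messages: it expands the cipher list smtpd logged through the OpenSSL library the interpreter is actually linked against (the same question `openssl ciphers -v` answers, minus the risk of asking a different libssl than the one smtpd loads) and intersects it with the ciphers an XP-era client offers. The client offer list is a constructed assumption based on Viktor's "RC4-SHA or RC4-MD5".

```python
import ssl

# The smtpd cipher list exactly as it appeared in the log above.
POSTFIX_DEFAULT_CIPHERLIST = "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"

# Constructed sample: what the thread says an OE6-on-XP client would
# offer. Not captured from a real client.
LEGACY_CLIENT_OFFER = ["RC4-SHA", "RC4-MD5"]


def resolve_cipherlist(spec):
    """Expand an OpenSSL cipher spec through the libssl this process loaded,
    like `openssl ciphers -v SPEC`. Returns [] when nothing matches, which is
    OpenSSL's "no cipher match" error from the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    # On OpenSSL 1.1.1+ the TLS 1.3 suites are listed as well; harmless here.
    return [c["name"] for c in ctx.get_ciphers()]


def shared_ciphers(server_spec, client_offer):
    """Ciphers both ends can use. An empty list is exactly the
    'no shared cipher' handshake failure smtpd logged."""
    server = set(resolve_cipherlist(server_spec))
    return [name for name in client_offer if name in server]


def diagnose(server_spec=POSTFIX_DEFAULT_CIPHERLIST,
             client_offer=LEGACY_CLIENT_OFFER):
    """One-line verdict for this OpenSSL build: is RC4 compiled in at all,
    and does the configured list leave anything the legacy client can use?"""
    rc4 = "available" if resolve_cipherlist("RC4") else "not compiled in"
    shared = shared_ciphers(server_spec, client_offer)
    if shared:
        outcome = "handshake can succeed with " + ", ".join(shared)
    else:
        outcome = "no shared cipher with offer " + ", ".join(client_offer)
    return "%s: RC4 %s; %s" % (ssl.OPENSSL_VERSION, rc4, outcome)


if __name__ == "__main__":
    print(diagnose())
```

Run it with the interpreter built against the same libssl `ldd` reports for smtpd; on a default OpenSSL 1.1.0 build it reports RC4 as not compiled in and no shared cipher, matching the thread's conclusion.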