Troubleshooting "SSL_accept error" that happens with only one domain , iship.com (a UPS company)


daveg
Hello,

My office receives email from UPS, since we're a customer.

One of the domains that UPS emails from is apparently "iship.com".

We're not getting those emails.

From the Postfix mail server's logs there's this for one of the 'misses'

  mail postfix/postscreen[4531]: PASS NEW [64.74.4.33]:56785
  mail postfix/postscreen-smtpd/smtpd[4537]: connect from mail3.iship.com[64.74.4.33]
  mail postfix/postscreen-smtpd/smtpd[4537]: SSL_accept error from mail3.iship.com[64.74.4.33]: -1
  mail postfix/postscreen-smtpd/smtpd[4537]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1404:
  mail postfix/postscreen-smtpd/smtpd[4537]: lost connection after STARTTLS from mail3.iship.com[64.74.4.33]
  mail postfix/postscreen-smtpd/smtpd[4537]: disconnect from mail3.iship.com[64.74.4.33] ehlo=1 starttls=0/1 commands=1/2

This is the only domain that I see this error with.  I'm guessing it's some kind of problem with their SSL?

I tried to communicate with someone @ iship.com.  Nobody home.  Or interested :-(

I checked with some tools I read about online, and I get

  telnet mail3.iship.com 25
    Trying 64.74.4.33...
    Connected to mail3.iship.com.
    Escape character is '^]'.
    220 mail3.iship.com Microsoft ESMTP MAIL Service ready at Tue, 24 Oct 2017 16:07:14 -0700
    ehlo me
    250-mail3.iship.com Hello [xx.xx.xx.xx]
    250-SIZE 16777216
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH
    250-X-EXPS NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250 XEXCH50

and

  openssl s_client -connect mail3.iship.com:25 -starttls smtp
    CONNECTED(00000003)
    write:errno=0
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 350 bytes and written 209 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1508886336
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no

I'd like to get a handle on what the problem actually is here.  And if I can fix something on my end, maybe a workaround for this one domain.  Or better, if I can figure out how to get THEM to fix it, if it really is on their system.

Thanks for any help.

Dave

Re: Troubleshooting "SSL_accept error" that happens with only one domain , iship.com (a UPS company)

Petri Riihikallio
> [hidden email] wrote on 25.10.2017 at 2:35:
>
> Hello,
>
> My office receives email from UPS, since we're a customer.
>
> One of the domains that UPS emails from is apparently "iship.com".
>
> We're not getting those emails.

You and UPS require different sets of ciphers and have none in common. Either you have tinkered with server cipher requirements or UPS has edited their client cipher list. Check your postconf -n to find out if it's you.
http://www.postfix.org/TLS_README.html#server_cipher

Testing with openssl s_client doesn’t prove anything about Postfix cipher settings (except that the connection is possible if no setting denies it.)

The general rule is to use the defaults. Postfix defaults are set to err on the safe side. You’ll gain very little by altering them. If you try to “harden” Postfix you usually end up with no connection or fall back to plaintext.

--
Cheers
Petri
https://metis.fi/en/petri
tel:+358400505939




Re: Troubleshooting "SSL_accept error" that happens with only one domain , iship.com (a UPS company)

daveg
On Wed, Oct 25, 2017, at 03:39 AM, Petri Riihikallio wrote:
> You and UPS require different sets of ciphers and have none in common. Either you have tinkered with server cipher requirements or UPS has edited their client cipher list. Check your postconf -n to find out if it's you.
> http://www.postfix.org/TLS_README.html#server_cipher
>
> Testing with openssl s_client doesn’t prove anything about Postfix cipher settings (except that the connection is possible if no setting denies it.)
>
> The general rule is to use the defaults. Postfix defaults are set to err on the safe side. You’ll gain very little by altering them. If you try to “harden” Postfix you usually end up with no connection or fall back to plaintext.

I checked the server and this is how it's configured

 postconf -n | grep smtpd | grep tls | grep ciphers
  smtpd_tls_ciphers = medium
  smtpd_tls_exclude_ciphers = EXPORT, LOW, RC4, eNULL, NULL
  smtpd_tls_mandatory_ciphers = medium
  smtpd_tls_mandatory_exclude_ciphers = aNULL
  tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers

 postconf -n | grep smtpd | grep tls | grep protocols
  smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
  smtpd_tls_protocols = !SSLv2, !SSLv3
  tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
  tlsproxy_tls_protocols = $smtpd_tls_protocols

Checking the logs for last 6 months, this is the ONLY domain that these errors exist for.  I guess

Any way to check what THEY are trying to use?  Which cipher?

Dave
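Dave checked six months of logs for this pattern by hand; the script below is an added example (not from the thread) of the same triage done programmatically: it pairs each "SSL_accept error" with the "TLS library problem" reason logged by the same smtpd process, counts failures and successful TLS sessions per client host, and lists hosts that never succeed. The log lines are constructed from the excerpt above, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the log excerpt in the thread.
SAMPLE_LOG = """\
Oct 24 16:01:02 mail postfix/postscreen-smtpd/smtpd[4537]: connect from mail3.iship.com[64.74.4.33]
Oct 24 16:01:02 mail postfix/postscreen-smtpd/smtpd[4537]: SSL_accept error from mail3.iship.com[64.74.4.33]: -1
Oct 24 16:01:02 mail postfix/postscreen-smtpd/smtpd[4537]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1404:
Oct 24 16:01:02 mail postfix/postscreen-smtpd/smtpd[4537]: lost connection after STARTTLS from mail3.iship.com[64.74.4.33]
Oct 24 16:05:00 mail postfix/smtpd[2313]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Oct 24 17:11:09 mail postfix/postscreen-smtpd/smtpd[4602]: SSL_accept error from mail3.iship.com[64.74.4.33]: -1
Oct 24 17:11:09 mail postfix/postscreen-smtpd/smtpd[4602]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1404:
"""

ACCEPT_RE = re.compile(r"smtpd\[(\d+)\]: SSL_accept error from (\S+)\[[\d.]+\]")
LIBPROB_RE = re.compile(r"smtpd\[(\d+)\]: warning: TLS library problem: error:([0-9A-F]+):SSL routines:[^:]*:([^:]+):")
ESTAB_RE = re.compile(r"TLS connection established from (\S+)\[[\d.]+\]: (\S+) with cipher (\S+)")

def summarize_tls(log_text):
    """Return (failures, successes): host -> Counter of OpenSSL reason strings,
    and host -> Counter of 'protocol cipher' for established sessions."""
    failures = defaultdict(Counter)
    successes = defaultdict(Counter)
    pending = {}  # smtpd pid -> host whose SSL_accept error awaits its reason line
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = LIBPROB_RE.search(line)
        if m and m.group(1) in pending:
            failures[pending.pop(m.group(1))][m.group(3)] += 1
            continue
        m = ESTAB_RE.search(line)
        if m:
            successes[m.group(1)][f"{m.group(2)} {m.group(3)}"] += 1
    for host in pending.values():  # SSL_accept errors with no reason line at all
        failures[host]["(no reason logged)"] += 1
    return dict(failures), dict(successes)

def hosts_never_succeeding(log_text):
    """Hosts with TLS failures and not a single established TLS session."""
    failures, successes = summarize_tls(log_text)
    return sorted(h for h in failures if h not in successes)
```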

Re: Troubleshooting "SSL_accept error" that happens with only one domain , iship.com (a UPS company)

daveg
On Wed, Oct 25, 2017, at 06:32 AM, Fazzina, Angelo wrote:
> When it works I get this
>
> Oct 25 09:30:01 mta1 postfix/smtpd[2313]: Anonymous TLS connection established from unknown[60.6.49.148]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Sure, here too.

This server gets lots of mail from lots of domains.   All of them that use TLS have that kind of message.

There are no problems with ciphers of any kind.  At least not in the logs.
Except for this one domain.

Dave

Re: Troubleshooting "SSL_accept error" that happens with only one domain , iship.com (a UPS company)

Matus UHLAR - fantomas
In reply to this post by daveg
>On Wed, Oct 25, 2017, at 03:39 AM, Petri Riihikallio wrote:
>> You and UPS require different sets of ciphers and have none in common. Either you have tinkered with server cipher requirements or UPS has edited their client cipher list. Check your postconf -n to find out if it's you.
>> http://www.postfix.org/TLS_README.html#server_cipher
>>
>> Testing with openssl s_client doesn’t prove anything about Postfix cipher settings (except that the connection is possible if no setting denies it.)
>>
>> The general rule is to use the defaults. Postfix defaults are set to err
>> on the safe side.  You’ll gain very little by altering them.  If you try
>> to “harden” Postfix you usually end up with no connection or fall back to
>> plaintext.

On 25.10.17 05:49, [hidden email] wrote:
>I checked the server and this is how it's configured
>
> postconf -n | grep smtpd | grep tls | grep ciphers
>  smtpd_tls_ciphers = medium
>  smtpd_tls_mandatory_ciphers = medium

This looks like you only accept medium grade ciphers ... so no high grade.
That means Petri was right about "hardening". Use "medium, high".

>Any way to check what THEY are trying to use?  Which cipher?

You can capture their connections using tcpdump or wireshark, but I don't
think that's important now...
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.  -- Daffy Duck & Porky Pig
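Matus points at a packet capture as the way to see which ciphers the remote client offers. As an added example (not from the thread), this Python parser pulls the cipher suite list out of a captured ClientHello record and intersects it with the suites a server would accept, which is exactly the check OpenSSL fails with "no shared cipher". The ClientHello bytes and the server's allowed list are constructed for illustration; nothing here is iship.com's real handshake.

```python
import struct

# OpenSSL names for a handful of IANA cipher suite IDs (real values).
SUITE_NAMES = {
    0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x000A: "DES-CBC3-SHA",
    0x002F: "AES128-SHA", 0x0035: "AES256-SHA",
    0x009F: "DHE-RSA-AES256-GCM-SHA384", 0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
}

def build_client_hello(suites, version=(3, 3)):
    """Construct a minimal TLS record carrying a ClientHello (test input only)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00"  # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 (handshake)

def parse_client_hello(record):
    """Return (client_version, [suite ids]) from a TLS record holding a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9  # skip 5-byte record header and 4-byte handshake header
    version = (record[pos], record[pos + 1]); pos += 2
    pos += 32  # client random
    pos += 1 + record[pos]  # session id (length-prefixed)
    n = struct.unpack("!H", record[pos:pos + 2])[0]; pos += 2
    suites = [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    return version, suites

def shared_ciphers(client_suites, server_suites):
    """Suites both sides accept, in the client's preference order."""
    allowed = set(server_suites)
    return [SUITE_NAMES.get(s, f"0x{s:04X}") for s in client_suites if s in allowed]

# Constructed scenario: a legacy client offering only RC4 and 3DES suites against a
# server whose cipher policy (like Dave's exclusions) drops RC4 and weak suites.
LEGACY_CLIENT = [0x0005, 0x0004, 0x000A]
SERVER_ALLOWED = [0xC030, 0x009F, 0x0035, 0x002F]
```

The empty intersection for LEGACY_CLIENT is the server-side "no shared cipher"; a client offering 0xC030 or 0x002F negotiates normally.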

Re: Troubleshooting "SSL_accept error" that happens with only one domain , iship.com (a UPS company)

daveg


On Wed, Oct 25, 2017, at 06:45 AM, Matus UHLAR - fantomas wrote:
> > postconf -n | grep smtpd | grep tls | grep ciphers
> >  smtpd_tls_ciphers = medium
> >  smtpd_tls_mandatory_ciphers = medium
>
> this looks like you only accept medium grade ciphers ... so no high grade.
> That means Petri was right about "hardening". Use "medium, high".

What do you mean by

  "That means Petri was right about "hardening". Use "medium, high"."

?

At

 http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_ciphers

for

 smtpd_tls_mandatory_ciphers (default: medium)

it says

 medium
    Enable "MEDIUM" grade or stronger OpenSSL ciphers. These use 128-bit or longer symmetric bulk-encryption keys. This is the default minimum strength for mandatory TLS encryption. The underlying cipherlist is specified via the tls_medium_cipherlist configuration parameter, which you are strongly encouraged to not change.

and for

 smtpd_tls_ciphers (default: medium)

it says

    The minimum TLS cipher grade that the Postfix SMTP server will use with opportunistic TLS encryption. Cipher types listed in smtpd_tls_exclude_ciphers are excluded from the base definition of the selected cipher grade. The default value is "medium" for Postfix releases after the middle of 2015, "export" for older releases.

For both parameters, a value of 'medium' is

 (1) a "minimum strength"
 (2) *includes* high.
 (3) is the default

Why use 'medium, high' ?

Dave

Re: Troubleshooting "SSL_accept error" that happens with only one domain , iship.com (a UPS company)

Petri Riihikallio
In reply to this post by daveg
> I checked the server and this is how it's configured
>
> postconf -n | grep smtpd | grep tls | grep ciphers
>  smtpd_tls_ciphers = medium
>  smtpd_tls_exclude_ciphers = EXPORT, LOW, RC4, eNULL, NULL
>  smtpd_tls_mandatory_ciphers = medium
>  smtpd_tls_mandatory_exclude_ciphers = aNULL
>  tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers

Both smtpd_*_exclude_ciphers default to empty. Do you know why they are non-empty in your config?

Like I wrote earlier: If you try to “harden” Postfix you’ll run into trouble. Postfix defaults to as secure as possible without sacrificing functionality.

Perhaps iship.com is running some really old MTA, but it is their decision. In that case (after emptying the exclude lists) you can try replacing “medium” with “export”. That is not a recommended setting (a.k.a. default) however, so try first just without the exclusions.

--
Cheers
Petri
https://metis.fi/en/petri
tel:+358400505939




Re: Troubleshooting "SSL_accept error" that happens with only one domain , iship.com (a UPS company)

daveg


On Wed, Oct 25, 2017, at 06:57 AM, Petri Riihikallio wrote:

> > I checked the server and this is how it's configured
> >
> > postconf -n | grep smtpd | grep tls | grep ciphers
> >  smtpd_tls_ciphers = medium
> >  smtpd_tls_exclude_ciphers = EXPORT, LOW, RC4, eNULL, NULL
> >  smtpd_tls_mandatory_ciphers = medium
> >  smtpd_tls_mandatory_exclude_ciphers = aNULL
> >  tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
>
> Both smtpd_*_exclude_ciphers default to empty. Do you know why they are non-empty in your config?

The notes I found just reference this article by

 "An OpenSSL User’s Guide to DROWN"
  https://www.openssl.org/blog/blog/2016/03/01/an-openssl-users-guide-to-drown/
   Posted by Viktor Dukhovni and Emilia Käsper , Mar 1st, 2016 2:59 pm

Which recommended

 # Suggested, not strictly needed:
 #
 smtpd_tls_exclude_ciphers =
         EXPORT, LOW, MD5, SEED, IDEA, RC2
 smtp_tls_exclude_ciphers =
         EXPORT, LOW, MD5, aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2

and this discussion

 "RC4 in live email servers?"
   http://postfix.1071664.n5.nabble.com/RC4-in-live-email-servers-td78249.html#a78283
   Viktor Dukhovni, Jul 18, 2015; 1:12pm

Dave