confused with ssl settings and some error - need help

Poliman - Serwis
Hi,
To the default dovecot.conf file I added (based on documentation I found):
ssl = required
disable_plaintext_auth = yes     #change default 'no' to 'yes'
ssl_prefer_server_ciphers = yes
ssl_options = no_compression
ssl_dh_parameters_length = 2048
ssl_cipher_list = ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

I have the errors below (they appear in a loop in the mail.err log file):
#Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
#Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

When I set up the following in the postfix main.cf file (other lines default):
tls_ssl_options = no_ticket, no_compression
tls_preempt_cipherlist = yes
smtpd_sasl_security_options=noanonymous,noplaintext
smtpd_sasl_tls_security_options=noanonymous,noplaintext
smtpd_tls_mandatory_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
# instead of the below I tried smtpd_tls_mandatory_exclude_ciphers but I don't know what should be set up
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA

Is there some communication between dovecot and postfix using the above ciphers, or something that generates those errors in the log, or maybe some public client tries to connect and can't establish a connection?

Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and openssl 1.0.2k.
--
Pozdrawiam / Best Regards
Piotr Bracha



tel. 534 555 877
[hidden email]
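
The log lines quoted in the post above name the process that wrote them, so they can be grouped by logging component and OpenSSL reason string. The script below is an added example, not part of the original thread; the sample lines are constructed in the post's format (the fifth and sixth lines are invented for illustration), and the hint texts give the general meaning of each OpenSSL reason, not a diagnosis of this server.

```python
import re
from collections import Counter

# Constructed sample in the format of the mail.err lines quoted in the post,
# plus one constructed postfix line (192.0.2.10 is a documentation address).
SAMPLE_LOG = """\
#Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
#Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
#Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Apr 25 14:08:52 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Apr 25 14:09:02 serwer-1 postfix/smtpd[2211]: connect from unknown[192.0.2.10]
"""

SYSLOG_RE = re.compile(r"^#?\w{3}\s+\d+ [\d:]+ \S+ (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
OPENSSL_RE = re.compile(r"error:(?P<code>[0-9A-F]{8}):[^:]+:(?P<func>[^:]+):(?P<reason>.+)$")

# General meaning of each OpenSSL reason string (not a diagnosis of this server).
HINTS = {
    "unknown protocol": "peer's first bytes were not a TLS ClientHello",
    "wrong version number": "record or hello carried a protocol version the server rejects",
    "no shared cipher": "no cipher offered by the client is enabled on the server",
    "decryption failed or bad record mac": "a received record failed its integrity check",
}

def parse_tls_error(line):
    """Return (component, reason) for a line carrying an OpenSSL error, else None."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    err = OPENSSL_RE.search(m["msg"])
    if not err:
        return None
    component = m["tag"]
    if component == "dovecot":  # dovecot puts the service name first in the message
        component += "/" + m["msg"].split(":", 1)[0]
    return component, err["reason"]

def summarize(log_text):
    """Count TLS handshake failures per (logging component, OpenSSL reason)."""
    return Counter(filter(None, map(parse_tls_error, log_text.splitlines())))

if __name__ == "__main__":
    for (component, reason), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {component:20s} {reason}  ({HINTS.get(reason, 'see OpenSSL docs')})")
```
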
Re: confused with ssl settings and some error - need help

Wilfried.Essig@Essignetz.de
Your loglines seem to come from "dovecot: imap-login".

Does your postfix make imap logins? Mine doesn't do that.

But it should be possible by way of using smtp-auth that tests logins
against an imap server. Do you have this? Then, why didn't you provide
the corresponding loglines from your postfix?

As I see on the dovecot list, you asked the same question over there -
yesterday. And you got a smart answer - yesterday.
(http://markmail.org/message/u2b5aytovpkuxwgj)

Do you use LMTP or smtp-auth against imap?

Otherwise, I assume, you are completely wrong here on the postfix list.


Try to learn the difference between postfix, dovecot and the clients you
and/or your customers are using. That will really help you more.



Willi



On 27.04.2017 at 07:12, Poliman - Serwis wrote:

> Hi,
> To the default dovecot.conf file I added (based on documentation I found):
> ssl = required
> disable_plaintext_auth = yes     #change default 'no' to 'yes'
> ssl_prefer_server_ciphers = yes
> ssl_options = no_compression
> ssl_dh_parameters_length = 2048
> ssl_cipher_list =
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
>
> I have the errors below (they appear in a loop in the mail.err log file):
> #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> #Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record
> mac
> #Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error:
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
>
> When I set up the following in the postfix main.cf file (other lines default):
> tls_ssl_options = no_ticket, no_compression
> tls_preempt_cipherlist = yes
> smtpd_sasl_security_options=noanonymous,noplaintext
> smtpd_sasl_tls_security_options=noanonymous,noplaintext
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
> # instead of the below I tried smtpd_tls_mandatory_exclude_ciphers but I don't
> know what should be set up
> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
> aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
> smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
> EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
>
> Is there some communication between dovecot and postfix using the above
> ciphers, or something that generates those errors in the log, or maybe some
> public client tries to connect and can't establish a connection?
>
> Server with Ubuntu 16.04 LTS, postfix 3.1 and dovecot 2.2.22 and openssl
> 1.0.2k.
>

Re: confused with ssl settings and some error - need help

Poliman - Serwis
It can be deleted. Posted on the wrong mailing list.

2017-04-27 10:18 GMT+02:00 [hidden email] <[hidden email]>:
> Your loglines seem to come from "dovecot: imap-login".
>
> Does your postfix make imap logins? Mine doesn't do that.
>
> But it should be possible by way of using smtp-auth that tests logins
> against an imap server. Do you have this? Then, why didn't you provide
> the corresponding loglines from your postfix?
>
> As I see on the dovecot list, you asked the same question over there -
> yesterday. And you got a smart answer - yesterday.
> (http://markmail.org/message/u2b5aytovpkuxwgj)
>
> Do you use LMTP or smtp-auth against imap?
>
> Otherwise, I assume, you are completely wrong here on the postfix list.
>
> Try to learn the difference between postfix, dovecot and the clients you
> and/or your customers are using. That will really help you more.
>
> Willi

--
Pozdrawiam / Best Regards
Piotr Bracha



tel. 534 555 877
[hidden email]