detecting TLS issues in delivery - Cannot start TLS: handshake failure

detecting TLS issues in delivery - Cannot start TLS: handshake failure

Stefan Bauer-2
Hi,

how can the following error be detected and an instant bounce/reject be sent to the sender?

-- 880 Kbytes in 3 Requests.
root@mx1:~# mailq
-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A97288008B   776694 Sun Jan 13 13:14:29  sender@sender
                                         (Cannot start TLS: handshake failure)
                                         recipient@recipient

Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to recipient.tld[ip]:25: -1
Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem: error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:1472:
Jan 15 14:23:01 mx1 smtp[5985]: A97288008B: to=<recipient@recipient>, relay=recipient.tld[ip]:25, delay=173312, delays=173282/15/15/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

smtp_delivery_status_filter does not seem to have any effect.

thank you.

Stefan

Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

Wietse Venema
Stefan Bauer:

> Hi,
>
> how can the following error be detected and an instant bounce/reject
> be sent to the sender?
>
> -- 880 Kbytes in 3 Requests.
> root@mx1:~# mailq
> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
> A97288008B   776694 Sun Jan 13 13:14:29  sender@sender
>                                          (Cannot start TLS: handshake
> failure)

http://www.postfix.org/postconf.5.html#reject_unverified_recipient.

> Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to recipient.tld[ip]:25:
> -1
> Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem:
> error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
> small:../ssl/statem/statem_clnt.c:1472:
> Jan 15 14:23:01 mx1 smtp[5985]: A97288008B: to=<recipient@recipient>,
> relay=recipient.tld[ip]:25, delay=173312, delays=173282/15/15/0, dsn=4.7.5,
> status=deferred (Cannot start TLS: handshake failure)
>
> smtp_delivery_status_filter does not seem to have any effect.

Then you made a mistake. Which mistake? Insufficient data.

        Wietse

Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

Stefan Bauer-2
reject_unverified_recipient is not an option as remote sites don't like probing/verify requests. After rechecking, I had a typo in my regex.

Damn! It was working as documented. Sorry.


On Wed, 16 Jan 2019 at 13:17, Wietse Venema <[hidden email]> wrote:
Stefan Bauer:
> Hi,
>
> how can the following error be detected and an instant bounce/reject
> be sent to the sender?
>
> -- 880 Kbytes in 3 Requests.
> root@mx1:~# mailq
> -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
> A97288008B   776694 Sun Jan 13 13:14:29  sender@sender
>                                          (Cannot start TLS: handshake
> failure)

http://www.postfix.org/postconf.5.html#reject_unverified_recipient.

> Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to recipient.tld[ip]:25:
> -1
> Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem:
> error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
> small:../ssl/statem/statem_clnt.c:1472:
> Jan 15 14:23:01 mx1 smtp[5985]: A97288008B: to=<recipient@recipient>,
> relay=recipient.tld[ip]:25, delay=173312, delays=173282/15/15/0, dsn=4.7.5,
> status=deferred (Cannot start TLS: handshake failure)
>
> smtp_delivery_status_filter does not seem to have any effect.

Then you made a mistake. Which mistake? Insufficient data.

        Wietse
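Stefan's approach, a smtp_delivery_status_filter rule that rewrites the deferred 4.7.5 "Cannot start TLS: handshake failure" status into a permanent 5.7.5 one so the message bounces instead of sitting in the queue, as an added example that is not part of the thread: a Python emulation of the pcre: table lookup (available in Postfix 3.0 and later) run over constructed log lines shaped like the ones quoted above, so the regex can be checked before it is deployed. The log lines, the queue IDs and the filter rule are constructed for this example, not taken from Stefan's configuration.

```python
import re

# Constructed log lines in the shape of the smtp(8) delivery records quoted in
# the thread (queue id, recipient, relay, dsn=, status=(text)); not real traffic.
SAMPLE_LOG = """\
Jan 15 14:23:01 mx1 smtp[5985]: A97288008B: to=<recipient@recipient>, relay=recipient.tld[ip]:25, delay=173312, delays=173282/15/15/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Jan 15 14:23:07 mx1 smtp[5990]: B12345678C: to=<user@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 15 14:23:09 mx1 smtp[5991]: C23456789D: to=<user@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=30, delays=0.1/0/30/0, dsn=4.4.2, status=deferred (lost connection with mx.example.org[192.0.2.20] while receiving the initial server greeting)
"""

DELIVERY_RE = re.compile(
    r" (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>.*?"
    r"dsn=(?P<dsn>\d\.\d+\.\d+), status=(?P<status>\w+) \((?P<text>.*)\)$"
)

# smtp_delivery_status_filter with a pcre: table: the lookup key is the enhanced
# status code, a space, and the status text; the matching rule's right-hand side
# (with $1 expanded) becomes the new code and text.  This rule is an assumed
# example, not Stefan's table: only the TLS handshake failure becomes permanent,
# so every other 4.x.x deferral keeps retrying.  Python writes \1 where the
# Postfix pcre: table would write $1.
FILTER_RULES = [
    (re.compile(r"^4(\.7\.5 .*Cannot start TLS: handshake failure)"), r"5\1"),
]


def parse_delivery(line):
    """Return (queue_id, dsn, status, text) for a delivery record, else None."""
    m = DELIVERY_RE.search(line)
    if not m:
        return None
    return m.group("qid"), m.group("dsn"), m.group("status"), m.group("text")


def apply_filter(dsn, text, rules=FILTER_RULES):
    """Emulate the pcre: lookup: first matching rule wins, no match = unchanged."""
    key = f"{dsn} {text}"
    for pattern, replacement in rules:
        m = pattern.search(key)
        if m:
            return m.expand(replacement)
    return key


def hard_bounced(log, rules=FILTER_RULES):
    """Queue IDs whose deferral the filter turns into a 5.x.x (bounce) status."""
    out = []
    for line in log.splitlines():
        rec = parse_delivery(line)
        if rec and rec[2] == "deferred" and apply_filter(rec[1], rec[3], rules)[0] == "5":
            out.append(rec[0])
    return out
```

On the real system the same lookup is done against the actual table with `postmap -q "4.7.5 Cannot start TLS: handshake failure" pcre:/etc/postfix/smtp_dsn_filter`; an empty result there is what a typo in the regex looks like.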

Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

Wietse Venema
Stefan Bauer:
> reject_unverified_recipient is not an option as remote sites don't like
> probing/verify requests. After rechecking, I had a typo in my regex.

reject_unverified RECIPIENT, not reject_unverified_SENDER

        Wietse

> Damn! It was working as documented. Sorry.
>
>
> On Wed, 16 Jan 2019 at 13:17, Wietse Venema <
> [hidden email]> wrote:
>
> > Stefan Bauer:
> > > Hi,
> > >
> > > how can the following error be detected and an instant bounce/reject
> > > be sent to the sender?
> > >
> > > -- 880 Kbytes in 3 Requests.
> > > root@mx1:~# mailq
> > > -Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
> > > A97288008B   776694 Sun Jan 13 13:14:29  sender@sender
> > >                                          (Cannot start TLS: handshake
> > > failure)
> >
> > http://www.postfix.org/postconf.5.html#reject_unverified_recipient.
> >
> > > Jan 15 14:23:01 mx1 smtp[5985]: SSL_connect error to
> > recipient.tld[ip]:25:
> > > -1
> > > Jan 15 14:23:01 mx1 smtp[5985]: warning: TLS library problem:
> > > error:141A318A:SSL routines:tls_process_ske_dhe:dh key too
> > > small:../ssl/statem/statem_clnt.c:1472:
> > > Jan 15 14:23:01 mx1 smtp[5985]: A97288008B: to=<recipient@recipient>,
> > > relay=recipient.tld[ip]:25, delay=173312, delays=173282/15/15/0,
> > dsn=4.7.5,
> > > status=deferred (Cannot start TLS: handshake failure)
> > >
> > > smtp_delivery_status_filter does not seem to have any effect.
> >
> > Then you made a mistake. Which mistake? Insufficient data.
> >
> >         Wietse
> >

Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

Viktor Dukhovni
> On Jan 16, 2019, at 9:56 AM, Wietse Venema <[hidden email]> wrote:
>
>> reject_unverified_recipient is not an option as remote sites don't like
>> probing/verify requests. After rechecking, I had a typo in my regex.
>
> reject_unverified RECIPIENT, not reject_unverified_SENDER

Specifically, because it would be used on the submission port or
only for clients in trusted networks, it would not be open to abuse
by random strangers.  The same users allowed to send email to the
remote site are the ones who would initially trigger a verification
probe occasionally as part of submitting an outbound message.

It is fairly safe, and should not raise any issue with remote
receiving systems.  You can monitor your logs for signs of
misuse by trusted clients.

--
        Viktor.


Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

Stefan Bauer-2
"Some sites may blacklist you when you are probing them too often (a probe is an SMTP session that does not deliver mail), or when you are probing them too often for a non-existent address. This is one reason why you should use sender address verification sparingly, if at all, when your site receives lots of email."

http://www.postfix.org/ADDRESS_VERIFICATION_README.html#limitations

As our user may do mailings from time to time, I do not want to get a bad reputation by probing Microsoft, Yahoo or whatever too often. :) For the remote site, I see no difference between sender and recipient verification. In both cases, I'm doing a 'half delivery' of a mail.


On Wednesday, 16 January 2019, Viktor Dukhovni <[hidden email]> wrote:

>> On Jan 16, 2019, at 9:56 AM, Wietse Venema <[hidden email]> wrote:
>>
>>> reject_unverified_recipient is not an option as remote sites don't like
>>> probing/verify requests. After rechecking, I had a typo in my regex.
>>
>> reject_unverified RECIPIENT, not reject_unverified_SENDER
>
> Specifically, because it would be used on the submission port or
> only for clients in trusted networks, it would not be open to abuse
> by random strangers.  The same users allowed to send email to the
> remote site are the ones who would initially trigger a verification
> probe occasionally as part of submitting an outbound message.
>
> It is fairly safe, and should not raise any issue with remote
> receiving systems.  You can monitor your logs for signs of
> misuse by trusted clients.
>
> --
>         Viktor.
>
>

Re: detecting TLS issues in delivery - Cannot start TLS: handshake failure

Viktor Dukhovni
> On Jan 16, 2019, at 3:24 PM, Stefan Bauer <[hidden email]> wrote:
>
> "Some sites may blacklist you when you are probing them too often (a probe is an SMTP session that does not deliver mail), or when you are probing them too often for a non-existent address. This is one reason why you should use sender address verification sparingly, if at all, when your site receives lots of email."
>
> http://www.postfix.org/ADDRESS_VERIFICATION_README.html#limitations
>
> As our user may do mailings from time to time, I do not want to get a bad reputation by probing Microsoft, Yahoo or whatever too often. :) For the remote site, I see no difference between sender and recipient verification. In both cases, I'm doing a 'half delivery' of a mail.

But there is a big difference.  With sender verification, complete
strangers can get your MTA to probe address validity at sites you
never send email to.

With recipient verification, you're at most doubling the number of
RCPT TO commands sent to a site, because you'd otherwise just send
the message, perhaps repeatedly, if it enters your queue and then
soft-fails on each delivery attempt before ultimately bouncing.

If you have bulk senders, you could opt them out of recipient
verification, and perhaps also TLS enforcement.

--
        Viktor.