error ssl stacked error routines


error ssl stacked error routines

Poliman - Serwis
Hi
I have configured one line in postfix main.cf (after configuring each line I check /var/log/mail.err):
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

After setting the above line I have errors in the above log file (these 4 lines looped):
Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Apr 25 14:14:25 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
Apr 25 14:10:51 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:14094085:SSL routines:ssl3_read_bytes:ccs received early
Apr 25 14:09:16 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext

--
Pozdrawiam / Best Regards
Piotr Bracha



tel. 534 555 877
[hidden email]

Re: error ssl stacked error routines

Viktor Dukhovni

> On Apr 25, 2017, at 10:15 AM, Poliman - Serwis <[hidden email]> wrote:
>
> I have configured one line in postfix main.cf (after configure each line
> I check /var/log/mail.err):

For *Postfix* errors.

> smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

This is a reasonable Postfix setting, presumably you have freshly generated
2048-bit strong-prime DH parameters in that file.

> After setup above line I have error in above log file (these 4 lines looped):

These are *Dovecot* errors, and "dovecot" != "postfix".

> Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
> Apr 25 14:08:09 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number
> Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> Apr 25 14:08:51 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
> Apr 25 14:14:25 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
> Apr 25 14:10:51 serwer-1 dovecot: pop3-login: Error: SSL: Stacked error: error:14094085:SSL routines:ssl3_read_bytes:ccs received early
> Apr 25 14:09:16 serwer-1 dovecot: imap-login: Error: SSL: Stacked error: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext

Perhaps there are some MUAs connecting to the dovecot IMAP service in
cleartext on a port where TLS is expected.  Please take this issue to
a Dovecot mailing list.

--
        Viktor.
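The situation Viktor describes, a mail client (or a scanner) speaking cleartext IMAP/POP3 to a port where Dovecot expects TLS, can be checked from the first bytes a client sends. The following is an added example, not code from the thread or from Dovecot/Postfix: it tells a TLS or SSLv2-compatible ClientHello apart from a plaintext IMAP, POP3, SMTP or HTTP opener and maps each case to the error the server-side OpenSSL 1.0.x (the version behind the log lines above) reports. The sample connections are constructed, not captured from the poster's server, and the regexes are a heuristic, not a full protocol parser.

```python
"""Triage what a client sent first on a TLS-only IMAP/POP3 port.

Added example (not from the thread, not Dovecot/Postfix code).  The
sample connections are constructed.
"""
import re
import struct

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello

# Cleartext mail protocols: IMAP commands carry a client tag first,
# POP3 and SMTP start with a verb.  Heuristic, not a full parser.
IMAP_RE = re.compile(rb"^[A-Za-z0-9.]+ (CAPABILITY|LOGIN|AUTHENTICATE|STARTTLS|NOOP|LOGOUT|ID)\b", re.I)
POP3_RE = re.compile(rb"^(USER|PASS|CAPA|STLS|APOP|AUTH|QUIT)\b", re.I)
SMTP_RE = re.compile(rb"^(EHLO|HELO|STARTTLS|QUIT)\b", re.I)
HTTP_RE = re.compile(rb"^(GET|POST|HEAD|PUT) ")

# What OpenSSL 1.0.x on the server logs for each case.  Everything that is
# not an SSL/TLS hello ends in SSL23_GET_CLIENT_HELLO:unknown protocol (or
# "http request" for the HTTP verbs it recognises); a real hello proceeds
# and can only fail later, e.g. "no shared cipher", which is then a matter
# of Dovecot's own ssl_* settings.
EXPECTED_OPENSSL_ERROR = {
    "cleartext-imap": "SSL23_GET_CLIENT_HELLO:unknown protocol",
    "cleartext-pop3": "SSL23_GET_CLIENT_HELLO:unknown protocol",
    "cleartext-smtp": "SSL23_GET_CLIENT_HELLO:unknown protocol",
    "http": "SSL23_GET_CLIENT_HELLO:http request",
    "unknown": "SSL23_GET_CLIENT_HELLO:unknown protocol",
}


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes of a connection by what they look like."""
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[5] == CLIENT_HELLO:
        # TLS record header is type(1) version(2) length(2); the handshake
        # message type follows at offset 5.
        return "tls-client-hello"
    if len(data) >= 3 and data[0] & 0x80 and data[2] == CLIENT_HELLO:
        # SSLv2-compatible hello: 2-byte length with the high bit set,
        # then message type 1 (CLIENT-HELLO).
        return "sslv2-client-hello"
    if IMAP_RE.match(data):
        return "cleartext-imap"
    if POP3_RE.match(data):
        return "cleartext-pop3"
    if SMTP_RE.match(data):
        return "cleartext-smtp"
    if HTTP_RE.match(data):
        return "http"
    return "unknown"


def hello_versions(data: bytes):
    """For a TLS ClientHello return ((record major, minor), (client major, minor)),
    None for anything else.  The client version sits at offset 9 after the
    4-byte handshake header."""
    if classify_first_bytes(data) != "tls-client-hello" or len(data) < 11:
        return None
    return (data[1], data[2]), (data[9], data[10])


def build_client_hello(client_version=(3, 3), cipher_suites=(0x009C, 0x002F)) -> bytes:
    """Build a minimal, structurally valid TLS ClientHello record with a
    TLS 1.0 record-layer version, as real clients send.  Random is zeroed:
    demo input only."""
    body = bytes(client_version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, one null compression
    handshake = bytes([CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body  # 3-byte length
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


# Constructed sample connections: label -> first bytes on the wire.
SAMPLE_CONNECTIONS = [
    ("mua-tls", build_client_hello()),
    ("old-mua-sslv2-hello", b"\x80\x2e\x01\x03\x01" + b"\x00" * 41),
    ("mua-cleartext-imap", b"a001 CAPABILITY\r\n"),
    ("mua-cleartext-pop3", b"USER bob\r\n"),
    ("browser", b"GET / HTTP/1.1\r\n"),
    ("scanner-garbage", b"\x00\x00\x00\x00"),
]


def triage(connections):
    """Map each (label, first_bytes) pair to (classification, expected OpenSSL
    error); the error is None when the handshake actually proceeds."""
    out = {}
    for label, first in connections:
        cls = classify_first_bytes(first)
        out[label] = (cls, EXPECTED_OPENSSL_ERROR.get(cls))
    return out


if __name__ == "__main__":
    for label, (cls, err) in triage(SAMPLE_CONNECTIONS).items():
        print(f"{label:22s} {cls:20s} {err or 'handshake proceeds'}")
```

Feed it the first bytes of a suspect connection (from a packet capture of the IMAP/POP3 port) and the classification tells you whether the Dovecot error is a client that never spoke TLS at all, which no Postfix smtpd(8) parameter can influence, or a genuine TLS negotiation failure to chase in Dovecot's configuration.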


Re: error ssl stacked error routines

Poliman - Serwis
Yes, I have a freshly generated dh2048.pem. It's a new server and I'm trying to secure it. Should this line be uncommented? (I commented it out because of the above errors.) I wrote these errors here because they are related to this one line from postfix.

2017-04-25 20:09 GMT+02:00 Viktor Dukhovni <[hidden email]>:


Re: error ssl stacked error routines

Viktor Dukhovni

> On Apr 26, 2017, at 12:50 AM, Poliman - Serwis <[hidden email]> wrote:
>
> Yes I have freshly generated dh2048.pem. It's new server and I try to secure him.
> Should this line be uncommented?

The setting is correct, and should be used.

> (I commented it out because of above errors)

Those errors are completely unrelated to the configuration in question.

> I wrote these errors here, becouse they are related to this one line from postfix.

No, they are not.  The DH group used by the Postfix SMTP server has NO relationship
to the SSL behaviour of the Dovecot IMAP service.  For help with Dovecot, ask on the
Dovecot list.

--
        Viktor.


Re: error ssl stacked error routines

Poliman - Serwis
Is there some communication between dovecot and postfix? On a totally default dovecot config and with a small modification in the postfix main.cf file (other lines default):
tls_ssl_options = no_ticket, no_compression
tls_preempt_cipherlist = yes
smtpd_sasl_security_options=noanonymous,noplaintext
smtpd_sasl_tls_security_options=noanonymous,noplaintext
smtpd_tls_mandatory_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
#instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I don't know what should be setup
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA

Before setting those lines in main.cf, dovecot didn't cry any error in the log.




2017-04-26 16:29 GMT+02:00 Viktor Dukhovni <[hidden email]>:


Re: error ssl stacked error routines

Wietse Venema
Poliman - Serwis:
> Is between dovecot and postfix some communication? On totally default

Dovecot does not read Postfix config files.

> Before setup those lines in main.cf, dovecot didn't cry any error in log.

Correlation is not causation.

        Wietse

Re: error ssl stacked error routines

Viktor Dukhovni
On Thu, Apr 27, 2017 at 06:55:37AM +0200, Poliman - Serwis wrote:

> Is between dovecot and postfix some communication?

None to the IMAP service, and especially nothing that involves
smtpd(8) TLS settings.

> tls_ssl_options = no_ticket, no_compression

You've been reading and following some idiot's guide to "securing"
TLS with Postfix, leave this and most of the below settings at
their default values.

> tls_preempt_cipherlist = yes

That's fine.

> smtpd_sasl_security_options=noanonymous,noplaintext

Better, just disable SASL without TLS.


> smtpd_sasl_tls_security_options=noanonymous,noplaintext

Unless you're doing GSSAPI, most of the other options require a
store of the actual unhashed passwords on the server, and far worse
than "plaintext".  I would not use "noplaintext".

> smtpd_tls_mandatory_ciphers = high

Bad idea, set "medium" instead, default in recent versions of Postfix.

> smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem

This is fine.

> #instead of below I tried smtpd_tls_mandatory_exclude_ciphers but I don't
> know what should be setup
> smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK,
> aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA

Leave this parameter at its default value.  Instead, if that is
not *already* the default, set:

    smtpd_tls_protocols = !SSLv2, !SSLv3

> smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
> EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
> DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA

The above is inane.  Leave this parameter at its default value.
Instead, make sure that you have (likely already the default):

    smtp_tls_ciphers = medium

Only if you desperately want a smaller TLS ClientHello, try:

    smtp_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5

Those are not needed for interoperability and just add bloat.  You
may also add RC4, after monitoring your server for a while (a month
or more) and checking your logs to make sure that no legitimate
peers require RC4 (look for TLS connections using RC4 in your logs).

> Before setup those lines in main.cf, dovecot didn't cry any error in log.

Dovecot errors are the result of configuration changes you've made in
Dovecot.

--
        Viktor.
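Viktor's reply amounts to a short checklist for the poster's main.cf: leave the exclude lists and tls_ssl_options at their defaults, make sure SSLv2/SSLv3 are off, use "medium" ciphers, do not set "noplaintext" for SASL over TLS, keep the fresh DH parameters, and disable SASL without TLS instead. The following is an added example, not Postfix code and not from the thread: a minimal main.cf reader and an audit that applies those points, run against two constructed configurations, one mirroring the poster's settings and one applying the advice. The knob chosen for "disable SASL without TLS" is smtpd_tls_auth_only, which the thread itself does not name.

```python
"""Audit a Postfix main.cf against the TLS advice given in this thread.

Added example (not Postfix code, not from the thread).  Both configs below
are constructed; the smtpd_tls_auth_only check is my choice of parameter
for "disable SASL without TLS", not something the thread names.
"""
import re

# Constructed: the poster's settings as quoted in the thread.
POSTER_MAIN_CF = """\
tls_ssl_options = no_ticket, no_compression
tls_preempt_cipherlist = yes
smtpd_sasl_security_options=noanonymous,noplaintext
smtpd_sasl_tls_security_options=noanonymous,noplaintext
smtpd_tls_mandatory_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
#instead of below I tried smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
    DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
smtp_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
    EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA,
    DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA
"""

# Constructed: the same server after applying the advice in the reply.
RECOMMENDED_MAIN_CF = """\
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
tls_preempt_cipherlist = yes
smtpd_tls_auth_only = yes
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
"""


def parse_main_cf(text):
    """Minimal main.cf reader: 'key = value', '#' comment lines, continuation
    lines start with whitespace; a later key overrides an earlier one."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()      # continuation of previous value
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue                              # not a parameter line
        key = name.strip()
        params[key] = value.strip()
    return params


def _tokens(value):
    """Split a comma/whitespace separated Postfix list value."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def audit_tls(params):
    """Return a list of findings; an empty list means the config follows the advice."""
    findings = []
    if "tls_ssl_options" in params:
        findings.append("tls_ssl_options: leave at its default")
    if params.get("smtpd_tls_mandatory_ciphers", "medium").lower() == "high":
        findings.append("smtpd_tls_mandatory_ciphers=high: use medium (the default in recent Postfix)")
    for name in ("smtpd_tls_exclude_ciphers", "smtp_tls_exclude_ciphers"):
        # Individual suite names (EDH-RSA-DES-CBC3-SHA, ...) instead of
        # OpenSSL keyword aliases mark the copied "hardening" list.
        if any("-" in t for t in _tokens(params.get(name, ""))):
            findings.append(f"{name}: lists individual cipher suites; leave at its default")
    protos = {t.upper() for t in _tokens(params.get("smtpd_tls_protocols", ""))}
    if not {"!SSLV2", "!SSLV3"} <= protos:
        findings.append("smtpd_tls_protocols: set '!SSLv2, !SSLv3' unless the default already does")
    if params.get("smtp_tls_ciphers", "medium").lower() != "medium":
        findings.append("smtp_tls_ciphers: use medium")
    if "noplaintext" in _tokens(params.get("smtpd_sasl_tls_security_options", "")):
        findings.append("smtpd_sasl_tls_security_options: drop noplaintext (PLAIN over TLS is fine)")
    if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        findings.append("smtpd_tls_auth_only=yes: disable SASL without TLS instead of noplaintext")
    if not params.get("smtpd_tls_dh1024_param_file"):
        findings.append("smtpd_tls_dh1024_param_file: point at freshly generated 2048-bit DH parameters")
    return findings


if __name__ == "__main__":
    for label, cfg in (("poster", POSTER_MAIN_CF), ("recommended", RECOMMENDED_MAIN_CF)):
        print(label, audit_tls(parse_main_cf(cfg)) or "no findings")
```

The reader only understands the subset of main.cf syntax used here (no $variable expansion); on a real system compare against `postconf -n` output, and check the default of smtpd_tls_protocols for your Postfix version before trusting the protocols finding, since Viktor's advice is to set it only if the default does not already exclude SSLv2 and SSLv3.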

Re: error ssl stacked error routines

Poliman - Serwis
Perfect answer, I appreciate it. I will do as you advised. I have a few more questions about configuration:
"> smtpd_sasl_tls_security_options=noanonymous,noplaintext

Unless you're doing GSSAPI, most of the other options require a
store of the actual unhashed passwords on the server, and far worse
than "plaintext".  I would not use "noplaintext"."

1. I saw that GSSAPI is some kind of authentication like SASL. In my configuration I don't have lines for this. It's not a default thing, yes?
2. I tested my server using an Internal PCI Scan and there are some vulnerabilities related to weak ciphers. That's why I used smtpd_tls_exclude_ciphers and smtp_tls_exclude_ciphers with -> aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, ECDHE-RSA-DES-CBC3-SHA, DES-CBC3-SHA, RC4-MD5, RC4-SHA, ECDHE-RSA-RC4-SHA. I would just like to have a nicely secured server but - of course - not extreme.
Default values are:
smtpd_tls_exclude_ciphers = RC4, aNULL
smtp_tls_exclude_ciphers = RC4, aNULL

Should they be like above?

"Better, just disable SASL without TLS."
3. How do I do this? I would not like to break the postfix configuration. I'm still learning how to do things better. Unfortunately I can only depend on knowledge from the network and smart people.

Internal PCI Scan says that:
- SMTP Service Cleartext Login Permitted for 25 / tcp / smtp
- SSL Medium Strength Cipher Suites Supported for 25 / tcp / smtp  and  465 / tcp / smtp
- SSL 64-bit Block Size Cipher Suites Supported (SWEET32) for 25 / tcp / smtp  and  465 / tcp / smtp

They are marked as medium vulnerabilities. Should I leave it as it is without fear?

2017-04-27 17:29 GMT+02:00 Viktor Dukhovni <[hidden email]>: