postfix issue with ecc certificates

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

postfix issue with ecc certificates

David Mehler
Hello,

I'm using Postfix 3.3. I am atempting to send mail from a remote
android phone running AquaMail Pro, which does support ECC
certificates of secp-256. So I got an ecc cert pair from letsencrypt
and installed it. Atempting to send an email gives me a handshake
error on the android client and the below log output, also my postconf
-n output.

Suggestions welcome.

Thanks.
Dave.

# tail -f /var/log/postfix.log
Aug  3 17:22:27 hostname postfix/submission/smtpd[65716]: connect from
xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]

Aug  3 17:22:27 hostname postfix/submission/smtpd[65716]: SSL_accept
error from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]: -1

Aug  3 17:22:27 hostname postfix/submission/smtpd[65716]: warning: TLS
library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no
shared cipher:s3_srvr.c:1427:

Aug  3 17:22:27 hostname postfix/submission/smtpd[65716]: lost
connection after STARTTLS from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]

Aug  3 17:22:27 hostname postfix/submission/smtpd[65716]: disconnect
from xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx] ehlo=1 starttls=0/1 commands=1/2


# postconf -n
allow_percent_hack = no
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
bounce_template_file = /usr/local/etc/postfix/bounce.cf
broken_sasl_auth_clients = no
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
delay_warning_time = 4h
disable_vrfy_command = yes
header_checks = regexp:/usr/local/etc/postfix/phish419.regexp
html_directory = /usr/local/share/doc/postfix
in_flow_delay = 1s
inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1
inet_protocols = ipv4
local_recipient_maps = $virtual_mailbox_maps
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
meta_directory = /usr/local/libexec/postfix
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks
minimal_backoff_time = 5m
mydestination = localhost
mydomain = example.com
myhostname = mail.example.com
mynetworks = $config_directory/mynetworks
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
non_smtpd_milters = $smtpd_milters
postscreen_access_list = permit_mynetworks,
cidr:/usr/local/etc/postfix/postscreen_access.cidr,
cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2
bl.spameatingmonkey.net*2 bl.spamcop.net dnsbl.sorbs.net
psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-3
list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
queue_run_delay = 5m
readme_directory = /usr/local/share/doc/postfix
recipient_delimiter = +
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
shlib_directory = /usr/local/lib/postfix
show_user_unknown_table_name = no
smtp_helo_timeout = 60s
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_ciphers = high
smtp_tls_key_file = $smtpd_tls_key_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
CBC3-SHA
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_sasl_authenticated
reject_unknown_client_hostname check_client_access
cidr:/usr/local/etc/postfix/spamfarms check_client_access
cidr:/usr/local/etc/postfix/sinokorea.cidr
check_reverse_client_hostname_access
pcre:/usr/local/etc/postfix/fqrdns.pcre
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated
reject_invalid_helo_hostname reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname check_helo_access
hash:/usr/local/etc/postfix/helo_access,
smtpd_milters = unix:/var/run/rspamd/milter.sock,inet:127.0.0.1:8472
smtpd_recipient_restrictions = reject_non_fqdn_recipient
reject_unknown_recipient_domain reject_unauth_pipelining
check_recipient_access
mysql:/usr/local/etc/postfix/db/recipient-access.cf
permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3]
reject_unlisted_recipient check_policy_service
unix:private/dovecot-quota
smtpd_reject_unlisted_sender = yes
smtpd_relay_restrictions = permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = mysql:/usr/local/etc/postfix/db/accounts.cf
mysql:/usr/local/etc/postfix/db/aliases.cf
smtpd_sender_restrictions = reject_non_fqdn_sender
reject_sender_login_mismatch reject_unknown_sender_domain
,check_sender_mx_access cidr:/usr/local/etc/postfix/bogus_mx
check_sender_access hash:/usr/local/etc/postfix/safe_addresses
check_sender_access hash:/usr/local/etc/postfix/auto-whtlst
smtpd_soft_error_limit = 3
smtpd_tls_CAfile = /usr/local/etc/ssl/acme/example.com/cacert.crt
smtpd_tls_auth_only = no
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/dh.pem
smtpd_tls_eccert_file = /usr/local/etc/ssl/acme/example.com/fullchain.crt
smtpd_tls_eckey_file =
/usr/local/etc/ssl/acme/example.com/privssl/server-ec256.key
smtpd_tls_eecdh_grade = ultra
smtpd_tls_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 , DES, ADH, RC4, PSD,
SRP, 3DES, eNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtputf8_enable = yes
soft_bounce = no
strict_rfc821_envelopes = yes
swap_bangpath = no
tls_high_cipherlist =
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
tls_preempt_cipherlist = yes
tls_ssl_options = no_ticket, no_compression
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/usr/local/etc/postfix/db/aliases.cf
virtual_gid_maps = static:999
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/usr/local/etc/postfix/db/domains.cf
virtual_mailbox_maps = proxy:mysql:/usr/local/etc/postfix/db/accounts.cf
virtual_minimum_uid = 999
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:999
Reply | Threaded
Open this post in threaded view
|

Re: postfix issue with ecc certificates

Wietse Venema
David Mehler:
> Aug  3 17:22:27 hostname postfix/submission/smtpd[65716]: warning: TLS
> library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no
> shared cipher:s3_srvr.c:1427:
...
> smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3, !TLSv1
> smtp_tls_protocols = !SSLv2,!SSLv3, !TLSv1

Quick experiment: does it work when you comment out these lines?

        Wietse
Reply | Threaded
Open this post in threaded view
|

Re: postfix issue with ecc certificates

Viktor Dukhovni
In reply to this post by David Mehler


> On Aug 3, 2018, at 6:09 PM, David Mehler <[hidden email]> wrote:
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2

This does not leave too many working options... :-)

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: postfix issue with ecc certificates

David Mehler
Hello,

Thanks Wietse and Victor,

I commented out the smtp* lines and didn't fix it. What I then did was
changed my ecc_grade from ultra to strong. Does this sound like the
solution?

Thanks.
Dave.


On 8/3/18, Viktor Dukhovni <[hidden email]> wrote:

>
>
>> On Aug 3, 2018, at 6:09 PM, David Mehler <[hidden email]> wrote:
>>
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
>> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1 !TLSv1.1 TLSv1.2
>
> This does not leave too many working options... :-)
>
> --
> Viktor.
>
>
Reply | Threaded
Open this post in threaded view
|

Re: postfix issue with ecc certificates

Wietse Venema
David Mehler:
> Hello,
>
> Thanks Wietse and Victor,
>
> I commented out the smtp* lines and didn't fix it. What I then did was
> changed my ecc_grade from ultra to strong. Does this sound like the
> solution?

$ postconf|grep ecc_grade

[empty output]
Reply | Threaded
Open this post in threaded view
|

Re: postfix issue with ecc certificates

David Mehler
Hi,

Sorry, the parameter is smtpd_tls_eecdh_grade it was set to ultra I
set it to strong. I don't know if that's what did it but clients can
now send.

If I'm getting what I'm reading ultra refers to p-384 bit ecc curves,
while strong is p-256, that's what I've got.

Thanks.
Dave.


On 8/4/18, Wietse Venema <[hidden email]> wrote:

> David Mehler:
>> Hello,
>>
>> Thanks Wietse and Victor,
>>
>> I commented out the smtp* lines and didn't fix it. What I then did was
>> changed my ecc_grade from ultra to strong. Does this sound like the
>> solution?
>
> $ postconf|grep ecc_grade
>
> [empty output]
>
Reply | Threaded
Open this post in threaded view
|

Re: postfix issue with ecc certificates

Viktor Dukhovni


> On Aug 4, 2018, at 11:15 AM, David Mehler <[hidden email]> wrote:
>
> Sorry, the parameter is smtpd_tls_eecdh_grade it was set to ultra I
> set it to strong. I don't know if that's what did it but clients can
> now send.

With recent Postfix releases, and OpenSSL >= 1.0.2, the best setting
for this parameter is "auto", which negotiates a mutually agreeable
group based on the client's list of supported curves.

  http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade

Therefore (as with many other Postfix parameters) it is best to simply
NOT CHANGE the default value of this parameter.

  $ postconf -d mail_version smtpd_tls_eecdh_grade
  mail_version = 3.3.1
  smtpd_tls_eecdh_grade = auto

> If I'm getting what I'm reading ultra refers to p-384 bit ecc curves,
> while strong is p-256, that's what I've got.

Let Postfix do the work for you, you don't have to lock down all the
settings.

--
        Viktor.

Reply | Threaded
Open this post in threaded view
|

Re: postfix issue with ecc certificates

David Mehler
Hi,

Thanks, that has done it.

Thanks.
Dave.


On 8/4/18, Viktor Dukhovni <[hidden email]> wrote:

>
>
>> On Aug 4, 2018, at 11:15 AM, David Mehler <[hidden email]> wrote:
>>
>> Sorry, the parameter is smtpd_tls_eecdh_grade it was set to ultra I
>> set it to strong. I don't know if that's what did it but clients can
>> now send.
>
> With recent Postfix releases, and OpenSSL >= 1.0.2, the best setting
> for this parameter is "auto", which negotiates a mutually agreeable
> group based on the client's list of supported curves.
>
>   http://www.postfix.org/postconf.5.html#smtpd_tls_eecdh_grade
>
> Therefore (as with many other Postfix parameters) it is best to simply
> NOT CHANGE the default value of this parameter.
>
>   $ postconf -d mail_version smtpd_tls_eecdh_grade
>   mail_version = 3.3.1
>   smtpd_tls_eecdh_grade = auto
>
>> If I'm getting what I'm reading ultra refers to p-384 bit ecc curves,
>> while strong is p-256, that's what I've got.
>
> Let Postfix do the work for you, you don't have to lock down all the
> settings.
>
> --
> Viktor.
>
>