problem connecting with android device

Hello!

A problem with an android device connecting to postfix on a CentOS8 server.

mail_version = 3.3.1

I have this in the log:

Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: initializing the server-side TLS engine
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: connect from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: setting up TLS connection from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept:before SSL initialization
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept:before SSL initialization
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL3 alert write:fatal:protocol version
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept:error in error
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept error from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: -1
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: lost connection after STARTTLS from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: disconnect from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142] ehlo=1 starttls=0/1 commands=1/2

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_name = Mailserver dualbit.de
mail_owner = postfix
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_cert_file = /etc/letsencrypt/live/smtp.dualbit.de/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/smtp.dualbit.de/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = dualbit.de
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_CApath = /etc/pki/tls/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.dualbit.de/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/smtp.dualbit.de/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

I can connect from my PC with claws-mail without problem.
Any hint on this?

Regards

  Andreas

On 18 Jul 2020, at 07:25, ratatouille <[hidden email]> wrote:
> mail_version = 3.3.1

This is quite old. The current version of 3.3.x is 3.3.12.

> Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"

I don't see a line like this in my logs. Are you setting a custom set of ciphers? This looks like tls_medium_cipherlist.

> Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL3 alert write:fatal:protocol version
> Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept:error in error
> Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept error from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: -1
> Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:

What does this look like owhen your Claws MIA connects?

But the basic answer is your android device and your mail server cannot find a common secure protocol. This is normally caused by you restricting security protocols or, less commonly, by a client that is trying to downgrade security. I am pretty sure that you need to update you postfix and your openssl (or whatever package you are using for TLS).

I am suspicious of your "SSL3" in there as that should absolutely not be used, and the default in postfix is

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3



--
"A musicologist is a man who can read music but can't hear it." -
        Sir Thomas Beecham (1879 - 1961)

On 19 Jul 2020, at 8:33, @lbutlr wrote:

> I am suspicious of your "SSL3" in there as that should absolutely not
> be used,

OpenSSL still uses 'SSL3' in diagnostic messages that refer to
operations that still use implementations that date back to SSLv3, even
when they are used as part of later TLS versions.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Hello!

"@lbutlr" <[hidden email]> schrieb am 19.07.20 um 06:33:10 Uhr:

> On 18 Jul 2020, at 07:25, ratatouille <[hidden email]> wrote:
> > mail_version = 3.3.1  
>
> This is quite old. The current version of 3.3.x is 3.3.12.
>
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"  
>
> I don't see a line like this in my logs. Are you setting a custom set of ciphers? This looks like tls_medium_cipherlist.

This is smtpd_tls_loglevel = 2

No special cipherlist
smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium

> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL3 alert write:fatal:protocol version
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept:error in error
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept error from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: -1
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:  
>
> What does this look like owhen your Claws MIA connects?

This is what I see with claws-mail MUA, smtpd_tls_loglevel = 1

Jul 19 22:41:37 dualbit1 postfix/smtpd[834008]: connect from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]
Jul 19 22:41:37 dualbit1 postfix/smtpd[834008]: Anonymous TLS connection established from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 19 22:41:38 dualbit1 postfix/smtpd[834008]: 335E530E891C: client=p57b62c8e.dip0.t-ipconnect.de[87.182.44.142], sasl_method=CRAM-MD5, sasl_username=[hidden email]
Jul 19 22:41:38 dualbit1 postfix/cleanup[834012]: 335E530E891C: message-id=<[hidden email]>
Jul 19 22:41:38 dualbit1 postfix/qmgr[633245]: 335E530E891C: from=<[hidden email]>, size=745, nrcpt=1 (queue active)
Jul 19 22:41:38 dualbit1 postfix/smtpd[834008]: disconnect from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jul 19 22:41:44 dualbit1 postfix/smtp[834013]: Trusted TLS connection established to smtp.bitclusive.de[92.60.38.182]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 19 22:41:45 dualbit1 postfix/smtp[834013]: 335E530E891C: host smtp.bitclusive.de[92.60.38.182] said: 450 4.2.0 <[hidden email]>: Recipient address rejected: Greylisted for 300 seconds (in reply to RCPT TO command)


> But the basic answer is your android device and your mail server cannot find a common secure protocol. This is normally caused by you restricting security protocols or, less commonly, by a client that is trying to downgrade security. I am pretty sure that you need to update you postfix and your openssl (or whatever package you are using for TLS).

I am not aware I restrict security protocls on this testserver.

This android version is old, it's version 4.0.3. I had problems connecting to dovecot
too and found out android is using TLSv1.

> I am suspicious of your "SSL3" in there as that should absolutely not be used, and the default in postfix is
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

Interestingly I don't have this problem with android connecting to a postfixserver 2.11.11.

  Andreas

On Sun, Jul 19, 2020 at 06:33:10AM -0600, @lbutlr wrote:

> On 18 Jul 2020, at 07:25, ratatouille <[hidden email]> wrote:
> > mail_version = 3.3.1
>
> This is quite old. The current version of 3.3.x is 3.3.12.

Sure, but some packaged distributions tend to backport fixes without
bumping the version number, so we don't actually know that is materially
different from 3.3.12.

> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
>
> I don't see a line like this in my logs. Are you setting a custom set
> of ciphers? This looks like tls_medium_cipherlist.

You (sensibly) don't have verbose logging enabled.

> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept error from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: -1
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:

The client TLS hello offered either a protocol that's too new, too old,
or was just garbled.

> But the basic answer is your android device and your mail server
> cannot find a common secure protocol. This is normally caused by you
> restricting security protocols or, less commonly, by a client that is
> trying to downgrade security. I am pretty sure that you need to update
> you postfix and your openssl (or whatever package you are using for
> TLS).

This is unlikely to be necessary.  Please avoid wild guesses.

> I am suspicious of your "SSL3" in there as that should absolutely not
> be used, and the default in postfix is
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

As already pointed out, this is a red herring.

On Sun, Jul 19, 2020 at 10:48:00PM +0200, ratatouille wrote:

> This is what I see with claws-mail MUA, smtpd_tls_loglevel = 1
>
> Jul 19 22:41:37 dualbit1 postfix/smtpd[834008]: Anonymous TLS connection established from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Your server supports TLS 1.2.

> This android version is old, it's version 4.0.3. I had problems connecting to dovecot
> too and found out android is using TLSv1.

This is quite possibly the issue, and even if Postfix is not explicitly
restricting the TLS version to >= 1.2, your system-wide "openssl.cnf"
file may well be doing that.  Look for "MinProtocol" in that file:

    $ openssl version -d
    OPENSSLDIR: "/etc/ssl"
    $ ls /etc/ssl/openssl.cnf
    /etc/ssl/openssl.cnf

> > I am suspicious of your "SSL3" in there as that should absolutely not be used, and the default in postfix is
> >
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
>
> Interestingly I don't have this problem with android connecting to a postfixserver 2.11.11.

That may have been on a system with a different /etc/ssl/openssl.cnf
(perhaps a past version of that file on the same machine).

--
    Viktor.

Viktor Dukhovni <[hidden email]> schrieb am 19.07.20 um 17:05:02 Uhr:

No entry MinProtocol /etc/pki/tls/openssl.cnf.

The manpage says

[ssl_sect]

        system_default = system_default_sect

        [system_default_sect]

        MinProtocol = TLSv1.2

  Andreas