Hello!
A problem with an android device connecting to postfix on a CentOS8 server.

mail_version = 3.3.1

I have this in the log:

Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: initializing the server-side TLS engine
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: connect from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: setting up TLS connection from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept:before SSL initialization
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept:before SSL initialization
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL3 alert write:fatal:protocol version
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept:error in error
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept error from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: -1
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: lost connection after STARTTLS from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]
Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: disconnect from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142] ehlo=1 starttls=0/1 commands=1/2

# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_name = Mailserver dualbit.de
mail_owner = postfix
mailbox_transport = lmtp:unix:private/dovecot-lmtp
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
meta_directory = /etc/postfix
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix/README_FILES
sample_directory = /usr/share/doc/postfix/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_CApath = /etc/pki/tls/certs
smtp_tls_cert_file = /etc/letsencrypt/live/smtp.dualbit.de/fullchain.pem
smtp_tls_key_file = /etc/letsencrypt/live/smtp.dualbit.de/privkey.pem
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = dualbit.de
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_CApath = /etc/pki/tls/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.dualbit.de/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/smtp.dualbit.de/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom

I can connect from my PC with claws-mail without problem. Any hint on this?

Regards
Andreas
On 18 Jul 2020, at 07:25, ratatouille <[hidden email]> wrote:
> mail_version = 3.3.1

This is quite old. The current version of 3.3.x is 3.3.12.

> Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"

I don't see a line like this in my logs. Are you setting a custom set of ciphers? This looks like tls_medium_cipherlist.

> Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL3 alert write:fatal:protocol version
> Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept:error in error
> Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept error from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: -1
> Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:

What does this look like when your Claws MUA connects?

But the basic answer is your android device and your mail server cannot find a common secure protocol. This is normally caused by you restricting security protocols or, less commonly, by a client that is trying to downgrade security. I am pretty sure that you need to update your postfix and your openssl (or whatever package you are using for TLS).

I am suspicious of your "SSL3" in there as that should absolutely not be used, and the default in postfix is

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

-- 
"A musicologist is a man who can read music but can't hear it." - Sir Thomas Beecham (1879 - 1961)
On 19 Jul 2020, at 8:33, @lbutlr wrote:
> I am suspicious of your "SSL3" in there as that should absolutely not
> be used,

OpenSSL still uses 'SSL3' in diagnostic messages that refer to operations that still use implementations that date back to SSLv3, even when they are used as part of later TLS versions.

-- 
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Hello!
"@lbutlr" <[hidden email]> wrote on 19.07.20 at 06:33:10:

> On 18 Jul 2020, at 07:25, ratatouille <[hidden email]> wrote:
> > mail_version = 3.3.1
>
> This is quite old. The current version of 3.3.x is 3.3.12.
>
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
>
> I don't see a line like this in my logs. Are you setting a custom set of ciphers? This looks like tls_medium_cipherlist.

This is smtpd_tls_loglevel = 2

No special cipherlist

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium

> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL3 alert write:fatal:protocol version
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept:error in error
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept error from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: -1
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:
>
> What does this look like when your Claws MUA connects?

This is what I see with claws-mail MUA, smtpd_tls_loglevel = 1

Jul 19 22:41:37 dualbit1 postfix/smtpd[834008]: connect from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]
Jul 19 22:41:37 dualbit1 postfix/smtpd[834008]: Anonymous TLS connection established from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 19 22:41:38 dualbit1 postfix/smtpd[834008]: 335E530E891C: client=p57b62c8e.dip0.t-ipconnect.de[87.182.44.142], sasl_method=CRAM-MD5, sasl_username=[hidden email]
Jul 19 22:41:38 dualbit1 postfix/cleanup[834012]: 335E530E891C: message-id=<[hidden email]>
Jul 19 22:41:38 dualbit1 postfix/qmgr[633245]: 335E530E891C: from=<[hidden email]>, size=745, nrcpt=1 (queue active)
Jul 19 22:41:38 dualbit1 postfix/smtpd[834008]: disconnect from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Jul 19 22:41:44 dualbit1 postfix/smtp[834013]: Trusted TLS connection established to smtp.bitclusive.de[92.60.38.182]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 19 22:41:45 dualbit1 postfix/smtp[834013]: 335E530E891C: host smtp.bitclusive.de[92.60.38.182] said: 450 4.2.0 <[hidden email]>: Recipient address rejected: Greylisted for 300 seconds (in reply to RCPT TO command)

> But the basic answer is your android device and your mail server cannot find a common secure protocol. This is normally caused by you restricting security protocols or, less commonly, by a client that is trying to downgrade security. I am pretty sure that you need to update your postfix and your openssl (or whatever package you are using for TLS).

I am not aware I restrict security protocols on this testserver. This android version is old, it's version 4.0.3. I had problems connecting to dovecot too and found out android is using TLSv1.

> I am suspicious of your "SSL3" in there as that should absolutely not be used, and the default in postfix is
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

Interestingly I don't have this problem with android connecting to a postfixserver 2.11.11.

Andreas
On Sun, Jul 19, 2020 at 06:33:10AM -0600, @lbutlr wrote:
> On 18 Jul 2020, at 07:25, ratatouille <[hidden email]> wrote:
> > mail_version = 3.3.1
>
> This is quite old. The current version of 3.3.x is 3.3.12.

Sure, but some packaged distributions tend to backport fixes without bumping the version number, so we don't actually know that it is materially different from 3.3.12.

> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
>
> I don't see a line like this in my logs. Are you setting a custom set
> of ciphers? This looks like tls_medium_cipherlist.

You (sensibly) don't have verbose logging enabled.

> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept error from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: -1
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:

The client TLS hello offered either a protocol that's too new, too old, or was just garbled.

> But the basic answer is your android device and your mail server
> cannot find a common secure protocol. This is normally caused by you
> restricting security protocols or, less commonly, by a client that is
> trying to downgrade security. I am pretty sure that you need to update
> your postfix and your openssl (or whatever package you are using for
> TLS).

This is unlikely to be necessary. Please avoid wild guesses.

> I am suspicious of your "SSL3" in there as that should absolutely not
> be used, and the default in postfix is
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

As already pointed out, this is a red herring.
On Sun, Jul 19, 2020 at 10:48:00PM +0200, ratatouille wrote:

> This is what I see with claws-mail MUA, smtpd_tls_loglevel = 1
>
> Jul 19 22:41:37 dualbit1 postfix/smtpd[834008]: Anonymous TLS connection established from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Your server supports TLS 1.2.

> This android version is old, it's version 4.0.3. I had problems connecting to dovecot
> too and found out android is using TLSv1.

This is quite possibly the issue, and even if Postfix is not explicitly restricting the TLS version to >= 1.2, your system-wide "openssl.cnf" file may well be doing that. Look for "MinProtocol" in that file:

$ openssl version -d
OPENSSLDIR: "/etc/ssl"
$ ls /etc/ssl/openssl.cnf
/etc/ssl/openssl.cnf

> > I am suspicious of your "SSL3" in there as that should absolutely not be used, and the default in postfix is
> >
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
>
> Interestingly I don't have this problem with android connecting to a postfixserver 2.11.11.

That may have been on a system with a different /etc/ssl/openssl.cnf (perhaps a past version of that file on the same machine).

-- 
Viktor.
Viktor Dukhovni <[hidden email]> wrote on 19.07.20 at 17:05:02:
> > Jul 19 22:41:37 dualbit1 postfix/smtpd[834008]: Anonymous TLS connection established from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> Your server supports TLS 1.2.
>
> > This android version is old, it's version 4.0.3. I had problems connecting to dovecot
> > too and found out android is using TLSv1.
>
> This is quite possibly the issue, and even if Postfix is not explicitly
> restricting the TLS version to >= 1.2, your system-wide "openssl.cnf"
> file may well be doing that. Look for "MinProtocol" in that file:
>
> $ openssl version -d
> OPENSSLDIR: "/etc/ssl"
> $ ls /etc/ssl/openssl.cnf
> /etc/ssl/openssl.cnf

No entry MinProtocol in /etc/pki/tls/openssl.cnf. The manpage says

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2

Andreas
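The two places Viktor's reply points at, the "MinProtocol" in the section that openssl.cnf's "system_default" refers to (the layout Andreas quotes from the manpage) and Postfix's own smtpd_tls_protocols, can be checked side by side with a small script. This is an added example, not code from the thread or from Postfix or OpenSSL; the openssl.cnf files and "postconf -n" excerpts it writes are constructed samples, and the function names (openssl_min_protocol, postfix_smtpd_protocols, tls1_client_allowed, write_samples) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Postfix/OpenSSL.
# It shows the two settings that put a floor under the TLS version a
# Postfix smtpd will accept: "MinProtocol" in the openssl.cnf section
# that "system_default" points to, and Postfix's own smtpd_tls_protocols.
# All file contents below are constructed samples written to a temp dir.

# Print the MinProtocol that applies system-wide, following the
# "system_default = <section>" reference, or "unset" if there is none.
openssl_min_protocol() {
    awk '
        /^[ \t]*\[/ { sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/[]].*$/, "", sect); next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (key == "system_default") target = val   # e.g. system_default_sect
            if (key == "MinProtocol")    minp[sect] = val
        }
        END { if (target != "" && (target in minp)) print minp[target]; else print "unset" }
    ' "$1"
}

# Print the smtpd_tls_protocols value from "postconf -n" output, or "unset"
# (Postfix's built-in default then applies).
postfix_smtpd_protocols() {
    val=$(sed -n 's/^smtpd_tls_protocols *= *//p' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else echo unset; fi
}

# Exit 0 when a client that only offers TLSv1 (the thread's Android 4.0.3)
# could still negotiate, 1 when either setting shuts it out.
tls1_client_allowed() {
    case "$(openssl_min_protocol "$1")" in
        TLSv1.1|TLSv1.2|TLSv1.3) return 1 ;;
    esac
    protos=$(postfix_smtpd_protocols "$2")
    if [ "$protos" = unset ]; then return 0; fi
    incl=no; has_tls1=no
    for tok in $(printf '%s\n' "$protos" | tr ',' ' '); do
        case "$tok" in
            '!TLSv1'|'>TLSv1'|'>=TLSv1.1'|'>=TLSv1.2'|'>=TLSv1.3') return 1 ;;
            '!'*|'>'*|'<'*) ;;      # other exclusions/bounds leave TLSv1 alone
            TLSv1) incl=yes; has_tls1=yes ;;
            *) incl=yes ;;          # bare version names: inclusion-list syntax
        esac
    done
    [ "$incl" = no ] || [ "$has_tls1" = yes ]
}

# Constructed samples: two openssl.cnf variants with the section layout
# quoted from the manpage above, and two "postconf -n" excerpts.
write_samples() {
    d=$(mktemp -d)
    cat >"$d/openssl-floor.cnf" <<'EOF'
openssl_conf = default_modules
[default_modules]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.2
EOF
    cat >"$d/openssl-open.cnf" <<'EOF'
openssl_conf = default_modules
[default_modules]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = ServerPreference
EOF
    printf 'smtpd_tls_loglevel = 2\nsmtpd_tls_security_level = may\n' >"$d/postconf-default.txt"
    printf 'smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1\n' >"$d/postconf-notls1.txt"
    printf '%s\n' "$d"
}

dir=$(write_samples)
for cnf in openssl-floor.cnf openssl-open.cnf; do
    for pc in postconf-default.txt postconf-notls1.txt; do
        if tls1_client_allowed "$dir/$cnf" "$dir/$pc"; then
            printf '%-18s %-21s TLSv1-only client can negotiate\n' "$cnf" "$pc"
        else
            printf '%-18s %-21s handshake fails: unsupported protocol\n' "$cnf" "$pc"
        fi
    done
done
rm -rf "$dir"
```

Run it against the real files by calling openssl_min_protocol on the path that "openssl version -d" reports and postfix_smtpd_protocols on saved "postconf -n" output. One caveat worth knowing on CentOS 8: /etc/pki/tls/openssl.cnf itself carries no MinProtocol line; it pulls in /etc/crypto-policies/back-ends/opensslcnf.config via an .include directive, and the DEFAULT crypto policy sets the floor to TLSv1.2 there, which is why a grep of openssl.cnf alone comes up empty. The parser above does not follow .include, so check the included file too. The live counterpart of this check, against your own server, is "openssl s_client -connect host:587 -starttls smtp -tls1", whose handshake failure mirrors the "unsupported protocol" line in the smtpd log.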