smtpd TLS handhake failures with specific site

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

smtpd TLS handhake failures with specific site

Thomas Leuxner
Hi,

recently I’m seeing STARTTLS issues with a specific site, while the TLS-handshakes work fine for other sites. The failed handshake manifests in this excerpt:

May 14 11:07:20 nihlus postfix/smtpd[60685]: connect from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: SSL_accept error from sam.dfn-cert.de[193.174.13.196]: -1
May 14 11:07:20 nihlus postfix/smtpd[60685]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:960:
May 14 11:07:20 nihlus postfix/smtpd[60685]: lost connection after STARTTLS from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: disconnect from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/postscreen[60684]: CONNECT from [193.174.13.196]:59867 to [188.138.4.217]:25
May 14 11:07:20 nihlus postfix/postscreen[60684]: WHITELISTED [193.174.13.196]:59867
May 14 11:07:20 nihlus postfix/smtpd[60685]: connect from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: 3gT94m2jg2z1y: client=sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/cleanup[60690]: 3gT94m2jg2z1y: message-id=<[hidden email]>
May 14 11:07:20 nihlus postfix/qmgr[18296]: 3gT94m2jg2z1y: from=<[hidden email]>, size=8951, nrcpt=1 (queue active)
May 14 11:07:20 nihlus postfix/smtpd[60685]: disconnect from sam.dfn-cert.de[193.174.13.196]

% postconf -n | grep tls
smtp_tls_loglevel = 1
smtp_tls_security_level = dane
smtp_tls_session_cache_database = lmdb:$data_directory/smtp_scache
smtpd_tls_cert_file = $config_directory/server.pem
smtpd_tls_dh1024_param_file = $config_directory/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/dh512.pem
smtpd_tls_eecdh_grade = none
smtpd_tls_key_file = /etc/ssl/private/host_domain_tld.key
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = lmdb:$data_directory/smtpd_scache
tls_preempt_cipherlist = yes

% openssl version
OpenSSL 1.0.1e 11 Feb 2013

% postconf mail_version
mail_version = 2.11.0

A quick test with SSL3 enabled allows a TLS connection from this particular server:

May 14 11:41:31 nihlus postfix/smtpd[60964]: connect from sam.dfn-cert.de[193.174.13.196]
May 14 11:41:31 nihlus postfix/smtpd[60964]: Anonymous TLS connection established from sam.dfn-cert.de[193.174.13.196]: SSLv3 with cipher ADH-AES256-SHA (256/256 bits)
May 14 11:41:31 nihlus postfix/smtpd[60964]: 3gT9rC3Znvz1y: client=sam.dfn-cert.de[193.174.13.196]
May 14 11:41:31 nihlus postfix/cleanup[60971]: 3gT9rC3Znvz1y: message-id=<[hidden email]>
May 14 11:41:31 nihlus postfix/qmgr[60752]: 3gT9rC3Znvz1y: from=<[hidden email]>, size=17656, nrcpt=1 (queue active)

How does one best implement a workaround for this site? Looking at TLS policies http://www.postfix.org/TLS_README.html#client_tls_policy these seem to target the client only.

Regards
Thomas
Reply | Threaded
Open this post in threaded view
|

Re: smtpd TLS handhake failures with specific site

lists@rhsoft.net


Am 17.05.2014 12:19, schrieb Thomas Leuxner:
> recently I’m seeing STARTTLS issues with a specific site, while the TLS-handshakes work fine for other sites. The failed handshake manifests in this excerpt:
> May 14 11:07:20 nihlus postfix/smtpd[60685]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:960:
>
> smtpd_tls_protocols = !SSLv2,!SSLv3
>
> A quick test with SSL3 enabled allows a TLS connection from this particular server:
> How does one best implement a workaround for this site?

just don't break you configuration and blindly disable SSLv3
and you don't need a workaround for your own mistake

the other site don't support anything better than SSLv3

as first step you need to understand that you don't make
anything better in case of opportunistic TLS if you disable
ciphers and protocols left and right because you obviously
missed that it ends in connections from other servers falling
back to unencrypted connections if there is no suiteable
cipher both sides supporting or as in your case if you
disable a protocol the otehr side needs to connect it fails

you made that problem by add !SSLv3
solve it the same way by remove that