Ok, that could be it.

The main culprit I am trying to figure out is Entourage (I just noticed a bunch of messages on that I should look through).

The log for it looks like this:

Dec 11 14:49:48 arnold postfix/smtpd[6341]: connect from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:49:48 arnold postfix/smtpd[6341]: lost connection after EHLO from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:49:48 arnold postfix/smtpd[6341]: disconnect from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:28 arnold postfix/smtpd[4671]: connect from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:28 arnold postfix/smtpd[4671]: setting up TLS connection from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:29 arnold postfix/smtpd[4671]: TLS connection established from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Dec 11 14:56:29 arnold postfix/smtpd[4671]: lost connection after EHLO from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:29 arnold postfix/smtpd[4671]: disconnect from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]

The error I am getting now is that the server does not support any of the authentication methods. Before I was getting a greylist "try later" message. I think it is trying on port 25.

Wrapper mode is not on and if I try Thunderbird with SSL it does default to that port which is open in the firewall. But I get no attempted TLS connection. My syslog just tracks that the IP/MAC address is hitting it.

I notice in my log that there is one other instance of 168 DES ciphers that appears to be failing while all other types appear to be working. Could that be the issue? If so how do I fix it?
Noel Jones wrote:
John Baker wrote:
We have a few people using programs (mostly MS crap) that insist on older versions of SSL rather than tls.

Internally this works okay but externally SSL gets bounced by my grey listing. This seems to indicate that it is not actually authenticating right but allowing it to pass internally because it's on the network and the port is open.

"legacy" SSL makes me think of the long-deprecated "smtps" wrapper mode SSL on port 465 that some MS products (still) seem to prefer rather than using STARTTLS on a standard port.

Do you have the smtps port enabled in postfix and your firewall?

Do your logs show these clients using SSL/TLS and attempting authentication? Use "smtpd_tls_loglevel = 1" in main.cf.




--
John Baker
Network Systems Administrator
Marlboro College
Phone: 451-7551 off campus; 551 on campus
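The quoted smtpd log is easier to reason about once the lines are grouped per connection: postfix runs one smtpd process per client session, so lines sharing a PID between "connect from" and "disconnect from" belong together. The script below is an added example (not part of this thread or of Postfix) that does that grouping and then separates two things the raw log mixes up: sessions where the client negotiated TLS and still hung up right after reading the EHLO response without ever sending AUTH (the pattern above, which points at the AUTH mechanisms being offered rather than at the TLS handshake), and sessions that went on to authenticate. The sample input is constructed: it reuses the quoted lines (host names and PIDs as in the message) and adds one made-up successful session with PID 7002, cipher AES256-SHA and a queue-ID line carrying sasl_method=PLAIN, for contrast.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the postfix/smtpd lines quoted in the
# message above plus one made-up successful session (PID 7002) for contrast.
SAMPLE_LOG = """\
Dec 11 14:49:48 arnold postfix/smtpd[6341]: connect from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:49:48 arnold postfix/smtpd[6341]: lost connection after EHLO from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:49:48 arnold postfix/smtpd[6341]: disconnect from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:28 arnold postfix/smtpd[4671]: connect from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:28 arnold postfix/smtpd[4671]: setting up TLS connection from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:29 arnold postfix/smtpd[4671]: TLS connection established from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Dec 11 14:56:29 arnold postfix/smtpd[4671]: lost connection after EHLO from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 14:56:29 arnold postfix/smtpd[4671]: disconnect from c-24-63-203-109.hsd1.nh.comcast.net[24.63.203.109]
Dec 11 15:02:10 arnold postfix/smtpd[7002]: connect from example-client.invalid[192.0.2.10]
Dec 11 15:02:10 arnold postfix/smtpd[7002]: setting up TLS connection from example-client.invalid[192.0.2.10]
Dec 11 15:02:10 arnold postfix/smtpd[7002]: TLS connection established from example-client.invalid[192.0.2.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Dec 11 15:02:11 arnold postfix/smtpd[7002]: 1A2B3C4D5E: client=example-client.invalid[192.0.2.10], sasl_method=PLAIN, sasl_username=user@example.invalid
Dec 11 15:02:12 arnold postfix/smtpd[7002]: disconnect from example-client.invalid[192.0.2.10]
"""

# syslog prefix: timestamp, host, "postfix/smtpd[PID]: ", then the message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
CLIENT_RE = re.compile(r"(?P<name>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")
TLS_RE = re.compile(
    r"^TLS connection established from (?P<client>\S+): (?P<proto>\S+) "
    r"with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
LOST_RE = re.compile(r"^lost connection after (?P<stage>\S+) from ")
SASL_RE = re.compile(r"sasl_method=(?P<method>\w+)")


def parse_sessions(log_text):
    """Group smtpd log lines into per-connection sessions, keyed by PID
    between 'connect from' and 'disconnect from'."""
    open_sessions = {}
    sessions = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an smtpd line (or a format we do not handle)
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            client = CLIENT_RE.search(msg)
            open_sessions[pid] = {
                "pid": pid,
                "start": m.group("ts"),
                "client": client.group("name") if client else None,
                "ip": client.group("ip") if client else None,
                "tls": None,          # (protocol, cipher, bits) once established
                "lost_after": None,   # SMTP stage after which the client dropped
                "sasl_method": None,  # set only if the client authenticated
            }
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue  # line belongs to a session whose 'connect' we never saw
        tls = TLS_RE.match(msg)
        if tls:
            sess["tls"] = (tls.group("proto"), tls.group("cipher"), int(tls.group("bits")))
        lost = LOST_RE.match(msg)
        if lost:
            sess["lost_after"] = lost.group("stage")
        sasl = SASL_RE.search(msg)
        if sasl:
            sess["sasl_method"] = sasl.group("method")
        if msg.startswith("disconnect from "):
            sessions.append(open_sessions.pop(pid))
    return sessions


def dropped_after_ehlo(sessions):
    """Sessions where the client read the EHLO response and hung up without
    sending AUTH. The 'tls' field tells whether STARTTLS succeeded first."""
    return [s for s in sessions if s["lost_after"] == "EHLO" and s["sasl_method"] is None]


def cipher_summary(sessions):
    """Per negotiated cipher ('plaintext' if no TLS): how many sessions,
    how many authenticated, how many dropped right after EHLO."""
    summary = defaultdict(lambda: {"sessions": 0, "authenticated": 0, "dropped_after_ehlo": 0})
    for s in sessions:
        key = s["tls"][1] if s["tls"] else "plaintext"
        summary[key]["sessions"] += 1
        if s["sasl_method"]:
            summary[key]["authenticated"] += 1
        if s["lost_after"] == "EHLO":
            summary[key]["dropped_after_ehlo"] += 1
    return dict(summary)


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_LOG)
    for s in dropped_after_ehlo(found):
        print(f"{s['start']} pid={s['pid']} {s['client']} dropped after EHLO, tls={s['tls']}")
    for cipher, counts in cipher_summary(found).items():
        print(cipher, counts)
```

Run against a real mail log this separates "the client never got past EHLO" from "the TLS handshake itself failed"; in the quoted excerpt both the plaintext and the DES-CBC3-SHA sessions drop after EHLO with no AUTH line, which is consistent with the client rejecting the offered authentication methods rather than the cipher. With smtpd_tls_loglevel = 1 in main.cf, as suggested in the quoted reply, the "TLS connection established" lines this script relies on are present for every TLS session.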
