On Mon, Nov 25, 2024 at 03:29:54PM +0100, Matus UHLAR - fantomas via Postfix-users wrote:
> > Have you tried connecting to this server with:
> >
> >     $ openssl s_client -connect <hostname>:25 \
> >         -starttls smtp -tls1_2 -cipher 'HIGH+AES+kRSA+CBC:@STRENGTH'
> >
> > Seems like determining whether the ciphers could interoperate is the
> > first step.
>
> works with tls1.3, doesn't work otherwise:

Of course, because TLS 1.3 ignores "-ciphers", it does algorithm
negotiation very differently.

> 00A77BF7:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
> failure:../ssl/record/rec_layer_s3.c:1605:SSL alert number 40

Ah, so the server refuses these, sending an alert.  Now you need to
determine why the server is unwilling.

> I have also tried this from a Debian 10 machine without success, it doesn't
> understand the "CBC" part

The client OS does not matter.

> > > Alert Message
> > >     Level: Fatal (2)
> > >     Description: Handshake Failure (40)
> >
> > That's not useful, without knowing which party sent the alert.
>
> sorry, forgot to say it was the server's reply to the TLS helo.

As confirmed by the s_client test.  It sure looks like RSA key exchange is
disabled in your OpenSSL (unless you have Postfix settings that disable
'kRSA' or CBC ciphers).  In which case you'd need to figure out how to
reënable it, or build your own OpenSSL to link Postfix with, that is not
crippled.

To avoid problems with shared library conflicts, you'd need a
"shlib_variant".  In my builds I add a file to the "Configurations"
directory of the source tree:

    Configurations/99-viktor.conf:

    # Custom targets that inherit the stock platform config and only add a
    # shared-library name variant, so the custom libssl/libcrypto never
    # clash with the vendor's copies.
    my %targets = (
        "linux-x86_64-rpk" => {
            inherit_from => [ "linux-x86_64" ],
            shlib_variant => "rpk",
        },
        "BSD-x86_64-rpk" => {
            inherit_from => [ "BSD-x86_64" ],
            shlib_variant => "rpk",
        },
    );

The string "rpk" can be anything else you want, just not already used with
another custom OpenSSL build.
Then, I run

    $ ./Configure --prefix=/opt/openssl/3.4 -Wl,-rpath,/opt/openssl/3.4/lib64 linux-x86_64-rpk
    $ make
    $ make test
    # make install_sw
    # make install_ssldirs

to create a build in a non-default location with the non-default SO_NAME
variant libraries.  I then configure Postfix with:

    #! /bin/sh
    PFIX=/opt/postfix
    OSSL=/opt/openssl/3.4
    # Link (and set the runtime search path) against the custom OpenSSL,
    # not the vendor's, and pick up its headers.
    OSSL_LDFLAGS="-Wl,-R,$OSSL/lib64 -L$OSSL/lib64 -lssl -lcrypto"
    OSSL_CFLAGS="-I$OSSL/include"

    make -f Makefile.init dynamicmaps=yes shared=yes pie=yes openssl_path=$OSSL/bin/openssl \
        "CCARGS=$OSSL_CFLAGS "'-DNO_NIS -DUSE_SASL_AUTH -I/usr/include/sasl -DHAS_PCRE=2 -DUSE_CYRUS_SASL -DUSE_TLS -DHAS_CDB -DHAS_LMDB' \
        "AUXLIBS=$OSSL_LDFLAGS "'-lsasl2 -ldb' \
        'AUXLIBS_CDB=-lcdb' \
        'AUXLIBS_PCRE=-lpcre2-8' \
        'AUXLIBS_LMDB=-llmdb' \
        command_directory=$PFIX/sbin \
        config_directory=$PFIX/etc \
        daemon_directory=$PFIX/libexec \
        data_directory=/var/lib/postfix \
        mailq_path=$PFIX/sbin/mailq \
        newaliases_path=$PFIX/sbin/newaliases \
        queue_directory=/var/spool/postfix \
        sendmail_path=$PFIX/sbin/sendmail \
        shlib_directory=$PFIX/lib64/MAIL_VERSION \
        html_directory=no \
        manpage_directory=$PFIX/man \
        readme_directory=no \
        makefiles

After running that:

    $ make
    # make upgrade
    # install bin/posttls-finger /opt/postfix/sbin/posttls-finger
    # install -m 0444 man/man1/posttls-finger.1 /opt/postfix/man/man1/posttls-finger.1

Running that build instead of the vendor's means tweaking the init or
systemd configs accordingly.

-- 
    Viktor.
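An added diagnostic for the two questions the thread turns on (my example, not code from Viktor, Matus or the Postfix project): does the OpenSSL on this machine still offer TLS 1.2 RSA-key-exchange CBC ciphers at all, and when s_client does fail, did the client fail to offer them or did the server send the alert?  It uses Python's ssl module, which links the system OpenSSL; the s_client sample outputs are constructed from the thread, and the "error setting cipher list" / "no cipher match" strings are assumed to be what s_client prints when the cipher string matches nothing.

```python
import re
import ssl

# Cipher string from the thread: TLS 1.2, RSA key exchange, AES-CBC.
KRSA_CBC = "HIGH+AES+kRSA+CBC:@STRENGTH"


def local_krsa_ciphers(cipher_string=KRSA_CBC):
    """TLS 1.2 kRSA ciphers the linked OpenSSL can still offer; [] means the
    client side cannot even propose them (check local config first)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # "No cipher can be selected": nothing matched
        return []
    # TLS 1.3 suites are listed regardless of the cipher string (TLS 1.3
    # ignores it), so keep only genuine RSA-key-exchange entries.
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3" and c["kea"] == "kx-rsa"]


ALERT_RE = re.compile(r"SSL alert number (\d+)")
NEGOTIATED_RE = re.compile(r"^New, (\S+), Cipher is (\S+)", re.M)


def classify_s_client(output):
    """Classify s_client output: who declined, or what was negotiated."""
    m = ALERT_RE.search(output)
    if m:
        # An alert logged by the client was sent by the peer: the server
        # rejected the offered parameters (40 = handshake_failure).
        return ("server_refused", int(m.group(1)))
    low = output.lower()
    if "error setting cipher list" in low or "no cipher match" in low:
        return ("client_cannot_offer", None)  # assumed s_client wording
    m = NEGOTIATED_RE.search(output)
    if m and m.group(2) != "(NONE)":
        return ("negotiated", (m.group(1), m.group(2)))
    return ("unknown", None)


# Constructed samples: the alert line from the thread, and a success case.
SAMPLE_REFUSED = ("00A77BF7:error:0A000410:SSL routines:ssl3_read_bytes:"
                  "sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c"
                  ":1605:SSL alert number 40\nNew, (NONE), Cipher is (NONE)\n")
SAMPLE_OK = "New, TLSv1.2, Cipher is AES128-SHA256\nServer public key is 2048 bit\n"

if __name__ == "__main__":
    print("local kRSA ciphers:", local_krsa_ciphers() or "none (disabled here)")
    print(classify_s_client(SAMPLE_REFUSED))  # ('server_refused', 40)
    print(classify_s_client(SAMPLE_OK))       # ('negotiated', ('TLSv1.2', 'AES128-SHA256'))
```

If local_krsa_ciphers() is empty, the s_client test could never have reached the server; if it is non-empty and the run still shows alert 40, the refusal is the server's.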