Barney Desmond wrote:
2009/7/24 Jake Vickers <j...@v2gnu.com>:
I am having a spot of trouble disabling SSLv2 on a Postfix 2.5.1
installation (from Fedora 9 repo). Here is my postconf:

$ postconf -n
<snip>
smtpd_tls_mandatory_protocols = !SSLv2

As documented, this shouldn't be necessary:
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols

And when I try and check (from another machine) to see if it's still active:

openssl s_client -connect 192.168.0.10:25 -ssl2

I get this:
CONNECTED(00000003)
That means it's still answering SSLv2 correct?

Does it? It means you're getting a connection, it doesn't mean you're
getting past that point. You really want to test for TLS anyway, so
use openssl's SMTP protocol support. An example from my own TLS setup
(seeing as you haven't been forthcoming with details of your own):

% openssl s_client -connect yoshino.meidokon.net:587 -starttls smtp -ssl2
CONNECTED(00000003)
write:errno=104

It works fine if you remove the "-ssl2".

That's where it confuses me on my end. You see that I have smtpd_tls_mandatory = !SSLv2 in my config (even though the documentation says I do not need it), but when I use your command I get a connection and my certificate:

j...@jake-desktop:~$ openssl s_client -connect 270.271.204.26:587 -starttls smtp -ssl2
CONNECTED(00000003)
depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDODCCAqGgAwIBAgIDDBRgMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNzIyMDY1ODA0WhcNMTAwNzI0MTMwNjAw

<--snip-->

subject=/C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1172 bytes and written 271 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : SSLv2
   Cipher    : DES-CBC3-MD5
   Session-ID: 75F9B5C96A96710363065077390D449B
   Session-ID-ctx:
   Master-Key: 94D5D80849D4EBC3A89E13A25EEF4009499F04CDE5821EF8
   Key-Arg   : DC09C51C27AE4A04
   Start Time: 1248431958
   Timeout   : 300 (sec)
   Verify return code: 21 (unable to verify the first certificate)
---
250 DSN

<--end-->

This is why I am confused. I shouldn't need to turn it off, and I explicitly state to do so in the config, but it still allows SSLv2 connections.
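An added example, not from anyone in this thread, that applies Barney's point mechanically: "CONNECTED(...)" only proves the TCP connection, so the script decides from the "Protocol  : SSLv2" line of the SSL-Session summary whether the server really completed an SSLv2 handshake after STARTTLS. The host and port arguments are assumptions, the two sample transcripts are constructed from the outputs quoted above, and the live check needs an OpenSSL build that still has SSLv2 (removed in OpenSSL 1.1.0, where -ssl2 is rejected as an unknown option).

```shell
#!/bin/sh
# Classify openssl s_client output. Verdicts:
#   sslv2-negotiated   an SSLv2 session was really set up (the bad case)
#   handshake-failed   TCP connected but the SSLv2 handshake was refused
#   client-lacks-sslv2 this OpenSSL build has no SSLv2 at all
#   no-session         nothing conclusive in the output
sslv2_verdict() {
    out="$1"
    if printf '%s\n' "$out" | grep -q '^ *Protocol *: *SSLv2$'; then
        echo sslv2-negotiated
    elif printf '%s\n' "$out" | grep -iq 'unknown option'; then
        echo client-lacks-sslv2
    elif printf '%s\n' "$out" | grep -Eiq 'write:errno=|handshake failure|wrong version number'; then
        echo handshake-failed
    else
        echo no-session
    fi
}

# Live check of your own submission/SMTP port: STARTTLS, then force SSLv2.
# Usage: check_sslv2_starttls mail.example.org 587   (host and port assumed)
check_sslv2_starttls() {
    host="$1"; port="${2:-587}"
    out=$(printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls smtp -ssl2 2>&1)
    sslv2_verdict "$out"
}

# Constructed samples modelled on the two transcripts quoted in the thread.
SAMPLE_REFUSED='CONNECTED(00000003)
write:errno=104'
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
---
250 DSN'
SAMPLE_NO_SSLV2='s_client: Unknown option: -ssl2'
```

Anything other than "sslv2-negotiated" means the server did not complete an SSLv2 session, whatever the CONNECTED line says.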
