Jake Vickers wrote:
Barney Desmond wrote:
2009/7/24 Jake Vickers <j...@v2gnu.com>:
I am having a spot of trouble disabling SSLv2 on a Postfix 2.5.1
installation (from Fedora 9 repo). Here is my postconf:

$ postconf -n
<snip>
smtpd_tls_mandatory_protocols = !SSLv2

As documented, this shouldn't be necessary:
http://www.postfix.org/postconf.5.html#smtpd_tls_mandatory_protocols

And when I try and check (from another machine) to see if it's still active:

openssl s_client -connect 192.168.0.10:25 -ssl2

I get this:
CONNECTED(00000003)
That means it's still answering SSLv2 correct?

Does it? It means you're getting a connection, it doesn't mean you're
getting past that point. You really want to test for TLS anyway, so
use openssl's SMTP protocol support. An example from my own TLS setup
(seeing as you haven't been forthcoming with details of your own):

% openssl s_client -connect yoshino.meidokon.net:587 -starttls smtp -ssl2
CONNECTED(00000003)
write:errno=104

It works fine if you remove the "-ssl2".

That's where it confuses me on my end. You see that I have smtpd_tls_mandatory_protocols = !SSLv2 in my config (even though the documentation says I do not need it), but when I use your command I get a connection and my certificate:


j...@jake-desktop:~$ openssl s_client -connect 270.271.204.26:587 -starttls smtp -ssl2
CONNECTED(00000003)
depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDODCCAqGgAwIBAgIDDBRgMA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDkwNzIyMDY1ODA0WhcNMTAwNzI0MTMwNjAw

<--snip-->

subject=/C=CA/O=mail.network.com/OU=GT11322033/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.network.com
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
Ciphers common between both SSL endpoints:
RC4-MD5 EXP-RC4-MD5 RC2-CBC-MD5 EXP-RC2-CBC-MD5 DES-CBC-MD5 DES-CBC3-MD5
---
SSL handshake has read 1172 bytes and written 271 bytes
---
New, SSLv2, Cipher is DES-CBC3-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
    Session-ID: 75F9B5C96A96710363065077390D449B
    Session-ID-ctx:
    Master-Key: 94D5D80849D4EBC3A89E13A25EEF4009499F04CDE5821EF8
    Key-Arg   : DC09C51C27AE4A04
    Start Time: 1248431958
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 DSN

<--end-->
This is why I am confused. I shouldn't need to turn it off, and I explicitly state to do so in the config, but it still allows SSLv2 connections.
I also tried these settings (smtpd_tls_mandatory_protocols = !SSLv2) on a Debian build (running 2.3.8) with a self-signed cert and am still getting an SSLv2 connection. I'm sure I'm missing something glaringly obvious...
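
The point Barney makes above is that "CONNECTED(00000003)" only proves the TCP connection opened; what actually shows an SSLv2 session in Jake's transcript is the "Protocol  : SSLv2" line of the SSL-Session block. The script below is an added example (not posted by anyone in this thread) that scripts that check: it runs openssl s_client with -starttls smtp and a protocol flag, extracts the negotiated protocol from the output, and reports "refused" when no session was established at all (the write:errno=104 case). The host and port in probe_starttls are placeholders, and the two transcripts at the bottom are constructed from the shape of the s_client output quoted above so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example: decide whether an SMTP server negotiated SSLv2 after STARTTLS
# from the openssl s_client transcript, instead of trusting "CONNECTED(...)".
# Not from the original thread; host/port arguments are placeholders.

# Extract the negotiated protocol from openssl s_client output on stdin.
# It is printed on the "Protocol  : SSLv2" line of the SSL-Session block;
# an empty result means no SSL/TLS session was established at all.
negotiated_protocol() {
    sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*\([A-Za-z0-9.]*\).*$/\1/p' | head -n 1
}

# Exit status 0 if the transcript on stdin shows an SSLv2 session, 1 otherwise.
is_sslv2_session() {
    [ "$(negotiated_protocol)" = "SSLv2" ]
}

# Live probe: $1 = host, $2 = port, $3 = openssl protocol flag (-ssl2, -ssl3, -tls1).
# Needs an OpenSSL built with that protocol; OpenSSL 1.1.0 and later removed
# SSLv2 support and the -ssl2 option entirely, so test from an older build.
probe_starttls() {
    host=$1; port=$2; flag=$3
    openssl s_client -connect "$host:$port" -starttls smtp "$flag" </dev/null 2>/dev/null \
        | negotiated_protocol
}

# Classify a transcript: prints "SSLv2 accepted", "refused", or the protocol name.
check_transcript() {
    proto=$(printf '%s\n' "$1" | negotiated_protocol)
    case $proto in
        SSLv2) echo "SSLv2 accepted" ;;
        '')    echo "refused" ;;
        *)     echo "$proto" ;;
    esac
}

# Constructed transcripts (abridged) in the shape of the two s_client runs quoted above.
SAMPLE_SSLV2='CONNECTED(00000003)
---
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
---
250 DSN'

SAMPLE_REFUSED='CONNECTED(00000003)
write:errno=104'

# Usage against a real server (placeholders):
#   proto=$(probe_starttls mail.example.test 587 -ssl2)
#   [ "$proto" = "SSLv2" ] && echo "server still negotiates SSLv2"
check_transcript "$SAMPLE_SSLV2"
check_transcript "$SAMPLE_REFUSED"
```

One caveat a practitioner would want alongside this check: per postconf(5), smtpd_tls_mandatory_protocols only governs mandatory TLS, i.e. smtpd_tls_security_level = encrypt (or the older smtpd_enforce_tls = yes). A server running opportunistic TLS (smtpd_tls_security_level = may) is not constrained by it; the separate smtpd_tls_protocols parameter that covers opportunistic TLS was introduced in Postfix 2.6, so it is not available on the 2.5.1 and 2.3.8 installations mentioned here. Which mode the server is in is something the thread does not show (the postconf -n output is snipped), so checking smtpd_tls_security_level is the first thing to confirm before re-running the probe.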
