On Tue, 24 Apr 2012 10:21:32 -0400 (EDT)
Wietse Venema articulated:

>Jerry:
>> $ ldd /usr/local/libexec/postfix/smtp
>> /usr/local/libexec/postfix/smtp:
>...
>>    libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800b2f000)
>>    libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c93000)
>
>That looks like the right OpenSSL version.
>
>Can you connect from the same FreeBSD box to the same hotmail server
>with "openssl s_client"?
>
>    $ openssl s_client -starttls smtp -connect 65.55.96.11:25
>
>Somewhere in the output will be a protocol version, something like:
>
>    SSL-Session:
>        Protocol  : TLSv1
>        Cipher    : RC4-MD5
>
>If "openssl s_client" fails, try adding the protocol:
>
>    $ openssl s_client -tls1 ...
>
>Meanwhile I'll set up openssl-1.01a on a box that has
>access to remote port 25.

New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA

The entire output is:

$ openssl s_client -starttls smtp -connect 65.55.96.11:25
CONNECTED(00000003)
depth=2 CN = Microsoft Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=smtp.live.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
   i:/CN=Microsoft Internet Authority
 2 s:/CN=Microsoft Internet Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
subject=/CN=smtp.live.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
---
No client certificate CA names sent
---
SSL handshake has read 4881 bytes and written 675 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 5F0E0000E79C81128490E44FF015B884CDFBD04609B30BC19813195B3C8ECA84
    Session-ID-ctx:
    Master-Key: 9EF71DE096C86138838E0FE74CA391BBD9579E5F7B577B8061B1351B52996742E2D6916B663BB3DD3A5168C4E166D6E0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1335280936
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK

When adding the "-tls1" flag:

New, TLSv1/SSLv3, Cipher is RC4-MD5

The entire output:

$ openssl s_client -starttls smtp -connect 65.55.96.11:25 -tls1
CONNECTED(00000003)
depth=2 CN = Microsoft Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=smtp.live.com
   i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
 1 s:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
   i:/CN=Microsoft Internet Authority
 2 s:/CN=Microsoft Internet Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
subject=/CN=smtp.live.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
---
No client certificate CA names sent
---
SSL handshake has read 4880 bytes and written 573 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 131B000078AD187C4A61112B1CED7249BFD911F68456CE54A4D755DC61655827
    Session-ID-ctx:
    Master-Key: 488EC71B476E68ABF2B00D62F022A1D3F63D872E6BB61D6BBC5C5F2BD3CEC0B9AA131F7275E9B193306063099BEAF13A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1335280833
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK

I hope this helps.

-- 
Jerry ✌
postfix-u...@seibercom.net
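
The comparison that the test above sets up, as an added example that is not part of the original message: it extracts the negotiated parameters from saved "openssl s_client" output and prints only the fields that differ between two runs. The function names are hypothetical, and the sample input is trimmed from the two runs shown in the message.

```shell
#!/bin/sh
# Added example: summarise saved "openssl s_client" output and list the
# fields that differ between two runs. All function names are hypothetical.

# summarize: read s_client output on stdin, print one key=value per line.
summarize() {
    awk '
        /^ *Protocol *:/           { sub(/^[^:]*: */, ""); proto = $0 }
        /^ *Cipher *:/             { sub(/^[^:]*: */, ""); cipher = $0 }
        /^Secure Renegotiation IS/ { reneg = ($4 == "NOT") ? "no" : "yes" }
        /^ *Verify return code:/   { verify = $4 }
        END {
            printf "protocol=%s\ncipher=%s\n", proto, cipher
            printf "secure_renegotiation=%s\nverify_code=%s\n", reneg, verify
        }'
}

# diff_runs SUMMARY_A SUMMARY_B: print only the fields whose values differ.
diff_runs() {
    for key in protocol cipher secure_renegotiation verify_code; do
        va=$(printf '%s\n' "$1" | sed -n "s/^$key=//p")
        vb=$(printf '%s\n' "$2" | sed -n "s/^$key=//p")
        [ "$va" = "$vb" ] || printf '%s: %s -> %s\n' "$key" "$va" "$vb"
    done
}

# Sample input: lines trimmed from the two runs shown in the message above.
sample_default() { cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}
sample_tls1() { cat <<'EOF'
New, TLSv1/SSLv3, Cipher is RC4-MD5
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

diff_runs "$(sample_default | summarize)" "$(sample_tls1 | summarize)"
```
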