On 26.06.2012 20:04, Daniel L. Miller wrote:
> After a recent Ubuntu server upgrade, the packaged versions of Postfix -
> using Ubuntu's "Precise" version, as well as the "security", "updates",
> and "backports" repositories - Postfix's TLS is broken with the known
> SSL version issue:
>
> warning: TLS library problem: 4425:error:1408F10B:SSL
> routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
>
> I've tried a couple different main.cf settings, including:
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
>
> but the only option that has given me temporary functionality is:
> smtpd_tls_security_level=none
>
> Is there a way I can restore TLS functionality via configuration? Or is
> an updated Postfix, possibly a self-compiled version, my only option?
Have you read http://www.postfix.org/TLS_README.html ?

In quantal
http://packages.ubuntu.com/search?keywords=postfix&searchon=names&suite=quantal&section=all
postfix is 2.9.3-2: amd64 i386

There should be a lot of TLS fixes
ftp://ftp.fu-berlin.de/unix/mail/postfix/official/postfix-2.9.3.HISTORY
i.e.

--snip
20120422

	Bit-rot: OpenSSL 1.0.1 introduces new protocols. Update the
	known TLS protocol list so that protocols can be turned off
	selectively to work around implementation bugs. Based on a
	patch by Victor Duchovni. Files: proto/TLS_README.html,
	proto/postconf.proto, tls/tls.h, tls/tls_misc.c,
	tls/tls_client.c, tls/tls_server.c.
--snip

Recompile it on oneiric or wait till backport.

There was a thread
http://comments.gmane.org/gmane.mail.postfix.user/229196

--snip
That will be a solution for Postfix 2.10.

Meanwhile, for earlier Postfix releases, how much of the problem can
be solved by changing from:

    mumble_tls_mandatory_protocols = SSLv3, TLSv1 (i.e. the current default)

to:

    mumble_tls_mandatory_protocols = !SSLv2

I don't mind that the older Postfix versions would not be able to turn
on/off protocols that didn't exist at the time Postfix was released.

	Wietse
--snipend

http://www.postfix.org/postconf.5.html

--snip
smtp_tls_mandatory_protocols (default: !SSLv2)

List of SSL/TLS protocols that the Postfix SMTP client will use with
mandatory TLS encryption. In main.cf the values are separated by
whitespace, commas or colons. In the policy table "protocols" attribute
(see smtp_tls_policy_maps) the only valid separator is colon. An empty
value means allow all protocols. The valid protocol names, (see
SSL_get_version(3)), are "SSLv2", "SSLv3" and "TLSv1".

Note: As of OpenSSL 1.0.1 two new protocols are defined, "TLSv1.1" and
"TLSv1.2". If an older Postfix version is linked against OpenSSL 1.0.1
or later, these, or any other new protocol versions, are unconditionally
enabled.

With Postfix ≥ 2.5 the parameter syntax is expanded to support protocol
exclusions. One can now explicitly exclude SSLv2 by setting
"smtp_tls_mandatory_protocols = !SSLv2". To exclude both SSLv2 and SSLv3
set "smtp_tls_mandatory_protocols = !SSLv2, !SSLv3". Listing the
protocols to include, rather than protocols to exclude, is supported,
but not recommended. The exclusion form more closely matches the
behaviour when the OpenSSL library is newer than Postfix.

Since SSL version 2 has known protocol weaknesses and is now deprecated,
the default setting excludes "SSLv2". This means that by default, SSL
version 2 will not be used at the "encrypt" security level and higher.
See the documentation of the smtp_tls_policy_maps parameter and
TLS_README for more information about security levels.

Example:

# Preferred form with Postfix ≥ 2.5:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# Alternative form.
smtp_tls_mandatory_protocols = TLSv1
--snipend

But I am not really up2date with this issue, but I am sure others are
and will answer.

--
Best Regards
MfG Robert Schetterer
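The inclusion/exclusion behaviour that the postconf(5) excerpt describes is easy to get wrong when the OpenSSL library is newer than the Postfix build that was compiled against it. The following is an added example, not code from the thread, from Postfix or from Ubuntu: it models what a Postfix build that only knows "SSLv2", "SSLv3" and "TLSv1" ends up enabling when linked against an OpenSSL 1.0.1 that also offers "TLSv1.1" and "TLSv1.2", and contrasts it with a build that knows all five names. The function names, the simplified error handling (a `ValueError` where real Postfix logs a warning and refuses the session) and the `main.cf` fragment are assumptions constructed for the example.

```python
import re

# Protocol names a Postfix build knows how to switch off (via OpenSSL's
# SSL_OP_NO_* options).  Assumption for this example: a pre-2.10 build that
# knows only the three names listed in postconf(5) above.
POSTFIX_KNOWN = ("SSLv2", "SSLv3", "TLSv1")

# Protocol versions the linked library actually implements.  OpenSSL 1.0.1
# added TLSv1.1 and TLSv1.2, which an older Postfix cannot name.
OPENSSL_101 = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_protocol_list(value, policy_table=False):
    """Split a *_tls_mandatory_protocols value into protocol names.

    main.cf separates names by whitespace, commas or colons; the policy
    table "protocols" attribute allows only colons (per postconf(5))."""
    seps = ":" if policy_table else r"[\s,:]+"
    return [t for t in re.split(seps, value.strip()) if t]


def effective_protocols(value, known=POSTFIX_KNOWN, library=OPENSSL_101,
                        policy_table=False):
    """Return the set of protocol versions that end up enabled.

    Models the inclusion/exclusion semantics described in postconf(5).
    Simplification (assumption): mixed or unknown names raise ValueError,
    where real Postfix logs a warning and refuses the TLS session."""
    names = parse_protocol_list(value, policy_table)
    if not names:
        return set(library)                      # empty value: allow all
    excluded = [n[1:] for n in names if n.startswith("!")]
    included = [n for n in names if not n.startswith("!")]
    if excluded and included:
        raise ValueError("cannot mix inclusion and exclusion: %r" % value)
    unknown = [n for n in excluded + included if n not in known]
    if unknown:
        raise ValueError("protocol name(s) unknown to this Postfix: %r" % unknown)
    if excluded:
        # Exclusion form: only the named versions are switched off, so a
        # version the library added later stays on, as the admin intended.
        return set(library) - set(excluded)
    # Inclusion form: Postfix can only switch off the names it knows, so a
    # version newer than this Postfix build is enabled unconditionally,
    # whether or not it was listed.
    return set(library) - (set(known) - set(included))


def audit_main_cf(text):
    """Flag the two settings discussed in the thread in a main.cf fragment.

    Returns a list of (parameter, finding) tuples.  Only full-line comments
    are skipped, since main.cf has no inline comments."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.endswith("_tls_security_level") and value == "none":
            findings.append((key, "TLS disabled entirely"))
        elif key.endswith("_tls_mandatory_protocols"):
            names = parse_protocol_list(value)
            if names and not all(n.startswith("!") for n in names):
                findings.append((key, "inclusion form; exclusion form recommended"))
    return findings


# Constructed main.cf fragment mirroring the settings mentioned in the thread.
SAMPLE_MAIN_CF = """
# temporary workaround from the original post
smtpd_tls_security_level = none
smtp_tls_mandatory_protocols = TLSv1
"""

if __name__ == "__main__":
    for form in ("!SSLv2, !SSLv3", "TLSv1"):
        old = effective_protocols(form)                      # Postfix knowing 3 names
        new = effective_protocols(form, known=OPENSSL_101)   # Postfix knowing all 5
        print("%-16s old Postfix: %-30s new Postfix: %s"
              % (form, sorted(old), sorted(new)))
    for key, finding in audit_main_cf(SAMPLE_MAIN_CF):
        print("%s: %s" % (key, finding))
```

Running it shows the point the postconf text makes: the exclusion form "!SSLv2, !SSLv3" yields the same set on both builds, while the inclusion form "TLSv1" silently also enables TLSv1.1 and TLSv1.2 on the older build, because that build has no option bit to turn them off.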