Signature Algorithm: sha256WithRSAEncryption

It looks like your OpenSSL library does not enable this via
OpenSSL_add_ssl_algorithms().

The use of certificates with signature algorithms other than MD5
and SHA-1 is supposed to be negotiated via TLSv1.2; plain SSLv3/TLSv1
do not have a way to negotiate these, and clients or servers that
use SHA-2 signatures will run into interoperability problems.
Can you report the output of "ldd /usr/libexec/postfix/smtpd" (smtpd
is in $daemon_directory, adjust as necessary).  That will help nail
down the exact OpenSSL version in use.  Also report the O/S
distribution and version of the package that contains the libssl
that smtpd depends on.

I would have expected SHA-2 support as of OpenSSL 1.0.0a.

Ok, so the problem seems to be clear. The system uses an ancient openssl version (sunfreeware package):

# uname -a
SunOS rv-smtpext-201 5.10 Generic_148888-03 sun4v sparc SUNW,T5140

# ldd /opt/vrnetze/postfix/libexec/smtpd
        libdb-4.7.so => /usr/local/BerkeleyDB.4.7/lib/libdb-4.7.so
        libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8
        libpcre.so.0 =>  /usr/local/lib/libpcre.so.0
        libresolv.so.2 =>        /lib/libresolv.so.2
        libsocket.so.1 =>        /lib/libsocket.so.1
        libnsl.so.1 =>   /lib/libnsl.so.1
        libc.so.1 =>     /lib/libc.so.1
        librt.so.1 =>    /usr/lib/librt.so.1
        libpthread.so.1 =>       /usr/lib/libpthread.so.1
        libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1
        libdl.so.1 =>    /lib/libdl.so.1
        libdevinfo.so.1 =>       /usr/lib/libdevinfo.so.1
        libmp.so.2 =>    /lib/libmp.so.2
        libmd.so.1 =>    /lib/libmd.so.1
        libscf.so.1 =>   /lib/libscf.so.1
        libaio.so.1 =>   /lib/libaio.so.1
        libnvpair.so.1 =>        /lib/libnvpair.so.1
        libsec.so.1 =>   /lib/libsec.so.1
        libgen.so.1 =>   /lib/libgen.so.1
        libdoor.so.1 =>  /lib/libdoor.so.1
        libuutil.so.1 =>         /lib/libuutil.so.1
        libavl.so.1 =>   /lib/libavl.so.1
        libm.so.2 =>     /lib/libm.so.2
        /platform/SUNW,T5140/lib/libc_psr.so.1
        /platform/SUNW,T5140/lib/libmd_psr.so.1

# /usr/local/ssl/bin/openssl version
OpenSSL 0.9.8k 25 Mar 2009

Thank you very much for your help! Is it possible to deactivate the "smtpd_tls_ask_ccert = yes" setting for this special target? Ideally without deactivating the STARTTLS extension completely?

I understand that the correct solution is an openssl upgrade on our side (due to other security related reasons), but I need a maintenance window for this.
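The two checks asked for above (which libssl smtpd is linked against, and whether that OpenSSL release is at or after 1.0.0a, the point from which SHA-2 certificate signatures are expected to work) can be scripted so the result is unambiguous. The following is an added example, not code from this thread or from Postfix; it runs against the ldd and `openssl version` output quoted above as constructed sample input, and the `1.0.0a` threshold is taken from the reply above, not from OpenSSL documentation.

```shell
#!/bin/sh
# Added example (not from the thread or from Postfix): a diagnostic that
# mirrors the two checks discussed above. It reads ldd output, extracts the
# libssl that smtpd is linked against, parses an `openssl version` banner
# into a comparable number, and reports whether SHA-2 certificate
# signatures can be expected to work (threshold 1.0.0a, as stated above).

# Print the libssl path from ldd output read on stdin.
# Handles the Solaris ldd format shown in the thread ("libssl.so.0.9.8 => /path").
libssl_from_ldd() {
    awk '$1 ~ /^libssl\.so/ { print $3; exit }'
}

# Turn an `openssl version` banner such as "OpenSSL 0.9.8k 25 Mar 2009"
# into one integer so releases can be compared with -ge.
# Letter patch releases (0.9.8k, 1.0.0a) are ordered by the letter's
# ASCII code; a release without a letter sorts before its lettered updates.
openssl_version_key() {
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    fix=$(printf '%s' "$rest" | sed 's/[^0-9].*$//')
    letter=$(printf '%s' "$rest" | sed 's/^[0-9]*//' | cut -c1)
    if [ -n "$letter" ]; then
        code=$(printf '%d' "'$letter")
    else
        code=0
    fi
    echo $(( major * 100000000 + minor * 1000000 + fix * 1000 + code ))
}

# Exit status 0 when the banner names a release at or after 1.0.0a.
sha2_expected() {
    [ "$(openssl_version_key "$1")" -ge "$(openssl_version_key "OpenSSL 1.0.0a")" ]
}

# Constructed sample input, copied from the output quoted in the thread.
SAMPLE_LDD='        libdb-4.7.so => /usr/local/BerkeleyDB.4.7/lib/libdb-4.7.so
        libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8
        libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8'
SAMPLE_BANNER='OpenSSL 0.9.8k 25 Mar 2009'

# On a real host, replace the samples with the live output of
#   ldd "$daemon_directory/smtpd"      and      openssl version
# using the openssl binary that belongs to the libssl found by ldd.
main() {
    lib=$(printf '%s\n' "$SAMPLE_LDD" | libssl_from_ldd)
    echo "smtpd links against: $lib"
    if sha2_expected "$SAMPLE_BANNER"; then
        echo "$SAMPLE_BANNER: SHA-2 certificate signatures expected to work"
    else
        echo "$SAMPLE_BANNER: older than 1.0.0a; expect failures against peers presenting sha256WithRSAEncryption certificates"
    fi
}
main
```

The version key is built from the banner's second field only, so the build date is ignored; the comparison is by release number alone, which is what matters for the SHA-2 question raised here.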
