Some additional information:

# /opt/vrnetze/openssl/bin/openssl s_client -connect mxtls.allianz.com:25 -starttls smtp
CONNECTED(00000004)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=DE/ST=Bayern/L=Unterf\xC3\xB6hring/O=Allianz Managed Operations & Services SE/OU=Allianz Group/CN=*.allianz.de
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFVzCCBD+gAwIBAgIQRje+sRdEDc8quKMQfyp3vTANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTMwMjE5
MDAwMDAwWhcNMTQwMjI0MjM1OTU5WjCBmDELMAkGA1UEBhMCREUxDzANBgNVBAgM
BkJheWVybjEWMBQGA1UEBwwNVW50ZXJmw7ZocmluZzExMC8GA1UECgwoQWxsaWFu
eiBNYW5hZ2VkIE9wZXJhdGlvbnMgJiBTZXJ2aWNlcyBTRTEWMBQGA1UECwwNQWxs
aWFueiBHcm91cDEVMBMGA1UEAwwMKi5hbGxpYW56LmRlMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEA34vFk6ijdJ5H/IdHOPvyvFPa/I/CN0+NvhmgluJs
5p2IebxKNYZb+K7PiQSMD+aeFLw8EEbKdRIya7+KgKKkcrWKXMY68dZ3ehANvm7L
OEQgSy0DsGsWEH5HUUw2vzY9Se66LNwYausPWwEOP2dBCtPq6xISAzv0WmL89z4b
CuxjQV1pK9Qm7Ee5bm9gIpTRHm8NXxyRCg0G49e+cU8D2+8NaYO/N1kLhnXXGKFx
oo/wXEuqCD4SR0JDLq/Ues3o+pH/ObALlaZpl0DLOws4tCADGM36v8VmWA/PEMuT
kowK2RxlNG1YHpp8CJutta9Ah4JvX/p4J4XrjR8In8gw1QIDAQABo4IBfDCCAXgw
FwYDVR0RBBAwDoIMKi5hbGxpYW56LmRlMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD
AgWgMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZl
cmlzaWduLmNvbS9TVlJTZWN1cmVHMy5jcmwwQwYDVR0gBDwwOjA4BgpghkgBhvhF
AQc2MCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9jcHMw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFA1EXBZT
RMGCfh0gqyX0AWPYvnmlMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0
cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUFBzAChjRodHRwOi8vU1ZSU2Vj
dXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY2VyMA0GCSqGSIb3
DQEBBQUAA4IBAQCTj4I2An6Sg02mjUwdNpbw+QwBZPnjixLFOTY02ehBGJ80eF1Y
HkyCJQXiyuL9yiqdDU0iB+HfPkz8ASAPKpH2GZqU57hq0GEADrqift/3XVg681UF
hvKBG6ciVrS2bgXpdBAE8XMMoLbbvruom4UrjphFMY4gNMkjFUn8kzNP8pFFuODx
/26V6m/VSuqUq9H51F1G4NpsfAWJMrPatmnKBLV2nGhTMXe1AOraDGKTEFiM4DLf
hOO3G/LjE0PLt1ALv3HagnWR5PbtSxVwaMHWdClHzWiwhaimtwiBZkbn1UN6FENI
mF7X2lcyxk5n5Q5mGCNQQaIxkre04F8oXtAM
-----END CERTIFICATE-----
subject=/C=DE/ST=Bayern/L=Unterf\xC3\xB6hring/O=Allianz Managed Operations & Services SE/OU=Allianz Group/CN=*.allianz.de
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
Acceptable client certificate CA names
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
SSL handshake has read 6159 bytes and written 566 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 27BA0212310594A9E6BFA40D0ECB0D11C6B5AC6C0D43262B551072C99AE6AEF6
    Session-ID-ctx:
    Master-Key: 00F84A8BEE171D1DD0DDE339984755CD253E804DDD7039A1C496D7348F03CF170F1B485133EFC1E67F5669279761A2D0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - 2c cb a1 28 60 8d dd ab-22 b3 fd 81 d4 bd 2d fd   ,..(`...".....-.
    0010 - 35 30 7e 80 4a ea 42 fd-2a 17 ec 73 3d b7 51 7d   50~.J.B.*..s=.Q}
    0020 - 48 7b 70 69 eb ed 92 2b-df 11 af 10 7a 81 30 63   H{pi...+....z.0c
    0030 - b1 04 54 a9 e3 e8 80 63-e4 72 a3 01 95 c4 56 e9   ..T....c.r....V.
    0040 - 32 b5 2e 55 8b ae 34 da-29 73 90 82 1f 4a e0 f7   2..U..4.)s...J..
    0050 - ff f9 dd 3e d5 f1 33 6c-34 7a ed 59 4a 8f 38 ae   ...>..3l4z.YJ.8.
    0060 - 6b e0 49 5d 4b 1b bf 27-5b 64 86 a4 e5 38 3e 9b   k.I]K..'[d...8>.
    0070 - e8 a7 81 75 92 78 02 10-5d e5 be a2 c8 f9 87 7b   ...u.x..]......{
    0080 - eb bb c7 90 c7 70 0f 63-83 cf 20 d5 b3 65 33 a4   .....p.c.. ..e3.
    0090 - 65 34 18 75 10 6b 91 0f-73 af 9b 79 43 a4 a8 de   e4.u.k..s..yC...

    Start Time: 1371343913
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250 HELP
HELO mail.EXAMPLE.COM
250 mailgw.allianz.de Hello mail.EXAMPLE.COM [91.235.236.8], pleased to meet you
MAIL FROM:j...@example.com
250 2.1.0 j...@example.com... Sender ok
RCPT TO:xxx....@example.com
RENEGOTIATING
[CTRL+C]

On 16.06.2013 01:58, Jan P. Kessler wrote:
> >> # openssl
> >> ./Configure \
> >>   --prefix=${BASE}/openssl \
> >>   --openssldir=${BASE}/openssl \
> >>   solaris-sparcv9-cc
> >> make; make install
> >>
> >> # postfix
> >> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
> >> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
> >> -L/usr/local/lib"
> >> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
> >> -I/usr/local/include"
> >>
> >> make tidy; make makefiles \
> >>   CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
> >>   AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
> >> make; make upgrade
>
> The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> issue.
> Unfortunately now we see another problem with the outgoing
> instance, trying to send to another partner with mandatory TLS:
>
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:28:55 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: to=<xxx....@example.com>, relay=mxtls.allianz.com[194.127.3.22]:25, delay=62663, delays=62662/0/0.54/0.01, dsn=4.7.0, status=deferred (host mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command))
>
> BEFORE UPGRADE:
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] certificate verification failed for mxtls.allianz.com[194.127.3.21]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
> Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] Untrusted TLS connection established to mxtls.allianz.com[194.127.3.21]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Jun 14 11:43:42 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] 19688599D: to=<xxx....@example.com>, relay=mxtls.allianz.com[194.127.3.21]:25, delay=0.94, delays=0.03/0/0.48/0.43, dsn=2.0.0, status=sent (250 2.0.0 r5E9hfN2006147 Message accepted for delivery)
>
> Other outgoing TLS connections seem to work fine:
>
> Jun 16 00:29:52 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to gmail-smtp-in.l.google.com[173.194.70.26]:25
> Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
> Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] CBF8256AD: to=<aaa....@example.com>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.85, delays=0.01/0/0.18/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1371335393 b5si7050738eew.190 - gsmtp)
>
> Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] setting up TLS connection to smail2-neu.mailintern.local[10.221.24.22]:25
> Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] Trusted TLS connection established to smail2-neu.mailintern.local[10.221.24.22]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Jun 16 00:29:55 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] 6195A56F4: to=<ccc....@example.com>, relay=smail2-neu.mailintern.local[10.221.24.22]:25, delay=11, delays=11/0/0.14/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 98BABC6DA0)
>
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] setting up TLS connection to smtpcl3.fiducia.de[195.200.34.38]:25
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] smtpcl3.fiducia.de[195.200.34.38]:25: re-using session with untrusted certificate, look for details earlier in the log
> Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] Untrusted TLS connection established to smtpcl3.fiducia.de[195.200.34.38]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Jun 16 00:29:58 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] 932B356AF: to=<eee....@example.com>, relay=smtpcl3.fiducia.de[195.200.34.38]:25, delay=2.1, delays=0.58/0.07/0.26/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7C5731C8C89)
>
> I have already tried to wipe the smtp_scache.db without success. Could
> you give me another hint? Verbose logs and configuration follow at the
> end of this mail.
>
> > If you're interested, I now have another option for you, a Postfix
> > patch that will likely enable support for SHA-2 digests even when
> > Postfix is compiled and linked with OpenSSL 0.9.8.
>
> May I ask if this would have a chance to be included in future Postfix
> releases? Just to know if Postfix has to be patched again with updates.
>
> > Keep in mind that the latest OpenSSL 0.9.8 patch level is now
> > 0.9.8y, and I seem to recall that you had 0.9.8k, which likely has
> > various unpatched bugs. So you should probably upgrade the system's
> > OpenSSL 0.9.8 libraries to 0.9.8y.
>
> Thanks, but the 0.9.8k OpenSSL lib is not the Solaris 10 default anyway.
> It was installed separately some time ago from a different source
> (sunfreeware) to compile Postfix. I'd prefer to drop it completely. It
> is not used by other software on these systems.
>
> # postconf -c /etc/postfix/OUT mail_version
> mail_version = 2.8.13
> # /opt/vrnetze/openssl/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013
>
> # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
> # postqueue -c /etc/postfix/OUT -i 704A35DD5
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] mxtls.allianz.com[194.127.3.22]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] looking for session smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 in smtp cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] lookup smtp session id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:before/connect initialization
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 b7  ....f... b..Q....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0010 a5 91 88 61 35 5b 04 b0|16 00 7a 15 84 3c b5 0b  ...a5[.. ..z..<..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0020 59 23 37 d6 e4 7d 6f 15|82 8f c6 00 00 ca c0 19  Y#7..}o. ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28  . ...m.: ...0.,.(
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b  .$....." .!.....k
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a  .j.9.8.. ...2...*
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17  .&...... .=.5....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34  ........ .....l.4
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09  ...F./.+ .'.#....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32  ........ .g.@.3.2
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25  .....E.D .1.-.).%
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07  .......< ./...A..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04  ........ ...o....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19  .......4 .2......
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00  ........ .....#..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02  ...".. . ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01                 ........ ...
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
> Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:error in SSLv2/v3 read server hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] remove session smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 from client cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] delete smtp session id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] mxtls.allianz.com[194.127.3.21]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] looking for session smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 in smtp cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] lookup smtp session id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:before/connect initialization
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] write to 000A3418 [000F6020] (363 bytes => 363 (0x16B))
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 70  ....f... b..Q...p
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0010 e9 dc 5b a9 11 c3 47 1e|77 5b 4a a8 81 81 26 40  ..[...G. w[J...&@
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0020 e2 0a 41 b0 2e b9 96 2c|2e 63 e4 00 00 ca c0 19  ..A...., .c......
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28  . ...m.: ...0.,.(
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b  .$....." .!.....k
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a  .j.9.8.. ...2...*
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17  .&...... .=.5....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34  ........ .....l.4
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09  ...F./.+ .'.#....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32  ........ .g.@.3.2
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25  .....E.D .1.-.).%
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07  .......< ./...A..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04  ........ ...o....
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19  .......4 .2......
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00  ........ .....#..
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02  ...".. . ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01  ........ ........
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01                 ........ ...
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] read from 000A3418 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
> Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:error in SSLv2/v3 read server hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] remove session smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 from client cache
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] delete smtp session id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: to=<xxx....@example.com>, relay=mxtls.allianz.com[194.127.3.21]:25, delay=64211, delays=64211/0/0.54/0.01, dsn=4.7.0, status=deferred (host mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command))
>
>
> # egrep -v "^#" /etc/postfix/OUT/master.cf
> smtp26     inet  n       -       n       -       200     smtpd
>   -o smtpd_client_connection_count_limit=100
> cryptosmtp unix  -       -       n       -       50      smtp
>   -o smtp_data_done_timeout=1200
> tlsmgr     unix  -       -       n       1000?   1       tlsmgr
> pickup     fifo  n       -       n       60      1       pickup
> cleanup    unix  n       -       n       -       0       cleanup
> qmgr       fifo  n       -       n       300     1       qmgr
> rewrite    unix  -       -       n       -       -       trivial-rewrite
> bounce     unix  -       -       n       -       0       bounce
> defer      unix  -       -       n       -       0       bounce
> trace      unix  -       -       n       -       0       bounce
> verify     unix  -       -       n       -       1       verify
> flush      unix  n       -       n       1000?   0       flush
> proxymap   unix  -       -       n       -       -       proxymap
> smtp       unix  -       -       n       -       -       smtp
> relay      unix  -       -       n       -       -       smtp
> showq      unix  n       -       n       -       -       showq
> error      unix  -       -       n       -       -       error
> discard    unix  -       -       n       -       -       discard
> local      unix  -       n       n       -       -       local
> virtual    unix  -       n       n       -       -       virtual
> lmtp       unix  -       -       n       -       -       lmtp
> anvil      unix  -       -       n       -       1       anvil
> scache     unix  -       -       n       -       1       scache
> maildrop   unix  -       n       n       -       -       pipe
>   flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
> old-cyrus  unix  -       n       n       -       -       pipe
>   flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> cyrus      unix  -       n       n       -       -       pipe
>   user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
> uucp       unix  -       n       n       -       -       pipe
>   flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> ifmail     unix  -       n       n       -       -       pipe
>   flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp      unix  -       n       n       -       -       pipe
>   flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
>
> # postconf -c /etc/postfix/OUT -n
> alias_database = hash:/etc/postfix/aliases
> alias_maps = $alias_database
> body_checks = pcre:/etc/postfix/OUT/body_checks
> body_checks_size_limit = 512000
> bounce_queue_lifetime = 3d
> bounce_template_file = /etc/postfix/bounce.cf
> command_directory = /opt/vrnetze/postfix/sbin
> config_directory = /etc/postfix/OUT
> daemon_directory = /opt/vrnetze/postfix/libexec
> data_directory = /var/spool/postfix-OUT/DATA
> debug_peer_level = 2
> default_privs = nobody
> default_process_limit = 200
> disable_vrfy_command = yes
> fast_flush_domains = $relay_domains
> header_checks = pcre:/etc/postfix/OUT/header_checks
> html_directory = no
> inet_interfaces = all
> luser_relay = g_cna...@example.com
> mail_name = Mailservice
> mail_owner = postfix
> mailbox_size_limit = 56000001
> mailq_path = /usr/bin/mailq
> manpage_directory = /opt/vrnetze/postfix/man
> maximal_queue_lifetime = 3d
> message_size_limit = 56000000
> mime_header_checks = pcre:/etc/postfix/OUT/mime_header_checks
> mydestination = $myhostname, localhost.$mydomain
> mydomain = EXAMPLE.COM
> myhostname = mail.EXAMPLE.COM
> mynetworks = /etc/postfix/relay_from_networks
> myorigin = $myhostname
> newaliases_path = /usr/bin/newaliases
> proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
> queue_directory = /var/spool/postfix-OUT
> readme_directory = /opt/vrnetze/postfix/doc
> receive_override_options = no_address_mappings
> relay_domains = /etc/postfix/relay_to_domains
> sample_directory = /etc/postfix
> sender_canonical_maps = btree:/etc/postfix/sender_canonical
> sendmail_path = /usr/lib/sendmail
> setgid_group = postdrop
> smtp_enforce_tls = no
> smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
> smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
> smtp_tls_key_file = /etc/postfix/CERTS/key.pem
> smtp_tls_loglevel = 1
> smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
> smtp_tls_scert_verifydepth = 8
> smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
> smtp_tls_session_cache_timeout = 3600s
> smtp_use_tls = yes
> smtpd_banner = $myhostname ESMTP Mailservice
> smtpd_enforce_tls = no
> smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_non_fqdn_sender, permit_mynetworks, reject
> smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
> smtpd_tls_ask_ccert = yes
> smtpd_tls_ccert_verifydepth = 8
> smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
> smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_req_ccert = no
> smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes
> soft_bounce = no
> syslog_name = postfix-OUT
> transport_maps = btree:/etc/postfix/fehlerdomains, btree:/etc/postfix/transport
> unknown_address_reject_code = 554
> unknown_local_recipient_reject_code = 550
>