On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:

> The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> issue. Unfortunately now we see another problem with the outgoing
> instance, trying to send to another partner with mandatory TLS:
>
> Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25

Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
attribute in the Postfix policy table.

> > If you're interested, I now have another option for you, a Postfix
> > patch that will likely enable support for SHA-2 digests even when
> > Postfix is compiled and linked with OpenSSL 0.9.8.
>
> May I ask if this would have a chance to be included in future postfix
> releases? Just to know if postfix has to be patched again with updates.

My suggestion for Wietse was to include this in 2.10.1, and any future
updates for earlier releases. I'll also add another small patch to solve
bitrot with the server TLS session cache that is triggered by OpenSSL
enabling TLSv1 session tickets. (Basically, just add SSL_OP_NO_TICKETS to
the server-side session options).

> # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3

Don't enable levels higher than 2 unless requested.

> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:SSLv2/v3 write client hello A
> Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))

Server hangs up after client SSL hello. Perhaps too many ciphers, or
perhaps protocol compatibility issues, or something else entirely, but
what's new with 1.0.1e is mostly more ciphers and new protocols.

Try adding "protocols=TLSv1" to the policy entry for this site, and if
your Postfix is sufficiently new (and knows about TLSv1.1 and TLSv1.2)
all other protocols will be disabled, and you may find that TLS works
for you again.

You've sure had some wicked bad luck with picking TLS partner sites. :-(

-- 
	Viktor.
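The caveat in the reply above ("if your Postfix is sufficiently new and knows about TLSv1.1 and TLSv1.2") is the crux of the fix, so here is an added example, not code from this thread or from Postfix itself, that models how a policy-table protocols list turns into what the ClientHello offers. The model follows Postfix's documented behaviour: the list is either all-inclusive ("TLSv1") or all-exclusive ("!SSLv2:!SSLv3"), Postfix converts it into a set of protocols to disable using only the names its build knows, and the runtime OpenSSL offers everything it supports minus that set. The protocol-name sets (POSTFIX_OLD/POSTFIX_NEW, OPENSSL_098/OPENSSL_101), the destination key partner.example and the decision to treat an unknown protocol name as a hard error are constructed for the example and are assumptions.

```python
import re

# Protocol names a Postfix build knows, i.e. the ones it can map to an
# SSL_OP_NO_* bit. Constructed for this example (assumption): "OLD" models a
# Postfix built against OpenSSL 0.9.8 headers that carry no TLSv1.1/TLSv1.2
# names; "NEW" models Postfix 2.10 built against OpenSSL 1.0.1 headers.
POSTFIX_OLD = frozenset({"SSLv2", "SSLv3", "TLSv1"})
POSTFIX_NEW = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})

# Protocols the runtime OpenSSL library offers unless told not to
# (constructed for this example, assumption).
OPENSSL_098 = frozenset({"SSLv2", "SSLv3", "TLSv1"})
OPENSSL_101 = frozenset({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"})


def parse_protocol_list(spec):
    """Split a Postfix protocol list into (included, excluded) name sets.

    Names are separated by whitespace, commas or colons; colons are what
    the policy table uses, because spaces separate attributes there. A
    leading '!' excludes a protocol. Postfix accepts either an all-inclusive
    or an all-exclusive list and rejects a mix of the two forms.
    """
    names = [n for n in re.split(r"[\s,:]+", spec.strip()) if n]
    if not names:
        raise ValueError("empty protocol list")
    excluded = frozenset(n[1:] for n in names if n.startswith("!"))
    included = frozenset(n for n in names if not n.startswith("!"))
    if included and excluded:
        raise ValueError("mixed inclusion and exclusion forms: %r" % spec)
    return included, excluded


def effective_protocols(spec, postfix_known, openssl_offers):
    """Protocols actually offered in the ClientHello for a given list.

    Postfix turns the list into a set of protocols to *disable*: with the
    inclusive form, every name it knows that is not listed; with the
    exclusive form, the listed names. OpenSSL then offers everything it
    supports minus that set. A Postfix that has no name for TLSv1.1 or
    TLSv1.2 therefore cannot disable them, whatever the list says.
    """
    included, excluded = parse_protocol_list(spec)
    unknown = (included | excluded) - postfix_known
    if unknown:
        # Assumption for this example: an unknown name is a configuration
        # error. Postfix itself warns about names it does not know.
        raise ValueError("unknown protocol name(s): %s" % ", ".join(sorted(unknown)))
    disabled = excluded if excluded else postfix_known - included
    return frozenset(openssl_offers - disabled)


def policy_entry(nexthop, level, protocols=None):
    """Render one smtp_tls_policy_maps line: lookup key, then attributes."""
    attrs = [level]
    if protocols:
        parse_protocol_list(protocols)  # reject a malformed list up front
        attrs.append("protocols=" + protocols)
    return "%s\t%s" % (nexthop, " ".join(attrs))


if __name__ == "__main__":
    # partner.example is a placeholder: the key is the next-hop destination
    # (domain or [host]) of the delivery, not necessarily the MX host name.
    print(policy_entry("partner.example", "encrypt", "TLSv1"))
    for label, known in (("old Postfix", POSTFIX_OLD), ("Postfix 2.10", POSTFIX_NEW)):
        offered = effective_protocols("TLSv1", known, OPENSSL_101)
        print("%s + OpenSSL 1.0.1, protocols=TLSv1 offers: %s"
              % (label, ", ".join(sorted(offered))))
```

Run stand-alone, the script shows why the reply hedges: with an old Postfix linked against OpenSSL 1.0.1, protocols=TLSv1 only disables SSLv2 and SSLv3, so TLSv1.1 and TLSv1.2 are still offered and the partner still hangs up after the hello; with a build that knows the newer names, the same entry leaves only TLSv1 on the wire. After editing the policy table, remember to rebuild the lookup table (postmap) and confirm the instance reads it via its own config directory (the -c /etc/postfix/OUT used above).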