On 16.06.2013 05:00, Viktor Dukhovni wrote:
> On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:
>
> > The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> > issue. Unfortunately now we see another problem with the outgoing
> > instance, trying to send to another partner with mandatory TLS:
> >
> > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
> > mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
>
> Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
> attribute in the Postfix policy table.
Thanks, that worked (postfix 2.8.13):

policy_table:
[mxtls.allianz.com] verify protocols=SSLv3:TLSv1

# postqueue -c /etc/postfix/OUT -i 704A35DD5
Jun 16 10:31:04 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
Jun 16 10:31:05 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553 mail.info] Trusted TLS connection established to mxtls.allianz.com[194.127.3.22]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 10:31:06 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553 mail.info] 704A35DD5: to=<xxx....@example.com>, relay=mxtls.allianz.com[194.127.3.22]:25, delay=98794, delays=98792/0/0.43/1.8, dsn=2.0.0, status=sent (250 2.0.0 r5G8V4q9023307 Message accepted for delivery)

> > # postconf -c /etc/postfix/OUT smtp_tls_loglevel
> > smtp_tls_loglevel = 3
>
> Don't enable levels higher than 2 unless requested.

Yes, of course. Our normal setting is 1. Used this only for a second.

> Try adding "protocols=TLSv1" to the policy entry for this site,
> and if your Postfix is sufficiently new (and knows about TLSv1.1
> and TLSv1.2) all other protocols will be disabled, and you may find
> that TLS works for you again.
>
> You've sure had some wicked bad luck with picking TLS partner sites. :-(

Yep, that's what I thought, too ;) Currently I fear that other partners might also be affected by this. Now the queues are almost empty, but most traffic with other mandatory TLS partner sites will resume during work hours Mon-Fri, and I'll be out of office for a week. What do you think about deactivating v1.1 and v1.2 globally?

Currently:
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_protocols = !SSLv2

Suggestion:
smtp_tls_mandatory_protocols = !SSLv2 !TLSv1.1 !TLSv1.2
smtp_tls_protocols = !SSLv2

Will this work, or are we expected to run into other compatibility issues with that, from your experience?
P.S.: On one machine I tried to switch to a shared openssl 1.0.1e build, which also seems to work fine:

# ldd /opt/vrnetze/postfix/libexec/smtpd | grep -i ssl
libssl.so.1.0.0 => /opt/vrnetze/openssl/lib/libssl.so.1.0.0
libcrypto.so.1.0.0 => /opt/vrnetze/openssl/lib/libcrypto.so.1.0.0

Am I right in concluding that this won't require a postfix rebuild on new openssl 1.0.x versions?

Again, thank you very much for your time and thoughts!
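Added example for this thread (not Postfix code and not from either poster): before choosing between the per-destination policy entry and a global "!TLSv1.1 !TLSv1.2", it helps to know which partners actually negotiate which protocol today. The script below parses outbound smtp(8) TLS log lines of the kind quoted above, reports per relay host the protocols and ciphers seen and the handshake failures, lists the hosts a global downgrade would silently push back to TLSv1, and renders policy-table entries in the form used in the thread for the hosts that fail. The sample log is constructed; only mxtls.allianz.com appears on the page, the other hosts, IPs and the "SSL_connect error" line are made up to model a failing partner.

```python
"""Summarise outbound Postfix smtp(8) TLS log lines per destination.

Added example for this mailing-list thread; not Postfix's own code.
"""
import re
from collections import defaultdict

# Constructed sample log modelled on the smtp(8) lines quoted in the thread.
# Only mxtls.allianz.com is on the page; the partner-* hosts and IPs are made up.
SAMPLE_LOG = """\
Jun 16 10:31:05 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553 mail.info] Trusted TLS connection established to mxtls.allianz.com[194.127.3.22]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 10:32:11 rv-smtpext-101 postfix-OUT/smtp[20601]: [ID 197553 mail.info] Untrusted TLS connection established to mx.partner-a.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jun 16 10:33:40 rv-smtpext-101 postfix-OUT/smtp[20602]: [ID 197553 mail.info] SSL_connect error to mx.partner-b.example[192.0.2.20]:25: -1
Jun 16 10:34:02 rv-smtpext-101 postfix-OUT/smtp[20603]: [ID 197553 mail.info] Anonymous TLS connection established to mx.partner-c.example[192.0.2.30]:25: TLSv1.1 with cipher AES128-SHA (128/128 bits)
"""

# "<trust level> TLS connection established to host[ip]:port: PROTO with cipher NAME (n/m bits)"
ESTABLISHED_RE = re.compile(
    r"(?P<trust>Trusted|Untrusted|Anonymous|Verified) TLS connection established to "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)"
)
# smtp(8) logs a failed handshake as "SSL_connect error to host[ip]:port: <code>"
FAILED_RE = re.compile(
    r"SSL_connect error to (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<code>-?\d+)"
)


def summarize_tls_log(text):
    """Return {host: {"protocols": set, "ciphers": set, "trust": set, "failures": int}}."""
    summary = defaultdict(lambda: {"protocols": set(), "ciphers": set(),
                                   "trust": set(), "failures": 0})
    for line in text.splitlines():
        m = ESTABLISHED_RE.search(line)
        if m:
            entry = summary[m.group("host")]
            entry["protocols"].add(m.group("proto"))
            entry["ciphers"].add(m.group("cipher"))
            entry["trust"].add(m.group("trust"))
            continue
        m = FAILED_RE.search(line)
        if m:
            summary[m.group("host")]["failures"] += 1
    return dict(summary)


def hosts_using(summary, protocols=("TLSv1.1", "TLSv1.2")):
    """Hosts that negotiated any of the given protocols: these are the ones a
    global '!TLSv1.1 !TLSv1.2' would quietly downgrade to TLSv1."""
    wanted = set(protocols)
    return sorted(h for h, e in summary.items() if e["protocols"] & wanted)


def failing_hosts(summary):
    """Hosts with SSL_connect errors and no successful TLS session at all;
    candidates for a per-destination policy entry rather than a global change."""
    return sorted(h for h, e in summary.items()
                  if e["failures"] and not e["protocols"])


def policy_entries(hosts, level="verify", protocols="SSLv3:TLSv1"):
    """Render smtp_tls_policy_maps lines in the shape used in the thread,
    '[host] level protocols=...'; the brackets match a bracketed next-hop."""
    return ["[%s] %s protocols=%s" % (h, level, protocols) for h in hosts]


if __name__ == "__main__":
    s = summarize_tls_log(SAMPLE_LOG)
    for host in sorted(s):
        e = s[host]
        print(host, sorted(e["protocols"]), sorted(e["ciphers"]),
              "failures=%d" % e["failures"])
    print("downgraded by a global !TLSv1.1 !TLSv1.2:", hosts_using(s))
    print("per-destination fix instead:")
    for line in policy_entries(failing_hosts(s)):
        print("  " + line)
```

Run it against the real mail log (for example `python3 tlssummary.py < /var/log/maillog` after swapping SAMPLE_LOG for `sys.stdin.read()`) over a busy weekday before deciding: a partner that already negotiates TLSv1.2 loses nothing in reachability but does lose the stronger protocol under a global exclusion, whereas a partner that only shows SSL_connect errors is the one that needs its own policy-table line.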