On Tue 15.10.13 01:48:57 Viktor Dukhovni wrote:
> Obfuscating the target domain and IP address makes it much harder
> to help you. At the very least you MUST obfuscate using a 1-to-1
> function, so that each distinct domain or IP address is mapped to
> a distinct obfuscated value.

I see the problem. Here, I just replace the domain name of the organization from [organization].de to foo.de and replace the first IP block with 999 (it's always the same actual value).

> You must post the relevant entries (unmangled except for any 1-to-1
> mapping) from your transport table that direct mail for the recipients
> in question via the problem relay.

Okay, I'll try to be comprehensive this time.

First, here is my postconf -n:

> alias_database = hash:/etc/aliases
> alias_maps = hash:/etc/aliases
> append_dot_mydomain = no
> biff = no
> config_directory = /etc/postfix
> home_mailbox = Maildir/
> inet_interfaces = all
> inet_protocols = ipv4
> mailbox_command =
> mailbox_size_limit = 0
> message_size_limit = 104857600
> mydestination = localhost, asterix, asterix.home, myself.dyndns.net
> myhostname = myself.dyndns.net
> mynetworks = 127.0.0.0/8
> readme_directory = no
> recipient_delimiter =
> sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
> smtp_sasl_auth_enable = yes
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_sasl_security_options = noanonymous
> smtp_sasl_type = cyrus
> smtp_sender_dependent_authentication = yes
> smtp_tls_mandatory_ciphers = high
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> smtp_tls_security_level = encrypt
> smtpd_banner = postfix on asterix
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_path = private/auth
> smtpd_sasl_type = dovecot
> smtpd_tls_cert_file = /etc/ssl/certs/my.crt
> smtpd_tls_key_file = /etc/ssl/private/my.key
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

Then, this is the relevant line from /etc/postfix/relayhost_map:

> michael.bue...@foo.de [smtp-auth.foo.de]:587

Which of course has an entry in /etc/postfix/sasl_passwd (win.foo.de belongs in the username):

> michael.bue...@foo.de mbue...@win.foo.de:password

This is the line for that server in /etc/postfix/tls_policy:

> [smtp-auth.foo.de]:587 encrypt protocols=!TLSv1.1:!TLSv1.2

Now, sending mail from michael.bue...@foo.de gives the following postfix errors:

> Oct 15 02:30:04 asterix postfix/qmgr[4428]: 42E021A0F44: from=<michael.bue...@foo.de>, size=551, nrcpt=1 (queue active)
>
> Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem: 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
>
> Oct 15 02:30:04 asterix postfix/smtp[4458]: 42E021A0F44: to=<mb@michael-bueker.de>, relay=smtp-auth.foo.de[999.169.5.134]:587, delay=0.51, delays=0.08/0.03/0.4/0, dsn=4.4.2, status=deferred (lost connection with smtp-auth.foo.de[999.169.5.134] while performing the EHLO handshake)

Now, I _think_ the tls_policy entry is correct, because if I set it to something absurd like "protocols=SSLv2", the connection fails predictably:

> Oct 15 11:55:20 asterix postfix/qmgr[15283]: 659DA1A11E1: from=<michael.bue...@foo.de>, size=550, nrcpt=1 (queue active)
>
> Oct 15 11:55:20 asterix postfix/smtp[15334]: SSL_connect error to smtp-auth.foo.de[999.169.5.134]:587: lost connection
>
> Oct 15 11:55:20 asterix postfix/smtp[15334]: 659DA1A11E1: to=<m...@michael-bueker.de>, relay=smtp-auth.foo.de[999.169.5.134]:587, delay=0.29, delays=0.08/0.03/0.17/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

However, when I set "protocols=TLSv1", it gives the same error as above ("warning: TLS library problem: 18064:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:" and "lost connection with smtp-auth.foo.de[999.169.5.134] while performing the EHLO handshake"). Even the seemingly absurd values "protocols=!TLSv1:!TLSv1.1:!TLSv1.2" and "protocols=SSLv3" give that error ("warning: TLS library problem: 18064:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:" and "lost connection with smtp-auth.foo.de[999.169.5.134] while performing the EHLO handshake"), so I'm not sure about the tls_policy line anymore.

I made sure to "postmap tls_policy" and restart the server after every change.

Now, for command line openssl, first with -tls1_1:

> $ openssl s_client -connect smtp-auth.foo.de:587 -starttls smtp -tls1_1
> CONNECTED(00000003)
> 3077581000:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 440 bytes and written 7 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.1
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1381831404
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---

The error is different for -tls1_2:

> $ openssl s_client -connect smtp-auth.foo.de:587 -starttls smtp -tls1_2
> CONNECTED(00000003)
> 3077904584:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 435 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1381831448
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
> ---

However, connecting works fine with -tls1:

> $ openssl s_client -connect smtp-auth.foo.de:587 -starttls smtp -tls1
> CONNECTED(00000003)
> depth=2 C = DE, O = DFN-Verein, OU = DFN-PKI, CN = foo-cert - G01
> verify error:num=20:unable to get local issuer certificate
> verify return:0
> ---
> Certificate chain
>
> [ … skipping lots of certificate info … ]
>
> ---
> SSL handshake has read 4414 bytes and written 570 bytes
> ---
> New, TLSv1/SSLv3, Cipher is RC4-MD5
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
>
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : RC4-MD5
>     Session-ID: C80700004DDE0E3E27FD4082227D82FBF991A97FABF3674E29C2FAA3B3CD5797
>     Session-ID-ctx:
>     Master-Key: 349E696910AD644B583ED97EA7FBE5B30251F681607A2E65E05DD02025FFC5ED31D03E6397813BF8898581306536F0F7
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1381831489
>     Timeout   : 7200 (sec)
>     Verify return code: 20 (unable to get local issuer certificate)
>
> ---
> 250 OK

Again, also setting smtp-auth.foo.de as the outgoing server in my MUA (kmail) with the same credentials works fine for sending mails ("TLS" set for security), but trying to relay with postfix fails.

I hope this was more useful now.

Cheers,
Michael
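The three manual `openssl s_client` probes in the post (one per protocol flag) are the right way to learn which TLS versions a STARTTLS relay actually accepts before writing a tls_policy entry for it. The script below is an added example, not code from the thread or from Postfix: it runs the same probes in one pass and classifies each transcript by the strings OpenSSL prints. The relay name smtp-auth.foo.de and port 587 are assumptions taken from the post, and the sample transcripts are constructed, trimmed from the outputs quoted above.

```sh
#!/bin/sh
# Added example, not from the original thread or from Postfix: probe which TLS
# versions a STARTTLS SMTP relay accepts, and classify each openssl s_client
# transcript. The relay name and port are assumptions taken from the post.

# classify_handshake: read one openssl s_client transcript on stdin and print
#   ok | wrong-version | handshake-failure | no-connect | unknown
# The patterns are the strings OpenSSL printed in the transcripts quoted above.
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"wrong version number"*)  echo wrong-version ;;      # record-layer version rejected by the peer
        *"ssl handshake failure"*) echo handshake-failure ;;  # no agreement on version or cipher
        *"connect:errno"*|*"Connection refused"*) echo no-connect ;;
        *"Cipher is (NONE)"*)      echo unknown ;;            # no session, but no recognised error text
        *"Cipher is "*)            echo ok ;;                 # a cipher was negotiated
        *)                         echo unknown ;;
    esac
}

# probe_versions HOST [PORT]: one s_client run per protocol flag, printing
# "flag result" per line. Needs network access, so the offline check below
# exercises only classify_handshake on the constructed transcripts.
probe_versions() {
    host=$1
    port=${2:-587}
    for flag in -tls1 -tls1_1 -tls1_2; do
        result=$(openssl s_client -connect "$host:$port" -starttls smtp "$flag" \
                 </dev/null 2>&1 | classify_handshake)
        printf '%s %s\n' "$flag" "$result"
    done
}

# Constructed sample transcripts, trimmed from the three outputs in the post.
sample_wrong_version() {
    cat <<'EOF'
CONNECTED(00000003)
3077581000:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
New, (NONE), Cipher is (NONE)
EOF
}
sample_handshake_failure() {
    cat <<'EOF'
CONNECTED(00000003)
3077904584:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
New, (NONE), Cipher is (NONE)
EOF
}
sample_ok() {
    cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is RC4-MD5
Verify return code: 20 (unable to get local issuer certificate)
250 OK
EOF
}

# Usage: sh probe.sh --probe smtp-auth.foo.de 587   (relay name assumed from the post)
if [ "${1:-}" = "--probe" ]; then
    probe_versions "${2:-smtp-auth.foo.de}" "${3:-587}"
fi
```

Run with `--probe` against the relay and compare the per-flag results with the `protocols=` attribute in the tls_policy entry: every version the policy leaves enabled should come back `ok`, otherwise Postfix may offer a version the relay cannot handle. The match strings are the OpenSSL 1.0-era wording seen in the post; newer OpenSSL releases phrase some errors differently, so extend the `case` patterns when a transcript lands in `unknown`.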