On Wed, Feb 05, 2014 at 05:07:27PM +0000, Alan Munday wrote:
> Feb 5 16:01:21 mx1 postfix/smtpd[22789]:
> Anonymous TLS connection established
> from mail-db3lp0084.outbound.protection.outlook.com[213.199.154.84]:
> TLSv1 with cipher AES128-SHA (128/128 bits)
> Feb 5 16:01:21 mx1 postfix/smtpd[22789]:
> lost connection after EHLO
> from mail-db3lp0084.outbound.protection.outlook.com[213.199.154.84]
Your certificate chain on mx1 is somewhat unusual; the issuer CA
certificate has "CA:FALSE" in basic constraints:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=Suffolk, O=Brighthead Technology Limited,
                OU=Mailserver,
                CN=mx1.brightheadtechnology.com/[email protected]
        Validity
            Not Before: Feb 5 12:43:48 2014 GMT
            Not After : Feb 4 12:43:48 2017 GMT
        Subject: C=GB, ST=Suffolk, O=Brighthead Technology Limited,
                OU=Mailserver,
                CN=mx1.brightheadtechnology.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                AE:5D:0D:B0:6C:97:D5:A7:BE:D8:D3:AC:33:81:10:2D:65:55:CB:E5
            X509v3 Authority Key Identifier:
                keyid:AE:5D:0D:B0:6C:97:D5:A7:BE:D8:D3:AC:33:81:10:2D:65:55:CB:E5
    ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
which may trigger fatal errors in Microsoft's TLS validation stack.
It is a shame that they abort connections with a malformed chain
even though otherwise self-signed or unverifiable chains are fine.
For the record the corresponding leaf certificate is:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=GB, ST=Suffolk, O=Brighthead Technology Limited,
                OU=Mailserver,
                CN=mx1.brightheadtechnology.com/[email protected]
        Validity
            Not Before: Feb 5 12:44:04 2014 GMT
            Not After : Feb 5 12:44:04 2015 GMT
        Subject: C=GB, ST=Suffolk, L=IPSWICH, O=Brighthead Technology
                Limited, OU=Mailserver,
                CN=mx1.brightheadtechnology.com/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                83:FD:9E:9E:0C:8C:35:16:9C:32:74:D8:1B:94:2F:97:80:72:8F:79
            X509v3 Authority Key Identifier:
                keyid:AE:5D:0D:B0:6C:97:D5:A7:BE:D8:D3:AC:33:81:10:2D:65:55:CB:E5
    ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
> While on mx3 I'm always seeing SSL_accept error. (master.cf and
> main.cf are the same on both mx's.)
When I try to complete a TLS handshake with mx3 from my machine,
it also fails (hangs after the client SSL HELLO).
$ posttls-finger -Ldebug -C "[mx3.brightheadtechnology.com]"
posttls-finger: initializing the client-side TLS engine
posttls-finger: Connected to mx3.brightheadtechnology.com[88.97.147.157]:25
posttls-finger: < 220 mx3.brightheadtechnology.com SMTP
posttls-finger: > EHLO mournblade.imrryr.org
posttls-finger: < 250-mx3.brightheadtechnology.com
posttls-finger: < 250-STARTTLS
posttls-finger: < 250 8BITMIME
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: setting up TLS connection to mx3.brightheadtechnology.com[88.97.147.157]:25
posttls-finger: mx3.brightheadtechnology.com[88.97.147.157]:25: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
posttls-finger: SSL_connect:before/connect initialization
posttls-finger: SSL_connect:SSLv2/v3 write client hello A
... <long delay> ...
posttls-finger: SSL_connect error to mx3.brightheadtechnology.com[88.97.147.157]:25: Connection timed out
That problem is not outlook.com specific.
> Feb 5 16:00:58 mx3 postfix/smtpd[14898]: SSL_accept:SSLv3 write
> server done A
> Feb 5 16:00:58 mx3 postfix/smtpd[14898]: SSL_accept:SSLv3 flush data
> Feb 5 16:05:58 mx3 postfix/smtpd[14898]: SSL_accept error from
> mail-db3lp0084.outbound.protection.outlook.com[213.199.154.84]:
> Connection timed out
> Feb 5 16:05:58 mx3 postfix/smtpd[14898]: lost connection after
> STARTTLS from
Some sort of network layer problem, any firewalls/load-balancers
that mishandle TLS? Or path MTU problems? Perhaps you're filtering
ICMP too aggressively. Have you tried disabling TCP window scaling?
> I've searched the archives and not yet found anything to point me
> towards what's going on or if the problem is my end.
>
>
> I thought I'd start by asking if anyone else is seeing/has seen
> problems like this?
No problem with inbound TLS from outlook.com reported here IIRC.
--
Viktor.
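As an added example (not part of this thread, and not Postfix or OpenSSL code), here is a small Python checker that applies the analysis above mechanically to `openssl x509 -text` dumps: it links each certificate to its issuer through the Subject/Authority Key Identifier pair, checks that the Issuer DN matches that issuer's Subject, and flags any issuer whose Basic Constraints are not CA:TRUE, which is what RFC 5280 section 6.1.4 requires of every certificate that signs another and what a strict validator will reject. The embedded dumps are constructed to mirror the two mx1 certificates quoted above (modulus, signature, emailAddress and PEM body left out); the function and field names are this example's own.

```python
"""Chain checker for `openssl x509 -text` dumps: follows SKI/AKI links and
flags any issuer whose Basic Constraints are not CA:TRUE.  Added example;
the sample dumps are constructed to mirror the two mx1 certificates."""
import re

# Constructed sample: `openssl x509 -text -noout` output for the leaf (serial 1)
# followed by the self-signed issuer (serial 0), in server presentation order.
SAMPLE_CHAIN = """\
Certificate:
    Data:
        Serial Number: 1 (0x1)
        Issuer: C=GB, ST=Suffolk, O=Brighthead Technology Limited,
            OU=Mailserver, CN=mx1.brightheadtechnology.com
        Validity
            Not Before: Feb  5 12:44:04 2014 GMT
            Not After : Feb  5 12:44:04 2015 GMT
        Subject: C=GB, ST=Suffolk, L=IPSWICH, O=Brighthead Technology
            Limited, OU=Mailserver, CN=mx1.brightheadtechnology.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                83:FD:9E:9E:0C:8C:35:16:9C:32:74:D8:1B:94:2F:97:80:72:8F:79
            X509v3 Authority Key Identifier:
                keyid:AE:5D:0D:B0:6C:97:D5:A7:BE:D8:D3:AC:33:81:10:2D:65:55:CB:E5
Certificate:
    Data:
        Serial Number: 0 (0x0)
        Issuer: C=GB, ST=Suffolk, O=Brighthead Technology Limited,
            OU=Mailserver, CN=mx1.brightheadtechnology.com
        Subject: C=GB, ST=Suffolk, O=Brighthead Technology Limited,
            OU=Mailserver, CN=mx1.brightheadtechnology.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                AE:5D:0D:B0:6C:97:D5:A7:BE:D8:D3:AC:33:81:10:2D:65:55:CB:E5
            X509v3 Authority Key Identifier:
                keyid:AE:5D:0D:B0:6C:97:D5:A7:BE:D8:D3:AC:33:81:10:2D:65:55:CB:E5
"""

# A (possibly line-wrapped) DN ends where the next top-level field begins.
_DN_END = r"(?=\n\s*(?:Validity|Subject Public Key Info|X509v3 extensions|Subject:))"


def _dn(text, label):
    """Return the Subject or Issuer DN collapsed onto one line, or None."""
    m = re.search(rf"^\s*{label}:[ \t]*(.*?){_DN_END}", text, re.S | re.M)
    return " ".join(m.group(1).split()) if m else None


def _keyid(text, label):
    """Return a colon-separated key identifier (SKI, or the keyid: form of AKI)."""
    m = re.search(rf"{label}:\s*(?:keyid:)?([0-9A-Fa-f]{{2}}(?::[0-9A-Fa-f]{{2}})+)", text)
    return m.group(1).upper() if m else None


def parse_cert_text(text):
    """Parse one dump into the fields the chain check needs."""
    serial = re.search(r"Serial Number:\s*([0-9A-Fa-f:]+)", text)
    bc = re.search(r"X509v3 Basic Constraints:(?:\s*critical)?\s*CA:(TRUE|FALSE)", text)
    raw = serial.group(1) if serial else None
    return {
        # openssl prints small serials in decimal and large ones as hex octets
        "serial": None if raw is None else int(raw.replace(":", ""), 16 if ":" in raw else 10),
        "subject": _dn(text, "Subject"),
        "issuer": _dn(text, "Issuer"),
        "ski": _keyid(text, "X509v3 Subject Key Identifier"),
        "aki": _keyid(text, "X509v3 Authority Key Identifier"),
        "ca": None if bc is None else bc.group(1) == "TRUE",  # None: extension absent
    }


def parse_chain_text(text):
    """Split concatenated dumps on their 'Certificate:' headers and parse each."""
    return [parse_cert_text(b) for b in re.split(r"(?m)^Certificate:\s*$", text) if b.strip()]


def check_chain(certs):
    """Return findings for a presented chain (leaf first); [] means no defect found.
    RFC 5280 6.1.4 requires cA=TRUE on every certificate that issues another;
    a self-signed certificate is only its own issuer and is not held to that."""
    findings = []
    by_ski = {c["ski"]: c for c in certs if c["ski"]}
    for cert in certs:
        if cert["aki"] is None or cert["aki"] == cert["ski"]:
            continue  # nothing to follow, or self-signed
        issuer = by_ski.get(cert["aki"])
        if issuer is None:
            findings.append(f"serial {cert['serial']}: issuer keyid {cert['aki']} not in chain")
            continue
        if issuer["subject"] != cert["issuer"]:
            findings.append(f"serial {cert['serial']}: Issuer DN does not match subject of serial {issuer['serial']}")
        if issuer["ca"] is not True:
            state = "absent" if issuer["ca"] is None else "CA:FALSE"
            findings.append(f"serial {cert['serial']} is issued by serial {issuer['serial']} "
                            f"whose Basic Constraints are {state}; strict validators reject it")
    return findings


if __name__ == "__main__":
    for line in check_chain(parse_chain_text(SAMPLE_CHAIN)) or ["chain OK"]:
        print(line)
```

To run it against a live server, save each PEM block that `openssl s_client -starttls smtp -showcerts` prints, convert each with `openssl x509 -text -noout`, concatenate the output in the order presented and pass it to `parse_chain_text`. On the sample it reports exactly the defect discussed above (the leaf is issued by a certificate with CA:FALSE); flipping that issuer to CA:TRUE yields an empty findings list.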