On Wed, Apr 29, 2015 at 03:53:00PM +0300, Birta Levente wrote:

> I see many SSL_connect errors for different domains whose mail service is hosted
> at Microsoft:
> 
> Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to
> irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
> Apr 28 10:32:12 srv1 postfix/smtp[18296]: 3lbZRv0VXQz1lvjB:
> to=<xxxxx...@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25,
> delay=1.1, delays=0.14/0.37/0.56/0, dsn=4.7.5, status=deferred (Cannot start
> TLS: handshake failure)

I don't see this problem, here's logging for "sendmail -bv postmas...@irs.ro":

    pickup[23826]: 4486C283032: uid=1000 from=<user>
    cleanup[10530]: 4486C283032:
        message-id=<20150429174125.4486C283032@amnesiac.example>
    qmgr[8720]: 4486C283032: from=<u...@example.org>,
        size=295, nrcpt=1 (queue active)
    smtp[10884]: Untrusted TLS connection established to
        irs-ro.mail.eo.outlook.com[213.199.154.23]:25:
        TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
    smtp[10884]: 4486C283032: to=<postmas...@irs.ro>,
        relay=irs-ro.mail.eo.outlook.com[213.199.154.23]:25,
        delay=6.5, delays=0.06/0.02/1.3/5.2, dsn=5.4.1,
        status=undeliverable
        (host irs-ro.mail.eo.outlook.com[213.199.154.23] said:
        550 5.4.1 [postmas...@irs.ro]: Recipient address rejected:
        Access denied (in reply to RCPT TO command))
    qmgr[8720]: 4486C283032: removed

So TLS was established, and worked at least as far as "RCPT TO:"
and the negative reply.

Perhaps some sort of middle-box is interfering with TLS on your
end.  Also, what version of OpenSSL are you using?

> Looking at the mailing list archive, I resolved it with smtp_tls_policy_maps =
> hash:/etc/postfix/tls_policy:
> 
> tls_policy:
> irs.ro          may protocols=TLSv1 ciphers=medium exclude=3DES:MD5

Instead of forcing "TLSv1" (I would recommend specific exclusions):

        protocols=!SSLv2:!SSLv3

> But all these domains have MX records pointing to
> something.othersomething.outlook.com, so I wonder if there is a method to
> apply this policy like that:
> 
> [.outlook.com]:25 may protocols=TLSv1 ciphers=medium exclude=3DES:MD5

Postfix TLS policy is nexthop based.  There are no lookups based
on the MX host name.  As the vast majority of MX RRsets are not
DNSSEC validated, setting TLS policy based on untrusted data would
enable rather serious downgrade attacks.

-- 
        Viktor.
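The two points in the reply, that smtp_tls_policy_maps is keyed by next-hop destination rather than by MX hostname and that pinning protocols=TLSv1 is worse than excluding the broken protocols, can be made concrete with a small model of the lookup. The following is an added example, not code from the thread or from Postfix: it parses a policy table in the text form shown above and resolves a delivery the way the reply describes. The table lines (the poster's irs.ro entry, the same entry with the exclusion-style protocols setting, and the MX-shaped key the poster asked about) and the deliveries are constructed for the example; Postfix's parent-domain matching of policy keys is deliberately not modelled.

```python
"""Model of the Postfix SMTP client TLS policy lookup discussed in the thread.

Added example, not code from the thread or from Postfix. It parses a
smtp_tls_policy_maps table in the text form shown in the thread and
resolves a delivery's policy the way the reply describes: by the next-hop
destination (recipient domain, or a [host]:port destination from a
transport table or relayhost), never by the MX hostname the next-hop
resolves to. Postfix's parent-domain matching is not modelled here.
The table lines and deliveries below are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed table: the poster's original irs.ro line, the same line with
# the exclusion-style protocols setting suggested in the reply, and the
# MX-host style key the poster asked about.
TLS_POLICY_TABLE = """\
# next-hop          level  attributes
irs.ro              may    protocols=TLSv1 ciphers=medium exclude=3DES:MD5
example.net         may    protocols=!SSLv2:!SSLv3 ciphers=medium exclude=3DES:MD5
[.outlook.com]:25   may    protocols=TLSv1 ciphers=medium exclude=3DES:MD5
"""


@dataclass
class Policy:
    key: str
    level: str
    attrs: dict = field(default_factory=dict)


def parse_policy_table(text):
    """Parse 'key level attr=value ...' lines; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, level, rest = fields[0], fields[1], fields[2:]
        attrs = {}
        for item in rest:
            name, sep, value = item.partition("=")
            if not sep:
                raise ValueError(f"attribute without '=' in {raw!r}: {item}")
            attrs[name] = value
        table[key] = Policy(key, level, attrs)
    return table


def lookup_policy(table, nexthop, mx_host=None):
    """Return the Policy for a delivery, or None when nothing matches.

    nexthop is the string Postfix would use as the destination: a bare
    recipient domain such as 'irs.ro', or a '[host]:port' destination
    from a transport table or relayhost. mx_host is the MX the next-hop
    resolved to; it is accepted only to show that it plays no part in
    the lookup, which is why an MX-shaped key like '[.outlook.com]:25'
    never matches mail addressed to irs.ro.
    """
    del mx_host  # deliberately unused: policy is next-hop based
    return table.get(nexthop)


def lint_policy(policy):
    """Flag the two settings the reply argues against."""
    findings = []
    protocols = policy.attrs.get("protocols")
    if protocols:
        enabled = [p for p in protocols.split(":") if not p.startswith("!")]
        if enabled:
            findings.append(
                f"{policy.key}: protocols={protocols} forces the client to "
                f"{':'.join(enabled)} only; prefer exclusions such as "
                "protocols=!SSLv2:!SSLv3"
            )
    if policy.key.startswith("[."):
        findings.append(
            f"{policy.key}: bracketed keys name a literal next-hop host; a "
            "leading dot will not match deliveries routed by MX lookup"
        )
    return findings


def check_table(text, deliveries):
    """Resolve each (nexthop, mx_host) delivery and lint every table entry."""
    table = parse_policy_table(text)
    matched = {nh: lookup_policy(table, nh, mx) for nh, mx in deliveries}
    findings = [f for p in table.values() for f in lint_policy(p)]
    return matched, findings


if __name__ == "__main__":
    # Constructed deliveries: both recipient domains have Outlook-hosted MX.
    deliveries = [
        ("irs.ro", "irs-ro.mail.eo.outlook.com"),
        ("example.org", "example-org.mail.eo.outlook.com"),
    ]
    matched, findings = check_table(TLS_POLICY_TABLE, deliveries)
    for nexthop, policy in matched.items():
        print(nexthop, "->", policy.key if policy else "no policy (default applies)")
    for finding in findings:
        print("warning:", finding)
```

Run stand-alone, the script shows that mail to irs.ro picks up the irs.ro entry while mail to example.org, although its MX also lives under outlook.com, gets no policy at all; the [.outlook.com]:25 key is only ever reached when a transport table or relayhost names that exact string as the next-hop. The lint output reproduces the reply's advice: replace the pinned protocols=TLSv1 with exclusions.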
