On 30 Apr 2015, at 08:25, Birta Levente <blevi.li...@gmail.com> wrote:
> On 29/04/2015 20:56, Viktor Dukhovni wrote:
>> On Wed, Apr 29, 2015 at 03:53:00PM +0300, Birta Levente wrote:
>>
>>> I see many SSL_connect errors for different domains whose mail service is hosted
>>> at Microsoft:
>>>
>>> Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to
>>> irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
>>> Apr 28 10:32:12 srv1 postfix/smtp[18296]: 3lbZRv0VXQz1lvjB:
>>> to=<xxxxx...@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25,
>>> delay=1.1, delays=0.14/0.37/0.56/0, dsn=4.7.5, status=deferred (Cannot start
>>> TLS: handshake failure)
>> I don't see this problem, here's logging for "sendmail -bv
>> postmas...@irs.ro":
>>
>> pickup[23826]: 4486C283032: uid=1000 from=<user>
>> cleanup[10530]: 4486C283032:
>> message-id=<20150429174125.4486C283032@amnesiac.example>
>> qmgr[8720]: 4486C283032: from=<u...@example.org>,
>> size=295, nrcpt=1 (queue active)
>> smtp[10884]: Untrusted TLS connection established to
>> irs-ro.mail.eo.outlook.com[213.199.154.23]:25:
>> TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
>> smtp[10884]: 4486C283032: to=<postmas...@irs.ro>,
>> relay=irs-ro.mail.eo.outlook.com[213.199.154.23]:25,
>> delay=6.5, delays=0.06/0.02/1.3/5.2, dsn=5.4.1,
>> status=undeliverable
>> (host irs-ro.mail.eo.outlook.com[213.199.154.23] said:
>> 550 5.4.1 [postmas...@irs.ro]: Recipient address rejected:
>> Access denied (in reply to RCPT TO command))
>> qmgr[8720]: 4486C283032: removed
>>
>> So TLS was established, and worked at least as far as "RCPT TO:"
>> and the negative reply.
>>
>> Perhaps some sort of middle-box is interfering with TLS on your
>> end. Also, what version of OpenSSL are you using?
>
> Centos 6.6 up to date: openssl-1.0.1e-30.el6.8.x86_64
> If something is in the middle, sadly, it is out of my control.
>
> I made a test on another server which is in a totally different location, other
> city, other ISP, but same OS, openssl and postfix.3.1.20150421
>
> Apr 30 08:55:05 srv2 postfix/pickup[31818]: 3lcmBx5stxz7wX4: uid=0 from=<root>
> Apr 30 08:55:05 srv2 postfix/cleanup[4359]: 3lcmBx5stxz7wX4:
> message-id=<3lcmbx5stxz7...@email.xxxxxxxxx.ro>
> Apr 30 08:55:05 srv2 opendkim[1223]: 3lcmBx5stxz7wX4: DKIM-Signature field
> added (s=epsilon201504, d=xxxxxxx.ro)
> Apr 30 08:55:05 srv2 postfix/qmgr[13449]: 3lcmBx5stxz7wX4:
> from=<r...@email.xxxxxxxxxx.ro>, size=322, nrcpt=1 (queue active)
> Apr 30 08:55:06 srv2 postfix/smtp[4367]: SSL_connect error to
> irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
> Apr 30 08:55:06 srv2 postfix/smtp[4367]: 3lcmBx5stxz7wX4: Cannot start TLS:
> handshake failure
> Apr 30 08:55:06 srv2 postfix/smtp[4367]: SSL_connect error to
> irs-ro.mail.eo.outlook.com[213.199.154.23]:25: lost connection
> Apr 30 08:55:06 srv2 postfix/smtp[4367]: 3lcmBx5stxz7wX4:
> to=<postmas...@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.23]:25,
> delay=1.1, delays=0.18/0.01/0.9/0, dsn=4.7.5, status=undeliverable (Cannot
> start TLS: handshake failure)
>
>
> It's hard to believe the problem is on my side, because other Microsoft
> domains work, and many, many domains with TLSv1.2... but on your side it
> works... so I don't know
>
> Apr 29 15:04:46 srv1 postfix/smtp[5398]: Untrusted TLS connection established
> to mx4.hotmail.com[65.55.33.119]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-SHA384 (256/256 bits)
> Apr 29 15:04:47 srv1 postfix/smtp[5398]: 3lcJRw1t3lz1lvk7:
> to=<xxxxx...@hotmail.com>, relay=mx4.hotmail.com[65.55.33.119]:25, delay=3.4,
> delays=0.08/0.13/1.9/1.3, dsn=2.0.0, status=sent (250
> <5540c8dc.1000...@yyyyyyyyyyyy.ro> Queued mail for delivery)
>
>
>>
>>> Looking at the mailing list archive, I resolved it with smtp_tls_policy_maps =
>>> hash:/etc/postfix/tls_policy:
>>>
>>> tls_policy:
>>> irs.ro may protocols=TLSv1 ciphers=medium exclude=3DES:MD5
>> Instead of forcing "TLSv1" (I would recommend specific exclusions):
>>
>> protocols=!SSLv2:!SSLv3
>
> I tried this too, but same result.

Have you tried completely disabling it yet? I am assuming you do not have a TLS policy override for 'hotmail.com', and that works just fine in your tests. Try it without the override, and post the results for that.

Mvg,
Joni
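A way to get a per-destination picture of failures like the ones quoted in this thread, as an added example that is not code from the thread, from Postfix or from any of the posters: a small Python script that counts "SSL_connect error ... lost connection" lines and "TLS connection established" lines per relay host, notes which protocol versions actually negotiated, and flags relays whose handshake failure ratio crosses a threshold. The log lines embedded in it are constructed to mirror the postfix/smtp formats quoted above; the hostnames, IPs and queue IDs are placeholders, and the 50% failure-ratio threshold is an assumption, not anything Postfix defines.

```python
"""Summarize Postfix smtp(8) TLS outcomes per relay host from log lines.

Added example, not part of the original thread or of Postfix. The regexes
follow the log formats quoted in the thread; the sample lines are constructed.
"""
import re
from collections import defaultdict

# Constructed sample log lines (format modelled on the thread's postfix/smtp output;
# hosts in .invalid and documentation IP ranges are placeholders).
SAMPLE_LOG = """\
Apr 30 08:55:06 srv2 postfix/smtp[4367]: SSL_connect error to mx-a.example.invalid[192.0.2.10]:25: lost connection
Apr 30 08:55:06 srv2 postfix/smtp[4367]: 3lcmBx5stxz7wX4: Cannot start TLS: handshake failure
Apr 30 08:55:06 srv2 postfix/smtp[4367]: SSL_connect error to mx-a.example.invalid[192.0.2.11]:25: lost connection
Apr 30 08:55:06 srv2 postfix/smtp[4367]: 3lcmBx5stxz7wX4: to=<user@example.invalid>, relay=mx-a.example.invalid[192.0.2.11]:25, delay=1.1, delays=0.18/0.01/0.9/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Apr 30 08:56:01 srv2 postfix/smtp[4370]: Untrusted TLS connection established to mx-b.example.invalid[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Apr 30 08:56:02 srv2 postfix/smtp[4370]: 3lcJRw1t3lz1lvk7: to=<user@example.invalid>, relay=mx-b.example.invalid[198.51.100.7]:25, delay=3.4, delays=0.08/0.13/1.9/1.3, dsn=2.0.0, status=sent (250 Queued mail for delivery)
Apr 30 08:57:00 srv2 postfix/smtp[4371]: Untrusted TLS connection established to mx-a.example.invalid[192.0.2.10]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
"""

# "SSL_connect error to host[ip]:port: reason"
SSL_ERROR = re.compile(
    r"postfix/smtp\[\d+\]: SSL_connect error to (?P<host>\S+)\[(?P<ip>[^\]]+)\]:\d+: (?P<reason>.*)$"
)
# "<Trust-level> TLS connection established to host[ip]:port: <proto> with cipher <cipher>"
TLS_OK = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>\w+) TLS connection established to "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]:\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# Delivery attempt deferred because STARTTLS failed (dsn 4.7.5 as in the thread).
DEFERRED_TLS = re.compile(r"dsn=4\.7\.5, status=deferred \(Cannot start TLS")
RELAY = re.compile(r"relay=(?P<host>\S+)\[")


def summarize_tls(log_text):
    """Return {host: {"failures", "established", "protocols", "deferred_tls"}}."""
    stats = defaultdict(
        lambda: {"failures": 0, "established": 0, "protocols": set(), "deferred_tls": 0}
    )
    for line in log_text.splitlines():
        m = SSL_ERROR.search(line)
        if m:
            stats[m["host"]]["failures"] += 1
            continue
        m = TLS_OK.search(line)
        if m:
            stats[m["host"]]["established"] += 1
            stats[m["host"]]["protocols"].add(m["proto"])
            continue
        if DEFERRED_TLS.search(line):
            relay = RELAY.search(line)
            if relay:
                stats[relay["host"]]["deferred_tls"] += 1
    return dict(stats)


def failing_relays(stats, threshold=0.5):
    """Hosts whose share of failed handshakes (failures / all attempts) is >= threshold.

    The threshold is an assumption for this example; tune it to your volume.
    """
    out = []
    for host, s in stats.items():
        attempts = s["failures"] + s["established"]
        if attempts and s["failures"] / attempts >= threshold:
            out.append(host)
    return sorted(out)


if __name__ == "__main__":
    summary = summarize_tls(SAMPLE_LOG)
    for host, s in sorted(summary.items()):
        print(f"{host}: failures={s['failures']} established={s['established']} "
              f"deferred_tls={s['deferred_tls']} protocols={sorted(s['protocols'])}")
    print("relays failing TLS:", failing_relays(summary))
```

Run it against real mail logs by replacing `SAMPLE_LOG` with the contents of the smtp log; a relay that shows up with both handshake failures and an established `TLSv1` session, as `mx-a.example.invalid` does here, is the pattern Viktor's "middle-box" question is probing for, and the per-host view makes it easy to compare an affected destination with one (like the hotmail.com relay in the thread) that negotiates TLSv1.2 cleanly.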