On 30/04/2015 09:36, DTNX Postmaster wrote:
On 30 Apr 2015, at 08:25, Birta Levente <blevi.li...@gmail.com> wrote:
On 29/04/2015 20:56, Viktor Dukhovni wrote:
On Wed, Apr 29, 2015 at 03:53:00PM +0300, Birta Levente wrote:
I see many SSL_connect errors for different domains whose mail service is
hosted at Microsoft:
Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to
irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
Apr 28 10:32:12 srv1 postfix/smtp[18296]: 3lbZRv0VXQz1lvjB:
to=<xxxxx...@irs.ro>,
relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25,
delay=1.1, delays=0.14/0.37/0.56/0, dsn=4.7.5, status=deferred
(Cannot start
TLS: handshake failure)
I don't see this problem; here's the logging for "sendmail -bv
postmas...@irs.ro":
pickup[23826]: 4486C283032: uid=1000 from=<user>
cleanup[10530]: 4486C283032:
message-id=<20150429174125.4486C283032@amnesiac.example>
qmgr[8720]: 4486C283032: from=<u...@example.org>,
size=295, nrcpt=1 (queue active)
smtp[10884]: Untrusted TLS connection established to
irs-ro.mail.eo.outlook.com[213.199.154.23]:25:
TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
smtp[10884]: 4486C283032: to=<postmas...@irs.ro>,
relay=irs-ro.mail.eo.outlook.com[213.199.154.23]:25,
delay=6.5, delays=0.06/0.02/1.3/5.2, dsn=5.4.1,
status=undeliverable
(host irs-ro.mail.eo.outlook.com[213.199.154.23] said:
550 5.4.1 [postmas...@irs.ro]: Recipient address rejected:
Access denied (in reply to RCPT TO command))
qmgr[8720]: 4486C283032: removed
So TLS was established, and worked at least as far as "RCPT TO:"
and the negative reply.
Perhaps some sort of middle-box is interfering with TLS on your
end. Also, what version of OpenSSL are you using?
CentOS 6.6 up to date: openssl-1.0.1e-30.el6.8.x86_64
If something is in the middle, sadly, it is out of my control.
I made a test on another server which is in a totally different location,
another city, another ISP, but with the same OS, openssl and postfix 3.1.20150421
Apr 30 08:55:05 srv2 postfix/pickup[31818]: 3lcmBx5stxz7wX4: uid=0
from=<root>
Apr 30 08:55:05 srv2 postfix/cleanup[4359]: 3lcmBx5stxz7wX4:
message-id=<3lcmbx5stxz7...@email.xxxxxxxxx.ro>
Apr 30 08:55:05 srv2 opendkim[1223]: 3lcmBx5stxz7wX4: DKIM-Signature
field added (s=epsilon201504, d=xxxxxxx.ro)
Apr 30 08:55:05 srv2 postfix/qmgr[13449]: 3lcmBx5stxz7wX4:
from=<r...@email.xxxxxxxxxx.ro>, size=322, nrcpt=1 (queue active)
Apr 30 08:55:06 srv2 postfix/smtp[4367]: SSL_connect error to
irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
Apr 30 08:55:06 srv2 postfix/smtp[4367]: 3lcmBx5stxz7wX4: Cannot
start TLS: handshake failure
Apr 30 08:55:06 srv2 postfix/smtp[4367]: SSL_connect error to
irs-ro.mail.eo.outlook.com[213.199.154.23]:25: lost connection
Apr 30 08:55:06 srv2 postfix/smtp[4367]: 3lcmBx5stxz7wX4:
to=<postmas...@irs.ro>,
relay=irs-ro.mail.eo.outlook.com[213.199.154.23]:25, delay=1.1,
delays=0.18/0.01/0.9/0, dsn=4.7.5, status=undeliverable (Cannot start
TLS: handshake failure)
It's hard to believe the problem is on my side, because other
Microsoft domains work, and many, many domains with TLSv1.2... but on
your side it works... so I don't know
Apr 29 15:04:46 srv1 postfix/smtp[5398]: Untrusted TLS connection
established to mx4.hotmail.com[65.55.33.119]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-SHA384 (256/256 bits)
Apr 29 15:04:47 srv1 postfix/smtp[5398]: 3lcJRw1t3lz1lvk7:
to=<xxxxx...@hotmail.com>, relay=mx4.hotmail.com[65.55.33.119]:25,
delay=3.4, delays=0.08/0.13/1.9/1.3, dsn=2.0.0, status=sent (250
<5540c8dc.1000...@yyyyyyyyyyyy.ro> Queued mail for delivery)
Looking at the mailing list archive, I resolved it with
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy:
tls_policy:
irs.ro may protocols=TLSv1 ciphers=medium exclude=3DES:MD5
Instead of forcing "TLSv1" (I would recommend specific exclusions):
protocols=!SSLv2:!SSLv3
I tried this too, but same result.
Have you tried completely disabling it yet? I am assuming you do not
have a TLS policy override for 'hotmail.com', and that works just fine
in your tests. Try it without the override, and post the results for
that.
Disabling what? The tls_policy?
Initially I had no tls_policy at all. Then I saw the TLS handshake
failure in the log and tried to override the encryption settings for the
problematic recipient domains.
--
Levi
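The thread above is triaged by eye from postfix/smtp log lines: "SSL_connect error to ... lost connection" followed by a "Cannot start TLS: handshake failure" deferral for one relay, versus "Untrusted TLS connection established ... TLSv1.2 with cipher ..." for another. The script below is an added example, not code from the thread or from the Postfix project: it parses those three line shapes, groups them per relay host, and lists the relays that fail every handshake and never negotiate TLS, which are the candidates for a per-destination smtp_tls_policy_maps entry. The SAMPLE_LOG is constructed for the example, modelled on the posted lines with recipient addresses replaced; the function and field names are this example's own.

```python
"""Triage Postfix smtp(8) TLS log lines: which relays fail the TLS handshake,
which negotiate cleanly, and which deliveries were deferred or bounced
because TLS could not start.  Added example; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

# Constructed sample, not a capture: mirrors the syslog format Postfix emits,
# with recipient local parts replaced.
SAMPLE_LOG = """\
Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
Apr 28 10:32:12 srv1 postfix/smtp[18296]: 3lbZRv0VXQz1lvjB: to=<user@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25, delay=1.1, delays=0.14/0.37/0.56/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Apr 29 15:04:46 srv1 postfix/smtp[5398]: Untrusted TLS connection established to mx4.hotmail.com[65.55.33.119]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Apr 29 15:04:47 srv1 postfix/smtp[5398]: 3lcJRw1t3lz1lvk7: to=<user@hotmail.com>, relay=mx4.hotmail.com[65.55.33.119]:25, delay=3.4, delays=0.08/0.13/1.9/1.3, dsn=2.0.0, status=sent (250 Queued mail for delivery)
Apr 30 08:55:06 srv2 postfix/smtp[4367]: SSL_connect error to irs-ro.mail.eo.outlook.com[213.199.154.23]:25: lost connection
Apr 30 08:55:06 srv2 postfix/smtp[4367]: 3lcmBx5stxz7wX4: to=<postmaster@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.23]:25, delay=1.1, delays=0.18/0.01/0.9/0, dsn=4.7.5, status=undeliverable (Cannot start TLS: handshake failure)
"""

# relay=host[ip]:port as Postfix writes it
RELAY = r"(?P<host>[\w.-]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
SSL_ERR = re.compile(r"postfix/smtp\[\d+\]: SSL_connect error to " + RELAY
                     + r": (?P<reason>.*)$")
TLS_OK = re.compile(r"postfix/smtp\[\d+\]: (?P<trust>\w+) TLS connection established to "
                    + RELAY + r": (?P<proto>\S+) with cipher (?P<cipher>\S+) "
                    r"\((?P<bits>[\d/]+) bits\)")
DELIVERY = re.compile(r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, relay="
                      + RELAY + r", .*dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) "
                      r"\((?P<text>.*)\)$")


def summarize(log_text):
    """Return {relay_host: record} where record holds the handshake-failure
    count, the (trust, protocol, cipher) of every successful TLS session,
    the deliveries blocked by a TLS failure, and the relay IPs seen."""
    out = defaultdict(lambda: {"handshake_failures": 0, "tls_sessions": [],
                               "tls_blocked": [], "ips": set()})
    for line in log_text.splitlines():
        m = SSL_ERR.search(line)
        if m:
            r = out[m["host"]]
            r["handshake_failures"] += 1
            r["ips"].add(m["ip"])
            continue
        m = TLS_OK.search(line)
        if m:
            r = out[m["host"]]
            r["tls_sessions"].append((m["trust"], m["proto"], m["cipher"]))
            r["ips"].add(m["ip"])
            continue
        m = DELIVERY.search(line)
        # Only deliveries that Postfix itself attributes to a TLS start failure.
        if m and "Cannot start TLS" in m["text"]:
            r = out[m["host"]]
            r["tls_blocked"].append((m["qid"], m["dsn"], m["status"]))
            r["ips"].add(m["ip"])
    return dict(out)


def suspect_relays(summary):
    """Relays that failed at least one handshake and never completed a TLS
    session: the ones worth a per-destination smtp_tls_policy_maps entry."""
    return sorted(host for host, r in summary.items()
                  if r["handshake_failures"] and not r["tls_sessions"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for host, r in sorted(s.items()):
        print(f"{host}: {r['handshake_failures']} handshake failure(s), "
              f"{len(r['tls_sessions'])} TLS session(s), "
              f"{len(r['tls_blocked'])} delivery(ies) blocked by TLS, "
              f"IPs {sorted(r['ips'])}")
    print("suspect relays:", suspect_relays(s))
```

Run it against a real mail log with `summarize(open('/var/log/maillog').read())`; a relay that appears in `suspect_relays` from more than one sending host, as srv1 and srv2 do here for the same destination, argues against a middle-box on one site and for a server-side or cipher/protocol negotiation problem, which is the question the thread is trying to settle.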