In message <88031027-d5b8-4f48-947d-294302fac...@dukhovni.org>
Viktor Dukhovni writes:
> 
> > On Jan 13, 2016, at 8:52 PM, Curtis Villamizar <cur...@orleans.occnc.com> 
> > wrote:
> > 
> > The logs revealed something about the nature of the problem.  A few of
> > these sort of messages were found.
> > 
> > Jan 13 17:08:22 mta3 postfix/smtpd[15958]:
> >   warning: TLS library problem:
> >   error:1408A0C1:SSL
> >   routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1411:
> > Jan 13 17:08:22 mta3 postfix/smtpd[15958]:
> >   lost connection after STARTTLS
> >   from resqmta-po-05v.sys.comcast.net[2001:558:fe16:19:96:114:154:164]
>  
> Post the output of "postconf -n | grep tls".
> Post the output of "openssl version -a"
>  
> Post a PCAP file of a single failed TLS handshake.  I know the person
> at comcast in charge of their email transport security.   I can probably
> get them to fix it once we nail down the problem, assuming it is not overly
> aggressive settings on your end.
>  
> -- 
>       Viktor.


Hello Viktor,

The output you asked for is below for both MX servers.  Both fail in
the same way if I leave smtpd_tls_security_level = may which is why on
the secondary it was changed to smtpd_tls_security_level = none.  I
get debugging on the primary, mail delivered on the secondary.

btw - Now that I have debugging on I can see that IETF is using TLS
and I've been getting lots of IETF mailing list mail.  This indicates
that others are using TLS successfully.

  # egrep \
      'Trusted TLS connection from|TLS connection established from' \
      /var/log/maillog | awk '{print $6, $11, $12, $15;}' \
      | sort | uniq -c | sort -rn \
      | awk '{printf " %2d %s %s\n    %s  %s\n", $1, $2, $3, $4, $5;}'
  6 Anonymous mail.ietf.org[2001:1900:3001:11::2c]:
    TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
  4 Anonymous unknown[72.13.58.7]:
    TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
  3 Trusted msa3.somerville.occnc.com[2001:4830:c400:203::172]:
    TLSv1  ECDHE-ECDSA-AES256-SHA
  3 Trusted msa1-em1.orleans.occnc.com[2001:470:88e6:1::140]:
    TLSv1  ECDHE-ECDSA-AES256-SHA
  3 Anonymous mail.ietf.org[4.31.198.44]:
    TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
  2 Anonymous ml18tv7c8.sritis.lt[31.193.197.232]:
    TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
  1 Trusted mda37-em1.somerville.occnc.com[2001:4830:c400:203::1037]:
    TLSv1  ECDHE-ECDSA-AES256-SHA
  1 Trusted mda31-em1.somerville.occnc.com[2001:4830:c400:203::1031]:
    TLSv1  ECDHE-ECDSA-AES256-SHA
  1 Anonymous vm0157.cs03.seeweb.it[85.94.216.210]:
    TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
  1 Anonymous unknown[67.227.187.156]:
    TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384
  1 Anonymous unknown[2a01:7c8:aab4:45e::1]:
    TLSv1.2  ECDHE-ECDSA-AES256-GCM-SHA384

The above output is reformatted (by awk) for readability.  It seems
some spammers (rDNS = unknown) are running more recent software than
comcast.  But a lot more spammers are running old code and get tossed
out here.  That's the prior 11 hours (not much mail here).

btw - I just added "!TLSv1.0" to get only TLSv1.2.  I wasn't sure I
could specify !TLSv1.0 so I just tried it.

Curtis


mta3 (primary MX)

/usr/local/sbin/postconf -c /etc/postfix -n | grep tls

smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL MD5 DES
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1.1
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
smtp_tls_security_level = dane
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_always_issue_session_ids = no
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 5
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL MD5 DES
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1.1
smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 300
tls_dane_digest_agility = on
tls_dane_digests = sha512 sha256
tls_dane_trust_anchor_digest_enable = yes
tls_disable_workarounds = 0xFFFFFFFF
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
tls_wildcard_matches_multiple_labels = yes

/usr/local/bin/openssl version -a

OpenSSL 1.0.2e 3 Dec 2015
built on: reproducible build, date unspecified
platform: BSD-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int)
blowfish(idx)
compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED
-DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -O3 -Wall -O2 -pipe
-fstack-protector -fno-strict-aliasing -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM
-DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/openssl"

mta1 (secondary MX)

/usr/local/sbin/postconf -c /etc/postfix -n | grep tls

smtp_tls_CAfile = /etc/postfix/CAcert.pem
smtp_tls_cert_file = /etc/postfix/cert.pem
smtp_tls_ciphers = high
smtp_tls_exclude_ciphers = aNULL MD5 DES
smtp_tls_key_file = /etc/postfix/key.pem
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1.1
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
smtp_tls_security_level = dane
smtpd_tls_CAfile = /etc/postfix/CAcert.pem
smtpd_tls_always_issue_session_ids = no
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 1
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_ciphers = high
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aNULL MD5 DES
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3 !TLSv1.1
smtpd_tls_protocols = !SSLv2 !SSLv3 !TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level = none
smtpd_tls_session_cache_timeout = 300
tls_dane_digest_agility = on
tls_dane_digests = sha512 sha256
tls_dane_trust_anchor_digest_enable = yes
tls_disable_workarounds = 0xFFFFFFFF
tls_ssl_options = NO_COMPRESSION
tls_wildcard_matches_multiple_labels = yes

/usr/local/bin/openssl version -a

OpenSSL 1.0.2d 9 Jul 2015
built on: reproducible build, date unspecified
platform: BSD-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int)
blowfish(idx)
compiler: cc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DZLIB_SHARED
-DZLIB -DOPENSSL_THREADS -pthread -D_THREAD_SAFE -D_REENTRANT
-DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -O3 -Wall -O2 -pipe
-fstack-protector -fno-strict-aliasing -DOPENSSL_IA32_SSE2
-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM
-DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/openssl"
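As an added example (not code from the original post or from Postfix), the following Python script produces the same per-peer summary of trust level, protocol and cipher as the egrep/awk pipeline above, and additionally attributes each "TLS library problem" warning (which names no peer) to the peer in the "lost connection after STARTTLS" line logged by the same smtpd process. The log lines are constructed in Postfix's smtpd log format, modelled on the lines quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd log format (not taken from the original
# post): the comcast pair mirrors the failure Curtis quoted, the rest his summary.
SAMPLE_LOG = """\
Jan 13 17:08:22 mta3 postfix/smtpd[15958]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1411:
Jan 13 17:08:22 mta3 postfix/smtpd[15958]: lost connection after STARTTLS from resqmta-po-05v.sys.comcast.net[2001:558:fe16:19:96:114:154:164]
Jan 13 17:10:01 mta3 postfix/smtpd[15970]: Anonymous TLS connection established from mail.ietf.org[2001:1900:3001:11::2c]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
Jan 13 17:12:45 mta3 postfix/smtpd[15977]: Trusted TLS connection established from msa3.somerville.occnc.com[2001:4830:c400:203::172]: TLSv1 with cipher ECDHE-ECDSA-AES256-SHA (256/256 bits)
Jan 13 17:15:09 mta3 postfix/smtpd[15981]: Anonymous TLS connection established from mail.ietf.org[2001:1900:3001:11::2c]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
"""

ESTABLISHED = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<trust>\w+) TLS connection established from "
    r"(?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
# In the OpenSSL error string the reason sits between the function name and the file.
LIBRARY_PROBLEM = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: TLS library problem: "
    r"error:[0-9A-Fa-f]+:SSL routines:\w+:(?P<reason>[^:]+):")
LOST = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: lost connection after STARTTLS from (?P<peer>\S+)")

def summarize(log_text):
    """Count handshakes per (trust, peer, protocol, cipher) and failures per
    (peer, reason); the warning and the drop are joined on the smtpd pid."""
    established = Counter()
    pending = {}           # pid -> reason from the most recent library problem
    failures = Counter()   # (peer, reason) -> count
    for line in log_text.splitlines():
        if m := ESTABLISHED.search(line):
            established[(m["trust"], m["peer"], m["proto"], m["cipher"])] += 1
        elif m := LIBRARY_PROBLEM.search(line):
            pending[m["pid"]] = m["reason"]
        elif m := LOST.search(line):
            # One smtpd process serves one connection, so the drop that follows
            # the warning from the same pid belongs to the same peer.
            reason = pending.pop(m["pid"], "unknown")
            failures[(m["peer"], reason)] += 1
    return established, failures

if __name__ == "__main__":
    est, fail = summarize(SAMPLE_LOG)
    for (trust, peer, proto, cipher), n in est.most_common():
        print(f"{n:3d} {trust} {peer}\n    {proto}  {cipher}")
    for (peer, reason), n in fail.most_common():
        print(f"{n:3d} FAILED {peer}\n    {reason}")
```

Run against a real maillog, the failures table shows which peers cannot negotiate under the configured protocol and cipher restrictions before any setting is changed.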
