After two years of successful emails sent by Postfix through our Exchange 2007 server I have started having problems. I did update Debian 7 to Debian 8, so I don't know what Postfix/OpenSSL version I had back then.
Postfix itself gives out these errors:

    Sep 14 11:52:52 mar-zabbix postfix/pickup[3886]: 0891F5006D1: uid=33 from=<www-data>
    Sep 14 11:52:52 mar-zabbix postfix/cleanup[10371]: 0891F5006D1: message-id=<rt-4.4.1-8629-1473868370-726.44-...@helpdesk.mydomain.com>
    Sep 14 11:52:52 mar-zabbix postfix/qmgr[1454]: 0891F5006D1: from=<www-d...@mar-zabbix.mydomain.com>, size=2779, nrcpt=1 (queue active)
    Sep 14 11:52:53 mar-zabbix postfix/pickup[10376]: 32D975004EE: uid=33 from=<www-data>
    Sep 14 11:52:53 mar-zabbix postfix/cleanup[10371]: 32D975004EE: message-id=<rt-4.4.1-8629-1473868370-210.44-...@helpdesk.mydomain.com>
    Sep 14 11:52:53 mar-zabbix postfix/qmgr[1454]: 32D975004EE: from=<www-d...@mar-zabbix.mydomain.com>, size=3019549, nrcpt=1 (queue active)
    Sep 14 11:52:53 mar-zabbix postfix/pickup[10376]: A4DA150056C: uid=33 from=<www-data>
    Sep 14 11:52:53 mar-zabbix postfix/cleanup[10371]: A4DA150056C: message-id=<rt-4.4.1-8629-1473868370-111.44-...@helpdesk.mydomain.com>
    Sep 14 11:52:54 mar-zabbix postfix/qmgr[1454]: A4DA150056C: from=<www-d...@mar-zabbix.mydomain.com>, size=3017969, nrcpt=1 (queue active)
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10382]: SSL_connect error to mar-exch01.mydomain.com[192.168.100.223]:25: lost connection
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10382]: 32D975004EE: Cannot start TLS: handshake failure
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10375]: SSL_connect error to mar-exch01.mydomain.com[192.168.100.223]:25: lost connection
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10375]: 0891F5006D1: Cannot start TLS: handshake failure
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10382]: SSL_connect error to mar-exch01.mydomain.com[192.168.100.222]:25: lost connection
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10375]: SSL_connect error to mar-exch01.mydomain.com[192.168.100.222]:25: lost connection
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10383]: SSL_connect error to mar-exch01.mydomain.com[192.168.100.222]:25: lost connection
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10383]: A4DA150056C: Cannot start TLS: handshake failure
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10383]: SSL_connect error to mar-exch01.mydomain.com[192.168.100.223]:25: lost connection
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10375]: 0891F5006D1: to=<myu...@mydomain.com>, relay=mar-exch01.mydomain.com[192.168.100.222]:25, delay=2.5, delays=0.9/1.3/0.31/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10383]: A4DA150056C: to=<myu...@mydomain.com>, relay=mar-exch01.mydomain.com[192.168.100.223]:25, delay=0.94, delays=0.83/0.05/0.05/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
    Sep 14 11:52:54 mar-zabbix postfix/smtp[10382]: 32D975004EE: to=<myu...@mydomain.com>, relay=mar-exch01.mydomain.com[192.168.100.222]:25, delay=2.2, delays=1.7/0.23/0.26/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

I try to connect through openssl and I get the following (never mind our self-signed certificate):

    openssl s_client -starttls smtp -crlf -connect mar-exch01.mydomain.com:25
    CONNECTED(00000003)
    depth=0 CN = mar-exch01.mydomain.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = mar-exch01.mydomain.com
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 CN = mar-exch01.mydomain.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/CN=mar-exch01.mydomain.com
       i:/DC=com/DC=mydomain/CN=seguros
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    [OMITTED]
    -----END CERTIFICATE-----
    subject=/CN=mar-exch01.mydomain.com
    issuer=/DC=com/DC=mydomain/CN=seguros
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 2073 bytes and written 506 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-MD5
        Session-ID: 880400007C4AC8A71A35AB320EBEADAFF6A58AE184D2A17B675A2B42254E03E9
        Session-ID-ctx:
        Master-Key: 8FF1A6884F0E831516914A94CB678BAF011CA2E2078472E9286713404C078484967AAF3CB66607058D4218EBCC26EE0E
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1473881827
        Timeout   : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---
    250 XRDST
    EHLO
    250-mar-exch01.mydomain.com Hello [192.168.3.11]
    250-SIZE 10485760
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-AUTH NTLM LOGIN
    250-X-EXPS GSSAPI NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250-XEXCH50
    250 XRDST
    AUTH LOGIN
    [user in base64]
    334 UGFzc3dvcmQ6
    [password in base64]
    RENEGOTIATING
    3073844924:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:637:

Postfix is 2.11.3 and OpenSSL is 1.0.1t. Is this an OpenSSL bug?

Here's the Postfix configuration that used to work:

main.cf:

    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    biff = no
    append_dot_mydomain = no
    readme_directory = no
    smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
    smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    relayhost = [mar-exch01.mydomain.com]
    smtp_sasl_tls_security_options =
    smtp_sasl_mechanism_filter = login !ntlm
    smtp_use_tls = yes
    smtp_tls_loglevel = 1
    smtp_tls_note_starttls_offer = yes
    smtp_tls_security_level = may
    smtp_tls_session_cache_timeout = 3600s
    smtp_tls_CAfile =
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
    broken_sasl_auth_clients = yes
    smtp_always_send_ehlo = yes
    debug_peer_level = 5
    debug_peer_list = [192.168.100.222]
    ##
    myhostname = mar-zabbix.mydomain.com
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    myorigin = /etc/mailname
    mydestination = mar-zabbix.mydomain.com
    mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.100.0/24
    mailbox_command = procmail -a "$EXTENSION"
    mailbox_size_limit = 0
    recipient_delimiter = +
    inet_interfaces = all

/etc/postfix/generic:

    r...@mar-zabbix.mydomain.com myu...@mydomain.com

/etc/postfix/sasl/sasl_passwd/:

    [mar-exch01.seguroscatatumbo.com] DOMAIN\user:password

Note that while the server is called mar-zabbix.mydomain.com, we have a DNS entry called helpdesk.mydomain.com which points to the same IP as the server.

--
View this message in context: http://postfix.1071664.n5.nabble.com/Cannot-start-TLS-handshake-failure-when-relaying-through-Exchange-2007-tp86243.html
Sent from the Postfix Users mailing list archive at Nabble.com.
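The post above contains two artefacts a mail admin would normally triage by hand: the Postfix smtp delivery log (which relay, which status, which reason) and the openssl s_client transcript (protocol, cipher, key size, secure-renegotiation support, verify code, and whether a renegotiation was attempted before the handshake error). The script below is an added example, not part of the original post and not Postfix or OpenSSL tooling; it parses both artefacts and reports the TLS-posture findings a reviewer would flag. The sample log lines and transcript are constructed in the same shape as the post's output, with placeholder names (relay.example.test, 192.0.2.x); the function names parse_sclient, assess and summarize_deliveries are this example's own.

```python
"""Triage a Postfix relay TLS failure from the smtp log and an s_client transcript."""
import re
from collections import Counter

# Constructed sample Postfix smtp log lines (same shape as the post, placeholder names).
POSTFIX_LOG = """\
Sep 14 11:52:54 mar-zabbix postfix/smtp[10382]: SSL_connect error to relay.example.test[192.0.2.23]:25: lost connection
Sep 14 11:52:54 mar-zabbix postfix/smtp[10382]: 32D975004EE: Cannot start TLS: handshake failure
Sep 14 11:52:54 mar-zabbix postfix/smtp[10375]: 0891F5006D1: to=<user@example.test>, relay=relay.example.test[192.0.2.22]:25, delay=2.5, delays=0.9/1.3/0.31/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Sep 14 11:52:54 mar-zabbix postfix/smtp[10383]: A4DA150056C: to=<user@example.test>, relay=relay.example.test[192.0.2.23]:25, delay=0.94, delays=0.83/0.05/0.05/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Sep 14 11:53:10 mar-zabbix postfix/smtp[10390]: B1C2D3E4F5A: to=<other@example.test>, relay=relay.example.test[192.0.2.22]:25, delay=0.5, delays=0.1/0.1/0.2/0.1, dsn=2.0.0, status=sent (250 2.6.0 Queued)
"""

# Constructed, abbreviated s_client transcript with the lines that matter for triage.
SCLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = relay.example.test
verify error:num=21:unable to verify the first certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Verify return code: 21 (unable to verify the first certificate)
---
250 XRDST
AUTH LOGIN
334 UGFzc3dvcmQ6
RENEGOTIATING
3073844924:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:637:
"""

# One Postfix delivery-attempt record: queue id, relay, dsn, status, reason in parentheses.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>, relay=(?P<relay>[^,]+), "
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
WEAK_CIPHER_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP")


def summarize_deliveries(log_text):
    """Count delivery attempts by (relay, status, reason) so the failing relay stands out."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m:
            counts[(m["relay"], m["status"], m["reason"])] += 1
    return counts


def parse_sclient(text):
    """Pull the TLS-posture fields out of an openssl s_client transcript."""
    info = {"protocol": None, "cipher": None, "key_bits": None,
            "secure_renegotiation": None, "verify_code": None,
            "renegotiated": False, "error": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Protocol\s*:\s*(\S+)", line):
            info["protocol"] = m.group(1)
        elif m := re.match(r"Cipher\s*:\s*(\S+)", line):
            info["cipher"] = m.group(1)
        elif m := re.match(r"Server public key is (\d+) bit", line):
            info["key_bits"] = int(m.group(1))
        elif line.startswith("Secure Renegotiation IS"):
            info["secure_renegotiation"] = "NOT" not in line
        elif m := re.match(r"Verify return code: (\d+)", line):
            info["verify_code"] = int(m.group(1))
        elif line == "RENEGOTIATING":
            info["renegotiated"] = True
        elif ":error:" in line:
            info["error"] = line
    return info


def assess(info):
    """Turn the parsed fields into the findings a reviewer would raise."""
    findings = []
    if info["protocol"] in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {info['protocol']} negotiated")
    if info["cipher"] and any(t in info["cipher"] for t in WEAK_CIPHER_TOKENS):
        findings.append(f"weak cipher suite {info['cipher']} (RC4 is prohibited in TLS by RFC 7465)")
    if info["key_bits"] and info["key_bits"] < 2048:
        findings.append(f"server key is {info['key_bits']} bits, below the usual 2048-bit minimum")
    if info["secure_renegotiation"] is False:
        findings.append("peer does not support RFC 5746 secure renegotiation")
    if info["renegotiated"] and info["error"]:
        # OpenSSL clients refuse to renegotiate with a peer lacking RFC 5746 by default.
        findings.append("peer requested renegotiation after AUTH and the handshake then failed")
    if info["verify_code"] not in (None, 0):
        findings.append(f"certificate chain not verifiable locally (verify code {info['verify_code']})")
    return findings


if __name__ == "__main__":
    for (relay, status, reason), n in sorted(summarize_deliveries(POSTFIX_LOG).items()):
        print(f"{n:3d}  {status:<9} {relay}  {reason}")
    for finding in assess(parse_sclient(SCLIENT_OUTPUT)):
        print("finding:", finding)
```

The delivery summary separates relay-side TLS deferrals (dsn 4.7.5) from successful sends, which is what you want before touching the configuration; the transcript findings are ordered so the renegotiation failure after AUTH is listed next to the missing RFC 5746 support, since those two lines together are the part of the transcript that explains the "handshake failure" the log reports. With smtp_tls_security_level = may, Postfix uses opportunistic TLS and does not require the relay's certificate to verify, so the verify code 21 finding is a hygiene item rather than the cause of the deferral.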