Hi Florian,

I am curious if you ran a basic telnet test of your SSL config, trying to connect over port 465 or 587? Sorry for not reading your attachments.

I am attaching one file of the command and its output, showing an example test over both ports. Does your postfix respond like my example, or are you not even able to do that?

-ALF
-Angelo Fazzina
Operating Systems Programmer / Analyst
University of Connecticut, UITS, SSG-Linux/ M&C
860-486-9075

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Florian Piekert
Sent: Thursday, November 3, 2016 7:48 AM
To: postfix-users@postfix.org
Subject: Ubuntu 16.04lts & ssl unknown states

Good morning everybody,

I was wondering for quite some weeks now how to fix this issue with my postfix. I had a brief discussion with Ralf Hildebrandt and he suggested asking via the users list, so that's what I am doing now.

I have the situation that the PF currently doesn't seem to get proper information about the state of the SSL connection, as you can see below.

==> mail/mail.log <==
Nov  3 08:50:29 blueberry postfix/tlsproxy[8057]: CONNECT from [2a01:111:f400:fe02::31f]:39552
Nov  3 08:50:29 blueberry postfix/tlsproxy[8057]: setting up TLS connection from [2a01:111:f400:fe02::31f]:39552
Nov  3 08:50:29 blueberry postfix/tlsproxy[8057]: [2a01:111:f400:fe02::31f]:39552: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH:!aNULL"
Nov  3 08:50:29 blueberry postfix/tlsproxy[8057]: SSL_accept:before/accept initialization
Nov  3 08:50:30 blueberry postfix/tlsproxy[8057]: SSL_accept:unknown state
Nov  3 08:50:30 blueberry postfix/tlsproxy[8057]: message repeated 5 times: [ SSL_accept:unknown state]
Nov  3 08:50:30 blueberry postfix/tlsproxy[8057]: SSL_accept:failed in unknown state

It doesn't matter if it is an IPv6 host, or if the host is in mynetworks or not (all postfixes with CAcert-issued certs, and working fine between each other). Any pointers on what to check/where to look/what to fix are highly appreciated.

And I will probably drop another mail around another issue in conjunction with dovecot virtual user delivery pf->dovecot... but first this SSL thing...

Thanks!
Florian
===========================================================================
Note: this message was sent by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org.
Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx!
TEST 1 [ OK ]

[root@mta4 ~]# openssl s_client -connect mta4.example.com:465
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = 06269, ST = Connecticut, L = Storrs, street = MSB, O = University of Connecticut, OU = UITS, CN = mta4.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/postalCode=06269/ST=Connecticut/L=Storrs/street=MSB/O=University of Connecticut/OU=UITS/CN=mta4.example.com
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbTCCBFWgAwIBAgIQUUUM6kkQWQV8kesbMKoP2TANBgkqhkiG9w0BAQsFADB2
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0xNjAzMDEwMDAwMDBaFw0xOTAzMDEy
MzU5NTlaMIGjMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMDYyNjkxFDASBgNVBAgT
C0Nvbm5lY3RpY3V0MQ8wDQYDVQQHEwZTdG9ycnMxDDAKBgNVBAkTA01TQjEiMCAG
A1UEChMZVW5pdmVyc2l0eSBvZiBDb25uZWN0aWN1dDENMAsGA1UECxMEVUlUUzEc
MBoGA1UEAxMTbXRhNC51aXRzLnVjb25uLmVkdTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAKXs5Mhq4l4c+nMdwxFY3lndze/40SAuVhLUA2oiQ1j359tA
xu6UPoE5XaeYDevTSm7kG/GiTRrNJRWXqWcGAfqxU2smopOP1ybLSqYno8JG6bq7
IzQzOpUaT9jhqXhxYLwC7gNkw6FfFTwH3dzUCqMEDiceBf7Sbgu3cw53WeoXjYOD
4sLaidh4ZLRXTYGoTcrFUAosyM4GhNs9DFbRYJxYMTN/FLFHGi62EfLdWnynKHHm
ewsvOWTRwcC+mVxXOOrD24fNsX9PKshYbX+jBLXI/HCHgT8zx7MZUSYbk/tOjf5O
tm2R9pV7gRC+zOyTkH8EHDh+pFIXSGhDfJrjBG0CAwEAAaOCAccwggHDMB8GA1Ud
IwQYMBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQWBBR8EYFOpcMjQElK
gL+vSCi32DwmUzAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBSBgwrBgEEAa4jAQQD
AQEwQjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21tb24ub3JnL2NlcnQv
cmVwb3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYDVR0fBD0wOzA5oDeg
NYYzaHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29tbW9uUlNBU2VydmVy
Q0EuY3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYyaHR0cDovL2NydC51
c2VydHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5jcnQwJQYIKwYBBQUH
MAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wHgYDVR0RBBcwFYITbXRhNC51
aXRzLnVjb25uLmVkdTANBgkqhkiG9w0BAQsFAAOCAQEAeqhoiQgP/ImkEPOpiIvd
ccMu57YVROANAWr5SP6FZ1HV3G+Imyj91aTMFmH+x5EDs44RsRJ99MFsGPxZ4ZY0
JVMQWf8IMC6YDaeR9h7WWzFxZayHiS9jcGiFUvfUe4km43mOu76zclev6RIN0LDD
7a2+YyFVl5aSC5laq5YaFKMy5vGpOD/3ekGEbThPQMdqBo1UDYaP+kvXmrNsT3uz
5upmyKIz/nZ0JZBT7REptDzKaMWc0pAZbSUjC73SFpSpNmD5A+2UlGVnL/bTT/Lc
ACmajluZWpNxzqLSjORj1N4Z+yikyyzjwY4hOZgJXMsIXoQ6V++xiu9SVppNGNgP
8g==
-----END CERTIFICATE-----
subject=/C=US/postalCode=06269/ST=Connecticut/L=Storrs/street=MSB/O=University of Connecticut/OU=UITS/CN=mta4.example.com
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 6265 bytes and written 437 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 37EFC3B6AADA10665B39635369E49CD3BEA2C1E7C125E75375D4554884E0DC65
    Session-ID-ctx: 
    Master-Key: 357719298449E180CBB7EB95FAEA57DF55804DB7D63140E120ADA54BA1C9FEEB01CAE4CCFC2FF8DB2C2D0152182D41E8
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - e3 48 84 5d 1a 67 4b 5f-0b bb e5 84 6e 3c 2c 9c   .H.].gK_....n<,.
    0010 - f3 92 f2 71 ed 53 d5 1a-38 c8 75 dc 0d 88 ff 46   ...q.S..8.u....F
    0020 - dc b3 e3 b7 bb 83 3b 50-73 5e e1 e6 01 08 24 f5   ......;Ps^....$.
    0030 - 37 89 71 b8 30 db 18 98-84 12 a1 03 09 0e 7e d4   7.q.0.........~.
    0040 - 44 79 e5 c7 a1 48 42 62-41 2e c6 04 7d e1 5f 8c   Dy...HBbA...}._.
    0050 - 84 ea c9 f0 b4 d6 a9 d7-e7 eb a9 3b ce 24 f7 ee   ...........;.$..
    0060 - d1 2f 0e d5 7b 50 2f 78-f8 fe 18 2a 59 c8 46 c5   ./..{P/x...*Y.F.
    0070 - a7 54 c3 12 49 e8 de 00-91 8a 85 23 67 0f 07 e0   .T..I......#g...
    0080 - 19 0d 00 cf ef 75 23 c3-d5 42 5e 97 aa 0b 53 d7   .....u#..B^...S.
    0090 - a3 32 96 7e 83 c5 87 a3-4f ba 8d 54 ea 32 02 2c   .2.~....O..T.2.,

    Start Time: 1478179093
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 mta4.example.com ESMTP Postfix (Debian/GNU)
quit
221 2.0.0 Bye
closed
[root@mta4 ~]#

TEST 2

[root@mta4 ~]# openssl s_client -starttls smtp -connect mta4.example.com:587
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA
verify return:1
depth=0 C = US, postalCode = 06269, ST = Connecticut, L = Storrs, street = MSB, O = University of Connecticut, OU = UITS, CN = mta4.example.com
verify return:1
---
Certificate chain
 0 s:/C=US/postalCode=06269/ST=Connecticut/L=Storrs/street=MSB/O=University of Connecticut/OU=UITS/CN=mta4.example.com
   i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
   i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFbTCCBFWgAwIBAgIQUUUM6kkQWQV8kesbMKoP2TANBgkqhkiG9w0BAQsFADB2
MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES
MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW
SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0xNjAzMDEwMDAwMDBaFw0xOTAzMDEy
MzU5NTlaMIGjMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMDYyNjkxFDASBgNVBAgT
C0Nvbm5lY3RpY3V0MQ8wDQYDVQQHEwZTdG9ycnMxDDAKBgNVBAkTA01TQjEiMCAG
A1UEChMZVW5pdmVyc2l0eSBvZiBDb25uZWN0aWN1dDENMAsGA1UECxMEVUlUUzEc
MBoGA1UEAxMTbXRhNC51aXRzLnVjb25uLmVkdTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAKXs5Mhq4l4c+nMdwxFY3lndze/40SAuVhLUA2oiQ1j359tA
xu6UPoE5XaeYDevTSm7kG/GiTRrNJRWXqWcGAfqxU2smopOP1ybLSqYno8JG6bq7
IzQzOpUaT9jhqXhxYLwC7gNkw6FfFTwH3dzUCqMEDiceBf7Sbgu3cw53WeoXjYOD
4sLaidh4ZLRXTYGoTcrFUAosyM4GhNs9DFbRYJxYMTN/FLFHGi62EfLdWnynKHHm
ewsvOWTRwcC+mVxXOOrD24fNsX9PKshYbX+jBLXI/HCHgT8zx7MZUSYbk/tOjf5O
tm2R9pV7gRC+zOyTkH8EHDh+pFIXSGhDfJrjBG0CAwEAAaOCAccwggHDMB8GA1Ud
IwQYMBaAFB4Fo3ePbJbiW4dLprSGrHEADOc4MB0GA1UdDgQWBBR8EYFOpcMjQElK
gL+vSCi32DwmUzAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUE
FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZwYDVR0gBGAwXjBSBgwrBgEEAa4jAQQD
AQEwQjBABggrBgEFBQcCARY0aHR0cHM6Ly93d3cuaW5jb21tb24ub3JnL2NlcnQv
cmVwb3NpdG9yeS9jcHNfc3NsLnBkZjAIBgZngQwBAgIwRAYDVR0fBD0wOzA5oDeg
NYYzaHR0cDovL2NybC5pbmNvbW1vbi1yc2Eub3JnL0luQ29tbW9uUlNBU2VydmVy
Q0EuY3JsMHUGCCsGAQUFBwEBBGkwZzA+BggrBgEFBQcwAoYyaHR0cDovL2NydC51
c2VydHJ1c3QuY29tL0luQ29tbW9uUlNBU2VydmVyQ0FfMi5jcnQwJQYIKwYBBQUH
MAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wHgYDVR0RBBcwFYITbXRhNC51
aXRzLnVjb25uLmVkdTANBgkqhkiG9w0BAQsFAAOCAQEAeqhoiQgP/ImkEPOpiIvd
ccMu57YVROANAWr5SP6FZ1HV3G+Imyj91aTMFmH+x5EDs44RsRJ99MFsGPxZ4ZY0
JVMQWf8IMC6YDaeR9h7WWzFxZayHiS9jcGiFUvfUe4km43mOu76zclev6RIN0LDD
7a2+YyFVl5aSC5laq5YaFKMy5vGpOD/3ekGEbThPQMdqBo1UDYaP+kvXmrNsT3uz
5upmyKIz/nZ0JZBT7REptDzKaMWc0pAZbSUjC73SFpSpNmD5A+2UlGVnL/bTT/Lc
ACmajluZWpNxzqLSjORj1N4Z+yikyyzjwY4hOZgJXMsIXoQ6V++xiu9SVppNGNgP
8g==
-----END CERTIFICATE-----
subject=/C=US/postalCode=06269/ST=Connecticut/L=Storrs/street=MSB/O=University of Connecticut/OU=UITS/CN=mta4.example.com
issuer=/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 6489 bytes and written 472 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID: 40F7480E09FA599843303779A48899DCFC2EC849CD4813A99E1F421A34957F27
    Session-ID-ctx: 
    Master-Key: 641570970CC88DA3EADA574D958547DF43ECB5FED97BDCC06E629C3AE17CCB137A9EEB4AAAC5716F86394E87FF25B3D6
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - 02 d5 a7 be c9 e1 47 ce-85 52 09 27 b6 b3 ac 4a   ......G..R.'...J
    0010 - bf ac 15 25 bc 9a 1f 3a-34 d0 a8 41 6d 95 6e 53   ...%...:4..Am.nS
    0020 - 72 f4 04 ec 21 e7 ea aa-1e f1 c8 04 83 94 b2 0f   r...!...........
    0030 - cf 6b 45 09 c9 c8 67 84-cc d4 91 9a a4 c9 6b 6b   .kE...g.......kk
    0040 - ba bb 84 75 f0 c7 e1 d3-21 b8 8d 64 4e aa 14 41   ...u....!..dN..A
    0050 - f8 1f 60 23 41 15 66 97-48 ba b6 2d e6 e7 d9 c8   ..`#A.f.H..-....
    0060 - 94 c8 04 6e 0a d0 c0 3c-0a 37 af dd 3e 82 e4 bc   ...n...<.7..>...
    0070 - c2 a4 7f 43 88 2e 01 a3-5b f4 f7 55 68 f2 3a d7   ...C....[..Uh.:.
    0080 - 29 8a a9 6f d1 31 f5 fe-3d 9d d5 28 81 3d 45 7e   )..o.1..=..(.=E~
    0090 - e2 24 b9 b2 c3 69 ab 5b-f7 a4 dd 01 00 98 69 f0   .$...i.[......i.

    Start Time: 1478179286
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN
quit
221 2.0.0 Bye
closed
[root@mta4 ~]#
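The two probes in the attachment above, scripted so they can be repeated against any MTA and reduced to a one-line verdict per port. This is an added example, not code from the thread, from Angelo, or from Postfix. It assumes only that openssl is on the path; the host name is whatever you pass on the command line, and the two sample_* outputs are constructed stand-ins for s_client output, trimmed to the lines the summary reads. The check it adds over reading the output by eye is the one that trips people up: on a failed handshake s_client still prints an SSL-Session block ending in "Verify return code: 0 (ok)", so the verify code alone is not a pass signal; the "Cipher is (NONE)" line (cipher 0000) is what marks failure. It also flags the 1024-bit ephemeral DH that both captured runs show.

```shell
#!/bin/sh
# Added example, not from the original thread or from Postfix: scripts the two
# openssl s_client probes above (implicit TLS on 465, STARTTLS on 587) and
# reduces each run to a one-line verdict.  The host passed on the command line
# is whatever MTA you are testing; sample_ok/sample_fail below are constructed
# stand-ins for real s_client output, trimmed to the lines the summary reads.

# tls_probe HOST PORT [starttls]
# Runs openssl s_client with stdin from /dev/null so it exits after the
# handshake instead of waiting for SMTP commands; prints the raw output.
tls_probe() {
    host=$1; port=$2; mode=${3:-implicit}
    if [ "$mode" = "starttls" ]; then
        openssl s_client -starttls smtp -connect "$host:$port" -servername "$host" </dev/null 2>&1
    else
        openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1
    fi
}

# tls_summary   (s_client output on stdin)
# Prints "OK|FAIL proto=.. cipher=.. verify=N [tmpkey=ALG/BITS] [warn=..]" and
# returns 0 only for OK.  A failed handshake still ends with an SSL-Session
# block saying "Verify return code: 0 (ok)", so the verify code alone is not a
# pass signal; "Cipher is (NONE)" / cipher 0000 is what marks failure.
tls_summary() {
    awk '
        /^New, .*Cipher is \(NONE\)/ { nosess = 1 }
        /^ *Protocol *:/             { proto  = $3 }
        /^ *Cipher *:/               { cipher = $3 }
        /^ *Verify return code:/     { verify = $4 }
        /^Server Temp Key:/          { tmpalg = $4; tmpbits = $(NF-1) }   # "DH, 1024 bits"
        END {
            if (nosess || cipher == "" || cipher == "0000") {
                print "FAIL no TLS session negotiated"
                exit 1
            }
            status = (verify == "0") ? "OK" : "FAIL"
            line = status " proto=" proto " cipher=" cipher " verify=" verify
            if (tmpalg != "") {
                sub(/,$/, "", tmpalg)
                line = line " tmpkey=" tmpalg "/" tmpbits
                # 1024-bit ephemeral DH, as in the captured runs above, is below
                # the 2048 bits current guidance asks for.
                if (tmpalg == "DH" && tmpbits + 0 < 2048) line = line " warn=dh-" tmpbits "-bit"
            }
            print line
            rc = (status == "OK") ? 0 : 1
            exit rc
        }'
}

# Constructed sample: the shape of a successful run (cf. TEST 1 above).
sample_ok() {
cat <<'EOF'
CONNECTED(00000003)
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
220 mta4.example.com ESMTP Postfix (Debian/GNU)
EOF
}

# Constructed sample: the shape of a failed handshake.  Note the verify code
# is still 0; only the (NONE)/0000 cipher reveals that nothing was negotiated.
sample_fail() {
cat <<'EOF'
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
---
EOF
}

# Usage: sh tls_probe.sh mail.example.net   (live probe of 465 and 587)
#        sh tls_probe.sh                    (run the summary on the samples)
if [ $# -ge 1 ]; then
    printf '%s 465/implicit: ' "$1"; tls_probe "$1" 465 | tls_summary
    printf '%s 587/starttls: ' "$1"; tls_probe "$1" 587 starttls | tls_summary
else
    printf 'sample ok:   '; sample_ok | tls_summary
    printf 'sample fail: '; sample_fail | tls_summary || true   # expected to fail
fi
```

The return code of tls_summary makes the script usable from cron or a monitoring check: a handshake that negotiates nothing, or a chain that does not verify, exits non-zero even though s_client itself exits 0 in both cases.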