On Thu, Nov 03, 2016 at 06:05:50PM +0100, Florian Piekert wrote:

> Since there is no tlsproxy running at the moment (removed the modifications
> from Wietse and restarted pf, let's wait...?) I can't provide that output
> at the moment. Or do you have a suggestion how to get one up & running?

You could go back to the previous configuration, but read on...

> On the other hand, my pf is the snapshot from 1101 and not any longer the
> default package that ubuntu delivered.
>
> root@blueberry:/var/lib/postfix# l /usr/sbin/post*
> -rwxr-xr-x 1 root root      45160 Nov  1 22:04 /usr/sbin/postalias*
> -rwxr-xr-x 1 root root      34216 Nov  1 22:04 /usr/sbin/postcat*
> -rwxr-xr-x 1 root root     422752 Nov  1 22:04 /usr/sbin/postconf*
> -rwxr-sr-x 1 root postdrop  34504 Nov  1 22:04 /usr/sbin/postdrop*
> -rwxr-xr-x 1 root root      28960 Nov  1 22:04 /usr/sbin/postfix*
> -rwxr-xr-x 1 root root       5017 Apr 13  2016 /usr/sbin/postfix-add-filter*
> -rwxr-xr-x 1 root root       3923 Apr 13  2016 /usr/sbin/postfix-add-policy*
> -rwxr-xr-x 1 root root      37856 Okt 26  2014 /usr/sbin/postgrey*
> -rwxr-xr-x 1 root root      20696 Nov  1 22:04 /usr/sbin/postkick*
> -rwxr-xr-x 1 root root      22608 Nov  1 22:04 /usr/sbin/postlock*
> -rwxr-xr-x 1 root root      22384 Nov  1 22:04 /usr/sbin/postlog*
> -rwxr-xr-x 1 root root      48512 Nov  1 22:04 /usr/sbin/postmap*
> -rwxr-xr-x 1 root root      69928 Nov  1 22:04 /usr/sbin/postmulti*
> -rwxr-sr-x 1 root postdrop  54304 Nov  1 22:04 /usr/sbin/postqueue*
> -rwxr-xr-x 1 root root      60552 Nov  1 22:04 /usr/sbin/postsuper*
> -rwxr-xr-x 1 root root      34768 Apr 13  2016 /usr/sbin/posttls-finger*

Perhaps "posttls-finger" is left over from an earlier install? Did
you build and install Postfix from source?

The OpenSSL version looks typical enough, is that "/usr/bin/openssl"
or some other version? What does "ldd" show for this binary?

    # openssl version -a
    OpenSSL 1.0.2g 1 Mar 2016
    built on: reproducible build, date unspecified
    platform: debian-amd64
    options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx)
    compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
    OPENSSLDIR: "/usr/lib/ssl"

Here we see that the same "unknown state" issue happens with Postfix
out of the picture. Both for local connections and connections to
Gmail. So this should be pursued on a suitable Ubuntu forum.

    # (sleep 1; printf "quit\r\n") | openssl s_client -quiet -state -starttls smtp -connect localhost:25
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:unknown state
    depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = supp...@cacert.org
    verify return:1
    depth=0 CN = yabba.dadd-do.de
    verify return:1
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    250 DSN
    221 2.0.0 Bye
    SSL3 alert read:warning:close notify
    SSL3 alert write:warning:close notify

    # (sleep 1; printf "quit\r\n") | openssl s_client -quiet -state -starttls smtp -connect smtp.gmail.com:587
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:unknown state
    depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
    verify return:1
    depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
    verify return:1
    depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com
    verify return:1
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    SSL_connect:unknown state
    250 SMTPUTF8
    221 2.0.0 closing connection g9sm9596385wjk.25 - gsmtp
    read:errno=0
    SSL3 alert write:warning:close notify

> postconf mail_version
> -> mail_version = 3.2-20161101

I very much doubt that Ubuntu shipped this Postfix version. Looks
like you've built your own, and installed it on top of Ubuntu's
package. That requires some care and skill. You're typically
better off sticking with the bundled package or a "backport".

> root@blueberry:/etc/postfix# posttls-finger
> posttls-finger: symbol lookup error: posttls-finger: undefined symbol:
> midna_domain_to_ascii

Not surprising, that's left over from the Ubuntu package.

--
	Viktor.