> On Mar 8, 2017, at 5:51 AM, KSB <list...@ksb.id.lv> wrote:
>
> After upgrading to postfix 3.1 (from 2.9), one of our clients said it cannot
> send mail anymore (he has OE6 on XP and said it's planned to upgrade, but not
> now).
>
> What we got in the logs:
>
> postfix/smtpd[16747]: connect from CLIENTIP
> postfix/smtpd[16747]: setting up TLS connection from CLIENTIP
> postfix/smtpd[16747]: CLIENTIP: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
> postfix/smtpd[16747]: SSL_accept:before SSL initialization
> postfix/smtpd[16747]: SSL_accept:before SSL initialization
> postfix/smtpd[16747]: SSL3 alert write:fatal:handshake failure
> postfix/smtpd[16747]: SSL_accept:error in error
> postfix/smtpd[16747]: SSL_accept error from CLIENTIP: -1
> postfix/smtpd[16747]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:1422:
I would expect XP systems to use RC4-SHA or RC4-MD5, both of which are still
included in the medium cipherlist, *provided* that the OpenSSL library you're
using still supports RC4. Did you happen to also upgrade OpenSSL (not just
Postfix)? Post the output of:

    $ openssl ciphers -v 'RSA+RC4'

making sure that "ldd openssl" reports the same libraries that the Postfix
"smtpd" is linked with.

When I try to use RC4 to connect to your server, I get:

    $ posttls-finger -c -Lsummary -o tls_medium_cipherlist="RC4" ksb.id.lv
    posttls-finger: SSL_connect error to mail.awtech.lv[94.101.232.12]:25: -1
    posttls-finger: warning: TLS library problem: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:769:

while 3DES works:

    $ posttls-finger -c -Lsummary -o tls_medium_cipherlist="3DES" ksb.id.lv
    posttls-finger: certificate verification failed for mail.awtech.lv[94.101.232.12]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
    posttls-finger: Untrusted TLS connection established to mail.awtech.lv[94.101.232.12]:25: TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA (112/168 bits)

So it looks like your OpenSSL library has dropped RC4 support, or, contrary to
the claim of "default" ciphers, you've in fact disabled RC4 in Postfix.

-- 
	Viktor.
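The two checks Viktor asks for in the reply above, as an added example that is not part of the original thread or of Postfix: decode the packed OpenSSL error code that Postfix logs ("error:1417A0C1:...") into its library/function/reason fields so the "no shared cipher" reason is recognised without reading the error text, and scan `openssl ciphers -v` output for suites whose bulk cipher is RC4 to see whether the library still offers them. The decoder uses the OpenSSL 1.0/1.1 error packing (8-bit library, 12-bit function, 12-bit reason) that the codes in this thread use; OpenSSL 3 changed that layout. The log lines and cipher listing embedded below are constructed samples based on the thread, and the `live_rc4_suites` helper is an assumption about how one would run the same check on the local `openssl` binary.

```python
"""Diagnose the 'no shared cipher' TLS failure from the Postfix thread.

decode_openssl_error() unpacks the OpenSSL error code Postfix logs;
rc4_suites() lists RC4 suites in 'openssl ciphers -v' output. Sample
inputs are constructed for illustration.
"""
import re
import shutil
import subprocess

# OpenSSL 1.0/1.1 packed error code: library (8 bits) | function (12) | reason (12).
ERR_LIB_SSL = 20  # 0x14, the "SSL routines" library

# Reason codes from OpenSSL's ssl.h that matter here. TLS alert reasons are
# 1000 + the alert number, so 1040 is alert 40 (handshake_failure).
SSL_REASONS = {
    193: "SSL_R_NO_SHARED_CIPHER",
    1040: "SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE",
}

ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def decode_openssl_error(log_line):
    """Return (lib, func, reason, reason_name) for the first OpenSSL error code
    in a log line, or None when the line carries no error code."""
    m = ERROR_RE.search(log_line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    if lib != ERR_LIB_SSL:
        name = "non-SSL library"
    else:
        name = SSL_REASONS.get(reason, "unknown SSL reason")
    return lib, func, reason, name


def rc4_suites(ciphers_v_output):
    """Names of suites whose Enc= field is RC4 in 'openssl ciphers -v' output."""
    suites = []
    for line in ciphers_v_output.splitlines():
        fields = line.split()
        if fields and any(f.startswith("Enc=RC4") for f in fields):
            suites.append(fields[0])
    return suites


def live_rc4_suites(openssl="openssl"):
    """Run 'openssl ciphers -v RSA+RC4' on this host (assumed helper).

    Returns None if no openssl CLI is found, [] if the library has no RC4
    suites (openssl exits non-zero with 'no cipher match'), else the names.
    """
    if shutil.which(openssl) is None:
        return None
    proc = subprocess.run([openssl, "ciphers", "-v", "RSA+RC4"],
                          capture_output=True, text=True)
    return rc4_suites(proc.stdout) if proc.returncode == 0 else []


# Constructed samples: the server-side warning from the report and the
# client-side posttls-finger error, with the thread's placeholder values.
SAMPLE_SERVER_LOG = ("postfix/smtpd[16747]: warning: TLS library problem: "
                     "error:1417A0C1:SSL routines:tls_post_process_client_hello:"
                     "no shared cipher:../ssl/statem/statem_srvr.c:1422:")
SAMPLE_CLIENT_LOG = ("posttls-finger: warning: TLS library problem: error:14077410:"
                     "SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake "
                     "failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/"
                     "ssl/s23_clnt.c:769:")

# Constructed sample of 'openssl ciphers -v RSA+RC4' from a build that ships RC4.
SAMPLE_CIPHERS_V = """\
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

if __name__ == "__main__":
    for line in (SAMPLE_SERVER_LOG, SAMPLE_CLIENT_LOG):
        print(decode_openssl_error(line))
    print("RC4 suites in sample listing:", rc4_suites(SAMPLE_CIPHERS_V))
    live = live_rc4_suites()
    print("RC4 suites in this host's openssl:",
          "openssl not found" if live is None else live)
```

Decoding the sample server line yields reason 193 (SSL_R_NO_SHARED_CIPHER) and the client line reason 1040 (the handshake_failure alert), which is what the thread's two error strings spell out in words. An empty `rc4_suites` result from the live check points at the library, not at Postfix's `tls_medium_cipherlist`; a non-empty one means the next thing to compare is whether `smtpd` is linked against the same libssl as the CLI, as the reply suggests.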