When you test connecting to your servers yourself, do you get any errors?
Not sure if sslv3 is ok to see if using TLS ???

Commands to try, just replace with your server name
openssl s_client -connect mta5.uits.uconn.edu:465
openssl s_client -starttls smtp -connect mta5.uits.uconn.edu:587

openssl s_client -connect <yourname>:465
openssl s_client -starttls smtp -connect <yourname>:587


good luck.



-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

ang...@uconn.edu
University of Connecticut,  ITS, SSG, Server Systems
860-486-9075

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On 
Behalf Of James B. Byrne
Sent: Tuesday, July 10, 2018 12:56 PM
To: postfix-users@postfix.org
Subject: STARTTLS / DANE difficulties?

We are migrating our Postfix MX services and in the process have
disrupted a setup which has been very stable for the past couple of
years.  One of the remaining items is this sort of message which only
started very recently:


Jul 10 11:55:29 mx31 postfix-p25/smtpd[70030]: connect from hr1.samba.org[144.76.82.147]
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:/usr/src/crypto/openssl/ssl/s3_pkt.c:1493:SSL alert number 42:
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: lost connection after STARTTLS from hr1.samba.org[144.76.82.147]
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: disconnect from hr1.samba.org[144.76.82.147] ehlo=1 starttls=1 commands=2

I thought that these errors were the result of a misconfigured
certificate or private key for the postfix service.  However, I have
examined these and they appear to be correct:

postconf -n | grep -i tls
smtp_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED, IDEA, RC2, RC5
smtp_tls_key_file = /usr/local/etc/pki/tls/private/ca.harte-lyne.mx31.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_key_file = /usr/local/etc/pki/tls/private/ca.harte-lyne.mx31.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom


# ll /usr/local/etc/pki/tls/private/
total 18
-rw-------  1 root  wheel  3243 Jun  7 15:37 2016003E.key
lrwxr-xr-x  1 root  wheel    12 Jul 10 12:19 ca.harte-lyne.mx31.key -> 2016003E.key

# ll /usr/local/etc/pki/tls/certs
total 565
-rw-r--r--  1 root  wheel   10164 Jun  7 15:37 2016003E.pem
-rw-r--r--  1 root  wheel  822512 Jul 10 12:05 ca-bundle.crt
lrwxr-xr-x  1 root  wheel      22 Jul 10 12:07 ca.harte-lyne.mx31.crt -> ca.harte-lyne.mx31.pem
lrwxr-xr-x  1 root  wheel      12 Jul 10 12:06 ca.harte-lyne.mx31.pem -> 2016003E.pem

# openssl x509 -noout -text -in /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 538312766 (0x2016003e)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN=CA_HLL_ISSUER_2016, OU=Networked Data Services,
O=Harte & Lyne Limited, L=Hamilton, ST=Ontario, C=CA,
DC=harte-lyne, DC=ca
        Validity
            Not Before: Jun  1 00:00:00 2018 GMT
            Not After : Jun 30 23:59:59 2023 GMT
        Subject: CN=mx31.harte-lyne.ca, OU=Networked Data Services,
O=Harte & Lyne Limited, L=Hamilton, ST=Ontario, C=CA,
DC=hamilton, DC=harte-lyne, DC=ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
. . .

Can someone interpret for me what these messages are telling me?  Is
samba.org misconfigured or me?


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          
http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
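Added example (not from the thread, and not Postfix's own tooling): a POSIX shell helper that performs the check a DANE-enabled sending MTA makes before accepting a receiving server's certificate, which is the check that ends in TLS alert 42 (bad certificate) when it fails. It fetches the TLSA records for the host, hashes the certificate served after STARTTLS the way each record expects, and reports which record, if any, the server currently satisfies. Function names are mine; it assumes openssl and dig are on the path, and defaults to port 25 with STARTTLS as in the log above.

```shell
#!/bin/sh
# Added helper (not from the thread): compare the certificate a mail server
# presents after STARTTLS with the DANE TLSA records published for it.
# Assumes openssl and dig are installed; host and port come from argv.
# Leaf certificate (PEM) the server offers after STARTTLS on the given port.
fetch_leaf_cert() {
  openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" \
    </dev/null 2>/dev/null | openssl x509 -outform PEM
}
# TLSA association data for the PEM cert on stdin: selector 0 = full cert,
# 1 = SubjectPublicKeyInfo; matching type 1 = SHA-256, 2 = SHA-512.
tlsa_hash() {
  case "$2" in 1) dg=sha256 ;; 2) dg=sha512 ;; *) return 1 ;; esac
  if [ "$1" = 1 ]; then
    openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER
  else
    openssl x509 -outform DER
  fi | openssl dgst -"$dg" | sed 's/^.* //' | tr 'A-F' 'a-f'
}
# Records are "usage selector mtype hex" lines (hex may contain spaces, as dig
# prints it). Print the record whose selector/mtype equal $1/$2 and whose data
# equals $3; exit status 0 on a match, 1 when none matches.
tlsa_matches() {
  printf '%s\n' "$4" | {
    while read -r usage sel mt data; do
      [ "$sel" = "$1" ] && [ "$mt" = "$2" ] || continue
      if [ "$(printf '%s' "$data" | tr -d ' ' | tr 'A-F' 'a-f')" = "$3" ]; then
        echo "$usage $sel $mt $data"; exit 0
      fi
    done; exit 1; }
}
# Fetch the TLSA records, hash the served certificate the way each record
# expects, and report which record (if any) the server currently satisfies.
check_dane() {
  host="$1"; port="${2:-25}"
  recs=$(dig +short TLSA "_${port}._tcp.${host}")
  [ -n "$recs" ] || { echo "no TLSA records for _${port}._tcp.${host}"; return 2; }
  cert=$(fetch_leaf_cert "$host" "$port") || { echo "no certificate from $host"; return 3; }
  if hit=$(printf '%s\n' "$recs" | { while read -r usage sel mt data; do
        have=$(printf '%s\n' "$cert" | tlsa_hash "$sel" "$mt") || continue
        tlsa_matches "$sel" "$mt" "$have" "$recs" && exit 0
      done; exit 1; }); then
    echo "served certificate satisfies TLSA record: $hit"
  else
    echo "served certificate matches none of the TLSA records"; return 1
  fi
}
if [ $# -gt 0 ]; then check_dane "$@"; fi
```

Run it as `sh check_dane.sh mx31.harte-lyne.ca 25`; a "matches none" result after a certificate or key rollover, as happened here on Jul 10, is the server-side counterpart of the peer's bad certificate alert.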
