On Mon, December 21, 2020 13:46, Wietse Venema wrote:
> James B. Byrne:
>> > Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: warning: TLS library problem:
>> > error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46:
>> > Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: lost connection after STARTTLS from accounting-2.internal.harte-lyne.ca[192.168.216.88]
>
> Results from a web search suggest that this may be a certificate
> verification problem.

That is what I have been trying to confirm.  And after a lot of poking around
with Java's keystore/cacerts implementation I think that I have ruled that out:

JAVA_VERSION="12" java \
  -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore \
  -Djavax.net.ssl.trustStorePassword=idempiere-2020-ksadmin \
  SSLPoke 192.168.216.32 465
Successfully connected

The file /opt/idempiere/idempiere-server/jettyhome/etc/keystore is the java
keystore used by the Jetty application.  192.168.216.32 is the host that the
application is trying to send email through.  I cannot connect to TCP25 with
SSLPoke because SSLPoke does not do STARTTLS.  Likewise for TCP587.  But TCP465
does not do STARTTLS and so the certificate handshake gets initiated and
accepted by the client:

Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: SSL_accept:before SSL initialization
Dec 21 14:19:45 mx32 syslogd: last message repeated 1 times
Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: SSL_accept:SSLv3/TLS read client hello
Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: SSL_accept:SSLv3/TLS write server hello
. . .
Dec 21 14:19:45 mx32 syslogd: last message repeated 1 times
Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: SSL_accept:SSLv3/TLS read finished
Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: accounting-2.internal.harte-lyne.ca[192.168.216.88]: Issuing session ticket, key expiration: 1608578588
Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: accounting-2.internal.harte-lyne.ca[192.168.216.88]: save session 7E720D7E3D4A5307C7CB9D260FCD393FA066ED895E350B36F67322E61C0F0C32&s=smtps&l=269488207 to smtpd cache
Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: send attr request = update
Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: send attr cache_type = smtpd
Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: send attr cache_id = 7E720D7E3D4A5307C7CB9D260FCD393FA066ED895E350B36F67322E61C0F0C32&s=smtps&l=269488207
Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: send attr session = [data 119 bytes]
Dec 21 14:19:45 mx32 postfix/tlsmgr[93660]: put smtpd session id=7E720D7E3D4A5307C7CB9D260FCD393FA066ED895E350B36F67322E61C0F0C32&s=smtps&l=269488207 [data 119 bytes]
Dec 21 14:19:45 mx32 postfix/tlsmgr[93660]: write smtpd TLS cache entry 7E720D7E3D4A5307C7CB9D260FCD393FA066ED895E350B36F67322E61C0F0C32&s=smtps&l=269488207: time=1608578385 [data 119 bytes]
. . .
Dec 21 14:19:45 mx32 postfix-p465/smtpd[38338]: SSL_accept:SSLv3/TLS write session ticket



>
> What is the output from these commands:
>
>     postconf -n |grep 'smtpd.*tls'

smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx32.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_exclude_ciphers = MD5, aDSS, kECDH, kDH, 3DES, RC4, SEED, IDEA, RC2, RC5
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_key_file = /usr/local/etc/pki/tls/private/ca.harte-lyne.mx32.key
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, !SSLv2
smtpd_tls_protocols = TLSv1.3, TLSv1.2, TLSv1.1, TLSv1, SSLv3, !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3

Note that SSLv3 has only been enabled to carry out these tests.  The
application would not successfully connect otherwise.

>     postconf -P |grep 'smtpd.*tls'

smtp/inet/smtpd_tls_security_level = may
submission/inet/smtpd_recipient_restrictions = permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
submission/inet/smtpd_sender_restrictions = permit_sasl_authenticated,permit_tls_clientcerts,reject
submission/inet/smtpd_tls_security_level = encrypt
smtps/inet/smtpd_recipient_restrictions = permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
smtps/inet/smtpd_sender_restrictions = permit_sasl_authenticated,permit_tls_clientcerts,reject_unauth_destination
smtps/inet/smtpd_tls_wrappermode = yes
localhost:2626/inet/smtpd_tls_security_level = none


>
> Which of your three smtpd services is the client connecting to?
> How can you tell that from Postfix logging?
>
> In master.cf we recommend using a distinct syslog_name setting:
>
> master.cf:
>     submission inet n       -       n       -       -       smtpd
>         -o syslog_name=postfix/submission
>         ...
>     smtps     inet  n       -       n       -       -       smtpd
>         -o syslog_name=postfix/smtps
>         ...
>
> Taking some of the mystery out of Postfix troubleshooting.
>
>       Wietse
>


We use the actual connection port to id the log entries:

grep syslog /usr/local/etc/postfix/master.cf
  -o syslog_name=postfix-p25
  -o syslog_name=postfix-p587
  -o syslog_name=postfix-p465
  -o syslog_name=postfix-p2626

TCP2626 DKIM.

I do not believe that this issue is fundamentally a Postfix problem.  But to
get any traction with the application development team I have to narrow down
what exactly is going on between their application and Postfix.

The SSLv3 requirement is likely indicative respecting other possible variances
from expected behaviour in their email client.  Although there is a reference
given to a tweak-ssl.xml file which is supposed to allow alterations to SSL
protocols and ciphers, the URL to the example given in the documentation is
defunct.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
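Two checks this thread calls for, written here as an added example (not code from the list, from Postfix or from the application vendor): a decoder for the "TLS library problem" warning quoted at the top, which names the alert and reads from the syslog_name which smtpd service logged it, and a STARTTLS probe that does what SSLPoke cannot, verifying the server chain on port 25 or 587 against a CA bundle. SAMPLE_LINE is the thread's warning rejoined onto one line; the host, port and CA path in the __main__ block are command-line placeholders.

```python
import re
import smtplib
import ssl

# TLS alert descriptions (RFC 5246 section 7.2), the subset tied to certificate problems
ALERTS = {
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    49: "access_denied", 112: "unrecognized_name",
}
# The warning quoted at the top of the thread, re-joined onto one line (constructed
# from the thread's own log text; a real syslog entry is a single line).
SAMPLE_LINE = (
    "Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: warning: TLS library problem: "
    "error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:"
    "/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:SSL alert number 46:"
)
LINE_RE = re.compile(
    r"(?P<svc>postfix[-\w/]*)/smtpd\[\d+\]: warning: TLS library problem:.*?"
    r"SSL routines:(?P<func>\w+):.*?SSL alert number (?P<num>\d+)"
)

def decode_alert_line(line):
    """Return (syslog_name, alert name, origin) for a TLS alert warning, else None.
    syslog_name says which smtpd service logged it (postfix-p25 here). ssl3_read_bytes
    means smtpd *received* the alert, so the client is what rejected the certificate."""
    m = LINE_RE.search(line)
    if not m:
        return None
    num = int(m.group("num"))
    origin = "peer" if m.group("func") == "ssl3_read_bytes" else "local"
    return m.group("svc"), ALERTS.get(num, f"alert_{num}"), origin

def starttls_probe(host, port, cafile, timeout=10):
    """Plain SMTP, then STARTTLS with chain and hostname verification against cafile.
    Returns (protocol version, server certificate subject); raises ssl.SSLError if
    the chain does not verify, which is the client-side view of alert 46."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        sock = smtp.sock  # now an ssl.SSLSocket
        subject = dict(rdn[0] for rdn in sock.getpeercert()["subject"])
        return sock.version(), subject

if __name__ == "__main__":  # usage: python probe.py HOST PORT CA_BUNDLE (placeholders)
    import sys
    print(starttls_probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run the probe against the smtpd the client actually uses, with the same CA bundle the client trusts; an ssl.SSLError here reproduces the alert 46 seen in the smtpd log from the client side.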
