On Thu, Jan 28, 2021 at 08:18:05PM +0000, Chu, Uy wrote:

> I am having trouble with one of our application servers not being able
> to connect to send emails.  I noticed the issue of connection lost
> after STARTTLS.  Is it a configuration on the SMTP server or the
> application?
>
> Jan 28 10:19:04 mailgate15 postfix/smtpd[10717]: setting up TLS connection
>   from crowd-prod02.slac.stanford.edu[134.79.98.190]
> Jan 28 10:19:04 mailgate15 postfix/smtpd[10717]:
>   crowd-prod02.slac.stanford.edu[134.79.98.190]:
>   TLS cipher list
>     kEECDH +kEECDH+SHA
>     kEDH +kEDH+SHA +kEDH+CAMELLIA
>     kECDH +kECDH+SHA
>     kRSA +kRSA+SHA +kRSA+CAMELLIA
>     !aNULL !eNULL !SSLv2 !RC4 !MD5 !DES !EXP !SEED !IDEA !3DES
>     !EXP !MEDIUM !LOW
>     !DES !3DES !SSLv2 !RC4
>     !aNULL
Reformatting your cipher list, it is obvious that someone who doesn't
exactly know what they're doing has customised the cipher list, in ways
I would not recommend, *but* not to the point where I'd expect to see
interoperability issues for most clients.

> Jan 28 10:19:04 mailgate15 postfix/smtpd[10717]: SSL_accept error from
>   crowd-prod02.slac.stanford.edu[134.79.98.190]: 0
> Jan 28 10:19:04 mailgate15 postfix/smtpd[10717]: lost connection after
>   STARTTLS from crowd-prod02.slac.stanford.edu[134.79.98.190]

So the above is not sufficient to identify the problem completing the
TLS handshake.  As noted by Wietse, configuration data would be best.

FWIW, connections from "posttls-finger" appear to work:

    $ posttls-finger -c -lmay "[mailgate15.slac.stanford.edu]"
    posttls-finger: mailgate15.slac.stanford.edu[134.79.102.21]:25:
        subject_CN=smtpout.slac.stanford.edu,
        issuer_CN=InCommon ECC Server CA,
        fingerprint=B9:76:16:F3:63:08:EA:5D:2A:02:6A:B3:5D:2C:46:01:5F:36:13:52:03:8B:23:54:07:83:E3:72:80:C3:3F:14,
        pkey_fingerprint=52:9D:09:15:67:89:1F:4D:6B:04:B4:D9:BF:27:62:2C:02:59:BC:99:40:4F:E4:A0:14:E6:3F:38:ED:B9:33:03
    posttls-finger: Untrusted TLS connection established to
        mailgate15.slac.stanford.edu[134.79.102.21]:25: TLSv1.2 with
        cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Is the client configured to authenticate the server?  The server
certificate chain appears to be missing the intermediate CA, or to be
directly signed by a root CA that's not in the usual trusted CA
bundles...
  0 subject: /C=US/postalCode=94305/ST=California/L=Stanford/street=450 Jane Stanford Way/O=Stanford University/OU=SLAC/CN=smtpout.slac.stanford.edu
    issuer:  /C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon ECC Server CA
    cert digest=B9:76:16:F3:63:08:EA:5D:2A:02:6A:B3:5D:2C:46:01:5F:36:13:52:03:8B:23:54:07:83:E3:72:80:C3:3F:14
    pkey digest=52:9D:09:15:67:89:1F:4D:6B:04:B4:D9:BF:27:62:2C:02:59:BC:99:40:4F:E4:A0:14:E6:3F:38:ED:B9:33:03

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:f6:2c:5e:21:7e:bc:37:23:02:38:9d:10:8d:64:49
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon ECC Server CA
        Validity
            Not Before: Oct  1 00:00:00 2020 GMT
            Not After : Oct  1 23:59:59 2021 GMT
        Subject: C = US, postalCode = 94305, ST = California, L = Stanford, street = 450 Jane Stanford Way, O = Stanford University, OU = SLAC, CN = smtpout.slac.stanford.edu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    [2048-bit modulus hex omitted]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:E4:B7:CF:CB:0A:94:74:A7:9C:AD:A8:12:04:3A:D0:29:5D:2E:FC:EE
            X509v3 Subject Key Identifier:
                A7:C1:08:7E:76:0D:D4:B6:61:1E:7A:2C:74:99:C6:8B:4F:B7:88:15
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 1.3.6.1.4.1.5923.1.4.3.1.1
                  CPS: https://www.incommon.org/cert/repository/cps_ssl.pdf
                Policy: 2.23.140.1.2.2
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.incommon-ecc.org/InCommonECCServerCA.crl
            Authority Information Access:
                CA Issuers - URI:http://cert.incommon-ecc.org/InCommonECCServerCA.crt
                OCSP - URI:http://ocsp.incommon-ecc.org
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7D:3E:F2:F8:8F:FF:88:55:68:24:C2:C0:CA:9E:52:89:
                                79:2B:C5:0E:78:09:7F:2E:6A:97:68:99:7E:22:F0:D7
                    Timestamp : Oct  1 22:01:54.987 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                [signature bytes omitted]
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 94:20:BC:1E:8E:D5:8D:6C:88:73:1F:82:8B:22:2C:0D:
                                D1:DA:4D:5E:6C:4F:94:3D:61:DB:4E:2F:58:4D:A2:C2
                    Timestamp : Oct  1 22:01:55.311 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                [signature bytes omitted]
            X509v3 Subject Alternative Name:
                DNS:smtpout.slac.stanford.edu, DNS:mailgate15.slac.stanford.edu, DNS:mailgate16.slac.stanford.edu, DNS:mailgate17.slac.stanford.edu
    Signature Algorithm: ecdsa-with-SHA256
         [signature bytes omitted]
    [PEM-encoded certificate omitted]

-- 
    Viktor.
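As an added illustration (not part of the thread above), here is a small Python correlator over the smtpd log pair quoted in the exchange. It keys on the OpenSSL convention that SSL_accept() returning 0 means the peer shut the handshake down cleanly, which is what the "SSL_accept error ...: 0" followed by "lost connection after STARTTLS" pair indicates: the client gave up, typically because it could not verify the server's chain. The log lines are a constructed sample based on the ones in the thread, with the wrapped lines rejoined.

```python
import re

# Constructed sample: the smtpd lines quoted in the thread, re-joined onto
# single lines, plus one unrelated successful handshake for contrast.
SAMPLE_LOG = """\
Jan 28 10:19:04 mailgate15 postfix/smtpd[10717]: setting up TLS connection from crowd-prod02.slac.stanford.edu[134.79.98.190]
Jan 28 10:19:04 mailgate15 postfix/smtpd[10717]: SSL_accept error from crowd-prod02.slac.stanford.edu[134.79.98.190]: 0
Jan 28 10:19:04 mailgate15 postfix/smtpd[10717]: lost connection after STARTTLS from crowd-prod02.slac.stanford.edu[134.79.98.190]
Jan 28 10:20:11 mailgate15 postfix/smtpd[10802]: setting up TLS connection from relay.example.net[192.0.2.7]
Jan 28 10:20:11 mailgate15 postfix/smtpd[10802]: Anonymous TLS connection established from relay.example.net[192.0.2.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = re.compile(r"from (?P<client>\S+\[[^\]]+\])")
RC = re.compile(r": (?P<rc>-?\d+)$")

def classify_starttls_failures(log_text):
    """Correlate TLS-related smtpd lines per (pid, client) and explain each
    'lost connection after STARTTLS'.  Returns [(client, verdict), ...]."""
    last_rc = {}      # (pid, client) -> SSL_accept return value, if logged
    findings = []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CLIENT.search(msg)
        if not c:
            continue
        key = (pid, c.group("client"))
        if msg.startswith("setting up TLS connection"):
            last_rc.pop(key, None)                  # fresh handshake
        elif msg.startswith("SSL_accept error"):
            last_rc[key] = int(RC.search(msg).group("rc"))
        elif msg.startswith("lost connection after STARTTLS"):
            rc = last_rc.pop(key, None)
            if rc == 0:
                # OpenSSL: SSL_accept() == 0 means the peer closed the
                # handshake cleanly, i.e. the client gave up (typically a
                # client-side certificate verification failure).
                verdict = ("client aborted handshake (SSL_accept returned 0); "
                           "check the client's trust store and whether the "
                           "server sends its intermediate CA")
            elif rc is not None:
                verdict = "SSL_accept failed with fatal error %d" % rc
            else:
                verdict = "connection dropped after STARTTLS, no handshake error logged"
            findings.append((key[1], verdict))
    return findings

if __name__ == "__main__":
    for client, verdict in classify_starttls_failures(SAMPLE_LOG):
        print(client, "->", verdict)
```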