On Sat, Oct 15, 2022 at 03:32:15PM +0200, Gerald Galster wrote:

> Just wanted to let you know that Outlook users might run into problems
> submitting mails after Microsoft's latest Windows update.
>
> Oct 15 14:49:42 mx1 postfix/submission/smtpd[25067]: connect from <redacted>
> Oct 15 14:49:42 mx1 postfix/submission/smtpd[25067]: SSL_accept error from <redacted>: lost connection
> Oct 15 14:49:42 mx1 postfix/submission/smtpd[25067]: lost connection after STARTTLS from <redacted>
>
> This occurs on submission port 587 (STARTTLS) and smtps port 465 (TLS).
>
> Since deinstalling the update no submission errors have occurred:
>
> - Update KB5018418 on Windows 11 (verified)
> - Update KB5018410 on Windows 10
>
> As an alternative disabling session tickets seems to help:
What does the Postfix server log for successful TLS handshakes with
updated clients when session tickets are disabled?  Something like
either of:

    Anonymous TLS connection established from ...: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Anonymous TLS connection established from ...: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

Any chance you could provide (off-list if you prefer) a PCAP recording
of a good and a problem TLS session?

    # tcpdump -s 0 -w /tmp/pick-a-name.pcap tcp port 587
    ^C (after trying a client connection)
    #

Then look for TCP SYN packets to list individual connections captured,
and figure out which connection matches the client test, noting its TCP
source port number:

    # tcpdump -nr /tmp/pick-a-name.pcap 'tcp[13] & 0x12 == 0x2'

Then extract just that connection from the capture:

    # port=...the actual number...
    # cd /tmp
    # tcpdump -s0 -r pick-a-name.pcap -w wanted.pcap tcp port $port

Share the "wanted.pcap" (or whatever you named it) file.  The only
potentially "sensitive" information from the client will be its IP
address and EHLO name.  The server reply will contain its certificate.

-- 
    Viktor.
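As an added illustration (not part of the original thread), the two tcpdump selection steps above, listing client SYNs with `tcp[13] & 0x12 == 0x2` and then pulling out one connection by port, implemented against the classic pcap format in pure Python so they can be checked without tcpdump. The capture it parses is constructed inline: two submission handshakes and one unrelated SYN to port 25.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # little-endian classic pcap magic; link type 1 = Ethernet

def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample data, not a real capture)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp
def build_pcap(frames):
    """Serialise frames as a pcap file: 24-byte global header, then 16-byte record header + frame."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
def iter_frames(pcap):
    """Yield raw frames, checking the magic and stopping cleanly at a truncated last record (^C)."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<IIII", pcap[off:off + 16])[2]
        off += 16
        if off + incl_len > len(pcap):
            break
        yield pcap[off:off + incl_len]
        off += incl_len
def tcp_fields(frame):
    """Return (src_ip, dst_ip, sport, dport, tcp_flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet and the IHL-sized IP header
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34])), sport, dport, tcp[13])
def list_syn_connections(pcap, server_port=587):
    """Same selection as tcpdump 'tcp[13] & 0x12 == 0x2': SYN set, ACK clear, one entry per client."""
    return [(t[0], t[2]) for f in iter_frames(pcap)
            if (t := tcp_fields(f)) and t[3] == server_port and t[4] & 0x12 == 0x02]
def extract_connection(pcap, port):
    """Same selection as tcpdump 'tcp port $port': keep frames using that port in either direction."""
    return build_pcap([f for f in iter_frames(pcap) if (t := tcp_fields(f)) and port in (t[2], t[3])])

SAMPLE_PCAP = build_pcap([  # constructed capture, addresses from the documentation ranges
    build_frame("192.0.2.10", "198.51.100.1", 51000, 587, 0x02),   # client 1 SYN
    build_frame("198.51.100.1", "192.0.2.10", 587, 51000, 0x12),   # server SYN-ACK
    build_frame("192.0.2.10", "198.51.100.1", 51000, 587, 0x10),   # client 1 ACK
    build_frame("192.0.2.20", "198.51.100.1", 51001, 587, 0x02),   # client 2 SYN
    build_frame("192.0.2.20", "198.51.100.1", 51002, 25, 0x02),    # SYN to port 25, not wanted
])
```

`list_syn_connections(SAMPLE_PCAP)` yields one (ip, port) pair per client, and `extract_connection(SAMPLE_PCAP, 51000)` returns a pcap holding only that client's three frames.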