On Sat, Apr 15, 2023 at 10:09:10PM +0300, Oleksandr wrote:
> Sorry, I temporarily changed the IP camera to 192.168.8.144, but it doesn't 
> affect anything.
> 
> So, I executed the command:
> 
>     # tcpdump -s0 -w file.pcap tcp port 465 and host 192.168.8.144
> 
> The result is in the attachment.

The client supports TLS 1.0 with a limited set of ciphersuites:

    Transport Layer Security
        SSLv3 Record Layer: Handshake Protocol: Client Hello
            Content Type: Handshake (22)
            Version: SSL 3.0 (0x0300)
            Length: 55
            Handshake Protocol: Client Hello
                Handshake Type: Client Hello (1)
                Length: 51
                Version: TLS 1.0 (0x0301)
                Random: 
643aedd813189fd74ec0ef915094bebebebb74c09b93cc7b9d984b33c28fd008
                    GMT Unix Time: Apr 15, 2023 14:32:56.000000000 EDT
                    Random Bytes: 
13189fd74ec0ef915094bebebebb74c09b93cc7b9d984b33c28fd008
                Session ID Length: 0
                Cipher Suites Length: 12
                Cipher Suites (6 suites)
                    Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                    Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                    Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                    Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_SHA (0x0005)
                    Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
                Compression Methods Length: 1
                Compression Methods (1 method)
                    Compression Method: null (0)

The server is willing to play along:

    Transport Layer Security
        TLSv1 Record Layer: Handshake Protocol: Server Hello
            Content Type: Handshake (22)
            Version: TLS 1.0 (0x0301)
            Length: 74
            Handshake Protocol: Server Hello
                Handshake Type: Server Hello (2)
                Length: 70
                Version: TLS 1.0 (0x0301)
                Random: 
0376d4184cd187ce744acee1fd1a08ff75d69a189ee42860444f574e47524400
                    GMT Unix Time: Nov  4, 1971 11:13:12.000000000 EST
                    Random Bytes: 
4cd187ce744acee1fd1a08ff75d69a189ee42860444f574e47524400
                Session ID Length: 32
                Session ID: 
37172fb3722f19f410f9820447f1f980e7809a69d0735e59e0ed86b43e8dc749
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Compression Method: null (0)

The server hello is sent together with a self-signed certificate and a
2048-bit DH key exchange message, and the client hangs up (sends a TCP
RST).

The certificate issuer and subject names are:

    RDNSequence item: 1 item (id-at-countryName=CN)
    RDNSequence item: 1 item (id-at-stateOrProvinceName=GuangDong)
    RDNSequence item: 1 item (id-at-localityName=ShenZhen)
    RDNSequence item: 1 item (id-at-organizationName=mailserver.mail.lan)
    RDNSequence item: 1 item (id-at-organizationalUnitName=IT)
    RDNSequence item: 1 item (id-at-commonName=mailserver.mail.lan)
    RDNSequence item: 1 item (pkcs-9-at-emailAddress=r...@mailserver.mail.lan)

Perhaps the camera actually wants to verify the certificate (WebPKI CA
issued)?

The validity dates are:

    notBefore: utcTime (0)
        utcTime: 2023-04-14 17:12:00 (UTC)
    notAfter: utcTime (0)
        utcTime: 2033-04-11 17:12:00 (UTC)

The public key modulus is:

    e2356b12d6dfd18b4aae39cdbdef295d4a91d0b9d974543506377b1704c4145e
    d555df8c38d07d9a8f08e59cd4ba9831344ec3da0abcde707102c18626717512
    36dd38c6d34c7ef7763ffe36b036b0d89972156bf0ab8ec8e5dc2815765888cb
    2f3203425bc53f8d38d045da6a6ff37d69814f0cf87e4f6893abe7e4234eb35a
    2014688a644f15de8510b364b86e7c51d2f36d2a0a0e2b834241f2158f0ea9ec
    7645d4f8d0a92213a0494a6b60e71d0ad62ae03db6fd10b634bdd63ad212e965
    d25f31fc1c2cc2b4b3f28cedfc12007b4b4b4b6e53257db464373f8e53348064
    d82e7fb440d8bbf5e4d8d14e435ce6030b43afc8e121f7b0f35551993029ba57
    1245cce875eef43693bec5baa4ffb6d4b2d1575f95fdb6f136c98ef23510b1ba
    0e09dedd811267836bf6049359fd0a8a8b68929ef8ebade5d9aab0aafc9a4f6f
    81955b06b55f312106d46e589794ef941bc97fe728c16271fa1bb4dc38b7560a
    eb56f53a34bc635b6765978e3ef57d74e95a190603037b708b3b7cec618a3180
    6b166c303608a34bea95c2e3076690d4cdfddb3de9467eca902c12e8e4cba1d1
    739efb07e1f2a14588272dceaa844231a6cf4ef3ce78c6817e8e3545a2ccfbf1
    988ef459180e997933896e53d7d34c6bb64b175e3e4092a0106e50d1e599f166
    5343976f0a45104cce83cac3649f209f5f3fd86ec118d8204732c8965e1afb01

which at 4096 bits is both silly and perhaps too large for the camera to
support.  If you need that level of security, you shouldn't be using
RSA.  The self-signature is sha256WithRSAEncryption; perhaps the camera
only supports SHA1?

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
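To make the dissection above concrete, here is an added Python parser (not from this thread and not Postfix code) that decodes the camera's Client Hello, reconstructed as constructed bytes from the Wireshark output quoted above, and lists the deprecated protocol version and weak suites it offers; the suite-name table and the weakness rules are the example's own assumptions.

```python
import struct

# Constructed bytes reproducing the camera's Client Hello record quoted above.
CAMERA_CLIENT_HELLO = bytes.fromhex(
    "16 0300 0037"  # record: handshake(22), record version SSL 3.0, length 55
    "01 000033"     # handshake: ClientHello(1), length 51
    "0301"          # client_version: TLS 1.0
    "643aedd813189fd74ec0ef915094bebebebb74c09b93cc7b9d984b33c28fd008"  # random
    "00 000c 0039 0016 0035 000a 0005 0004"  # no session id; 6 cipher suites
    "01 00"         # compression_methods: null only
)
SUITE_NAMES = {  # assumed lookup table covering the suites seen in the capture
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Decode one TLS record carrying a ClientHello (pre-TLS-1.3 layout, extensions ignored)."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 22 or rec_len != len(record) - 5:
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if hs[0] != 1 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    version, gmt_unix_time = struct.unpack("!HI", body[:6])  # version + first 4 random bytes
    pos = 34                                                  # 2 version + 32 random
    sid_len, pos = body[pos], pos + 1
    session_id, pos = body[pos:pos + sid_len], pos + sid_len
    cs_len, pos = struct.unpack("!H", body[pos:pos + 2])[0], pos + 2
    suite_ids = struct.unpack("!%dH" % (cs_len // 2), body[pos:pos + cs_len])
    pos += cs_len
    cm_len, pos = body[pos], pos + 1
    return {
        "version": VERSION_NAMES.get(version, hex(version)),
        "gmt_unix_time": gmt_unix_time,  # RFC 2246 client clock, when the client fills it in
        "session_id": session_id,
        "cipher_suites": [SUITE_NAMES.get(s, hex(s)) for s in suite_ids],
        "compression_methods": list(body[pos:pos + cm_len]),
    }

def legacy_findings(info: dict) -> list:
    """List what a server with a current TLS policy would refuse from this offer (assumed rules)."""
    weak = [n for n in info["cipher_suites"] if "RC4" in n or "3DES" in n or n.endswith("_MD5")]
    old = [info["version"]] if info["version"] in ("SSL 3.0", "TLS 1.0", "TLS 1.1") else []
    return ["deprecated protocol " + v for v in old] + ["weak suite " + n for n in weak]
```

The decoded `gmt_unix_time` (1681583576) is the Apr 15, 2023 18:32:56 UTC timestamp Wireshark showed in EDT, so this camera does fill in the RFC 2246 clock field, unlike the server's 1971 value.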
