Hi Viktor and everyone else - replying with more information inline...

> On Aug 2, 2023, at 9:33 AM, Viktor Dukhovni via Postfix-users
> <postfix-users@postfix.org> wrote:
>
> On Wed, Aug 02, 2023 at 01:26:43AM -0400, Charles Sprickman via Postfix-users
> wrote:
>
>> [root@mail /usr/local/etc/postfix]# postconf -n |grep smtpd_tls
>> smtpd_tls_auth_only = no
>> smtpd_tls_cert_file = /usr/local/etc/dehydrated/certs/foo/fullchain.pem
>> smtpd_tls_key_file = /usr/local/etc/dehydrated/certs/foo/privkey.pem
>> smtpd_tls_loglevel = 1
>> smtpd_tls_received_header = yes
>> smtpd_tls_security_level = may
>
> Any tweaks to OpenSSL fine-tuning 'tls_*' variables?

Nope, expanding the grep:

[root@mail /usr/local/etc/postfix]# postconf -n |grep tls
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /usr/local/etc/dehydrated/certs/ANON/fullchain.pem
smtpd_tls_key_file = /usr/local/etc/dehydrated/certs/ANON/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
[root@mail /usr/local/etc/postfix]#

>> Aug 2 01:18:56 mail postfix/smtpd[28114]: < pool-ANON.fios.verizon.net[10.10.10.2]: STARTTLS
>> Aug 2 01:18:56 mail postfix/smtpd[28114]: > pool-ANON.fios.verizon.net[10.10.10.2]: 220 2.0.0 Ready to start TLS
>> Aug 2 01:18:56 mail postfix/smtpd[28114]: SSL_accept error from pool-ANON.fios.verizon.net[10.10.10.2]: -1
>> Aug 2 01:18:56 mail postfix/smtpd[28114]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:/usr/src/crypto/openssl/ssl/statem/statem_srvr.c:2285:
>>
>> I'm lost here - Dell doesn't really document what they're trying to do
>> and the OpenSSL stuff doesn't seem to be coughing up a whole lot of
>> info to give me a hint as to what cipher is being tried so I can allow
>> it...
>
> Most likely RC4-SHA or RC4-MD5 (if even more ancient). A tcpdump
> full packet capture PCAP file + tshark will tell the whole story.

I grabbed this, then trimmed out the higher level stuff just leaving the TLS section.

Client Hello:

Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.2 (0x0303)
        Length: 108
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 104
            Version: TLS 1.2 (0x0303)
            Random: 64cb1779c96a5caa9f2658d70585b88e14f1d93e05d2c2e3f2a46dc79e338a21
                GMT Unix Time: Aug 2, 2023 22:56:57.000000000 EDT
                Random Bytes: c96a5caa9f2658d70585b88e14f1d93e05d2c2e3f2a46dc79e338a21
            Session ID Length: 0
            Cipher Suites Length: 42
            Cipher Suites (21 suites)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)
                Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)
                Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)
                Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
            Compression Methods Length: 1
            Compression Methods (1 method)
                Compression Method: null (0)
            Extensions Length: 21
            Extension: renegotiation_info (len=1)
                Type: renegotiation_info (65281)
                Length: 1
                Renegotiation Info extension
                    Renegotiation info extension length: 0
            Extension: signature_algorithms (len=12)
                Type: signature_algorithms (13)
                Length: 12
                Signature Hash Algorithms Length: 10
                Signature Hash Algorithms (5 algorithms)
                    Signature Algorithm: rsa_pkcs1_sha256 (0x0401)
                        Signature Hash Algorithm Hash: SHA256 (4)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha384 (0x0501)
                        Signature Hash Algorithm Hash: SHA384 (5)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: rsa_pkcs1_sha512 (0x0601)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: RSA (1)
                    Signature Algorithm: SHA1 DSA (0x0202)
                        Signature Hash Algorithm Hash: SHA1 (2)
                        Signature Hash Algorithm Signature: DSA (2)
            [JA3 Fullstring: 771,53-61-132-47-60-65-10-57-107-136-51-103-69-22-56-106-135-50-64-68-19,65281-13,,]
            [JA3: 8fcb0c5cce95e7066eb265f48042f93c]

Server response:

Transport Layer Security
    TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
        Content Type: Alert (21)
        Version: TLS 1.2 (0x0303)
        Length: 2
        Alert Message
            Level: Fatal (2)
            Description: Handshake Failure (40)

Seems like the client is offering a ton of options... but I'm a little hazy on TLS overall.

>> How can I troubleshoot this a bit more?
>
> What version of OpenSSL is Postfix linked with? ($ openssl version -v)
> Sufficiently new OpenSSL may have dropped support for RC4 in TLS.

[root@mail /usr/local/etc/postfix]# ldd /usr/local/sbin/postfix |grep ssl
        libssl.so.111 => /usr/lib/libssl.so.111 (0x80131e000)
[root@mail /usr/local/etc/postfix]# openssl version
OpenSSL 1.1.1l-freebsd  24 Aug 2021

>
> On Wed, Aug 02, 2023 at 04:56:40PM +1000, Phil Biggs via Postfix-users wrote:
>
>> I read somewhere recently that alert encryption is only supported on
>> the iDRAC9 and later and only after a firmware update.
>
> The iDRAC is trying to use STARTTLS, so encrypted SMTP transport appears
> to be supported. As noted by others, it may be simplest to not offer
> it STARTTLS (smtpd_discard_ehlo_keyword_address_maps).

I'll use that as a fallback, but I still kind of hate sending my relay account's user/pass cleartext across the internet...

Thanks,

Charles

>
> --
>     Viktor.
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
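An added check, not from the thread or from Postfix, that reads the JA3 fullstring tshark printed for the iDRAC Client Hello above and works out which of the 21 offered suites a server could actually negotiate given its certificate key type and enabled suite IDs; the server profiles it is run against are constructed assumptions, not this server's real configuration. The point it makes is that every offered suite is plain RSA, DHE_RSA or DHE_DSS key exchange with no ECDHE/ECDSA suite and no elliptic_curves extension, so a server presenting only an ECDSA certificate has nothing in common with this client, which is one way to end up at OpenSSL's "no shared cipher".

```python
# Added example (not from the thread): which of the client's offered suites
# a server could negotiate, given its certificate key type and enabled suites.
# CLIENT_JA3 is the JA3 fullstring tshark printed for the iDRAC Client Hello;
# the server profiles under __main__ are constructed assumptions.

CLIENT_JA3 = ("771,53-61-132-47-60-65-10-57-107-136-51-103-69-22-56-106-135-50-64-68-19,"
              "65281-13,,")

# Key-exchange class of each offered suite, per the TLS_*_WITH_* names in the
# dump (JA3 lists suite IDs in decimal, so 0x0035 appears as 53).
KX_CLASS = {
    **{s: "RSA" for s in (53, 61, 132, 47, 60, 65, 10)},        # TLS_RSA_WITH_*
    **{s: "DHE_RSA" for s in (57, 107, 136, 51, 103, 69, 22)},  # TLS_DHE_RSA_WITH_*
    **{s: "DHE_DSS" for s in (56, 106, 135, 50, 64, 68, 19)},   # TLS_DHE_DSS_WITH_*
}

# Certificate key type each class needs. There is no ECDSA entry because the
# client offered no ECDHE_ECDSA suite (and no elliptic_curves extension).
CERT_FOR_CLASS = {"RSA": "RSA", "DHE_RSA": "RSA", "DHE_DSS": "DSA"}


def parse_ja3(ja3):
    """Split a JA3 fullstring into (tls version, [suite ids], [extension ids])."""
    version, suites, exts, _curves, _point_fmts = ja3.split(",")

    def to_ints(field):
        return [int(x) for x in field.split("-")] if field else []

    return int(version), to_ints(suites), to_ints(exts)


def negotiable(client_ja3, server_cert_key, server_suites):
    """Suites both sides enable and the server's certificate can serve, in the
    client's preference order. An empty list is OpenSSL's 'no shared cipher'."""
    _, client_suites, _ = parse_ja3(client_ja3)
    return [s for s in client_suites
            if s in server_suites
            and CERT_FOR_CLASS.get(KX_CLASS.get(s)) == server_cert_key]


if __name__ == "__main__":
    # Constructed server profile: a handful of AES-CBC suites enabled.
    enabled = {53, 61, 47, 60, 57, 107, 51, 103}
    for key_type in ("RSA", "ECDSA"):
        result = negotiable(CLIENT_JA3, key_type, enabled)
        print(f"{key_type} certificate -> {result or 'no shared cipher'}")
```

Checking what key type the certificate in smtpd_tls_cert_file actually carries is the corresponding step on the server side; the script only tells you which answer would explain the alert.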