6-GCM-SHA384 (256/256 bits)
The TLS handshake was completed successfully. The problem may not be
TLS-related.
> Jan 12 14:01:02 home postfix/submission/smtpd[7046]:
> lost connection after STARTTLS from unknown[10.5.2.1]
> Jan 12 14:01:02 home postfix/submission/smtpd[7046]:
> disco
lost connection after
STARTTLS from unknown[10.5.2.1]
Jan 12 14:01:02 home postfix/submission/smtpd[7046]: disconnect from
unknown[10.5.2.1] ehlo=1 starttls=1 commands=2
Some related config info:
I run my server with letsencrypt certificates.
- certbot certonly -a apache --agree-tos --staple
On 12 Jun 2020, at 01:11, Fourhundred Thecat <400the...@gmx.ch> wrote:
> But, on the other hand, who is still sending plaintext these days?
Nearly everyone using STARTTLS?
Someone who fails STARTTLS may then use SMTPS
> And why can't legitimate client use reasonable ciphers?
Define legitimate c
On Fri, 2020-06-12 at 09:11 +0200, Fourhundred Thecat wrote:
> > On 2020-06-12 08:57, Jeroen Geilman wrote:
> > - too many errors after .* from .*
> > - warning: non-SMTP command from .*
> >
> > While these do indicate badly-behaved clients, there is no reason
> > to assume evil intent.
The se
y anyway.
- lost connection after STARTTLS
What if the client could not match the server version or ciphers, and
has to disconnect to try plain SMTP again ?
There is no down-step after STARTTLS.
ok I see.
But, on the other hand, who is still sending plaintext these days?
And why can't legitima
block IP based on above examples. These errors
clearly indicate evil intent.
I also see many errors such as:
lost connection after STARTTLS
is it safe to block this command as well, or can this happen to a
legitimate client? In other words, in what situation would a legitimate
client generate
On Mon, Dec 17, 2018 at 01:28:56AM -0700, wp.rauchholz wrote:
> I am trying to get a webmail client up and running. It works fine w/o
> security settings. But when I try to implement STARTTLS on port 587 I lose
> connection to localhost as described in Subject.
Note that the "lost connection to
Wolfgang Paul Rauchholz skrev den 2018-12-17 13:06:
Unfortunately not.
I am using roundcubemail, there is nothing in the log files.
$config['default_host'] = 'ssl://localhost';
$config['default_port'] = 993;
$config['imap_conn_options'] = array(
'ssl' => array(
'verify_peer' => false,
Unfortunately not.
I am using roundcubemail, there is nothing in the log files.
Wolfgang
On Mon, Dec 17, 2018 at 12:48 PM Wietse Venema wrote:
> wp.rauchholz:
> > Good day.
> >
> > I am trying to get a webmail client up and running. It works fine w/o
> > security settings. But when I try to imp
wp.rauchholz:
> Good day.
>
> I am trying to get a webmail client up and running. It works fine w/o
> security settings. But when I try to implement STARTTLS on port 587 I lose
> connection to localhost as described in Subject.
Does the webmail client provide any clues about why it is hanging u
Good day.
I am trying to get a webmail client up and running. It works fine w/o
security settings. But when I try to implement STARTTLS on port 587 I lose
connection to localhost as described in Subject.
My config is the following:
CENTOS 7.6, postfix-2.10.1-7.el7.x86_64, dovecot-2.2.36-3.el7.x
On Sun, Jun 16, 2013 at 11:13:05AM +0200, Jan P. Kessler wrote:
> > Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
> > attribute in the Postfix policy table.
>
> Thanks, that worked (postfix 2.8.13):
>
> policy_table:
> [mxtls.allianz.com] verify protocols=SSLv3
Beside the point, yet possibly of interest:
On Sun, Jun 16, 2013 at 03:07:01AM +0200, Jan P. Kessler wrote:
> # /opt/vrnetze/openssl/bin/openssl s_client -connect
> mxtls.allianz.com:25 -starttls smtp
> CONNECTED(0004)
snip
> ---
> 250 HELP
> HELO mail.EXAMPLE.COM
> 250 mailgw.allianz.de Hello
Am 16.06.2013 05:00, schrieb Viktor Dukhovni:
> On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:
>
> > The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> > issue. Unfortunately now we see another problem with the outgoing
> > instance, trying to send to another
On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:
> The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> issue. Unfortunately now we see another problem with the outgoing
> instance, trying to send to another partner with mandatory TLS:
> mail.info] setting up TL
some additional information:
# /opt/vrnetze/openssl/bin/openssl s_client -connect
mxtls.allianz.com:25 -starttls smtp
CONNECTED(0004)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
Certification Authority
verify error:num=19:self signed certificate in certificate chain
verif
>> # openssl
>> ./Configure \
>> --prefix=${BASE}/openssl \
>> --openssldir=${BASE}/openssl \
>> solaris-sparcv9-cc
>> make; make install
>>
>> # postfix
>> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
>> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4
On Sat, Jun 15, 2013 at 12:07:26PM +0200, Jan P. Kessler wrote:
> # openssl
> ./Configure \
> --prefix=${BASE}/openssl \
> --openssldir=${BASE}/openssl \
> solaris-sparcv9-cc
> make; make install
>
> # postfix
> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
> -R/usr/lo
> The sender should replace their certificate, it is not compliant with
> TLSv1. This too may take time.
>
> I never enabled ask_ccert on port 25, I had used 587 for that (on a
> machine that nevertheless was not an MSA), and clients with special
> access configured via ccerts had to use a transpo
On Fri, Jun 14, 2013 at 05:53:03PM +0200, Jan P. Kessler wrote:
> >I would have expected SHA-2 support as of OpenSSL 1.0.0a.
>
> Ok, so the problem seems to be clear. The system uses an ancient
> openssl version (sunfreeware package):
>
> libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0
Signature Algorithm: sha256WithRSAEncryption
It looks like your OpenSSL library does not enable this via
OpenSSL_add_ssl_algorithms().
The use of certificates with signature algorithms other than MD5
and SHA-1 is supposed to be negotiated via TLSv1.2, plain SSLv3/TLSv1
do not have a way to neg
On Fri, Jun 14, 2013 at 12:24:39PM +0200, Jan P. Kessler wrote:
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] mail.dgverlag.de[145.253.80.6]: Untrusted:
> subject_CN=DGVDEX.DGVERLAG.DE, issuer=VR IDENT SSL CA 2011,
> fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:8
>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
>> mail.info] certificate verification failed for
>> mail.dgverlag.de[145.253.80.6]: untrusted issuer
>> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> Why do you check client certificates?
Because we authenticate/w
On Fri, Jun 14, 2013 at 12:24:39PM +0200, Jan P. Kessler wrote:
> currently we are experiencing problems with an incoming SMTP/TLS
> connection. Remote side is an Ironport device, we are using postfix
> 2.8.13 on solaris 10.
Please show "postconf -n".
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtp
Jan P. Kessler:
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:
> Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID
:error:0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown message digest
algorithm:a_verify.c:146:
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] lost connection after STARTTLS from
mail.dgverlag.de[145.253.80.6]
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]:
Am 07.12.2012 20:55, schrieb Wietse Venema:
> Robert Schetterer:
>> ---snip
> [bunch of end-user IP addresses]
>> Dec 7 19:41:34 mail02 postfix/smtpd[8315]: lost connection after
>> STARTTLS from host-111-184-248-207.dynamic.kbtelecom.net[111.184.248.207]
>> --snipe
Robert Schetterer:
> ---snip
[bunch of end-user IP addresses]
> Dec 7 19:41:34 mail02 postfix/smtpd[8315]: lost connection after
> STARTTLS from host-111-184-248-207.dynamic.kbtelecom.net[111.184.248.207]
> --snipend
>
> anyone else with this ?
> what might best to do , con
Hi, since days I have a lot of
lost connection after STARTTLS log entries, IPs look like a botnet
i.e
---snip
Dec 7 19:36:22 mail01 postfix/smtpd[32324]: lost connection after
STARTTLS from ip-77-221-82-102.kava.lt[77.221.82.102]
Dec 7 19:36:32 mail01 postfix/smtpd[2243]: lost connection
smtpd[2918]: SSL_accept error from
> ipxx.xxx.xxx.xx.cox.net[xx.xxx.xxx.xx]: -1
> Feb 16 20:39:41 mail postfix/smtpd[2918]: lost connection after
> STARTTLS from ipxx.xxx.xxx.xx.cox.net[xx.xxx.xxx.xx]
>
>
> *
> installed
> *
> Ubuntu 9.10
> postfix
t[xx.xxx.xxx.xx]: -1
Feb 16 20:39:41 mail postfix/smtpd[2918]: lost connection after
STARTTLS from ipxx.xxx.xxx.xx.cox.net[xx.xxx.xxx.xx]
*
installed
*
Ubuntu 9.10
postfix 2.6.5-3
libsasl2-2 2.1.23.dfsg1-1ubunt
dovecot-common 1:1.1.11-0ubuntu11
dovecot-imapd