SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Ralf Hildebrandt
Since my upgrade to 2.12-20141013, I'm getting an unusual amount of those in my mailq output: 3jHGY70x2gzBs34 3230 Tue Oct 14 14:39:39 sen...@charite.de (TLS is required, but unavailable) cbsx...@ente

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Ralf Hildebrandt
* Ralf Hildebrandt : > Since my upgrade to 2.12-20141013, I'm getting an unusual amount of those in > my mailq output: With 2.12-20141001 (same config!) Oct 15 11:05:34 mail2 postfix/smtp[5903]: Host offered STARTTLS: [smtp.entelnet.bo] Oct 15 11:05:35 mail2 postfix/smtp[5903]: 3jHGY70x2gzBs34:

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread A. Schulze
Ralf Hildebrandt: > When I have more time I can test other versions in between. You may force the problematic destination to plaintext (smtp_tls_policy_maps) or ignore the STARTTLS announcement (smtp_discard_ehlo_keyword_address_maps). Both not perfect, but workarounds ... Andreas

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Ralf Hildebrandt
* A. Schulze : > > Ralf Hildebrandt: > > >When I have more time I can test other versions in between. > > you may force problematic destination to plaintext (smtp_tls_policy_maps) or > ignore the STARTTLS announcement (smtp_discard_ehlo_keyword_address_maps) Well yes. > both not perfect but w

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Ralf Hildebrandt
* Ralf Hildebrandt : > * Ralf Hildebrandt : > > Since my upgrade to 2.12-20141013, I'm getting an unusual amount of those > > in my mailq output: > > With 2.12-20141001 (same config!) I *JUST* found that the change was introduced between postfix-2.12-20141009 (working) and postfix-2.12-20141011

Re: Bare HELO/EHLO

2014-10-15 Thread Charles Marcus
On 10/14/2014 6:36 PM, Benny Pedersen wrote: > But post at least postconf -n on pastebin please don't... Many people will not click on links to unknown things, and it breaks historical references (the links may/will not work forever). Always paste these things inline...

Re: mailboxes_search_base is missing

2014-10-15 Thread Téssio Fechine
Thanks for the fast reply. You really helped me a lot. 2014-10-14 23:04 GMT-03:00 Viktor Dukhovni : > On Tue, Oct 14, 2014 at 09:18:36PM -0300, Téssio Fechine wrote: > > > I'm trying to configure postfix with ldap, and the howto I'm following uses > > the mailboxes_search_base parameter. > > See "

Re: MacOS X 10.7 (Darwin 11) makedefs patch

2014-10-15 Thread Wietse Venema
Viktor Dukhovni: > > This should fix compilation issues with MacOS X 10.7 aka Darwin > 11, for Postfix 2.11 and 2.12 snapshots. There is probably little > reason to retrofit 2.8--2.10, if you feel that's warranted to > include in some future patch release, these would need a patch > introducing t

SSL v3

2014-10-15 Thread Luigi Rosa
Just to be on the safe side, is it worth disabling SSL v3 on STARTTLS-enabled Postfix configurations? If yes, what is the proper way to do it? Thank you in advance. Ciao, luigi - -- / +--[Luigi Rosa]-- \ Computer Engineers do it bit by bit. ---

Re: SSL v3

2014-10-15 Thread li...@rhsoft.net
On 15.10.2014 at 17:53, Luigi Rosa wrote: > Just to be on the safe side, is it worth disabling SSL v3 on STARTTLS-enabled Postfix configurations? > If yes, what is the proper way to do it? If you don't need to support really old clients: smtpd_tls_protocols = !SSLv2 !SSLv3

Re: SSL v3

2014-10-15 Thread Luigi Rosa
li...@rhsoft.net wrote on 15/10/2014 17:57: > if you don't need to support really old clients smtpd_tls_protocols = > !SSLv2 !SSLv3 Thanks! Ciao, luigi - -- / +--[Luigi Rosa]-- \ God isn't dead, he just couldn't find a parking place.

Re: SSL v3

2014-10-15 Thread Mike Cardwell
* on the Wed, Oct 15, 2014 at 05:53:31PM +0200, Luigi Rosa wrote: > Just to be on the safe side, is it worth disabling SSL v3 on STARTTLS-enabled > Postfix configurations? FWIW, I don't think POODLE would work against SMTP traffic. POODLE relies on a MITM being able to persuade the client to sen

Re: SSL v3

2014-10-15 Thread Luigi Rosa
Mike Cardwell wrote on 15/10/2014 19:08: > I'd be interested to hear figures regarding how much traffic would change > from being encrypted to plain text if SSLv3 was dropped for SMTP... My humble opinion about the delta: zero. I prefer to disable S

Re: SSL v3

2014-10-15 Thread li...@rhsoft.net
On 15.10.2014 at 19:18, Luigi Rosa wrote: > Mike Cardwell wrote on 15/10/2014 19:08: > > I'd be interested to hear figures regarding how much traffic would change > > from being encrypted to plain text if SSLv3 was dropped for SMTP... > My humble opinion about the delta: zero. I prefer to disable SSLv

Re: SSL v3

2014-10-15 Thread Robert Schetterer
On 15.10.2014 at 19:23, li...@rhsoft.net wrote: > anybody experience if Outlook 2003 at least under Win7 speaks TLS1.0 > out of the box that should be an exotic combi, but wait and see; I disabled it today, perhaps somebody will want support Best Regards MfG Robert Schetterer -- [*] sys4 AG http

Re: SSL v3

2014-10-15 Thread Wietse Venema
li...@rhsoft.net: > > On 15.10.2014 at 17:53, Luigi Rosa wrote: > > Just to be on the safe side, is it worth disabling SSL v3 on > > STARTTLS-enabled > > Postfix configurations? > > > > If yes, what is the proper way to do it? > > if you don't need to support really old clients > smtpd_tls_pro

Re: SSL v3

2014-10-15 Thread Mike Cardwell
* on the Wed, Oct 15, 2014 at 07:18:54PM +0200, Luigi Rosa wrote: >> I'd be interested to hear figures regarding how much traffic would change >> from being encrypted to plain text if SSLv3 was dropped for SMTP... > > My humble opinion about the delta: zero. > > I prefer to disable SSLv3 to prev

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 11:08:19AM +0200, Ralf Hildebrandt wrote: > * Ralf Hildebrandt : > > Since my upgrade to 2.12-20141013, I'm getting an unusual amount of those > > in my mailq output: > > With 2.12-20141001 (same config!) > > Oct 15 11:05:34 mail2 postfix/smtp[5903]: Host offered STARTTL

Re: SSL v3

2014-10-15 Thread li...@rhsoft.net
On 15.10.2014 at 19:36, Robert Schetterer wrote: > On 15.10.2014 at 19:23, li...@rhsoft.net wrote: > > anybody experience if Outlook 2003 at least under Win7 speaks TLS1.0 out of the box > that should be an exotic combi, but wait and see; I disabled it today, perhaps somebody will want support well

Re: SSL v3

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 05:53:31PM +0200, Luigi Rosa wrote: > Just to be on the safe side, is it worth disabling SSL v3 on STARTTLS-enabled > Postfix configurations? The attacks in question are HTTP-specific, and apply primarily when clients employ SSLv3 fallback after failing with TLS 1.2 or TL

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Wietse Venema
Viktor Dukhovni: > On Wed, Oct 15, 2014 at 11:08:19AM +0200, Ralf Hildebrandt wrote: > > > * Ralf Hildebrandt : > > > Since my upgrade to 2.12-20141013, I'm getting an unusual amount of those > > > in my mailq output: > > > > With 2.12-20141001 (same config!) > > > > Oct 15 11:05:34 mail2 postf

Re: SSL v3

2014-10-15 Thread Robert Schetterer
On 15.10.2014 at 19:55, li...@rhsoft.net wrote: > > On 15.10.2014 at 19:36, Robert Schetterer wrote: >> On 15.10.2014 at 19:23, li...@rhsoft.net wrote: >>> anybody experience if Outlook 2003 at least under Win7 speaks TLS1.0 >>> out of the box >> >> that should be an exotic combi, but wait and

Re: SSL v3

2014-10-15 Thread Luigi Rosa
Viktor Dukhovni wrote on 15/10/2014 19:58: > This might break support for older versions of Outlook/Outlook Express > (Windows XP?). That leads to another issue, probably a bit off-topic: which is better, good backward compatibility or good security? I

Re: SSL v3

2014-10-15 Thread Robert Schetterer
On 15.10.2014 at 19:58, Viktor Dukhovni wrote: > If you disable SSL 3.0, you won't be able to complete TLS handshakes > with some older, but still in use email security appliances (recent > sightings of these at some banks on the list this year IIRC) should not harm too much in opportunistic mode

Re: SSL v3

2014-10-15 Thread li...@rhsoft.net
On 15.10.2014 at 20:04, Luigi Rosa wrote: Viktor Dukhovni wrote on 15/10/2014 19:58: This might break support for older versions of Outlook/Outlook Express (Windows XP?). That leads to another issue, probably a bit off-topic: which is better, good b

Re: SSL v3

2014-10-15 Thread Wietse Venema
li...@rhsoft.net: > the problem is that way too many developers out there are unwilling to > draw a line between core functions / security and other changes > affecting the user experience and postfix is *the* software project > which proves over many years that you don't need to break anything

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 02:00:35PM -0400, Wietse Venema wrote: > This means the host announced STARTTLS, smtp_tls_ctx was non-null, and > the TLS level was "none". Oops, ignoring a STARTTLS offer with "level = none" misfires as a local configuration error: diff --git a/src/smtp/smtp_trouble.c b

POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Grant
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

The above is said to work with:

smtpd_tls_security_level = encrypt

but does it work with:

smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

- Grant

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 11:27:04AM -0700, Grant wrote: > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 > > The above is said to work with: > > smtpd_tls_security_level = encrypt Correct, since at that security level TLS is mandatory. > but does it work with: > > smtpd_tls_security_level = ma

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Wietse Venema
Viktor Dukhovni: > On Wed, Oct 15, 2014 at 02:00:35PM -0400, Wietse Venema wrote: > > > This means the host announced STARTTLS, smtp_tls_ctx was non-null, and > > the TLS level was "none". > > Oops, ignoring a STARTTLS offer with "level = none" misfires as a > local configuration error: > > dif

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 04:06:11PM -0400, Wietse Venema wrote: > > Oops, ignoring a STARTTLS offer with "level = none" misfires as a > > local configuration error: > > > > diff --git a/src/smtp/smtp_trouble.c b/src/smtp/smtp_trouble.c > > index c323a91..044ab3a 100644 > > --- a/src/smtp/smtp_trou

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Wietse Venema
Viktor Dukhovni: > On Wed, Oct 15, 2014 at 04:06:11PM -0400, Wietse Venema wrote: > > Does this mean that smtp_trouble() is called when TLS is "none"? > > Yes, unfortunately when STARTTLS is offered, but not used. As a > safety measure we could add an early return to smtp_trouble and > not call

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread A. Schulze
Viktor Dukhovni: POODLE is not an SMTP attack. No need to panic. Disabling SSL 3.0 may feel good, but the net effect is slightly negative, since you'll now use cleartext with SSLv3-only SMTP peers. to calculate the damage, count: < inbound > # grep 'TLS connection established from' /var/lo

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Wietse Venema
Wietse Venema: > Viktor Dukhovni: > > On Wed, Oct 15, 2014 at 04:06:11PM -0400, Wietse Venema wrote: > > > Does this mean that smtp_trouble() is called when TLS is "none"? > > > > Yes, unfortunately when STARTTLS is offered, but not used. As a > > safety measure we could add an early return to s

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Robert Schetterer
On 15.10.2014 at 22:44, A. Schulze wrote: > > Viktor Dukhovni: > >> POODLE is not an SMTP attack. No need to panic. Disabling SSL >> 3.0 may feel good, but the net effect is slightly negative, since >> you'll now use cleartext with SSLv3-only SMTP peers. > > to calculate the damage, count: >

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Harald Koch
On 15 October 2014 17:06, Robert Schetterer wrote: > > doesn't look like losing much here > > 4 SSLv3 > 22353 TLSv1 > > 2 SSLv3 > 17664 TLSv1 > > When I did this I saw about the same number of SSLv3 connections so I looked at them in detail and every one was a SPAM attempt. (RC4 on the other hand

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Robert Schetterer
On 15.10.2014 at 23:11, Harald Koch wrote: > On 15 October 2014 17:06, Robert Schetterer > wrote: > > > doesn't look like losing much here > > 4 SSLv3 > 22353 TLSv1 > > 2 SSLv3 > 17664 TLSv1 > > > When I did this I saw about the same number of SSLv3 c

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 11:06:14PM +0200, Robert Schetterer wrote: > > Viktor Dukhovni: > > > >> POODLE is not an SMTP attack. No need to panic. Disabling SSL > >> 3.0 may feel good, but the net effect is slightly negative, since > >> you'll now use cleartext with SSLv3-only SMTP peers. > > >

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread A. Schulze
Harald Koch: (RC4 on the other hand - Google and Yahoo are both still using it by default... *sigh.) If *you* disable RC4, they *will* use other ciphers ...

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 04:54:55PM -0400, Wietse Venema wrote: > > > + } else if (session->tls->level != TLS_LEV_NONE) { > > That should be: session->tls->level > TLS_LEV_MAY, i.e. the condition > that "TLS is required". Actually, we also need to call smtp_tls_trouble with MAY, when the failure

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Wietse Venema
Viktor Dukhovni: > On Wed, Oct 15, 2014 at 04:54:55PM -0400, Wietse Venema wrote: > > > > > + } else if (session->tls->level != TLS_LEV_NONE) { > > > > That should be: session->tls->level > TLS_LEV_MAY, i.e. the condition > > that "TLS is required". > > Actually, we also need to call smtp_

Re: SSL Problem with 2.12-20141013 (TLS is required, but unavailable)

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 05:38:55PM -0400, Wietse Venema wrote: > Viktor Dukhovni: > > On Wed, Oct 15, 2014 at 04:54:55PM -0400, Wietse Venema wrote: > > > > > > > + } else if (session->tls->level != TLS_LEV_NONE) { > > > > > > That should be: session->tls->level > TLS_LEV_MAY, i.e. the condit

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread li...@rhsoft.net
On 15.10.2014 at 23:06, Robert Schetterer wrote: On 15.10.2014 at 22:44, A. Schulze wrote: Viktor Dukhovni: POODLE is not an SMTP attack. No need to panic. Disabling SSL 3.0 may feel good, but the net effect is slightly negative, since you'll now use cleartext with SSLv3-only SMTP peers.

Feature backed out (SSL Problem with 2.12-20141013...)

2014-10-15 Thread Wietse Venema
I have backed out the TLS fall-back feature that is having problems. postfix-2.12-20141015 should be OK. In the meantime, Viktor and I will iron out the wrinkles starting with postfix-2.12-20141015-nonprod. Wietse

Re: limit sender based on IP and email address

2014-10-15 Thread CSS
On Sep 23, 2014, at 3:40 AM, Robert Schetterer wrote: > On 23.09.2014 at 09:28, CSS wrote: >> I'm having a hard time copying something I did in qmail (using some >> random patch). >> >> I've got four postfix instances, two used exclusively for submission >> (all outbound email from us), two as m

Re: SSL v3

2014-10-15 Thread LuKreme
On 15 Oct 2014, at 11:08 , Mike Cardwell wrote: > I'd be interested to hear figures regarding how much traffic would > change from being encrypted to plain text if SSLv3 was dropped for > SMTP... Well, my server has it enabled and it's used. I don't think there's a problem with it for smtpd. Th

Re: SSL v3

2014-10-15 Thread Viktor Dukhovni
On Wed, Oct 15, 2014 at 10:11:55PM -0600, LuKreme wrote: > This is what my home connection to my server looks like: > > submit-tls/smtpd[10060]: xx.xx.xx.xx: reloaded session > EB75...&s=submission&l=268439711 from smtpd cache > submit-tls/smtpd[10060]: SSL_accept:SSLv3 read client hello A > sub

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Robert Schetterer
On 15.10.2014 at 23:32, Viktor Dukhovni wrote: > On Wed, Oct 15, 2014 at 11:06:14PM +0200, Robert Schetterer wrote: > >>> Viktor Dukhovni: >>> POODLE is not an SMTP attack. No need to panic. Disabling SSL 3.0 may feel good, but the net effect is slightly negative, since you'll no

Re: POODLE: smtpd_tls_mandatory_protocols question

2014-10-15 Thread Viktor Dukhovni
On Thu, Oct 16, 2014 at 07:14:52AM +0200, Robert Schetterer wrote: > >> 4 SSLv3 > >> 22353 TLSv1 > >> > >> 2 SSLv3 > >> 17664 TLSv1 > > > > Yep, "slightly negative". The magnitude of the effect will vary > > from site to site. > > Yes you're right My own small server, had six SSLv3 inbound