Hi Doug,

I did a quick Google and it looks like you posted the same issue about a year ago:

http://www.zimbra.com/forums/administrators/63140-sslv3-alert-bad-record-mac.html

Do you recall what you did to resolve it then?

From the other hits out there it seems that postfix can be particularly unforgiving to AES connections (there are other people talking about having problems receiving email from Google via AES with Postfix).

I had RC4-SHA:HIGH as my preferred cipher after the BEAST SSL attacks, however with some of the latest revelations I should probably look at bringing AES back in.

Anyone else care to share their cipher lists and a quick explanation of why they picked it?

Mine is currently the following, and is this way because it was the only way to gain PCI compliance after the BEAST SSL attack.

RC4-SHA:HIGH:!ADH:!AES256-SHA:!ECDHE-RSA-AES256-SHA384:!AES128-SHA:!DES-CBC3-SHA:!DES-CBC3-MD5:!IDEA-CBC-SHA:!RC4-MD5:!IDEA-CBC-MD5:!RC2-CBC-MD5:!MD5:!aNULL:!EDH:!AESGCM

All the best,
Colin Waring.

On 20/07/2014 14:09, Doug Lytle wrote:
> I have a very old install of ASSPv2 "2.3.4(13136)" running on Debian
> GNU/Linux 6.0.3 (squeeze).
>
> This is for our Zimbra mail server that is also outdated, running on
> Ubuntu 10.04 64bit. I'd like to update the mail server, but won't
> attempt it until I get the ASSP2 issues resolved.
>
> When building another VM to house the upgraded ASSP and putting it into
> place, I get attachment corruption. Following the logs on the Zimbra
> side, I see a change in what is being used for the SSL cipher. It goes
> from the normal:
>
> postfix/smtpd[12152]: Anonymous TLS connection established from
> assp.inet[10.0.0.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>
> To:
>
> postfix/smtpd[11502]: Anonymous TLS connection established from
> assp.inet[10.0.0.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
>
> So,
>
> Reviewing a previous post from Thomas
>
> http://sourceforge.net/p/assp/mailman/message/31259064/
>
> I started playing around with the cipher options on ASSP.
> I forced:
>
> AES256:SHA256:RC4-SHA:HIGH:!ADH
>
> Now my logs on the Zimbra server show AES256 and I no longer have
> attachment corruption, but I now am experiencing two different issues.
>
> 1.) Sending test email from Seamonkey, I may have to hit send a couple
> times before it goes.
> 2.) I'm seeing the below logs in my Zimbra server:
>
> postfix/smtpd[22112]: warning: TLS library problem:
> 22112:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record
> mac:s3_pkt.c:1199:SSL alert number 20
>
> Would this be because I'm missing a required cipher?
>
> Any suggestions would be appreciated.
>
> Doug
>
> _______________________________________________
> Assp-test mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/assp-test
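
To see which cipher each client actually negotiated and which sessions ran into the `bad record mac` alert, the Postfix lines quoted above can be tallied per smtpd PID. This is an added example, not part of the original thread; the timestamps, the `zimbra` hostname, the `connect from` lines and the AES256-SHA session are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
Jul 20 14:01:02 zimbra postfix/smtpd[12152]: connect from assp.inet[10.0.0.10]
Jul 20 14:01:02 zimbra postfix/smtpd[12152]: Anonymous TLS connection established from assp.inet[10.0.0.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jul 20 14:03:10 zimbra postfix/smtpd[11502]: connect from assp.inet[10.0.0.10]
Jul 20 14:03:10 zimbra postfix/smtpd[11502]: Anonymous TLS connection established from assp.inet[10.0.0.10]: TLSv1 with cipher AES128-SHA (128/128 bits)
Jul 20 14:05:41 zimbra postfix/smtpd[22112]: connect from assp.inet[10.0.0.10]
Jul 20 14:05:41 zimbra postfix/smtpd[22112]: Anonymous TLS connection established from assp.inet[10.0.0.10]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jul 20 14:05:42 zimbra postfix/smtpd[22112]: warning: TLS library problem: 22112:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1199:SSL alert number 20
"""

CONNECT = re.compile(r"postfix/smtpd\[(\d+)\]: connect from (\S+)")
TLS_OK = re.compile(r"postfix/smtpd\[(\d+)\]: \w+ TLS connection established "
                    r"from (\S+?): (\S+) with cipher (\S+)")
# OpenSSL error string: pid:error:code:library:function:reason:file:line:data
TLS_ERR = re.compile(r"postfix/smtpd\[(\d+)\]: warning: TLS library problem: "
                     r".*?:SSL routines:[^:]*:([^:]+):")


def summarize(log_text):
    """Tally negotiated ciphers per client and attribute TLS errors to them."""
    state = {}           # smtpd PID -> (client, protocol, cipher) of current session
    ciphers = Counter()  # (client, protocol, cipher) -> established sessions
    alerts = Counter()   # (client, protocol, cipher, reason) -> TLS library errors
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            state[m[1]] = (m[2], None, None)  # new session, nothing negotiated yet
        elif m := TLS_OK.search(line):
            state[m[1]] = (m[2], m[3], m[4])
            ciphers[state[m[1]]] += 1
        elif m := TLS_ERR.search(line):
            # The warning line names no client, so use the PID's current session.
            client, proto, cipher = state.get(m[1], ("unknown", None, None))
            alerts[(client, proto, cipher, m[2])] += 1
    return ciphers, alerts


if __name__ == "__main__":
    ciphers, alerts = summarize(SAMPLE_LOG)
    for key, count in ciphers.items():
        print("negotiated", count, *key)
    for key, count in alerts.items():
        print("tls-error ", count, *key)
```

An alert whose cipher is `None` was logged before the handshake completed, which helps separate a cipher-negotiation failure from record corruption on an already established session.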
