Package: postfix
Version: 2.7.1-1
Severity: normal

Hi,

I can use smtp.gmail.com:submission as a smarthost without any problems, but when I try to use smtp.live.com:submission I get the following messages from postfix posted to /var/log/mail/mail.log,

Feb 21 11:34:43 l2 postfix/smtp[7280]: setting up TLS connection to smtp.live.com[65.55.162.200]:587
Feb 21 11:34:43 l2 postfix/smtp[7280]: certificate verification failed for smtp.live.com[65.55.162.200]:587: untrusted issuer /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
Feb 21 11:34:43 l2 postfix/smtp[7280]: Untrusted TLS connection established to smtp.live.com[65.55.162.200]:587: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Feb 21 11:34:43 l2 postfix/smtp[7280]: warning: TLS library problem: 7280:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:293:
Feb 21 11:34:43 l2 postfix/smtp[7280]: 7FE1B5962D: to=<jeff...@live.com>, relay=smtp.live.com[65.55.162.200]:587, delay=2254, delays=2254/0.03/0.26/0, dsn=4.4.2, status=deferred (lost connection with smtp.live.com[65.55.162.200] while performing the EHLO handshake)

The above sequence repeats every time postfix retries the deferred message; eventually, I just deleted the message (it was just a test anyway to see if I could use smtp.live.com as a smarthost). Needless to say, I could use SSL on smtp.live.com as a smarthost from the Windows-7 Live Mail Client!

I tried the following openssl session and got the same "lost connection" as postfix did,

$ time openssl s_client -connect smtp.live.com:587 -starttls smtp -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 /CN=Microsoft Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Mail/CN=smtp.live.com
   i:/CN=Microsoft Secure Server Authority
 1 s:/CN=Microsoft Secure Server Authority
   i:/CN=Microsoft Internet Authority
 2 s:/CN=Microsoft Internet Authority
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
subject=/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Mail/CN=smtp.live.com
issuer=/CN=Microsoft Secure Server Authority
---
No client certificate CA names sent
---
SSL handshake has read 4742 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID: 371D0000C390CC301CDC08932E3363F03471FE7DD7283B3A6B7CFA7AF72E1A43
    Session-ID-ctx:
    Master-Key: 77AA2E9D3B846342164412EC5AD737CD7F230E16741E4D6A90E33423F6666A7224AFB06D26925DF8259ACFF30E24270D
    Key-Arg   : None
    Start Time: 1298490132
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK
quit
read:errno=104

1m15.16s elapsed, 0m0.00s user, 0m0.00s system, 0.02% cpu

$ errno 104
including: <errno.h>
<errno.h> 986:#define ECONNRESET 104 /* Connection reset by peer */

I would venture a guess that this problem has more to do with libssl0.9.8 than with postfix, but I wanted to see your expert response first.

Thanks,
Jeffrey Sheinberg

-- System Information:
Debian Release: 6.0
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages postfix depends on:
ii  adduser                3.112+nmu2        add and remove users and groups
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  dpkg                   1.15.8.10         Debian package management system
ii  libc6                  2.11.2-10         Embedded GNU C Library: Shared lib
ii  libdb4.8               4.8.30-2          Berkeley v4.8 Database Libraries [
ii  libsasl2-2             2.1.23.dfsg1-7    Cyrus SASL - authentication abstra
ii  libssl0.9.8            0.9.8o-4squeeze1  SSL shared libraries
ii  lsb-base               3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip
ii  netbase                4.45              Basic TCP/IP networking system
ii  ssl-cert               1.0.28            simple debconf wrapper for OpenSSL

Versions of packages postfix recommends:
ii  python                 2.6.6-3+squeeze6  interactive high-level object-orie

Versions of packages postfix suggests:
ii  bsd-mailx [mail-re  8.1.2-0.20100314cvs-1  simple mail user agent
ii  emacs23 [mail-read  23.2+1-7               The GNU Emacs editor (with GTK+ us
ii  jed [mail-reader]   1:0.99.19-2            editor for programmers (textmode v
ii  libsasl2-modules    2.1.23.dfsg1-7         Cyrus SASL - pluggable authenticat
ii  mutt [mail-reader]  1.5.20-9+squeeze1      text-based mailreader supporting M
pn  postfix-cdb         <none>                 (no description available)
pn  postfix-ldap        <none>                 (no description available)
pn  postfix-mysql       <none>                 (no description available)
pn  postfix-pcre        <none>                 (no description available)
pn  postfix-pgsql       <none>                 (no description available)
ii  procmail            3.22-19                Versatile e-mail processor
ii  resolvconf          1.46                   name server information handler
ii  sasl2-bin           2.1.23.dfsg1-7         Cyrus SASL - administration progra
pn  ufw                 <none>                 (no description available)

-- Configuration Files:
/etc/init.d/postfix changed:
PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/postfix
NAME=Postfix
TZ=
unset TZ
SYNC_CHROOT="y"
test -f /etc/default/postfix && . /etc/default/postfix
test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0
. /lib/lsb/init-functions
running() {
    queue=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
    if [ -f ${queue}/pid/master.pid ]; then
        pid=$(sed 's/ //g' ${queue}/pid/master.pid)
        # what directory does the executable live in. stupid prelink systems.
        dir=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* -> //; s/\/[^\/]*$//')
        if [ "X$dir" = "X/usr/lib/postfix" ]; then
            echo y
        fi
    fi
}
if grep -q -E -e '^sasl:' </etc/group ; then
    if grep -q -E -e ':postfix($|:)' </etc/group ; then
        : "ok, user postfix is already in group sasl"
    else
        adduser postfix sasl
    fi
fi
case "$1" in
    start)
        log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
        RUNNING=$(running)
        if [ -n "$RUNNING" ]; then
            log_end_msg 0
        else
            # if you set myorigin to 'ubuntu.com' or 'debian.org', it's wrong, and annoys the admins of
            # those domains. See also sender_canonical_maps.
            MYORIGIN=$(postconf -h myorigin | tr 'A-Z' 'a-z')
            if [ "X${MYORIGIN#/}" != "X${MYORIGIN}" ]; then
                MYORIGIN=$(tr 'A-Z' 'a-z' < $MYORIGIN)
            fi
            if [ "X$MYORIGIN" = Xubuntu.com ] || [ "X$MYORIGIN" = Xdebian.org ]; then
                log_failure_msg "Invalid \$myorigin ($MYORIGIN), refusing to start"
                log_end_msg 1
                exit 1
            fi
            # see if anything is running chrooted.
            NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
            if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
                # Make sure that the chroot environment is set up correctly.
                oldumask=$(umask)
                umask 022
                cd $(postconf -h queue_directory)
                # if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
                if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then
                    smtp_use_tls=$(postconf -h smtp_use_tls)
                    smtp_enforce_tls=$(postconf -h smtp_enforce_tls)
                    smtpd_use_tls=$(postconf -h smtpd_use_tls)
                    smtpd_enforce_tls=$(postconf -h smtpd_use_tls)
                    case :$smtp_use_tls:$smtp_enforce_tls:$smtpd_use_tls:$smtpd_enforce_tls: in
                        *:yes:*)
                            mkdir -p etc/ssl/certs
                            cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
                    esac
                fi
                # if we're using unix:passwd.byname, then we need to add etc/passwd.
                local_maps=$(postconf -h local_recipient_maps)
                if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
                    if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
                        sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
                        chmod a+r etc/passwd
                    fi
                fi
                FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
                    etc/nsswitch.conf etc/nss_mdns.config"
                for file in $FILES; do
                    [ -d ${file%/*} ] || mkdir -p ${file%/*}
                    if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
                    if [ -f ${file} ]; then chmod a+rX ${file}; fi
                done
                rm -f usr/lib/zoneinfo/localtime
                mkdir -p usr/lib/zoneinfo
                ln -sf /etc/localtime usr/lib/zoneinfo/localtime
                rm -f lib/libnss_*so*
                tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
                umask $oldumask
            fi
            if start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start; then
                log_end_msg 0
            else
                log_end_msg 1
            fi
        fi
    ;;
    stop)
        RUNNING=$(running)
        log_daemon_msg "Stopping Postfix Mail Transport Agent" postfix
        if [ -n "$RUNNING" ]; then
            if ${DAEMON} quiet-stop; then
                log_end_msg 0
            else
                log_end_msg 1
            fi
        else
            log_end_msg 0
        fi
    ;;
    restart)
        $0 stop
        $0 start
    ;;
    force-reload|reload)
        log_action_begin_msg "Reloading Postfix configuration"
        if ${DAEMON} quiet-reload; then
            log_action_end_msg 0
        else
            log_action_end_msg 1
        fi
    ;;
    status)
        RUNNING=$(running)
        if [ -n "$RUNNING" ]; then
            log_success_msg "postfix is running"
            exit 0
        else
            log_success_msg "postfix is not running"
            exit 3
        fi
    ;;
    flush|check|abort)
        ${DAEMON} $1
    ;;
    *)
        log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
        exit 1
    ;;
esac
exit 0

-- debconf information:
* postfix/mailname: l2.bsrd.net
  postfix/tlsmgr_upgrade_warning:
* postfix/recipient_delim: +
* postfix/main_mailer_type: Internet with smarthost
  postfix/retry_upgrade_warning:
  postfix/kernel_version_warning:
* postfix/relayhost: smtp.bsrd.net
* postfix/procmail: true
  postfix/bad_recipient_delimiter:
* postfix/chattr: false
* postfix/root_address: rootmail
  postfix/rfc1035_violation: false
  postfix/mydomain_warning:
* postfix/mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
* postfix/destinations: $myhostname, localhost.$mydomain localhost, $mydomain
  postfix/not_configured:
* postfix/mailbox_limit: 51200000
* postfix/protocols: ipv4
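
Added example, not part of the original report and not Postfix code: a small triage script that groups the postfix/smtp lines quoted in the report by process id and separates the certificate trust warning from the TLS library error that precedes the deferral. The function names `summarize` and `diagnose` and the regular expressions are assumptions written for this log format only.

```python
import re
from collections import defaultdict

# Log lines copied from the report above (recipient address elided as in the original).
SAMPLE_LOG = """\
Feb 21 11:34:43 l2 postfix/smtp[7280]: setting up TLS connection to smtp.live.com[65.55.162.200]:587
Feb 21 11:34:43 l2 postfix/smtp[7280]: certificate verification failed for smtp.live.com[65.55.162.200]:587: untrusted issuer /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
Feb 21 11:34:43 l2 postfix/smtp[7280]: Untrusted TLS connection established to smtp.live.com[65.55.162.200]:587: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Feb 21 11:34:43 l2 postfix/smtp[7280]: warning: TLS library problem: 7280:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:293:
Feb 21 11:34:43 l2 postfix/smtp[7280]: 7FE1B5962D: to=<jeff...@live.com>, relay=smtp.live.com[65.55.162.200]:587, delay=2254, delays=2254/0.03/0.26/0, dsn=4.4.2, status=deferred (lost connection with smtp.live.com[65.55.162.200] while performing the EHLO handshake)
"""

LINE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
PATTERNS = {
    "untrusted_issuer": re.compile(r"certificate verification failed for (\S+?): untrusted issuer (.+)$"),
    "established": re.compile(r"(\w+) TLS connection established to \S+: (\S+) with cipher (\S+)"),
    "tls_error": re.compile(r"TLS library problem: \d+:error:([0-9A-F]+):([^:]*):([^:]*):([^:]*):"),
    "delivery": re.compile(r"relay=([^,]+),.*dsn=([\d.]+), status=(\w+) \((.*)\)$"),
}

def summarize(log_text):
    """Group postfix/smtp lines by process id and extract the TLS-relevant fields."""
    sessions = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        for name, pat in PATTERNS.items():
            hit = pat.search(msg)
            if hit:
                sessions[pid][name] = hit.groups()
    return dict(sessions)

def diagnose(session):
    """Report the trust warning and the TLS library error as separate findings."""
    findings = []
    if "untrusted_issuer" in session:
        findings.append("untrusted issuer: " + session["untrusted_issuer"][1])
    status = session.get("delivery", ("", "", "", ""))[2]
    if "tls_error" in session and status == "deferred":
        findings.append("TLS library error before deferral: " + session["tls_error"][3])
    return findings
```

On the quoted lines the two findings come from different log entries: the session is still logged as established (as "Untrusted") after the issuer warning, and the deferral follows the "wrong version number" error.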