Package: postfix
Version: 2.7.1-1
Severity: normal

Hi,

I can use smtp.gmail.com:submission as a smarthost without any problems,
but when I try to use smtp.live.com:submission I get the following messages
from postfix posted to /var/log/mail/mail.log,

    Feb 21 11:34:43 l2 postfix/smtp[7280]: setting up TLS connection to smtp.live.com[65.55.162.200]:587

    Feb 21 11:34:43 l2 postfix/smtp[7280]: certificate verification failed for smtp.live.com[65.55.162.200]:587: untrusted issuer /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root

    Feb 21 11:34:43 l2 postfix/smtp[7280]: Untrusted TLS connection established to smtp.live.com[65.55.162.200]:587: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)

    Feb 21 11:34:43 l2 postfix/smtp[7280]: warning: TLS library problem: 7280:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:293:

    Feb 21 11:34:43 l2 postfix/smtp[7280]: 7FE1B5962D: to=<jeff...@live.com>, relay=smtp.live.com[65.55.162.200]:587, delay=2254, delays=2254/0.03/0.26/0, dsn=4.4.2, status=deferred (lost connection with smtp.live.com[65.55.162.200] while performing the EHLO handshake)

The above sequence repeats every time postfix retries the deferred message;
eventually, I just deleted the message (it was just a test anyway to see if
I could use smtp.live.com as a smarthost).

Needless to say, I could use SSL on smtp.live.com as a smarthost from the
Windows-7 Live Mail Client!

I tried the following openssl session and got the same "lost connection"
as postfix did,

    $ time openssl s_client -connect smtp.live.com:587 -starttls smtp -state
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:SSLv3 read server hello A
    depth=2 /CN=Microsoft Internet Authority
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    SSL_connect:SSLv3 read server certificate A
    SSL_connect:SSLv3 read server done A
    SSL_connect:SSLv3 write client key exchange A
    SSL_connect:SSLv3 write change cipher spec A
    SSL_connect:SSLv3 write finished A
    SSL_connect:SSLv3 flush data
    SSL_connect:SSLv3 read finished A
    ---
    Certificate chain
     0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Mail/CN=smtp.live.com
       i:/CN=Microsoft Secure Server Authority
     1 s:/CN=Microsoft Secure Server Authority
       i:/CN=Microsoft Internet Authority
     2 s:/CN=Microsoft Internet Authority
       i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
    ---
    Server certificate
    subject=/C=US/ST=Washington/L=Redmond/O=Microsoft/OU=Windows Live Mail/CN=smtp.live.com
    issuer=/CN=Microsoft Secure Server Authority
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 4742 bytes and written 338 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-MD5
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-MD5
        Session-ID: 371D0000C390CC301CDC08932E3363F03471FE7DD7283B3A6B7CFA7AF72E1A43
        Session-ID-ctx: 
        Master-Key: 77AA2E9D3B846342164412EC5AD737CD7F230E16741E4D6A90E33423F6666A7224AFB06D26925DF8259ACFF30E24270D
        Key-Arg   : None
        Start Time: 1298490132
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    250 OK
    quit
    read:errno=104
    1m15.16s elapsed, 0m0.00s user, 0m0.00s system, 0.02% cpu

    $ errno 104
    including: <errno.h>
    <errno.h> 986:#define ECONNRESET 104 /* Connection reset by peer */

I would venture a guess that this problem has more to do with libssl0.9.8
than with postfix, but I wanted to see your expert response first.

Thanks,
Jeffrey Sheinberg

-- System Information:
Debian Release: 6.0
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages postfix depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  debconf [debconf-2.0]   1.5.36.1         Debian configuration management sy
ii  dpkg                    1.15.8.10        Debian package management system
ii  libc6                   2.11.2-10        Embedded GNU C Library: Shared lib
ii  libdb4.8                4.8.30-2         Berkeley v4.8 Database Libraries [
ii  libsasl2-2              2.1.23.dfsg1-7   Cyrus SASL - authentication abstra
ii  libssl0.9.8             0.9.8o-4squeeze1 SSL shared libraries
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  netbase                 4.45             Basic TCP/IP networking system
ii  ssl-cert                1.0.28           simple debconf wrapper for OpenSSL

Versions of packages postfix recommends:
ii  python                  2.6.6-3+squeeze6 interactive high-level object-orie

Versions of packages postfix suggests:
ii  bsd-mailx [mail-re 8.1.2-0.20100314cvs-1 simple mail user agent
ii  emacs23 [mail-read 23.2+1-7              The GNU Emacs editor (with GTK+ us
ii  jed [mail-reader]  1:0.99.19-2           editor for programmers (textmode v
ii  libsasl2-modules   2.1.23.dfsg1-7        Cyrus SASL - pluggable authenticat
ii  mutt [mail-reader] 1.5.20-9+squeeze1     text-based mailreader supporting M
pn  postfix-cdb        <none>                (no description available)
pn  postfix-ldap       <none>                (no description available)
pn  postfix-mysql      <none>                (no description available)
pn  postfix-pcre       <none>                (no description available)
pn  postfix-pgsql      <none>                (no description available)
ii  procmail           3.22-19               Versatile e-mail processor
ii  resolvconf         1.46                  name server information handler
ii  sasl2-bin          2.1.23.dfsg1-7        Cyrus SASL - administration progra
pn  ufw                <none>                (no description available)

-- Configuration Files:
/etc/init.d/postfix changed:
PATH=/bin:/usr/bin:/sbin:/usr/sbin
DAEMON=/usr/sbin/postfix
NAME=Postfix
TZ=
unset TZ
SYNC_CHROOT="y"
test -f /etc/default/postfix && . /etc/default/postfix
test -x $DAEMON && test -f /etc/postfix/main.cf || exit 0
. /lib/lsb/init-functions
running() {
    queue=$(postconf -h queue_directory 2>/dev/null || echo /var/spool/postfix)
    if [ -f ${queue}/pid/master.pid ]; then
        pid=$(sed 's/ //g' ${queue}/pid/master.pid)
        # what directory does the executable live in.  stupid prelink systems.
        dir=$(ls -l /proc/$pid/exe 2>/dev/null | sed 's/.* -> //; s/\/[^\/]*$//')
        if [ "X$dir" = "X/usr/lib/postfix" ]; then
            echo y
        fi
    fi
}
if grep -q -E -e '^sasl:'  </etc/group ; then
    if grep -q -E -e ':postfix($|:)' </etc/group ; then
        : "ok, user postfix is already in group sasl"
    else
        adduser postfix sasl
    fi
fi
case "$1" in
    start)
        log_daemon_msg "Starting Postfix Mail Transport Agent" postfix
        RUNNING=$(running)
        if [ -n "$RUNNING" ]; then
            log_end_msg 0
        else
            # if you set myorigin to 'ubuntu.com' or 'debian.org', it's wrong, and annoys the admins of
            # those domains.  See also sender_canonical_maps.
            MYORIGIN=$(postconf -h myorigin | tr 'A-Z' 'a-z')
            if [ "X${MYORIGIN#/}" != "X${MYORIGIN}" ]; then
                MYORIGIN=$(tr 'A-Z' 'a-z' < $MYORIGIN)
            fi
            if [ "X$MYORIGIN" = Xubuntu.com ] || [ "X$MYORIGIN" = Xdebian.org ]; then
                log_failure_msg "Invalid \$myorigin ($MYORIGIN), refusing to start"
                log_end_msg 1
                exit 1
            fi
            # see if anything is running chrooted.
            NEED_CHROOT=$(awk '/^[0-9a-z]/ && ($5 ~ "[-yY]") { print "y"; exit}' /etc/postfix/master.cf)
            if [ -n "$NEED_CHROOT" ] && [ -n "$SYNC_CHROOT" ]; then
                # Make sure that the chroot environment is set up correctly.
                oldumask=$(umask)
                umask 022
                cd $(postconf -h queue_directory)
                # if we're using tls, then we need to add etc/ssl/certs/ca-certificates.crt.
                if [ -f "/etc/ssl/certs/ca-certificates.crt" ]; then 
                    smtp_use_tls=$(postconf -h smtp_use_tls)
                    smtp_enforce_tls=$(postconf -h smtp_enforce_tls)
                    smtpd_use_tls=$(postconf -h smtpd_use_tls)
                    smtpd_enforce_tls=$(postconf -h smtpd_enforce_tls)
                    case :$smtp_use_tls:$smtp_enforce_tls:$smtpd_use_tls:$smtpd_enforce_tls: in
                        *:yes:*)
                            mkdir -p etc/ssl/certs
                            cp /etc/ssl/certs/ca-certificates.crt etc/ssl/certs/
                    esac
                fi
                # if we're using unix:passwd.byname, then we need to add etc/passwd.
                local_maps=$(postconf -h local_recipient_maps)
                if [ "X$local_maps" != "X${local_maps#*unix:passwd.byname}" ]; then
                    if [ "X$local_maps" = "X${local_maps#*proxy:unix:passwd.byname}" ]; then
                        sed 's/^\([^:]*\):[^:]*/\1:x/' /etc/passwd > etc/passwd
                        chmod a+r etc/passwd
                    fi
                fi
                FILES="etc/localtime etc/services etc/resolv.conf etc/hosts \
                    etc/nsswitch.conf etc/nss_mdns.config"
                for file in $FILES; do 
                    [ -d ${file%/*} ] || mkdir -p ${file%/*}
                    if [ -f /${file} ]; then rm -f ${file} && cp /${file} ${file}; fi
                    if [ -f  ${file} ]; then chmod a+rX ${file}; fi
                done
                rm -f usr/lib/zoneinfo/localtime
                mkdir -p usr/lib/zoneinfo
                ln -sf /etc/localtime usr/lib/zoneinfo/localtime
                rm -f lib/libnss_*so*
                tar cf - /lib/libnss_*so* 2>/dev/null |tar xf -
                umask $oldumask
            fi
            if start-stop-daemon --start --exec ${DAEMON} -- quiet-quick-start; then
                log_end_msg 0
            else
                log_end_msg 1
            fi
        fi
    ;;
    stop)
        RUNNING=$(running)
        log_daemon_msg "Stopping Postfix Mail Transport Agent" postfix
        if [ -n "$RUNNING" ]; then
            if ${DAEMON} quiet-stop; then
                log_end_msg 0
            else
                log_end_msg 1
            fi
        else
            log_end_msg 0
        fi
    ;;
    restart)
        $0 stop
        $0 start
    ;;

    force-reload|reload)
        log_action_begin_msg "Reloading Postfix configuration"
        if ${DAEMON} quiet-reload; then
            log_action_end_msg 0
        else
            log_action_end_msg 1
        fi
    ;;
    status)
        RUNNING=$(running)
        if [ -n "$RUNNING" ]; then
           log_success_msg "postfix is running"
           exit 0
        else
           log_success_msg "postfix is not running"
           exit 3
        fi
    ;;
    flush|check|abort)
        ${DAEMON} $1
    ;;
    *)
        log_action_msg "Usage: /etc/init.d/postfix {start|stop|restart|reload|flush|check|abort|force-reload}"
        exit 1
    ;;
esac
exit 0


-- debconf information:
* postfix/mailname: l2.bsrd.net
  postfix/tlsmgr_upgrade_warning:
* postfix/recipient_delim: +
* postfix/main_mailer_type: Internet with smarthost
  postfix/retry_upgrade_warning:
  postfix/kernel_version_warning:
* postfix/relayhost: smtp.bsrd.net
* postfix/procmail: true
  postfix/bad_recipient_delimiter:
* postfix/chattr: false
* postfix/root_address: rootmail
  postfix/rfc1035_violation: false
  postfix/mydomain_warning:
* postfix/mynetworks: 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
* postfix/destinations: $myhostname, localhost.$mydomain localhost, $mydomain
  postfix/not_configured:
* postfix/mailbox_limit: 51200000
* postfix/protocols: ipv4
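The postfix/smtp lines quoted at the top of this report are enough to spot this failure mode from mail.log alone, without re-running openssl. The following Python is an added example, not part of the bug report or of Postfix: it joins each delivery line with the TLS events the same postfix/smtp process logged just before it, and flags deliveries whose certificate chain did not verify, that hit a TLS library error, or that were not sent over anything weaker than Trusted TLS. The sample log is constructed from the report's lines plus one made-up successful delivery via smtp.gmail.com (placeholder IP, queue id and recipient).

```python
import re
from collections import defaultdict

# Constructed sample: the report's postfix/smtp lines, unwrapped, plus one
# constructed successful delivery (placeholder IP 192.0.2.10, queue id, recipient).
SAMPLE_LOG = """\
Feb 21 11:34:43 l2 postfix/smtp[7280]: setting up TLS connection to smtp.live.com[65.55.162.200]:587
Feb 21 11:34:43 l2 postfix/smtp[7280]: certificate verification failed for smtp.live.com[65.55.162.200]:587: untrusted issuer /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
Feb 21 11:34:43 l2 postfix/smtp[7280]: Untrusted TLS connection established to smtp.live.com[65.55.162.200]:587: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Feb 21 11:34:43 l2 postfix/smtp[7280]: warning: TLS library problem: 7280:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:293:
Feb 21 11:34:43 l2 postfix/smtp[7280]: 7FE1B5962D: to=<jeff...@live.com>, relay=smtp.live.com[65.55.162.200]:587, delay=2254, delays=2254/0.03/0.26/0, dsn=4.4.2, status=deferred (lost connection with smtp.live.com[65.55.162.200] while performing the EHLO handshake)
Feb 21 11:40:02 l2 postfix/smtp[7301]: Trusted TLS connection established to smtp.gmail.com[192.0.2.10]:587: TLSv1 with cipher RC4-MD5 (128/128 bits)
Feb 21 11:40:03 l2 postfix/smtp[7301]: 0123456789: to=<user@example.com>, relay=smtp.gmail.com[192.0.2.10]:587, delay=1.2, delays=0.1/0.02/0.9/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

LINE = re.compile(r'^\w{3} +\d+ [\d:]{8} \S+ postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$')
TLS_UP = re.compile(r'^(?P<level>Anonymous|Untrusted|Trusted|Verified) TLS connection '
                    r'established to (?P<relay>\S+): \S+ with cipher (?P<cipher>\S+)')
VERIFY = re.compile(r'^certificate verification failed for (?P<relay>\S+): (?P<reason>.*)$')
LIBERR = re.compile(r'^warning: TLS library problem: (?P<err>.*)$')
DELIVERY = re.compile(r'^(?P<qid>[0-9A-F]+): to=<[^>]*>, relay=(?P<relay>\S+), .*dsn=(?P<dsn>[\d.]+), '
                      r'status=(?P<status>\w+) \((?P<detail>.*)\)$')

def parse_smtp_log(text):
    """One record per delivery attempt, joined with the TLS events the same
    postfix/smtp process (pid) logged for that session just before it."""
    session, records = defaultdict(dict), []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m: continue                  # not a postfix/smtp line
        pid, msg = m['pid'], m['msg']
        if (t := TLS_UP.match(msg)):
            session[pid].update(tls_level=t['level'], cipher=t['cipher'])
        elif (v := VERIFY.match(msg)):
            session[pid]['verify_failure'] = v['reason']
        elif (e := LIBERR.match(msg)):
            session[pid]['tls_error'] = e['err']
        elif (d := DELIVERY.match(msg)):
            rec = {'qid': d['qid'], 'relay': d['relay'], 'dsn': d['dsn'], 'status': d['status'],
                   'detail': d['detail'], 'tls_level': 'none', 'verify_failure': None, 'tls_error': None}
            rec.update(session.pop(pid, {}))    # the delivery line closes the session
            records.append(rec)
    return records

def flagged(records):
    """Deliveries showing the report's pattern: a chain that did not verify, a TLS
    library error, or a non-sent delivery over anything weaker than Trusted TLS."""
    return [r for r in records if r['verify_failure'] or r['tls_error']
            or (r['status'] != 'sent' and r['tls_level'] != 'Trusted')]
```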

