On Tue, Oct 15, 2013 at 12:21:28PM +0200, Michael Büker wrote:

> > Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem: 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> >
> > Oct 15 02:30:04 asterix postfix/smtp[4458]: 42E021A0F44: to=<mb@michael-bueker.de>, relay=smtp-auth.foo.de[999.169.5.134]:587, delay=0.51, delays=0.08/0.03/0.4/0, dsn=4.4.2, status=deferred (lost connection with smtp-auth.foo.de[999.169.5.134] while performing the EHLO handshake)
> 
> Now, I _think_ the tls_policy entry is correct, because if I set it to 
> something absurd like "protocols=SSLv2", the connection fails predictably:

Note the "while performing the EHLO handshake" detail.  This means
the TLS handshake succeeded, but the subsequent SMTP commands failed
inside the encrypted channel.  Fortunately, your over-obfuscation
of the target server left me with only 224 choices of the target
IP address.  The server in question is a Microsoft Exchange server
with buggy 3DES ciphersuites (IIRC found in Windows XP, and
perhaps Windows Server 2003).

Add "exclude=3DES" to the entry table for this server, and you'll likely
be fine.  You probably don't need to tweak the protocols.

    $ posttls-finger -o 'tls_medium_cipherlist=aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:!3DES:@STRENGTH' "[smtp-auth.foo.de]:587"
    posttls-finger: Connected to smtp-auth.foo.de[999.169.5.134]:587
    posttls-finger: < 220 adxf3.win.foo.de Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at  Tue, 15 Oct 2013 16:43:11 +0200
    posttls-finger: > EHLO central-dogma.lan
    posttls-finger: < 250-adxf3.win.foo.de Hello [999.169.40.26]
    posttls-finger: < 250-TURN
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-DSN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8bitmime
    posttls-finger: < 250-BINARYMIME
    posttls-finger: < 250-CHUNKING
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-TLS
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-X-EXPS GSSAPI NTLM
    posttls-finger: < 250-AUTH GSSAPI NTLM
    posttls-finger: < 250-X-LINK2STATE
    posttls-finger: < 250-XEXCH50
    posttls-finger: < 250 OK
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 SMTP server ready
    posttls-finger: smtp-auth.foo.de[999.169.5.134]:587: Matched subjectAltName: smtp-auth.foo.de
    posttls-finger: smtp-auth.foo.de[999.169.5.134]:587 CommonName smtp-auth.foo.de
    posttls-finger: certificate verification failed for smtp-auth.foo.de[999.169.5.134]:587: untrusted issuer /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
    posttls-finger: smtp-auth.foo.de[999.169.5.134]:587: subject_CN=smtp-auth.foo.de, issuer_CN=FOO CA - G02, fingerprint=21:B2:6F:D3:19:96:C7:DE:73:A4:0B:70:FA:6B:4C:B1:BC:F1:97:CE, pkey_fingerprint=CC:50:03:5F:14:AA:4B:AC:46:B4:C0:0A:D2:9C:B1:77:E8:DD:0F:10
    posttls-finger: Untrusted TLS connection established to smtp-auth.foo.de[999.169.5.134]:587: TLSv1 with cipher RC4-MD5 (128/128 bits)
    posttls-finger: > EHLO central-dogma.lan
    posttls-finger: < 250-adxf3.win.foo.de Hello [999.169.40.26]
    posttls-finger: < 250-TURN
    posttls-finger: < 250-SIZE
    posttls-finger: < 250-ETRN
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-DSN
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8bitmime
    posttls-finger: < 250-BINARYMIME
    posttls-finger: < 250-CHUNKING
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
    posttls-finger: < 250-X-EXPS=LOGIN
    posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
    posttls-finger: < 250-AUTH=LOGIN
    posttls-finger: < 250-X-LINK2STATE
    posttls-finger: < 250-XEXCH50
    posttls-finger: < 250 OK
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 adxf3.win.foo.de Service closing transmission channel

I'd like to suggest that you find a less broken email provider.

-- 
        Viktor.

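Added example, not code from the thread or from Postfix: a small log scanner that pairs the "TLS library problem" warning with the "lost connection ... while performing the EHLO handshake" deferral from the same smtp(8) process, so an operator can spot relays where TLS came up but the first encrypted EHLO failed, and emits the per-destination smtp_tls_policy_maps line with exclude=3DES that the reply recommends. The sample log lines are constructed after the ones quoted above, and the "encrypt" policy level is an assumption (use whatever level the existing entry has).

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the ones quoted in the thread; the
# host names and 999.x addresses are the thread's own obfuscated placeholders.
SAMPLE_LOG = """\
Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem: 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
Oct 15 02:30:04 asterix postfix/smtp[4458]: 42E021A0F44: to=<mb@michael-bueker.de>, relay=smtp-auth.foo.de[999.169.5.134]:587, delay=0.51, delays=0.08/0.03/0.4/0, dsn=4.4.2, status=deferred (lost connection with smtp-auth.foo.de[999.169.5.134] while performing the EHLO handshake)
Oct 15 02:31:10 asterix postfix/smtp[4460]: 5A1B21A0F50: to=<someone@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0.02/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Deferral whose reason is a lost connection during the EHLO *after* STARTTLS.
DEFERRED_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-Fa-f]+): .*?"
    r"relay=(?P<relay>[^\[,]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+).*?"
    r"status=deferred \(lost connection with \S+ while performing the EHLO handshake\)"
)
# OpenSSL warning logged by the same smtp(8) process just before the deferral.
TLS_WARN_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: warning: TLS library problem: (?P<detail>.*)"
)


def find_post_starttls_ehlo_failures(log_text):
    """Map (relay, port) -> [(queue_id, tls_warning_or_None), ...] for deliveries
    that were deferred after the TLS handshake succeeded but the encrypted EHLO failed."""
    warnings_by_pid = {}          # last TLS warning seen per smtp(8) process id
    failures = defaultdict(list)
    for line in log_text.splitlines():
        w = TLS_WARN_RE.search(line)
        if w:
            warnings_by_pid[w.group("pid")] = w.group("detail")
            continue
        m = DEFERRED_RE.search(line)
        if m:
            key = (m.group("relay"), m.group("port"))
            # Attach the warning from the same process, if one preceded the deferral.
            failures[key].append((m.group("qid"), warnings_by_pid.pop(m.group("pid"), None)))
    return dict(failures)


def suggested_policy_entries(failures, level="encrypt"):
    """Build smtp_tls_policy_maps lines that keep TLS but exclude 3DES for each
    affected destination. 'level' is an assumed default, not taken from the thread."""
    return [f"[{relay}]:{port} {level} exclude=3DES" for relay, port in sorted(failures)]


if __name__ == "__main__":
    found = find_post_starttls_ehlo_failures(SAMPLE_LOG)
    for (relay, port), items in found.items():
        print(f"{relay}:{port}: {len(items)} deferral(s), e.g. {items[0]}")
    print("\n".join(suggested_policy_entries(found)))
```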