On Wed, Apr 29, 2015 at 05:57:36PM -0700, Tom Johnson wrote:
> I have a basic postfix setup that's been working fine for a long time,
> but recently, I've been seeing errors with a number of sites:
>
> "Cannot start TLS: handshake failure"
>
> Here are some specific sites where I'm seeing this issue:
>
> SSL_connect error to 23.25.38.217 [23.25.38.217]
> SSL_connect error to 108.247.226.220 [108.247.226.220]
> SSL_connect error to 216.167.201.250 [216.167.201.250]
>
> And so on.
>
> I have minimal settings in my main.cf for smtp_tls_* settings - most of the
> settings are simply the defaults.
>
> smtp_use_tls = yes
> smtp_tls_security_level = may
> smtp_tls_session_cache_timeout = 3600s
> smtp_tls_CApath = <path>
> smtp_tls_CAfile = <ca file>
Fine, but you'll save a bit of CPU if you leave "smtp_tls_CApath" and
"smtp_tls_CAfile" empty.
> smtp_tls_key_file = <key file>
> smtp_tls_cert_file = <cert file>
And you're generally better off without client certs too.
> And I've tried this, thinking that it could be an issue with the selected
> ciphers, but it makes no difference:
>
> smtp_tls_exclude_ciphers = 3DES DES
The symptom with broken 3DES with Microsoft systems is not a
handshake failure.
> 2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: setting up
> TLS connection to mail.mlmatthews.com[23.25.38.217]:25
> 2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]:
> mail.mlmatthews.com[23.25.38.217]:25: TLS cipher list
> "aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH:!3DES:!DES"
> 2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]:
> SSL_connect:before/connect initialization
> 2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]:
> SSL_connect:SSLv2/v3 write client hello A
> 2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]:
> SSL_connect error to mail.mlmatthews.com[23.25.38.217]:25: lost connection
> 2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]:
> 3lcZT61sm7z5wjJ: to=<u...@mlmatthews.com>,
> relay=mail.mlmatthews.com[23.25.38.217]:25, delay=8.8,
> delays=8.5/0.26/0.05/0, dsn=4.7.5, status=undeliverable-but-not-cached
> (Cannot start TLS: handshake failure)
>
That's funny, the domain's MX host is different for me:
$ dig +short -t mx mlmatthews.com
10 mail.mailroute.net.
That aside, even with the "wrong" MX host, I still get successful
connections. Perhaps you're behind some sort of firewall that
proxies TLS and disconnects when it does not like the peer certificate:
$ posttls-finger -c -Ldebug "[mail.mlmatthews.com]"
posttls-finger: initializing the client-side TLS engine
posttls-finger: setting up TLS connection to
mail.mlmatthews.com[23.25.38.217]:25
...
posttls-finger: SSL_connect:SSLv2/v3 write client hello A
posttls-finger: SSL_connect:SSLv3 read server hello A
...
posttls-finger: SSL_connect:SSLv3 read server certificate A
posttls-finger: SSL_connect:SSLv3 read server done A
posttls-finger: SSL_connect:SSLv3 write client key exchange A
posttls-finger: SSL_connect:SSLv3 write change cipher spec A
posttls-finger: SSL_connect:SSLv3 write finished A
posttls-finger: SSL_connect:SSLv3 flush data
posttls-finger: SSL_connect:SSLv3 read finished A
posttls-finger: server certificate verification failed for
mail.mlmatthews.com[23.25.38.217]:25: certificate has expired
posttls-finger: mail.mlmatthews.com[23.25.38.217]:25:
subject_CN=mail.mlmatthews.com, issuer_CN=Go Daddy Secure Certification
Authority,
fingerprint=84:E0:0C:BD:01:55:DF:38:7C:7E:CF:22:DC:AC:97:6A:3B:91:87:7B,
pkey_fingerprint=D5:EE:32:D4:FF:7D:70:58:43:06:89:5A:85:8B:79:5B:6C:B4:3B:B4
posttls-finger: Untrusted TLS connection established to
mail.mlmatthews.com[23.25.38.217]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
> Here's what I'm running:
>
> postfix 3.1-20150421
> CentOS release 6.6 (Final)
> openssl-1.0.1e-30.el6.8.x86_64
> openssl-devel-1.0.1e-30.el6.8.x86_64
I'm testing with Postfix 2.11 on NetBSD, but that should make little difference.
> Any suggestions about what is going on here? Did something recently change
> with either openssl or with MS Exchange? Many, although not all the
> servers where I see this happening are exchange servers, but I don't have
> enough data to say that's definitive.
Are you behind some sort of firewall? I'd look there first.
--
Viktor.
