On 29/04/2015 20:56, Viktor Dukhovni wrote:
On Wed, Apr 29, 2015 at 03:53:00PM +0300, Birta Levente wrote:

I see many SSL_connect errors for different domains whose mail service is hosted
at Microsoft:

Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
Apr 28 10:32:12 srv1 postfix/smtp[18296]: 3lbZRv0VXQz1lvjB: to=<xxxxx...@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25, delay=1.1, delays=0.14/0.37/0.56/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

I don't see this problem, here's logging for "sendmail -bv postmas...@irs.ro":

     pickup[23826]: 4486C283032: uid=1000 from=<user>
     cleanup[10530]: 4486C283032:
        message-id=<20150429174125.4486C283032@amnesiac.example>
     qmgr[8720]: 4486C283032: from=<u...@example.org>,
        size=295, nrcpt=1 (queue active)
     smtp[10884]: Untrusted TLS connection established to
        irs-ro.mail.eo.outlook.com[213.199.154.23]:25:
        TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
     smtp[10884]: 4486C283032: to=<postmas...@irs.ro>,
        relay=irs-ro.mail.eo.outlook.com[213.199.154.23]:25,
        delay=6.5, delays=0.06/0.02/1.3/5.2, dsn=5.4.1,
        status=undeliverable
        (host irs-ro.mail.eo.outlook.com[213.199.154.23] said:
        550 5.4.1 [postmas...@irs.ro]: Recipient address rejected:
        Access denied (in reply to RCPT TO command))
     qmgr[8720]: 4486C283032: removed

So TLS was established, and worked at least as far as "RCPT TO:"
and the negative reply.

Perhaps some sort of middle-box is interfering with TLS on your
end.  Also, what version of OpenSSL are you using?

CentOS 6.6, up to date: openssl-1.0.1e-30.el6.8.x86_64
If something is in the middle, sadly, it is out of my control.

I made a test on another server, which is in a totally different location (other city, other ISP), but with the same OS, openssl and postfix.3.1.20150421:

Apr 30 08:55:05 srv2 postfix/pickup[31818]: 3lcmBx5stxz7wX4: uid=0 from=<root>
Apr 30 08:55:05 srv2 postfix/cleanup[4359]: 3lcmBx5stxz7wX4: message-id=<3lcmbx5stxz7...@email.xxxxxxxxx.ro>
Apr 30 08:55:05 srv2 opendkim[1223]: 3lcmBx5stxz7wX4: DKIM-Signature field added (s=epsilon201504, d=xxxxxxx.ro)
Apr 30 08:55:05 srv2 postfix/qmgr[13449]: 3lcmBx5stxz7wX4: from=<r...@email.xxxxxxxxxx.ro>, size=322, nrcpt=1 (queue active)
Apr 30 08:55:06 srv2 postfix/smtp[4367]: SSL_connect error to irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
Apr 30 08:55:06 srv2 postfix/smtp[4367]: 3lcmBx5stxz7wX4: Cannot start TLS: handshake failure
Apr 30 08:55:06 srv2 postfix/smtp[4367]: SSL_connect error to irs-ro.mail.eo.outlook.com[213.199.154.23]:25: lost connection
Apr 30 08:55:06 srv2 postfix/smtp[4367]: 3lcmBx5stxz7wX4: to=<postmas...@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.23]:25, delay=1.1, delays=0.18/0.01/0.9/0, dsn=4.7.5, status=undeliverable (Cannot start TLS: handshake failure)


It's hard to believe the problem is on my side, because other Microsoft domains work, and so do many, many domains with TLSv1.2... but on your side it works... so I don't know.

Apr 29 15:04:46 srv1 postfix/smtp[5398]: Untrusted TLS connection established to mx4.hotmail.com[65.55.33.119]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Apr 29 15:04:47 srv1 postfix/smtp[5398]: 3lcJRw1t3lz1lvk7: to=<xxxxx...@hotmail.com>, relay=mx4.hotmail.com[65.55.33.119]:25, delay=3.4, delays=0.08/0.13/1.9/1.3, dsn=2.0.0, status=sent (250 <5540c8dc.1000...@yyyyyyyyyyyy.ro> Queued mail for delivery)



Looking at the mailing list archive, I resolved it with smtp_tls_policy_maps = hash:/etc/postfix/tls_policy:

tls_policy:
irs.ro          may protocols=TLSv1 ciphers=medium exclude=3DES:MD5

Instead of forcing "TLSv1" (I would recommend specific exclusions).

        protocols=!SSLv2:!SSLv3

I tried this too, but same result.

Thanks,

--
           Levi
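
To see which relay hosts never complete a TLS handshake (as with irs-ro.mail.eo.outlook.com above) and which fail only intermittently, the smtp client's log lines can be tallied per host before a per-destination tls_policy entry is added. This is an added example, not part of the original messages; the sample log is constructed in the format quoted in the thread, and mx.example.net, 192.0.2.10 and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format quoted in the thread (not a real capture).
SAMPLE_LOG = """\
Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
Apr 28 10:32:13 srv1 postfix/smtp[18296]: SSL_connect error to irs-ro.mail.eo.outlook.com[213.199.154.23]:25: lost connection
Apr 29 15:04:46 srv1 postfix/smtp[5398]: Untrusted TLS connection established to mx4.hotmail.com[65.55.33.119]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Apr 29 15:10:02 srv1 postfix/smtp[5511]: SSL_connect error to mx.example.net[192.0.2.10]:25: lost connection
Apr 29 15:10:40 srv1 postfix/smtp[5512]: Trusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
"""

# Handshake failure and success lines as logged by the Postfix smtp client.
FAIL_RE = re.compile(r"postfix/smtp\[\d+\]: SSL_connect error to (\S+?)\[[^\]]+\]:\d+: ")
OK_RE = re.compile(
    r"postfix/smtp\[\d+\]: \w+ TLS connection established to "
    r"(\S+?)\[[^\]]+\]:\d+: (\S+) with cipher (\S+)")

def tls_outcomes(log_text):
    """Return {relay_host: {"ok": n, "fail": n, "protocols": {...}}}."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0, "protocols": set()})
    for line in log_text.splitlines():
        m = OK_RE.search(line)
        if m:
            host, proto, _cipher = m.groups()
            stats[host]["ok"] += 1
            stats[host]["protocols"].add(proto)
            continue
        m = FAIL_RE.search(line)
        if m:
            stats[m.group(1)]["fail"] += 1
    return dict(stats)

def always_failing(stats):
    """Relay hosts with at least one failed handshake and no successful one."""
    return sorted(h for h, s in stats.items() if s["fail"] and not s["ok"])

if __name__ == "__main__":
    stats = tls_outcomes(SAMPLE_LOG)
    for host, s in sorted(stats.items()):
        print(host, "ok=%d fail=%d" % (s["ok"], s["fail"]), sorted(s["protocols"]))
    print("never completes TLS:", always_failing(stats))
```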
