On Sat, Apr 15, 2023 at 05:39:21PM +0300, Oleksandr via Postfix-users wrote:

> However, Postfix refuses to accept mail from the video camera and
> demonstrates these lines in the log:

That's not an accurate statement.  Postfix is happy to accept mail from
the camera, but the camera aborts the transmission.

> Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: connect from unknown[192.168.1.44]
> Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: SSL_accept error from unknown[192.168.1.44]: Connection reset by peer
> Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: lost connection after CONNECT from unknown[192.168.1.44]
> Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: disconnect from unknown[192.168.1.44] commands=0/0
> 
> Friends, please tell me how I can fix this problem?

Make available a "PCAP" file (binary data, not text decode) of a single
failed TCP connection between the camera and the server captured via (on
a multihomed host perhaps also "-i <interface>"):

    # tcpdump -s0 -w /some/where/file.pcap tcp port 465 and host 192.168.1.44

>   465        inet  n       -       n       -       -       smtpd
>       -o syslog_name=postfix/smtps
>       -o smtpd_tls_wrappermode=yes
>       -o smtpd_sasl_auth_enable=yes
>       -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>       -o content_filter=smtp-amavis:[127.0.0.1]:10026
>
>   smtpd_tls_CAfile = /etc/ssl/certs/iRedMail.crt
>   smtpd_tls_CApath = /etc/ssl/certs
>   smtpd_tls_cert_file = /etc/ssl/certs/iRedMail.crt
>   smtpd_tls_key_file = /etc/ssl/private/iRedMail.key

Post the server's full certificate chain, that is the output of:

    $ (sleep 2; printf "QUIT\r\n") |
        openssl s_client -connect 127.0.0.1:465 -showcerts 2>&1 |
        openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
        openssl pkcs7 -print_certs -text -noout

>   smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
>       EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA

Just use the default ciphers with no exclusions; a random set of
exclusions does not do you much good (there's no such cipher class in
OpenSSL as aECDH, for example, the DES and EXPORT ciphers are long gone,
eNULL is already disabled by default, and there's no good reason to
disable aNULL ciphers, ...).

-- 
    Viktor.
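
An added example, not part of the original message: a small Python triage of the smtpd log lines quoted above, separating connections the client reset during the TLS handshake (SSL_accept error, lost connection after CONNECT, commands=0/0) from connections that reached SMTP. The PID 1700 session is constructed for contrast, and the function names are this example's own.

```python
import re

# Log lines from the post (re-joined where the mail wrapped them) plus one
# constructed session (PID 1700) for contrast.
SAMPLE_LOG = """\
Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: connect from unknown[192.168.1.44]
Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: SSL_accept error from unknown[192.168.1.44]: Connection reset by peer
Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: lost connection after CONNECT from unknown[192.168.1.44]
Apr 14 23:00:08 mailserver postfix/smtps/smtpd[1653]: disconnect from unknown[192.168.1.44] commands=0/0
Apr 14 23:05:10 mailserver postfix/smtps/smtpd[1700]: connect from unknown[192.168.1.50]
Apr 14 23:05:11 mailserver postfix/smtps/smtpd[1700]: disconnect from unknown[192.168.1.50] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

LINE = re.compile(r"postfix/\S*smtpd\[(\d+)\]: (.*)$", re.M)

def classify(s):
    """Name the stage at which the connection ended."""
    if s["tls_error"] is not None and s["commands"] == 0:
        if "reset by peer" in s["tls_error"]:
            return "client reset the connection during the TLS handshake"
        return "TLS handshake failed before any SMTP command"
    if s["lost_after"]:
        return "client dropped after " + s["lost_after"]
    return "session completed"

def triage(log_text):
    """Return one dict per smtpd connection, in log order."""
    open_by_pid, sessions = {}, []
    for pid, msg in LINE.findall(log_text):
        if msg.startswith("connect from "):
            # One smtpd process serves one client at a time: new connect, new session.
            s = {"client": msg.split()[2], "tls_error": None,
                 "lost_after": None, "commands": None, "verdict": None}
            open_by_pid[pid] = s
            sessions.append(s)
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue
        if msg.startswith("SSL_accept error from "):
            s["tls_error"] = msg.partition(": ")[2]
        elif msg.startswith("lost connection after "):
            s["lost_after"] = msg.split()[3]
        elif msg.startswith("disconnect from "):
            c = re.search(r"commands=(\d+)(?:/(\d+))?", msg)
            s["commands"] = int(c.group(2) or c.group(1)) if c else None
            s["verdict"] = classify(s)
    return sessions
```
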