Re: Trouble with SMTP, TLS and dovecot.org.
> On 07/09/2023 20:46 EEST Ralph Seichter via dovecot wrote:
>
> * Aki Tuomi via dovecot:
>
> > I updated the settings a bit on the server as well. Maybe it works
> > better now?
>
> Yes, it does indeed:
>
> Sep 7 19:33:23 ra postfix/smtp[14429]: Trusted TLS connection established to talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384
> Sep 7 19:33:24 ra postfix/smtp[14429]: 1989FBE002A: to=, relay=talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25, delay=4.3, delays=0.01/0.01/3.6/0.73, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D22D55DEF4)
>
> Thank you, Aki. Would you be willing to share what was changed in your
> server's settings and/or certificates? I am still wondering what exactly
> caused the issue. By the way, I have reverted all TLS-related changes
> previously used for testing on my end, returning to Postfix's defaults.
>
> -Ralph

Mostly just disabled older TLS stuff and in particular enabled TLSv1.3.

Aki

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
Re: Trouble with SMTP, TLS and dovecot.org.
* Aki Tuomi via dovecot:

> I updated the settings a bit on the server as well. Maybe it works
> better now?

Yes, it does indeed:

Sep 7 19:33:23 ra postfix/smtp[14429]: Trusted TLS connection established to talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384
Sep 7 19:33:24 ra postfix/smtp[14429]: 1989FBE002A: to=, relay=talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25, delay=4.3, delays=0.01/0.01/3.6/0.73, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D22D55DEF4)

Thank you, Aki. Would you be willing to share what was changed in your
server's settings and/or certificates? I am still wondering what exactly
caused the issue. By the way, I have reverted all TLS-related changes
previously used for testing on my end, returning to Postfix's defaults.

-Ralph
Re: Trouble with SMTP, TLS and dovecot.org.
> On 07/09/2023 03:49 EEST Ralph Seichter via dovecot wrote:
>
> * Marc Schiffbauer via dovecot:
>
> > Wild guess: you need to explicitly allow for example DEFAULT@SECLEVEL=0
> > ciphersuite in postfix to make *your* openssl accept this remote sslv3
> > connection
>
> Thanks, Marc. I had thought about this, and have tried various Postfix
> parameters related to TLS ciphers and protocols. So far, no dice. In the
> meantime, I also ran tests using Swaks, and this resulted in a possible
> different route of investigation: Postfix uses a certificate issued by
> Let's Encrypt (secp384r1) for both in- and outbound connections with
> STARTTLS. If I use the same certificate with Swaks, I see the same error
> as I do with Postfix. If I use Swaks *without* specifying a local TLS
> certificate, the STARTTLS handshake works:
>
> === Trying talvi.dovecot.org:25...
> === Connected to talvi.dovecot.org.
> <- 220 talvi.dovecot.org ESMTP Postfix (Debian/GNU)
>  -> EHLO ra.horus-it.com
> <- 250-talvi.dovecot.org
> <- 250-PIPELINING
> <- 250-SIZE 104857600
> <- 250-ETRN
> <- 250-STARTTLS
> <- 250-ENHANCEDSTATUSCODES
> <- 250-8BITMIME
> <- 250-DSN
> <- 250 CHUNKING
>  -> STARTTLS
> <- 220 2.0.0 Ready to start TLS
> === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
> === TLS no local certificate set
> === TLS peer DN="/CN=talvi.dovecot.org"
>
> Looks like the combination of certificate ciphers and OpenSSL library
> versions on my end and on the talvi.dovecot.org end is causing some
> bother. The original error message points to a protocol issue, not a
> cipher problem, and how SSLv3 gets into the mix is anybody's guess.
> Perhaps I'll see clearer after some much needed sleep.
>
> -Ralph

I updated the settings a bit on the server as well. Maybe it works better now?

Aki
Re: Trouble with SMTP, TLS and dovecot.org.
* Marc Schiffbauer via dovecot:

> Wild guess: you need to explicitly allow for example DEFAULT@SECLEVEL=0
> ciphersuite in postfix to make *your* openssl accept this remote sslv3
> connection

Thanks, Marc. I had thought about this, and have tried various Postfix
parameters related to TLS ciphers and protocols. So far, no dice. In the
meantime, I also ran tests using Swaks, and this resulted in a possible
different route of investigation: Postfix uses a certificate issued by
Let's Encrypt (secp384r1) for both in- and outbound connections with
STARTTLS. If I use the same certificate with Swaks, I see the same error
as I do with Postfix. If I use Swaks *without* specifying a local TLS
certificate, the STARTTLS handshake works:

=== Trying talvi.dovecot.org:25...
=== Connected to talvi.dovecot.org.
<- 220 talvi.dovecot.org ESMTP Postfix (Debian/GNU)
 -> EHLO ra.horus-it.com
<- 250-talvi.dovecot.org
<- 250-PIPELINING
<- 250-SIZE 104857600
<- 250-ETRN
<- 250-STARTTLS
<- 250-ENHANCEDSTATUSCODES
<- 250-8BITMIME
<- 250-DSN
<- 250 CHUNKING
 -> STARTTLS
<- 220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=talvi.dovecot.org"

Looks like the combination of certificate ciphers and OpenSSL library
versions on my end and on the talvi.dovecot.org end is causing some
bother. The original error message points to a protocol issue, not a
cipher problem, and how SSLv3 gets into the mix is anybody's guess.
Perhaps I'll see clearer after some much needed sleep.

-Ralph
Re: Trouble with SMTP, TLS and dovecot.org.
* Ralph Seichter via dovecot wrote on 06.09.23 at 22:43:

> Hello,
>
> I cannot seem to send STARTTLS protected mail to talvi.dovecot.org, and
> I was wondering if anybody else sees similar problems:
>
> Sep 6 22:29:10 ra postfix/smtp[15748]: SSL_connect error to talvi.dovecot.org[94.237.105.223]:25: -1
> Sep 6 22:29:10 ra postfix/smtp[15748]: warning: TLS library problem: error:0A000417:SSL routines::sslv3 alert illegal parameter:../openssl-3.0.9/ssl/record/rec_layer_s3.c:1586:SSL alert number 47:
> Sep 6 22:29:10 ra postfix/smtp[15748]: 1AAE4BE0031: Cannot start TLS: handshake failure
> Sep 6 22:29:10 ra postfix/smtp[15748]: SSL_connect error to talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25: -1
> Sep 6 22:29:10 ra postfix/smtp[15748]: warning: TLS library problem: error:0A000417:SSL routines::sslv3 alert illegal parameter:../openssl-3.0.9/ssl/record/rec_layer_s3.c:1586:SSL alert number 47:
> Sep 6 22:29:10 ra postfix/smtp[15748]: 1AAE4BE0031: to=, relay=talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25, delay=1.6, delays=0.02/0.01/1.6/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
> Sep 6 22:30:05 ra postfix/smtpd[15616]: timeout after END-OF-MESSAGE from localhost[127.0.0.1]
> Sep 6 22:30:05 ra postfix/smtpd[15616]: disconnect from localhost[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
>
> The originating server uses Postfix 3.8.2 and OpenSSL library
> 3.0.9. To be able to send messages to dovecot.org at all, I had to use
> Postfix's "smtp_tls_policy_maps" setting to explicitly disable TLS for
> this destination domain.

Your openssl-3.0.9 (I suppose gentoo stable?) will not allow TLSv1 or sslv3 connections by default anymore.

Wild guess: you need to explicitly allow for example DEFAULT@SECLEVEL=0 ciphersuite in postfix to make *your* openssl accept this remote sslv3 connection

Cheers
-Marc

--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
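Added example, not code from this thread and not part of Postfix, Dovecot or OpenSSL: a small Python classifier for the kind of Postfix smtp(8) log lines quoted in the thread. It pairs each "SSL_connect error" and "TLS library problem" warning with the relay it concerns, decodes the TLS alert number (47 is illegal_parameter in RFC 5246/8446; OpenSSL prefixes every received alert with "sslv3 alert" because that code lives in its SSLv3-era record layer, which is why SSLv3 appears in the message even though no SSLv3 was negotiated), and records the protocol, cipher and key-exchange parameters of each successful session. Run over a mail log it shows a defender both that a destination fails STARTTLS and when it starts working again. The sample input is constructed from the lines posted in the thread (recipient elided there, so elided here) plus one made-up TLSv1 session to a hypothetical host mx.example.net that exercises the weak-protocol check.

```python
"""Classify Postfix smtp(8) TLS log lines and flag failed or weak sessions."""
import re
from collections import Counter, defaultdict

# Alert codes from RFC 5246 / RFC 8446. OpenSSL reports any received alert as
# "sslv3 alert <name>"; the version on the wire is whatever was negotiated.
ALERT_NAMES = {
    40: "handshake_failure",
    42: "bad_certificate",
    47: "illegal_parameter",
    48: "unknown_ca",
    70: "protocol_version",
    71: "insufficient_security",
}

# Protocol versions that should no longer be negotiated between MTAs.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

_PFX = r"postfix/smtpd?\[\d+\]: "
CONNECT_ERROR = re.compile(
    _PFX + r"SSL_connect error to (?P<relay>[^\[ ]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<rc>-?\d+)")
LIBRARY_PROBLEM = re.compile(
    _PFX + r"warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]+)(?:.*?SSL alert number (?P<alert>\d+))?")
ESTABLISHED = re.compile(
    _PFX + r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?:to|from) (?P<relay>[^\[ ]+)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)(?P<tail>.*)$")
TAIL_PARAM = re.compile(
    r"(key-exchange|server-signature|server-digest|client-signature|client-digest) (\S+)(?: \(([^)]*)\))?")
DELIVERY = re.compile(
    _PFX + r"(?P<queue>[0-9A-Za-z]+): to=(?P<to>[^,]*), relay=(?P<relay>[^\[ ,]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+), "
    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)$")
CANNOT_START = re.compile(_PFX + r"(?P<queue>[0-9A-Za-z]+): Cannot start TLS: (?P<why>.+)$")

# Constructed sample: the failing lines from the 6 Sep report, the working
# lines from 7 Sep, and one invented TLSv1 session to a hypothetical host.
SAMPLE_LOG = """\
Sep 6 22:29:10 ra postfix/smtp[15748]: SSL_connect error to talvi.dovecot.org[94.237.105.223]:25: -1
Sep 6 22:29:10 ra postfix/smtp[15748]: warning: TLS library problem: error:0A000417:SSL routines::sslv3 alert illegal parameter:../openssl-3.0.9/ssl/record/rec_layer_s3.c:1586:SSL alert number 47:
Sep 6 22:29:10 ra postfix/smtp[15748]: 1AAE4BE0031: Cannot start TLS: handshake failure
Sep 6 22:29:10 ra postfix/smtp[15748]: 1AAE4BE0031: to=, relay=talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25, delay=1.6, delays=0.02/0.01/1.6/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Sep 7 19:33:23 ra postfix/smtp[14429]: Trusted TLS connection established to talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (prime256v1) server-signature RSA-PSS (2048 bits) server-digest SHA256 client-signature ECDSA (secp384r1) client-digest SHA384
Sep 7 19:33:24 ra postfix/smtp[14429]: 1989FBE002A: to=, relay=talvi.dovecot.org[2a04:3545:1000:720:acc1:5bff:fe5e:459]:25, delay=4.3, delays=0.01/0.01/3.6/0.73, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as D22D55DEF4)
Sep 7 19:40:00 ra postfix/smtp[14430]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
"""


def parse_line(line):
    """Return a dict describing one TLS-related Postfix log line, or None."""
    m = ESTABLISHED.search(line)
    if m:
        ev = {"kind": "established", "trust": m["trust"], "relay": m["relay"], "ip": m["ip"],
              "proto": m["proto"], "cipher": m["cipher"], "bits": int(m["bits"]), "params": {}}
        for name, algo, detail in TAIL_PARAM.findall(m["tail"]):
            ev["params"][name] = (algo, detail or None)
        return ev
    m = LIBRARY_PROBLEM.search(line)
    if m:
        alert = int(m["alert"]) if m["alert"] else None
        return {"kind": "library_problem", "code": m["code"], "reason": m["reason"], "alert": alert,
                "alert_name": ALERT_NAMES.get(alert, "unknown") if alert is not None else None}
    m = CONNECT_ERROR.search(line)
    if m:
        return {"kind": "connect_error", "relay": m["relay"], "ip": m["ip"], "rc": int(m["rc"])}
    m = DELIVERY.search(line)
    if m:
        return {"kind": "delivery", "queue": m["queue"], "relay": m["relay"], "ip": m["ip"],
                "dsn": m["dsn"], "status": m["status"], "detail": m["detail"]}
    m = CANNOT_START.search(line)
    if m:
        return {"kind": "cannot_start", "queue": m["queue"], "why": m["why"]}
    return None


def summarize(log_text):
    """Group events per relay host: sessions, handshake errors, delivery status."""
    relays = defaultdict(lambda: {"sessions": [], "connect_errors": 0, "alerts": [], "status": Counter()})
    current = None  # relay named by the most recent SSL_connect / established line
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "connect_error":
            current = ev["relay"]
            relays[current]["connect_errors"] += 1
        elif ev["kind"] == "library_problem" and current is not None:
            relays[current]["alerts"].append(ev)  # logged right after SSL_connect for the same relay
        elif ev["kind"] == "established":
            current = ev["relay"]
            relays[current]["sessions"].append(ev)
        elif ev["kind"] == "delivery":
            relays[ev["relay"]]["status"][ev["status"]] += 1
    return dict(relays)


def findings(relays):
    """Human-readable problems: failed handshakes (with alert names) and weak protocols."""
    out = []
    for relay, s in sorted(relays.items()):
        if s["connect_errors"]:
            names = sorted({f'{a["alert_name"]}({a["alert"]})' for a in s["alerts"] if a["alert"] is not None})
            out.append(f"{relay}: {s['connect_errors']} failed TLS handshake(s), alerts received: "
                       f"{', '.join(names) or 'none'}; deferred={s['status']['deferred']} sent={s['status']['sent']}")
        for ev in s["sessions"]:
            if ev["proto"] in WEAK_PROTOCOLS:
                out.append(f"{relay}: {ev['proto']} negotiated ({ev['cipher']}); below TLSv1.2")
    return out


if __name__ == "__main__":
    for item in findings(summarize(SAMPLE_LOG)):
        print(item)
```

Feed it `journalctl -u postfix` or `/var/log/mail.log` output instead of the sample to see which destinations are failing STARTTLS and which ones still negotiate pre-TLSv1.2 sessions.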