Re: Unable to send or receive from Gmail
On 22.06.19 15:03, Security Admin (NetSec) wrote:
> I figured TLS 1.3 might be the culprit from the logs. The OpenSSL version shows "OpenSSL 1.1.1 11 Sep 2018" and it was updated recently via Ubuntu. How might I go about not negotiating TLS 1.3, as it is obvious I need to update some certificates (which I will worry about later).

Have you tried to enforce tls1.3? Lower TLS version should be negotiated if 1.3 negotiation doesn't succeed.

What are your tls-related options?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
"Where do you want to go to die?" [Microsoft]

Re: Unable to send or receive from Gmail
" If you are netsecdesign.com, ssllabs says your cert has issues. Not that this may be your problem, but I would fix that first."

This cert is not the same cert or the same server or the same IP address as my postfix SMTP gateway. The postfix SMTP gateway uses a self-signed certificate.

On 6/21/19, 10:42 PM, "owner-postfix-us...@postfix.org on behalf of Viktor Dukhovni" wrote:

> > On Jun 22, 2019, at 1:12 AM, lists wrote:
> >
> > If you are netsecdesign.com, ssllabs says your cert has issues. Not that this may be your problem, but I would fix that first.
>
> The certificate is past its nominal expiration, but perhaps more importantly its "Basic Key Usage" field says:
>
>     X509v3 Key Usage:
>         Certificate Sign
>
> which does not include digitalSignature, and that's most likely the issue. A more appropriate certificate is more likely to work. Gmail IIRC enforces more TLS hygiene when TLSv1.3 is negotiated.
>
> --
> Viktor.

Re: Unable to send or receive from Gmail (temp solution)
Doh! !TLSv1.3 added to "main.conf" fixed the issue hopefully. Will work on updating certificate later...

On 6/22/19, 8:10 AM, "owner-postfix-us...@postfix.org on behalf of Security Admin (NetSec)" wrote:

> I figured TLS 1.3 might be the culprit from the logs. The OpenSSL version shows "OpenSSL 1.1.1 11 Sep 2018" and it was updated recently via Ubuntu. How might I go about not negotiating TLS 1.3, as it is obvious I need to update some certificates (which I will worry about later).
>
> Edward Ray
>
> On 6/21/19, 10:36 PM, "owner-postfix-us...@postfix.org on behalf of Viktor Dukhovni" wrote:
>
> > On Sat, Jun 22, 2019 at 04:09:45AM +, Security Admin (NetSec) wrote:
> >
> > > Within the last week or so I am suddenly unable to send or receive from
> > > Google Gmail. Any help with this issue would be appreciated.
> >
> > What version of OpenSSL is installed on your system? Was it upgraded recently? You are now negotiating TLSv1.3, was that the case previously?
> >
> > > Receive Error from mail.log:
> > >
> > > Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
> > > Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
> >
> > Your SMTP server has just sent its certificate chain, and signature over the handshake transcript (so far).
> >
> > > Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
> >
> > The SMTP client responds with an "illegal parameter" alert. As yet, unclear why.
> >
> > > Send Error from mail.log:
> > >
> > > Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
> > > Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
> >
> > Sadly this too is a receive log.
> >
> > --
> > Viktor.

Re: Unable to send or receive from Gmail
The website for “netsecdesign.com” is different than the one for my postfix gateway. Different machine, different IP address, different cert.

From: on behalf of lists
Date: Friday, June 21, 2019 at 10:13 PM
To: Security Admin , "postfix-users@postfix.org"
Subject: Re: Unable to send or receive from Gmail

If you are netsecdesign.com, ssllabs says your cert has issues. Not that this may be your problem, but I would fix that first.

From: secad...@netsecdesign.com
Sent: June 21, 2019 9:19 PM
To: postfix-users@postfix.org
Subject: Unable to send or receive from Gmail

Within the last week or so I am suddenly unable to send or receive from Google Gmail. Any help with this issue would be appreciated.

Receive Error from mail.log:

Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept error from mail-wm1-f52.google.com[209.85.128.52]: -1
Jun 21 20:59:26 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 20:59:26 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-wm1-f52.google.com[209.85.128.52]
Jun 21 20:59:26 portus postfix/smtpd[3726]: disconnect from mail-wm1-f52.google.com[209.85.128.52] ehlo=1 starttls=0/1 commands=1/2

Send Error from mail.log:

Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept error from mail-pl1-f180.google.com[209.85.214.180]: -1
Jun 21 21:05:47 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 21:05:47 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-pl1-f180.google.com[209.85.214.180]
Jun 21 21:05:47 portus postfix/smtpd[3726]: disconnect from mail-pl1-f180.google.com[209.85.214.180] ehlo=1 starttls=0/1 commands=1/2

Re: Unable to send or receive from Gmail
OK, but then I would verify the cert you are using and would still fix this cert since ssllabs says it is not trusted.

From: secad...@netsecdesign.com
Sent: June 22, 2019 8:03 AM
To: li...@lazygranch.com; postfix-users@postfix.org
Subject: Re: Unable to send or receive from Gmail

The website for “netsecdesign.com” is different than the one for my postfix gateway. Different machine, different IP address, different cert.

From: <owner-postfix-us...@postfix.org> on behalf of lists <li...@lazygranch.com>
Date: Friday, June 21, 2019 at 10:13 PM
To: Security Admin <secad...@netsecdesign.com>, "postfix-users@postfix.org" <postfix-users@postfix.org>
Subject: Re: Unable to send or receive from Gmail

If you are netsecdesign.com, ssllabs says your cert has issues. Not that this may be your problem, but I would fix that first.

From: secad...@netsecdesign.com
Sent: June 21, 2019 9:19 PM
To: postfix-users@postfix.org
Subject: Unable to send or receive from Gmail

Within the last week or so I am suddenly unable to send or receive from Google Gmail. Any help with this issue would be appreciated.

Receive Error from mail.log:

Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept error from mail-wm1-f52.google.com[209.85.128.52]: -1
Jun 21 20:59:26 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 20:59:26 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-wm1-f52.google.com[209.85.128.52]
Jun 21 20:59:26 portus postfix/smtpd[3726]: disconnect from mail-wm1-f52.google.com[209.85.128.52] ehlo=1 starttls=0/1 commands=1/2

Send Error from mail.log:

Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept error from mail-pl1-f180.google.com[209.85.214.180]: -1
Jun 21 21:05:47 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 21:05:47 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-pl1-f180.google.com[209.85.214.180]
Jun 21 21:05:47 portus postfix/smtpd[3726]: disconnect from mail-pl1-f180.google.com[209.85.214.180] ehlo=1 starttls=0/1 commands=1/2

Re: Unable to send or receive from Gmail
I figured TLS 1.3 might be the culprit from the logs. The OpenSSL version shows "OpenSSL 1.1.1 11 Sep 2018" and it was updated recently via Ubuntu. How might I go about not negotiating TLS 1.3, as it is obvious I need to update some certificates (which I will worry about later).

Edward Ray

On 6/21/19, 10:36 PM, "owner-postfix-us...@postfix.org on behalf of Viktor Dukhovni" wrote:

> On Sat, Jun 22, 2019 at 04:09:45AM +, Security Admin (NetSec) wrote:
>
> > Within the last week or so I am suddenly unable to send or receive from
> > Google Gmail. Any help with this issue would be appreciated.
>
> What version of OpenSSL is installed on your system? Was it upgraded recently? You are now negotiating TLSv1.3, was that the case previously?
>
> > Receive Error from mail.log:
> >
> > Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
> > Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
>
> Your SMTP server has just sent its certificate chain, and signature over the handshake transcript (so far).
>
> > Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
>
> The SMTP client responds with an "illegal parameter" alert. As yet, unclear why.
>
> > Send Error from mail.log:
> >
> > Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
> > Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
>
> Sadly this too is a receive log.
>
> --
> Viktor.

Re: Unable to send or receive from Gmail
> On Jun 22, 2019, at 1:12 AM, lists wrote:
>
> If you are netsecdesign.com, ssllabs says your cert has issues. Not that this
> may be your problem, but I would fix that first.

The certificate is past its nominal expiration, but perhaps more importantly its "Basic Key Usage" field says:

    X509v3 Key Usage:
        Certificate Sign

which does not include digitalSignature, and that's most likely the issue. A more appropriate certificate is more likely to work. Gmail IIRC enforces more TLS hygiene when TLSv1.3 is negotiated.

--
Viktor.

Re: Unable to send or receive from Gmail
On Sat, Jun 22, 2019 at 04:09:45AM +, Security Admin (NetSec) wrote:

> Within the last week or so I am suddenly unable to send or receive from
> Google Gmail. Any help with this issue would be appreciated.

What version of OpenSSL is installed on your system? Was it upgraded recently? You are now negotiating TLSv1.3, was that the case previously?

> Receive Error from mail.log:
>
> Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
> Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished

Your SMTP server has just sent its certificate chain, and signature over the handshake transcript (so far).

> Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter

The SMTP client responds with an "illegal parameter" alert. As yet, unclear why.

> Send Error from mail.log:
>
> Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
> Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify

Sadly this too is a receive log.

--
Viktor.

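The log reading in the message above can be automated. The following is an added example, not code from the thread or from Postfix: it groups smtpd TLS debug lines by process id and flags sessions where the peer sent a fatal alert after the server's CertificateVerify went out, the pattern that points at the server's own certificate. The function name `triage` and the result field names are assumptions of this example; the sample input is the first failing session from the original post.

```python
import re

# TLS alert codes from RFC 8446 section 6.2 (subset relevant to certificate triage).
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown", 47: "illegal_parameter"}
LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
STATE = re.compile(r"SSL_accept:(SSLv3/TLS|TLSv1\.\d) (.+)$")
ALERT = re.compile(r"SSL3 alert (read|write):(\w+):(.+)$")
ALERT_NO = re.compile(r"SSL alert number (\d+)")
PEER = re.compile(r"disconnect from (\S+?)\[([0-9a-fA-F.:]+)\]")

def triage(lines):
    """Return one finding per smtpd session that ended with a fatal TLS alert."""
    sessions, findings = {}, []   # sessions: smtpd pid -> handshake events seen so far
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions.setdefault(pid, {"steps": [], "tls13": False})
        if st := STATE.match(msg):
            s["tls13"] |= st[1] == "TLSv1.3"
            s["steps"].append(st[2])
        elif al := ALERT.match(msg):
            s["alert"] = al.groups()          # (direction, level, description)
        elif no := ALERT_NO.search(msg):
            s["alert_no"] = int(no[1])
        elif peer := PEER.match(msg):
            sessions.pop(pid)                 # the disconnect line closes the session
            direction, level, text = s.get("alert", ("", "", ""))
            if level != "fatal":
                continue
            sent_by = "peer" if direction == "read" else "local"
            findings.append({
                "peer": peer[1], "ip": peer[2], "tls13": s["tls13"],
                "alert": ALERTS.get(s.get("alert_no"), text), "alert_sent_by": sent_by,
                # Peer aborted after our CertificateVerify went out: inspect our own cert.
                "check_server_cert": sent_by == "peer" and "write server certificate verify" in s["steps"],
            })
    return findings

# First failing session, copied from the mail.log excerpt in the original post.
SAMPLE = """\
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept error from mail-wm1-f52.google.com[209.85.128.52]: -1
Jun 21 20:59:26 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 20:59:26 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-wm1-f52.google.com[209.85.128.52]
Jun 21 20:59:26 portus postfix/smtpd[3726]: disconnect from mail-wm1-f52.google.com[209.85.128.52] ehlo=1 starttls=0/1 commands=1/2
""".splitlines()
```

`triage(SAMPLE)` returns a single finding for mail-wm1-f52.google.com with `alert_sent_by` set to `peer` and `check_server_cert` set; the flag is a triage hint that matches the certificate hypothesis raised in the thread, not proof of the cause.
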
Re: Unable to send or receive from Gmail
If you are netsecdesign.com, ssllabs says your cert has issues. Not that this may be your problem, but I would fix that first.

From: secad...@netsecdesign.com
Sent: June 21, 2019 9:19 PM
To: postfix-users@postfix.org
Subject: Unable to send or receive from Gmail

Within the last week or so I am suddenly unable to send or receive from Google Gmail. Any help with this issue would be appreciated.

Receive Error from mail.log:

Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept error from mail-wm1-f52.google.com[209.85.128.52]: -1
Jun 21 20:59:26 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 20:59:26 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-wm1-f52.google.com[209.85.128.52]
Jun 21 20:59:26 portus postfix/smtpd[3726]: disconnect from mail-wm1-f52.google.com[209.85.128.52] ehlo=1 starttls=0/1 commands=1/2

Send Error from mail.log:

Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept error from mail-pl1-f180.google.com[209.85.214.180]: -1
Jun 21 21:05:47 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 21:05:47 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-pl1-f180.google.com[209.85.214.180]
Jun 21 21:05:47 portus postfix/smtpd[3726]: disconnect from mail-pl1-f180.google.com[209.85.214.180] ehlo=1 starttls=0/1 commands=1/2

Unable to send or receive from Gmail
Within the last week or so I am suddenly unable to send or receive from Google Gmail. Any help with this issue would be appreciated.

Receive Error from mail.log:

Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 20:59:26 portus postfix/smtpd[3726]: SSL_accept error from mail-wm1-f52.google.com[209.85.128.52]: -1
Jun 21 20:59:26 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 20:59:26 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-wm1-f52.google.com[209.85.128.52]
Jun 21 20:59:26 portus postfix/smtpd[3726]: disconnect from mail-wm1-f52.google.com[209.85.128.52] ehlo=1 starttls=0/1 commands=1/2

Send Error from mail.log:

Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write certificate
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 write server certificate verify
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:SSLv3/TLS write finished
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:TLSv1.3 early data
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL3 alert read:fatal:illegal parameter
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept:error in error
Jun 21 21:05:47 portus postfix/smtpd[3726]: SSL_accept error from mail-pl1-f180.google.com[209.85.214.180]: -1
Jun 21 21:05:47 portus postfix/smtpd[3726]: warning: TLS library problem: error:14094417:SSL routines:ssl3_read_bytes:sslv3 alert illegal parameter:../ssl/record/rec_layer_s3.c:1528:SSL alert number 47:
Jun 21 21:05:47 portus postfix/smtpd[3726]: lost connection after STARTTLS from mail-pl1-f180.google.com[209.85.214.180]
Jun 21 21:05:47 portus postfix/smtpd[3726]: disconnect from mail-pl1-f180.google.com[209.85.214.180] ehlo=1 starttls=0/1 commands=1/2