Re: TLS issue with purchase order emails from ariba.com system.

2022-06-17 Thread P V Anthony
On 17/6/2022 12:11 pm, raf wrote: Something like the following should do it (after making the renewal config changes that Viktor mentioned (or including them in the command)): certbot renew --force-renewal --cert-name XXX Also note that there is a very useful forum for help with

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-17 Thread raf
On Wed, Jun 15, 2022 at 11:09:10PM +0530, P V Anthony wrote: > Please note, I am still finding how to force renew with the letsencrypt > certs with the new renewal settings. Something like the following should do it (after making the renewal config changes that Viktor mentioned (or including

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-16 Thread P V Anthony
On 16/6/2022 8:16 pm, Viktor Dukhovni wrote: So it is far from clear what you could do to make this client happy. Perhaps some security middlebox near the client is misbehaving, or its TLS stack is broken beyond repair. Your best may be to disable STARTTLS for connections from this client:

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-16 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 03:09:16PM -0400, Viktor Dukhovni wrote: > You can share the PCAP file with me off-list. Thanks for the PCAP file. An immediate interesting feature is how the connection is terminated ("tcpdump" output edited to trim excess detail): 22:32:13.555416 1711 > 25: [S],

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-15 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 11:09:10PM +0530, P V Anthony wrote: > Unfortunately I am not experienced enough to find the problem from the logs. > > Any suggests? > > Please note, I am still finding how to force renew with the letsencrypt > certs with the new renewal settings. > >

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-15 Thread P V Anthony
On 15/6/2022 3:08 am, Viktor Dukhovni wrote: Increasing security is primarily about raising the *ceiling*, and rarely about raising not floor. When you set the bar too high, instead of greater security, mail is sent in the clear or not at all. Got better logs for the ariba.com problem. The

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 3:08 am, Viktor Dukhovni wrote: Increasing security is primarily about raising the *ceiling*, and rarely about raising not floor. When you set the bar too high, instead of greater security, mail is sent in the clear or not at all.

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 12:33:52AM +0200, Steffen Nurpmeso wrote: > Viktor Dukhovni wrote in > : > |On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: > |> On 13/6/2022 4:31 pm, Wietse Venema wrote: > ... > |Two comments on your server setup: > | > |* The server certificate

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Steffen Nurpmeso
Viktor Dukhovni wrote in : |On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: |> On 13/6/2022 4:31 pm, Wietse Venema wrote: ... |Two comments on your server setup: | |* The server certificate is 4096 bit RSA. This is needlessly turgid. The FreeBSD handbook recommended 4096

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Tue, Jun 14, 2022 at 05:51:17PM -0400, Dan Mahoney wrote: > Postfix has sane defaults as long as you run a fairly recent version, > and the developers have clue. Not all apps have sane defaults (for > example, I could see the need to configure default SSL configs with > Sendmail). Even when

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Dan Mahoney
> On Jun 14, 2022, at 5:30 PM, P V Anthony wrote: > > On 15/6/2022 2:43 am, Viktor Dukhovni wrote: > >> The simplest configuration is therefore to just leave the parameter >> unset, the default value will be sensible. > > I have just commented out smtpd_tls_dh1024_param_file > > I have made

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 03:00:58AM +0530, P V Anthony wrote: > On 15/6/2022 2:43 am, Viktor Dukhovni wrote: > > > The simplest configuration is therefore to just leave the parameter > > unset, the default value will be sensible. > > I have just commented out smtpd_tls_dh1024_param_file > > I

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:43 am, Viktor Dukhovni wrote: The simplest configuration is therefore to just leave the parameter unset, the default value will be sensible. I have just commented out smtpd_tls_dh1024_param_file I have made so many mistakes trying to increase security. Talk about bobo on

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:45:36AM +0530, P V Anthony wrote: > smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param Also, this appears to be a 4096-bit DH key, again much too turgid. Use 2048 bits instead: https://www.postfix.org/postconf.5.html#smtpd_tls_dh1024_param_file

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:33 am, Viktor Dukhovni wrote: Actually, don't. I meant "2". Ok. I have just changed it to "2". Thank you for being patient. P.V.Anthony

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:46:49AM +0530, P V Anthony wrote: > On 15/6/2022 1:32 am, Viktor Dukhovni wrote: > > > You may need to temporarily raise the TLS log level to "2". > > > > smtpd_tls_loglevel = 2 > > Just did smtpd_tls_loglevel = 3 just to be sure. Actually, don't. I meant "2".

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:16 am, Viktor Dukhovni wrote: Either add the option: --preferred-chain "ISRG Root X1" to your cron job running "certbot renew", or else add the following to configuration under /etc/letsencrypt/renewal/, preferred_chain = ISRG Root X1 Wow!!! Thank you very much

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 2:20 am, Viktor Dukhovni wrote: For this, in the renewal configuration file: rsa_key_size = 2048 or on the command-line: --rsa-key-size=2048 Thank you very very very much for helping. I really do appreciate it very very very much. This advice has saved me a lot of

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:56:59AM +0530, P V Anthony wrote: > On 15/6/2022 1:45 am, Viktor Dukhovni wrote: > > > Two comments on your server setup: > > > > * The server certificate is 4096 bit RSA. This is needlessly turgid. > >The issuing CA is 2048 bits, there is little to gain

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 01:56:59AM +0530, P V Anthony wrote: > > * The "Let's Encrypt CA" chain is configured for compatibility with > > legacy Android systems that trust the expired "DST" root CA: > > > > subject=CN = prometheus.mindmedia.com.sg > > issuer=C = US, O = Let's Encrypt, CN

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 1:45 am, Viktor Dukhovni wrote: Two comments on your server setup: * The server certificate is 4096 bit RSA. This is needlessly turgid. The issuing CA is 2048 bits, there is little to gain from a stronger EE key. Some peer libraries may not support keys of

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 1:32 am, Viktor Dukhovni wrote: You may need to temporarily raise the TLS log level to "2". smtpd_tls_loglevel = 2 Just did smtpd_tls_loglevel = 3 just to be sure. This is unfortunately going to apply to all remote clients, not just "ariba". Noted. P.V.Anthony

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 15/6/2022 12:38 am, Wietse Venema wrote: What is the output from: # postconf -nf | grep tls | grep -v smtp_ smtpd_tls_cert_file = /etc/postfix/smtpd.cert smtpd_tls_dh1024_param_file = /etc/pki/tls/private/postfix.dh.param smtpd_tls_key_file = /etc/postfix/smtpd.key smtpd_tls_loglevel = 3

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: > On 13/6/2022 4:31 pm, Wietse Venema wrote: > > > Delete the TLS protocol and cipher crap, and see if that solves > > the problem. > > I am sad to report, even after removing the bad configs, the ariba > emails are still not coming

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Viktor Dukhovni
On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote: > On 13/6/2022 4:31 pm, Wietse Venema wrote: > > > Delete the TLS protocol and cipher crap, and see if that solves > > the problem. > > I am sad to report, even after removing the bad configs, the ariba > emails are still not coming

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread Wietse Venema
P V Anthony: > On 13/6/2022 4:31 pm, Wietse Venema wrote: > > > Delete the TLS protocol and cipher crap, and see if that solves > > the problem. > > I am sad to report, even after removing the bad configs, the ariba > emails are still not coming in. > > Here are the logs. Is there any other

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-14 Thread P V Anthony
On 13/6/2022 4:31 pm, Wietse Venema wrote: Delete the TLS protocol and cipher crap, and see if that solves the problem. I am sad to report, even after removing the bad configs, the ariba emails are still not coming in. Here are the logs. Is there any other thing I can do? --

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-13 Thread P V Anthony
On 13/6/2022 5:04 pm, Viktor Dukhovni wrote: Well, it is certainly not recommended in the Postfix documentation. Various OpenSSL cipher recommendations on the Internet are generally a bad idea. So sure, "crap". Thank you very much, Wietse and Viktor, for taking the time to reply and

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-13 Thread Viktor Dukhovni
On Mon, Jun 13, 2022 at 04:57:27PM +0530, P V Anthony wrote: > > Haha! Oh no! I must have made such a big mistake for it to be called > crap. Haha! Well, it is certainly not recommended in the Postfix documentation. Various OpenSSL cipher recommendations on the Internet are generally a bad

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-13 Thread P V Anthony
On 13/6/2022 4:31 pm, Wietse Venema wrote: Delete the TLS protocol and cipher crap, and see if that solves the problem. Thank you very much for replying and helping. Haha! Oh no! I must have made such a big mistake for it to be called crap. Haha! Just to confirm, are these to be deleted?

Re: TLS issue with purchase order emails from ariba.com system.

2022-06-13 Thread Wietse Venema
P V Anthony: > Hi, > > Having problems with purchase order emails from ariba.com systems. > > Has anyone experienced this similar issue with ariba.com? > > Here are the logs from our side. Delete the TLS protocol and cipher crap, and see if that solves the problem. Wietse

TLS issue with purchase order emails from ariba.com system.

2022-06-13 Thread P V Anthony
Hi, Having problems with purchase order emails from ariba.com systems. Has anyone experienced this similar issue with ariba.com? Here are the logs from our side. -- start Jun 13 15:13:22 mail postfix/smtpd[4153705]: connect from

Re: TLS issue

2016-12-05 Thread Viktor Dukhovni
posting a properly detailed problem description. The above isn't even close. http://postfix.1071664.n5.nabble.com/TLS-issue-td87598.html#a87612 http://www.postfix.org/DEBUG_README.html#mail http://www.postfix.org/DEBUG_README.html#sniffer To decode TLS packet dumps: $ tshark -r /file/name -V -x a

Re: TLS issue

2016-12-05 Thread Zalezny Niezalezny
Problem is generated by one of our Ironport systems which is trying to establish TLS connection. In Postfix server I already configured it: smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3 smtpd_tls_protocols = !SSLv2,!SSLv3 smtp_tls_protocols = !SSLv2,!SSLv3 I suspect that TLS client is not

Re: TLS issue

2016-12-03 Thread
On 12/2/16 12:16 PM, Wietse Venema wrote: With 'no shared ciphers' happening frequently, do we want to set up a TLS troubleshooting document, or is the decision tree too complex for such a document to be useful? Considering how often the question is asked, probably. However, I think the error

Re: TLS issue

2016-12-02 Thread John Stoffel
The problem is only going to get worse, so any guidance and probably even some more general error messages giving more direct hints would be appreciated. The guy who just posted his solution to interoperate with old postfix and the Windows patch he could use is a perfect example. Sent from

Re: TLS issue

2016-12-02 Thread Postfix User
On Fri, 2 Dec 2016 14:16:20 -0500 (EST), Wietse Venema stated: >With 'no shared ciphers' happening frequently, do we want to set >up a TLS troubleshooting document, or is the decision tree too >complex for such a document to be useful? +1 for a "TLS Troubleshooting Document" -- Jerry

Re: TLS issue

2016-12-02 Thread Wietse Venema
Viktor Dukhovni: > > > On Dec 2, 2016, at 4:22 AM, Zalezny Niezalezny > > wrote: > > > > Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error > > from smtptransit.de.net.intra[152.21.2.44]: -1 > > Dec 2 10:12:03 postfix-server01

Re: TLS issue

2016-12-02 Thread Viktor Dukhovni
> On Dec 2, 2016, at 4:22 AM, Zalezny Niezalezny > wrote: > > Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from > smtptransit.de.net.intra[152.21.2.44]: -1 > Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library >

Re: TLS issue

2016-12-02 Thread Wietse Venema
Zalezny Niezalezny: > Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library > problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared > cipher:s3_srvr.c:1352: This is asked once a week. Google for 'SSL3_GET_CLIENT_HELLO no shared cipher'.

Re: TLS issue

2016-12-02 Thread Paweł Grzesik
That looks like a problem with your certificates. You can check/verify them by openssl command. Thanks, Pawel 2016-12-02 9:22 GMT+00:00 Zalezny Niezalezny : > Hi, > > we have a problem with TLS on our Postfix server > > > ec 2 10:12:03 postfix-server01

TLS issue

2016-12-02 Thread Zalezny Niezalezny
Hi, we have a problem with TLS on our Postfix server ec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: connect from smtptransit.de.net.intra[152.21.2.44] Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from smtptransit.de.net.intra[152.21.2.44]: -1 Dec 2 10:12:03

Re: TLS Issue

2014-12-07 Thread Jan Kowalski
Dnia , o godz. Steffan A. Cline stef...@hldns.com napisał(a): Hi, have you resolved this problem yet? I reproduce it when I connect via either imap or smtp from claws-mail linked against gnutls 3.3.10-1 to a postfix server with dovecot sasl enabled. In my case it is caused by my dovecot

Re: TLS Issue

2014-12-07 Thread Steffan A. Cline
Jan, No, I have not. Viktor suggested my webapp was at fault. I submitted a bug to the middleware provider to see if they can isolate it but if there are other apps with the same issue, it makes me wonder if there's something we can change server side (postfix) to fix it. You've renewed my

Re: TLS Issue

2014-12-07 Thread li...@rhsoft.net
Am 07.12.2014 um 18:02 schrieb Jan Kowalski: Dnia , o godz. Steffan A. Cline stef...@hldns.com napisał(a): have you resolved this problem yet? I reproduce it when I connect via either imap or smtp from claws-mail linked against gnutls 3.3.10-1 to a postfix server with dovecot sasl enabled.

Re: TLS Issue

2014-12-07 Thread Viktor Dukhovni
On Sun, Dec 07, 2014 at 06:02:23PM +0100, Jan Kowalski wrote: In my case it is caused by my dovecot configuration, namely: ssl_protocols = !SSLv2 !SSLv3 ssl_cipher_list = HIGH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL This configuration is incorrect. The majority of TLSv1.2 cipher suites were defined

Re: TLS Issue

2014-12-07 Thread Steffan A. Cline
Looking earlier on the thread, Jan suggested that it was dovecot that had the issue and may be related. My issue seems to be a connection issue postfix and my webapp. Viktor suggested it could be an issue with my OpenSSL implementation. The dev webapp is running on MacOS X 10.10 which should have

Re: TLS Issue

2014-12-07 Thread Viktor Dukhovni
On Sun, Dec 07, 2014 at 10:56:17PM -0700, Steffan A. Cline wrote: Looking earlier on the thread, Jan suggested that it was dovecot that had the issue and may be related. My issue seems to be a connection issue postfix and my webapp. Viktor suggested it could be an issue with my OpenSSL

TLS Issue

2014-11-30 Thread Steffan A. Cline
I've been googling a while to find a resolution to this but am not having the best of luck. I have a web app trying to connect to postfix to send mail via TLS. It fails right after authentication. I find a BUNCH of these in the log: Nov 30 10:10:32 hosting1 postfix/smtpd[11990]: connect from

Re: TLS Issue

2014-11-30 Thread Viktor Dukhovni
On Sun, Nov 30, 2014 at 09:32:43AM -0700, Steffan A. Cline wrote: I have a web app trying to connect to postfix to send mail via TLS. It fails right after authentication. Actually, no, it (what you show from the logs) fails during the TLS handshake, which should precede authentication. I

SSL/TLS issue

2011-01-18 Thread IT geek 31
I have an issue regarding SSL/TLS. I have configured my certificates and STARTTLS works fine. Out of curiosity, I wanted to get SSL over tcp/465 working. I uncommented the following line in master.cf: smtps inet n - n - - smtpd And netstat shows the

Re: SSL/TLS issue

2011-01-18 Thread Wietse Venema
IT geek 31: I have an issue regarding SSL/TLS. I have configured my certificates and STARTTLS works fine. Out of curiosity, I wanted to get SSL over tcp/465 working. Port 465 uses a different protocol than port 25. On port 25, the session starts in plaintext, and the client sends STARTTLS.

Re: SSL/TLS issue

2011-01-18 Thread IT geek 31
On 18 January 2011 22:22, Wietse Venema wie...@porcupine.org wrote: IT geek 31: I have an issue regarding SSL/TLS. I have configured my certificates and STARTTLS works fine. Out of curiosity, I wanted to get SSL over tcp/465 working. Port 465 uses a different protocol than port 25. On

Re: SSL/TLS issue

2011-01-18 Thread Wietse Venema
IT geek 31: On 18 January 2011 22:22, Wietse Venema wie...@porcupine.org wrote: IT geek 31: I have an issue regarding SSL/TLS. I have configured my certificates and STARTTLS works fine. Out of curiosity, I wanted to get SSL over tcp/465 working. Port 465 uses a different protocol

Re: SSL/TLS issue

2011-01-18 Thread IT geek 31
On 18 January 2011 22:34, Wietse Venema wie...@porcupine.org wrote: IT geek 31: On 18 January 2011 22:22, Wietse Venema wie...@porcupine.org wrote: IT geek 31: I have an issue regarding SSL/TLS. I have configured my certificates and STARTTLS works fine. Out of curiosity, I wanted to

Re: SSL/TLS issue

2011-01-18 Thread Reindl Harald
in thunderbird you have two options SSL/TLS STARTTLS on port 465 you have to use SSL/TLS the same for imaps/pop3s on dedicated ports if port / encryption is in the wrong combination it will not work, happens most time if you changed the ports manually while doing some tests, after that the

Enforced TLS issue after Postfix upgrade

2010-11-29 Thread Mueller, Martin (Messaging)
Hello, After upgrading from 2.5.x to 2.7.1 mail started queuing up to one particular domain (TLS security level: verify) with Server certificate not verified. Systems still on 2.5.x versions of Postfix transmit messages to that domain via enforced TLS just fine. Based on some testing with

Re: Enforced TLS issue after Postfix upgrade

2010-11-29 Thread Victor Duchovni
On Tue, Nov 30, 2010 at 02:44:31AM +, Mueller, Martin (Messaging) wrote: After upgrading from 2.5.x to 2.7.1 mail started queuing up to one particular domain (TLS security level: verify) with Server certificate not verified. Postfix TLS support has not changed noticeably since 2.5.

Re: Enforced TLS issue after Postfix upgrade

2010-11-29 Thread Victor Duchovni
On Tue, Nov 30, 2010 at 12:56:08AM -0500, Victor Duchovni wrote: When testing with Postfix 2.7 compiled against OpenSSL 1.0.0a and also 1.0.0b with two patches from the upcoming 1.0.0c (due any day now) everything is normal. Your OpenSSL is perhaps less fortuitously selected than mine. I get