Re: SSL_accept error from ...outbound.protection.outlook.com

2016-11-07 Thread Viktor Dukhovni
On Mon, Nov 07, 2016 at 10:30:06AM -0500, Bill Cole wrote:

> >Nov  7 15:03:29 blueberry postfix/smtpd[18091]:
> >mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]:
> >TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!aNULL"
> 
> This is probably your problem. The austere cipher list is the result of this
> setting, shown in your postconf output:
> 
> smtpd_tls_ciphers = high

Let's not speculate, ...  It is almost certain that the problem
lies elsewhere, and even with the OP's SSL library half-broken
("unknown state") that's also likely not the problem, but just in
case:

http://dilbert.com/strip/1995-06-24

The outlook.com email servers are fully able to support modern TLS
ciphersuites, and do not object to my self-signed cert.

Nov  7 16:34:41 amnesiac postfix/smtpd[6205]: connect from
mail-by2nam01on0058.outbound.protection.outlook.com[104.47.34.58]
Nov  7 16:34:42 amnesiac postfix/smtpd[6205]: Anonymous TLS connection
established from
mail-by2nam01on0058.outbound.protection.outlook.com[104.47.34.58]:
TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Nov  7 16:34:42 amnesiac postfix/smtpd[6205]: A59CF284B0A:
client=mail-by2nam01on0058.outbound.protection.outlook.com[104.47.34.58]
Nov  7 16:34:42 amnesiac postfix/cleanup[26419]: A59CF284B0A: ...
Nov  7 16:34:43 amnesiac postfix/qmgr[16255]: A59CF284B0A: from=<...>,
size=130131, nrcpt=1 (queue active)
Nov  7 16:34:43 amnesiac postfix/virtual[29503]: A59CF284B0A:
to=<...>, orig_to=<...>, relay=virtual, delay=1.1, delays=1/0/0/0.03,
dsn=2.0.0, status=sent (delivered to maildir)
Nov  7 16:34:43 amnesiac postfix/qmgr[16255]: A59CF284B0A: removed

The real issue, mentioned on this list previously IIRC, is the
over-aggressive way in which Microsoft deprecated MD5.  They
needlessly (and unfortunately) apply the MD5 restriction to the
self-signatures of root CAs, and even in the context of STARTTLS,
where they happily deliver in cleartext or to self-signed certs,
so failing with weak signatures is noticeably lame.

The OP just happens to be one of the unlucky ones who goes way overboard
with 4096-bit RSA keys and SHA512 signatures (don't do that, it's
futile), but uses a root CA whose self-signature is with MD5:

$ posttls-finger -cC floppy.org |
openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
openssl pkcs7 -noout -print_certs -text |
perl -lne '
print "" if /^Cert/;
print $1 if m{(?:Signature Algorithm|Subject|Issuer):\s*(.*)}
'

sha512WithRSAEncryption
O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=supp...@cacert.org
CN=blueberry.post-peine.de
sha512WithRSAEncryption

md5WithRSAEncryption
O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=supp...@cacert.org
O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=supp...@cacert.org
md5WithRSAEncryption

A suitable 2048-bit self-signed certificate will work much better.

-- 
Viktor.
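As an added, stdlib-only example (not from this thread, Postfix or OpenSSL) of the check Viktor's openssl/perl pipeline performs above: walk every certificate in a PEM chain such as `posttls-finger -cC host` prints, read the outer signatureAlgorithm OID of each one, and flag MD5 or SHA-1 signatures anywhere in the chain, root self-signature included. The sample input is a constructed DER skeleton with an empty tbsCertificate, not a real certificate; on a real chain only `weak_signatures()` is needed.

```python
"""Report the outer signature algorithm of each certificate in a PEM chain (stdlib only)."""
import base64
import re

SIG_OIDS = {  # signature AlgorithmIdentifier OIDs commonly seen in RSA-signed chains
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _oid_to_str(value):
    """Decode a DER OBJECT IDENTIFIER body (base-128 subidentifiers) into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Name of the outer signatureAlgorithm of one DER certificate (dotted OID if unknown).
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    _, body, _ = _tlv(der, 0)       # Certificate SEQUENCE
    _, _tbs, pos = _tlv(body, 0)    # skip tbsCertificate
    _, algid, _ = _tlv(body, pos)   # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _tlv(algid, 0)      # its first element is the algorithm OID
    return SIG_OIDS.get(_oid_to_str(oid), _oid_to_str(oid))

def pem_chain_to_der(pem_text):
    """Split a PEM bundle (e.g. posttls-finger -c output) into DER certificates, leaf first."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(b.split())) for b in re.findall(pat, pem_text, re.S)]

def weak_signatures(pem_text):
    """(index, algorithm) for every chain member whose signature uses MD5 or SHA-1."""
    algs = [signature_algorithm(d) for d in pem_chain_to_der(pem_text)]
    return [(i, a) for i, a in enumerate(algs) if a in WEAK]

def sample_cert_pem(last_oid_octet):
    """Constructed stand-in, NOT a real certificate: empty tbsCertificate, a genuine
    AlgorithmIdentifier for OID 1.2.840.113549.1.1.<n>, and a two-byte dummy BIT STRING."""
    der = (bytes.fromhex("30153000300d06092a864886f70d0101") + bytes([last_oid_octet])
           + bytes.fromhex("0500030200ff"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```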


Re: SSL_accept error from ...outbound.protection.outlook.com

2016-11-07 Thread Bill Cole

On 7 Nov 2016, at 9:26, Florian Piekert wrote:

> Hello everybody,
>
> another issue around TLS/SSL from me.
>
> I see tons of
> ==> mail/mail.log <==
>
> [...]
>
> Nov  7 15:03:29 blueberry postfix/smtpd[18091]:
> mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]:
> TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!aNULL"

This is probably your problem. The austere cipher list is the result of 
this setting, shown in your postconf output:


smtpd_tls_ciphers = high

This has the perverse effect of causing some senders to fallback to no 
encryption and others to fail because they are configured to never do 
that when a server claims to support TLS or are simply broken.

SSL_accept error from ...outbound.protection.outlook.com

2016-11-07 Thread Florian Piekert
Hello everybody,

another issue around TLS/SSL from me.

I see tons of
==> mail/mail.log <==
Nov  7 15:03:29 blueberry postfix/postscreen[16163]: PASS NEW
[2a01:111:f400:fe1f::32d]:56472
Nov  7 15:03:29 blueberry postfix/postscreen[16163]: CONNECT from
[187.58.37.29]:62661 to [85.214.17.19]:25
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: connect from
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: setting up TLS connection
from
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
Nov  7 15:03:29 blueberry postfix/smtpd[18091]:
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]:
TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!aNULL"
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept:before/accept
initialization
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept:unknown state
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: message repeated 5 times: [
SSL_accept:unknown state]
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept:failed in unknown
state
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept error from
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]:
lost connection
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: lost connection after
STARTTLS from
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: disconnect from
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
ehlo=1 starttls=0/1 commands

In my log files. Only from outlook.com. TLS/SSL with other hosts works fine,
anonymous, untrusted, trusted, verified. All there, despite the unknown
state thing. Only that outlook.com thing bugs me.

Did anybody of you encounter something similar?

I found one hit on the net that explained something similar to get a
certificate with min. 2k bits, mine are 4k bits.
(https://community.sophos.com/kb/hu-hu/122327)

So the question is, how to get that going?

Any pointers highly appreciated...

Cheers,
Florian

===
Note: this message was sent by me *only* if the eMail message contains a
correct pgp signature corresponding to my address at flo...@floppy.org. Do
you need my PGP public key? Check out http://www.floppy.org or send me an
email with the subject "send pgp public key" to this address of mine. Thx!
2bounce_notice_recipient = postmaster-bounce
address_verify_map = btree:/var/lib/postfix/verify
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 300s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
alias_database = btree:/etc/aliases
alias_maps = btree:/etc/aliases
allow_percent_hack = no
always_bcc =
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks.regexp
bounce_notice_recipient = postmaster-bounce
bounce_queue_lifetime = 1d
bounce_size_limit = 10240
broken_sasl_auth_clients = yes
canonical_maps = btree:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_database_type = btree
default_destination_concurrency_limit = 10
default_privs = nobody
default_process_limit = 12
defer_transports = hold
delay_notice_recipient = postmaster-delay
delay_warning_time = 2d
disable_dns_lookups = no
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
error_notice_recipient = postmaster-error
header_checks = regexp:/etc/postfix/block255, regexp:/etc/postfix/header_checks.regexp
home_mailbox = Maildir/
html_directory = /srv/www/blueberry.post-peine.de/html/postfix
inet_interfaces = all
inet_protocols = all
lmtp_tls_ciphers = high
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
local_destination_concurrency_limit = 4
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 3d
message_size_limit = 12500
meta_directory = /etc/postfix
mydestination = localhost.$mydomain, localhost, localhost.localdomain, h2511160.stratoserver.net $myhostname
myhostname = blueberry.post-peine.de
mynetworks = 127.0.0.0/8 [::1]/128 85.214.231.59/32 [2a01:238:42e6:2a00:400c:c565:2fc4:894f]/128 [2a01:238:42e9:8500:ef96:269e:db52:64a8]/128 85.214.17.19
newaliases_path = /usr/bin/newaliases
notify_classes = bounce, resource, software, delay, policy
postscreen_access_list =