Re: Ubuntu 16.04lts & ssl unknown states
Am 03.11.2016 um 20:57 schrieb Viktor Dukhovni: Good morning. > Perhaps "posttls-finger" is left over from an earlier install? Did > you build and install Postfix from source? I reinstalled the distro pf package and re-compiled pf snapshot 1101 again. Now posttls-finger works again. Whyever. > The OpenSSL version looks typical enough, is that "/usr/bin/openssl" > or some other version? What does "ldd" show for this binary? > > # openssl version -a > OpenSSL 1.0.2g 1 Mar 2016 > built on: reproducible build, date unspecified > platform: debian-amd64 > options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) > compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS > -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 > -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time > -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack > -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM > -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM > -DGHASH_ASM -DECP_NISTZ256_ASM > OPENSSLDIR: "/usr/lib/ssl" > > Here we see that the same "unknown state" issue happens with Postfix > out of the picture. Both for local connections and connections to > Gmail. So this should be pursued on a suitable Ubuntu forum. I put out the cry for help there. If I come to a solution, I will share it with you guys in here again (if somebody happens to have a similar issue). Best of thanks on this one & now to the other... Cheers, Florian === Note: this message was send by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine.Thx! signature.asc Description: OpenPGP digital signature
Re: Ubuntu 16.04lts & ssl unknown states
On Thu, Nov 03, 2016 at 09:38:39PM +0100, Florian Piekert wrote: > >> -rwxr-xr-x 1 root root 34768 Apr 13 2016 /usr/sbin/posttls-finger* > > > > Perhaps "posttls-finger" is left over from an earlier install? Did > > you build and install Postfix from source? > > posttls-finger most probably is a relic of the default packages > installation. pf is installed from source. You should probably delete the left-over binary. > > Here we see that the same "unknown state" issue happens with Postfix > > out of the picture. Both for local connections and connections to > > Gmail. So this should be pursued on a suitable Ubuntu forum. > > OK, I understand it then is more of an OS issue than a specific to pf. > Correct? The issue is a common symptom of OpenSSL on your system and is NOT Postfix-specific. -- Viktor.
Re: Ubuntu 16.04lts & ssl unknown states
Am 03.11.2016 um 20:57 schrieb Viktor Dukhovni: Hello Viktor, you are correct, it is compiled & install from the source, like I did the last ten+? years on all of my machines. No issues on ubuntu 14.04, opensuse, or others. Only on 16.04. it causes me a pain. I installed postfix from scratch with the default packages that come with 16.04, then compiled the pf snapshot that was available at that time, with the configure file I slightly modified to pay tribute to the new system. See the attached configure.postfix file with the args. >> Since there is no tlsproxy running at the moment (removed the modifications >> from Wietse and restarted pf, let's wait...?) I can't provide that output >> at the moment. Or do you have a suggestion how to get one up & running? > > You could go back to the previous configuration, but read on... > >> On the other hand, my pf is the snapshot from 1101 and not any longer the >> default package that ubuntu delivered. >> >> root@blueberry:/var/lib/postfix# l /usr/sbin/post* >> -rwxr-xr-x 1 root root 45160 Nov 1 22:04 /usr/sbin/postalias* >> -rwxr-xr-x 1 root root 34216 Nov 1 22:04 /usr/sbin/postcat* >> -rwxr-xr-x 1 root root 422752 Nov 1 22:04 /usr/sbin/postconf* >> -rwxr-sr-x 1 root postdrop 34504 Nov 1 22:04 /usr/sbin/postdrop* >> -rwxr-xr-x 1 root root 28960 Nov 1 22:04 /usr/sbin/postfix* >> -rwxr-xr-x 1 root root 5017 Apr 13 2016 /usr/sbin/postfix-add-filter* >> -rwxr-xr-x 1 root root 3923 Apr 13 2016 /usr/sbin/postfix-add-policy* >> -rwxr-xr-x 1 root root 37856 Okt 26 2014 /usr/sbin/postgrey* >> -rwxr-xr-x 1 root root 20696 Nov 1 22:04 /usr/sbin/postkick* >> -rwxr-xr-x 1 root root 22608 Nov 1 22:04 /usr/sbin/postlock* >> -rwxr-xr-x 1 root root 22384 Nov 1 22:04 /usr/sbin/postlog* >> -rwxr-xr-x 1 root root 48512 Nov 1 22:04 /usr/sbin/postmap* >> -rwxr-xr-x 1 root root 69928 Nov 1 22:04 /usr/sbin/postmulti* >> -rwxr-sr-x 1 root postdrop 54304 Nov 1 22:04 /usr/sbin/postqueue* >> -rwxr-xr-x 1 root root 60552 Nov 1 22:04 /usr/sbin/postsuper* >> -rwxr-xr-x 1 root root 34768 Apr 13 2016 /usr/sbin/posttls-finger* > > Perhaps "posttls-finger" is left over from an earlier install? Did > you build and install Postfix from source? posttls-finger most probably is a relic of the default packages installation. pf is installed from source. > The OpenSSL version looks typical enough, is that "/usr/bin/openssl" > or some other version? What does "ldd" show for this binary? yes, it is that version. root@blueberry:/home/software# ldd /usr/bin/openssl linux-vdso.so.1 => (0x7ffca532) libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x7fcc7780a000) libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x7fcc773c6000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7fcc76ffc000) libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7fcc76df8000) /lib64/ld-linux-x86-64.so.2 (0x7fcc77a7d000) > # openssl version -a > OpenSSL 1.0.2g 1 Mar 2016 > built on: reproducible build, date unspecified > platform: debian-amd64 > options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) > compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS > -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 > -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time > -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack > -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT > -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM > -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM > -DGHASH_ASM -DECP_NISTZ256_ASM > OPENSSLDIR: "/usr/lib/ssl" > > Here we see that the same "unknown state" issue happens with Postfix > out of the picture. Both for local connections and connections to > Gmail. So this should be pursued on a suitable Ubuntu forum. OK, I understand it then is more of an OS issue than a specific to pf. Correct? > # (sleep 1; printf "quit\r\n") | > openssl s_client -quiet -state -starttls smtp -connect localhost:25 > SSL_connect:before/connect initialization > SSL_connect:SSLv2/v3 write client hello A > SSL_connect:unknown state > depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing > Authority, emailAddress = supp...@cacert.org > verify return:1 > depth=0 CN = yabba.dadd-do.de > verify return:1 > SSL_connect:unknown state > SSL_connect:unknown state > SSL_connect:unknown state > SSL_connect:unknown state > SSL_connect:unknown state > SSL_connect:unknown state > SSL_connect:unknown state > SSL_connect:unknown state > SSL_connect:unknown state > SSL_connect:unknown state > SSL_connect:unknown state > 250 DSN >
Re: Ubuntu 16.04lts & ssl unknown states
On Thu, Nov 03, 2016 at 06:05:50PM +0100, Florian Piekert wrote: > Since there is no tlsproxy running at the moment (removed the modifications > from Wietse and restarted pf, let's wait...?) I can't provide that output > at the moment. Or do you have a suggestion how to get one up & running? You could go back to the previous configuration, but read on... > On the other hand, my pf is the snapshot from 1101 and not any longer the > default package that ubuntu delivered. > > root@blueberry:/var/lib/postfix# l /usr/sbin/post* > -rwxr-xr-x 1 root root 45160 Nov 1 22:04 /usr/sbin/postalias* > -rwxr-xr-x 1 root root 34216 Nov 1 22:04 /usr/sbin/postcat* > -rwxr-xr-x 1 root root 422752 Nov 1 22:04 /usr/sbin/postconf* > -rwxr-sr-x 1 root postdrop 34504 Nov 1 22:04 /usr/sbin/postdrop* > -rwxr-xr-x 1 root root 28960 Nov 1 22:04 /usr/sbin/postfix* > -rwxr-xr-x 1 root root 5017 Apr 13 2016 /usr/sbin/postfix-add-filter* > -rwxr-xr-x 1 root root 3923 Apr 13 2016 /usr/sbin/postfix-add-policy* > -rwxr-xr-x 1 root root 37856 Okt 26 2014 /usr/sbin/postgrey* > -rwxr-xr-x 1 root root 20696 Nov 1 22:04 /usr/sbin/postkick* > -rwxr-xr-x 1 root root 22608 Nov 1 22:04 /usr/sbin/postlock* > -rwxr-xr-x 1 root root 22384 Nov 1 22:04 /usr/sbin/postlog* > -rwxr-xr-x 1 root root 48512 Nov 1 22:04 /usr/sbin/postmap* > -rwxr-xr-x 1 root root 69928 Nov 1 22:04 /usr/sbin/postmulti* > -rwxr-sr-x 1 root postdrop 54304 Nov 1 22:04 /usr/sbin/postqueue* > -rwxr-xr-x 1 root root 60552 Nov 1 22:04 /usr/sbin/postsuper* > -rwxr-xr-x 1 root root 34768 Apr 13 2016 /usr/sbin/posttls-finger* Perhaps "posttls-finger" is left over from an earlier install? Did you build and install Postfix from source? The OpenSSL version looks typical enough, is that "/usr/bin/openssl" or some other version? What does "ldd" show for this binary? # openssl version -a OpenSSL 1.0.2g 1 Mar 2016 built on: reproducible build, date unspecified platform: debian-amd64 options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM OPENSSLDIR: "/usr/lib/ssl" Here we see that the same "unknown state" issue happens with Postfix out of the picture. Both for local connections and connections to Gmail. So this should be pursued on a suitable Ubuntu forum. # (sleep 1; printf "quit\r\n") | openssl s_client -quiet -state -starttls smtp -connect localhost:25 SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:unknown state depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = supp...@cacert.org verify return:1 depth=0 CN = yabba.dadd-do.de verify return:1 SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state 250 DSN 221 2.0.0 Bye SSL3 alert read:warning:close notify SSL3 alert write:warning:close notify # (sleep 1; printf "quit\r\n") | openssl s_client -quiet -state -starttls smtp -connect smtp.gmail.com:587 SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:unknown state depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority verify return:1 depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify return:1 depth=1 C = US, O = Google Inc, CN = Google Internet Authority G2 verify return:1 depth=0 C = US, ST = California, L = Mountain View, O = Google Inc, CN = smtp.gmail.com verify return:1 SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state 250 SMTPUTF8 221 2.0.0 closing connection g9sm9596385wjk.25 - gsmtp read:errno=0 SSL3 alert write:warning:close notify > postconf mail_version > -> mail_version = 3.2-20161101 I very much doubt that Ubuntu shipped this Postfix version. Looks like
Re: Ubuntu 16.04lts & ssl unknown states
Am 03.11.2016 um 17:29 schrieb Viktor Dukhovni: Hello Viktor, Wietse and everybody, since there is no tlsproxy running at the moment (removed the modifications from Wietse and restarted pf, let's wait...?) I can't provide that output at the moment. Or do you have a suggestion how to get one up & running? I have a proxymap up sometimes... But maybe the attached txt file providing what I could provide helps in understanding...? Especially the missing symbol aspect of posttls-finger? On the other hand, my pf is the snapshot from 1101 and not any longer the default package that ubuntu delivered. root@blueberry:/var/lib/postfix# l /usr/sbin/post* -rwxr-xr-x 1 root root 45160 Nov 1 22:04 /usr/sbin/postalias* -rwxr-xr-x 1 root root 34216 Nov 1 22:04 /usr/sbin/postcat* -rwxr-xr-x 1 root root 422752 Nov 1 22:04 /usr/sbin/postconf* -rwxr-sr-x 1 root postdrop 34504 Nov 1 22:04 /usr/sbin/postdrop* -rwxr-xr-x 1 root root 28960 Nov 1 22:04 /usr/sbin/postfix* -rwxr-xr-x 1 root root 5017 Apr 13 2016 /usr/sbin/postfix-add-filter* -rwxr-xr-x 1 root root 3923 Apr 13 2016 /usr/sbin/postfix-add-policy* -rwxr-xr-x 1 root root 37856 Okt 26 2014 /usr/sbin/postgrey* -rwxr-xr-x 1 root root 20696 Nov 1 22:04 /usr/sbin/postkick* -rwxr-xr-x 1 root root 22608 Nov 1 22:04 /usr/sbin/postlock* -rwxr-xr-x 1 root root 22384 Nov 1 22:04 /usr/sbin/postlog* -rwxr-xr-x 1 root root 48512 Nov 1 22:04 /usr/sbin/postmap* -rwxr-xr-x 1 root root 69928 Nov 1 22:04 /usr/sbin/postmulti* -rwxr-sr-x 1 root postdrop 54304 Nov 1 22:04 /usr/sbin/postqueue* -rwxr-xr-x 1 root root 60552 Nov 1 22:04 /usr/sbin/postsuper* -rwxr-xr-x 1 root root 34768 Apr 13 2016 /usr/sbin/posttls-finger* That explains the difference of the file dates. > openssl version -a > # (sleep 1; printf "quit\r\n") | > openssl s_client -quiet -state -starttls smtp -connect localhost:25 > # (sleep 1; printf "quit\r\n") | > openssl s_client -quiet -state -starttls smtp -connect > smtp.gmail.com:587 > > # postconf mail_version > # ldd /usr/sbin/posttls-finger # IIRC Ubuntu ships it > > # pid=8057 # actual pid here > # cat /proc/$pid/maps > # ldd /proc/$pid/exe > # grep "tlsproxy/\[$pid\]" /var/log/mail.log | tail > > [ These should work, but Ubuntu may have packaged Postfix in > some way that makes it otherwise: ] > > # d=$(/var/tmp/postfix/sbin/postconf -xh meta_directory) I don't have that directory btw. > # cat $d/makedefs.out Cheers, Florian === Note: this message was send by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx! openssl version -a -> root@blueberry:/var/lib/postfix# openssl version -a OpenSSL 1.0.2g 1 Mar 2016 built on: reproducible build, date unspecified platform: debian-amd64 options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) blowfish(idx) compiler: cc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM OPENSSLDIR: "/usr/lib/ssl" (sleep 1; printf "quit\r\n") | openssl s_client -quiet -state -starttls smtp -connect localhost:25 -> SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:unknown state depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = supp...@cacert.org verify return:1 depth=0 CN = yabba.dadd-do.de verify return:1 SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state SSL_connect:unknown state 250 DSN 221 2.0.0 Bye SSL3 alert read:warning:close notify SSL3 alert write:warning:close notify (sleep 1; printf "quit\r\n") | openssl s_client -quiet -state -starttls smtp -connect smtp.gmail.com:587 -> SSL_connect:before/connect initialization SSL_connect:SSLv2/v3 write client hello A SSL_connect:unknown state depth=3 C = US, O = Equifax, OU = Equifax Secure Certificate Authority verify return:1 depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA verify return:1 depth=1 C = US, O = Google Inc, CN =
Re: Ubuntu 16.04lts & ssl unknown states
> On Nov 3, 2016, at 12:29 PM, Viktor Dukhovni> wrote: > > # grep "tlsproxy/\[$pid\]" /var/log/mail.log | tail Oops, misplaced '/' there, it should of course be: # grep "/tlsproxy\[$pid\]" /var/log/mail.log | tail -- Viktor.
Re: Ubuntu 16.04lts & ssl unknown states
On Thu, Nov 03, 2016 at 12:48:01PM +0100, Florian Piekert wrote: > Good morning everybody, > > I was wondering for quite some weeks now how to fix this issue with my > postfix. I had a brief discussion with Ralf Hildebrandt and he suggested > asking via the users lists, that's what I am doing now. > > I have the situation that the PF currently doesn't seem to get proper > information about the state of the SSL connection, as you can see below. Find the process id of a still running "tlsproxy", then post the output of (multiple commands, so post each command followed by its output, without changing line breaks with a blank line or two above each command block): # openssl version -a # (sleep 1; printf "quit\r\n") | openssl s_client -quiet -state -starttls smtp -connect localhost:25 # (sleep 1; printf "quit\r\n") | openssl s_client -quiet -state -starttls smtp -connect smtp.gmail.com:587 # postconf mail_version # ldd /usr/sbin/posttls-finger # IIRC Ubuntu ships it # pid=8057 # actual pid here # cat /proc/$pid/maps # ldd /proc/$pid/exe # grep "tlsproxy/\[$pid\]" /var/log/mail.log | tail [ These should work, but Ubuntu may have packaged Postfix in some way that makes it otherwise: ] # d=$(/var/tmp/postfix/sbin/postconf -xh meta_directory) # cat $d/makedefs.out also report whether that proxy had already logged a similar message by the time you found it. > Any pointers what to check/where to lock/what to fix are highly appreciated. This has the feel of a shared library issue. The Postfix configuration is largely irrelevant here, but chroot may play a role in this. -- Viktor.
Re: Ubuntu 16.04lts & ssl unknown states
Am 03.11.2016 um 15:58 schrieb Wietse Venema: > postconf \ > 'postscreen_bare_newline_enable = no' \ > 'postscreen_non_smtp_command_enable = no' \ > 'postscreen_pipelining_enable = no' > > postfix reload Nov 3 16:03:51 blueberry postfix/smtp[12959]: SSL_connect:before/connect initialization Nov 3 16:03:51 blueberry postfix/smtp[12959]: SSL_connect:SSLv2/v3 write client hello A Nov 3 16:03:51 blueberry postfix/smtp[12959]: SSL_connect:unknown state ... Nov 3 16:03:51 blueberry postfix/smtp[12959]: SSL_connect:unknown state Nov 3 16:03:51 blueberry postfix/smtp[12959]: message repeated 10 times: [ SSL_connect:unknown state] Negative. -- Florian Piekert, PMP flo...@floppy.org Spargelweg 5Telephone+Fax: +49-179- 3928582 38179 Schwülper-Walle/Germany === Note: this message was send by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine.Thx! signature.asc Description: OpenPGP digital signature
Re: Ubuntu 16.04lts & ssl unknown states
Florian Piekert: > ==> mail/mail.log <== > Nov 3 08:50:29 blueberry postfix/tlsproxy[8057]: CONNECT from > [2a01:111:f400:fe02::31f]:39552 Does it make a difference after: postconf \ 'postscreen_bare_newline_enable = no' \ 'postscreen_non_smtp_command_enable = no' \ 'postscreen_pipelining_enable = no' postfix reload That eliminates postfix/tlsproxy from the equation. Wietse
Re: Ubuntu 16.04lts & ssl unknown states
* Florian Piekert: > Nov 3 08:50:30 blueberry postfix/tlsproxy[8057]: SSL_accept:unknown state I checked my logs and couldn't find any log entries like the one above. Hm, I am not using smtp(d)_tls_loglevel=2, but 1. > smtp_tls_loglevel = 2 > smtpd_tls_loglevel = 2 -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Schleißheimer Straße 26/MG, 80333 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
Re: Ubuntu 16.04lts & ssl unknown states
Am 03.11.2016 um 14:26 schrieb Fazzina, Angelo: Hello Angelo, please find attached my output, looks pretty good to me, similar to yours. > Hi Florian, > I am curious if you ran a basic telnet test of your SSL config, trying to > connect over port 465 or 587 ? > Sorry for not reading your attachments. > > I am attaching one file of the command and its output, showing example test > over both ports. > Does your postfix respond like my example or you are not even able to do that > ? > -ALF > > -Angelo Fazzina > Operating Systems Programmer / Analyst > University of Connecticut, UITS, SSG-Linux/ M > 860-486-9075 Cheers, Florian === Note: this message was send by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine.Thx! root@blueberry:/home/software# openssl s_client -connect localhost:465 CONNECTED(0003) depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = supp...@cacert.org verify return:1 depth=0 CN = yabba.dadd-do.de verify return:1 --- Certificate chain 0 s:/CN=yabba.dadd-do.de i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supp...@cacert.org 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supp...@cacert.org i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supp...@cacert.org --- Server certificate -BEGIN CERTIFICATE- MIIGJTCCBA2gAwIBAgIDEkl3MA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jv b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y dEBjYWNlcnQub3JnMB4XDTE2MDgxOTA1MjkyM1oXDTE3MDIxNTA1MjkyM1owIjEg MB4GA1UEAxMXYmx1ZWJlcnJ5LnBvc3QtcGVpbmUuZGUwggIiMA0GCSqGSIb3DQEB AQUAA4ICDwAwggIKAoICAQCyMxBTyzYZuIPqDDGAaZw3OaK6ntq2RCjdv1SNRHvQ UCLj/2Qh6XCcANbLraU59rBy4ioPON6pX73fXnfRApOP3l9jVsiDrvwzDbu2XOzF 6u8vZhbcG889zIyj0aPaR3pRsleWkxJ5vsmHS/MoaG++LUTLWGyBGFv05bDDtXVj QhdfDFW4JwDrznivbvu2bn3r09wiCb9J8f21Wr45n6vm6wmpsPXxiiUnzH08WvY8 xdHBOUKlfl4m7u+ZQ8YY/VchPzF5+zVvwh7vuGSvjL6TEznxZS5dtKSFKdQV2lXT z6KYGuGoVfs+CzeeoW8OO34jQ33BU9puFxb41iFJapuwe61xxQ/my/DTq3aCfwu3 6YdX9QejeYBuBKY7lYNTFSzOkpP/KQbxUGLY+lIv9omPNYC6WtZEpf368pycXFSH L5K0USpXPWA4Wc5O7k7xAXKKDAxYlIxIChPtEb4UylTmeinCbrOn3bs1igbvQ7dg n1BcNMZSmQCP1nLlOiVSHqvhD6BfATF0WgDpdIFvtizP/ep0qpjlmYhUVzaOtKFy KnNW8xGo03gICllHjx3ESWgvqw1b0zzvcIlmol19m61VzIp2mo2G1HxNdm3YtUhr Ss9J0XpAXkXH9A8QSMJhZR0Rvt5X/g5NZgXg7Q20oiUlReoagikKyda2AeRlzHBX nwIDAQABo4IBCzCCAQcwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCA6gwNAYD VR0lBC0wKwYIKwYBBQUHAwIGCCsGAQUFBwMBBglghkgBhvhCBAEGCisGAQQBgjcK AwMwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5jYWNl cnQub3JnLzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmNhY2VydC5vcmcv cmV2b2tlLmNybDBJBgNVHREEQjBAghdibHVlYmVycnkucG9zdC1wZWluZS5kZaAl BggrBgEFBQcIBaAZDBdibHVlYmVycnkucG9zdC1wZWluZS5kZTANBgkqhkiG9w0B AQ0FAAOCAgEAePVVQx9jJIYgtjBIGjssZgaiHi2Q908IEiC0JxDIYL98jIpmlHHO lZbaTurNh/n3HpC8sN52hVwA/Zbzna7XP5FbfvJhAHiaan/9jbPppP/nszvqP+pC d9SMrn5qeByES8R1XvbhWsIUsJDsfe68Hh9q7hDVwIG1jMFFI1vRxr+2h0owGxc3 lHyVKVKqTukgxze+HCpiK6KVNZ+O8g1LaSI4Ejqk0f9TpUB3ejnMJVls4266dC6a lemH0Lf1SIP6Dl8wlhxMnCk7wKb2kG5gi7aKshqOjcgRLc41pp2h3Wkba5Z/HDZ3 P1v+lpndKO4+PnAlsb3hSrQTPzs24kupMDHq7WNwt0XHl9oByxrIza+6YvufADi8 LMMOp6aq1UPv3k7UTzAn3XiSPC/jAkBFFQZYvFNuVF8NcCPAfeHnYNnxQqPA94Af 9uPo85o2tVMxcfPZ3ja/Ybj57Jy+7UvF2k6QS3ittdJTJ46bXqFXnYT350B6DnhS HZfo18qIcf0kjZfHq0+GTblUEsiBFv7bKFH7mKhHavqUAZg3E1eF1jtZp3N3A66g WENj2GNxaPHexYt5qZofz7k9dNuLuB/IIK03SvL8ErG8IScIWEBVy/kyi6HJ+8YW +K5sf3tgUm1L/hyf8exlTAGQWfdLCYsgy6gByxdOS4Z1SOQer+IBS/k= -END CERTIFICATE- subject=/CN=yabba.dadd-do.de issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=supp...@cacert.org --- No client certificate CA names sent Client Certificate Types: RSA sign, DSA sign, ECDSA sign Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1 Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1 Peer signing digest: SHA512 Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 4394 bytes and written 443 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher: ECDHE-RSA-AES256-GCM-SHA384 Session-ID: 8BEFEAEFA881F97A56AC14E6894249C6E1F583628382FB0877597DFF554539C2 Session-ID-ctx:
RE: Ubuntu 16.04lts & ssl unknown states
Hi Florian, I am curious if you ran a basic telnet test of your SSL config, trying to connect over port 465 or 587 ? Sorry for not reading your attachments. I am attaching one file of the command and its output, showing example test over both ports. Does your postfix respond like my example or you are not even able to do that ? -ALF -Angelo Fazzina Operating Systems Programmer / Analyst University of Connecticut, UITS, SSG-Linux/ M 860-486-9075 -Original Message- From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Florian Piekert Sent: Thursday, November 3, 2016 7:48 AM To: postfix-users@postfix.org Subject: Ubuntu 16.04lts & ssl unknown states Good morning everybody, I was wondering for quite some weeks now how to fix this issue with my postfix. I had a brief discussion with Ralf Hildebrandt and he suggested asking via the users lists, that's what I am doing now. I have the situation that the PF currently doesn't seem to get proper information about the state of the SSL connection, as you can see below. ==> mail/mail.log <== Nov 3 08:50:29 blueberry postfix/tlsproxy[8057]: CONNECT from [2a01:111:f400:fe02::31f]:39552 Nov 3 08:50:29 blueberry postfix/tlsproxy[8057]: setting up TLS connection from [2a01:111:f400:fe02::31f]:39552 Nov 3 08:50:29 blueberry postfix/tlsproxy[8057]: [2a01:111:f400:fe02::31f]:39552: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH:!aNULL" Nov 3 08:50:29 blueberry postfix/tlsproxy[8057]: SSL_accept:before/accept initialization Nov 3 08:50:30 blueberry postfix/tlsproxy[8057]: SSL_accept:unknown state Nov 3 08:50:30 blueberry postfix/tlsproxy[8057]: message repeated 5 times: [ SSL_accept:unknown state] Nov 3 08:50:30 blueberry postfix/tlsproxy[8057]: SSL_accept:failed in unknown state It doesn't matter if it is an IPv6 host, if the host is in mynetworks or not (all postfixes with CACert issues certs and working properly between each of the others finely). Any pointers what to check/where to lock/what to fix are highly appreciated. And I will probably drop another mail around another issue in conjunction with dovecot virtual user delivery pf->dovecot... but first this SSL thing... Thanks! Florian === Note: this message was send by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine.Thx! TEST 1 [ OK ] [root@mta4 ~]# openssl s_client -connect mta4.example.com:465 CONNECTED(0003) depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1 depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority verify return:1 depth=1 C = US, ST = MI, L = Ann Arbor, O = Internet2, OU = InCommon, CN = InCommon RSA Server CA verify return:1 depth=0 C = US, postalCode = 06269, ST = Connecticut, L = Storrs, street = MSB, O = University of Connecticut, OU = UITS, CN = mta4.example.com verify return:1 --- Certificate chain 0 s:/C=US/postalCode=06269/ST=Connecticut/L=Storrs/street=MSB/O=University of Connecticut/OU=UITS/CN=mta4.example.com i:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA 1 s:/C=US/ST=MI/L=Ann Arbor/O=Internet2/OU=InCommon/CN=InCommon RSA Server CA i:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority 2 s:/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root 3 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root --- Server certificate -BEGIN CERTIFICATE- MIIFbTCCBFWgAwIBAgIQUUUM6kkQWQV8kesbMKoP2TANBgkqhkiG9w0BAQsFADB2 MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjES MBAGA1UEChMJSW50ZXJuZXQyMREwDwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMW SW5Db21tb24gUlNBIFNlcnZlciBDQTAeFw0xNjAzMDEwMDAwMDBaFw0xOTAzMDEy MzU5NTlaMIGjMQswCQYDVQQGEwJVUzEOMAwGA1UEERMFMDYyNjkxFDASBgNVBAgT C0Nvbm5lY3RpY3V0MQ8wDQYDVQQHEwZTdG9ycnMxDDAKBgNVBAkTA01TQjEiMCAG A1UEChMZVW5pdmVyc2l0eSBvZiBDb25uZWN0aWN1dDENMAsGA1UECxMEVUlUUzEc MBoGA1UEAxMTbXRhNC51aXRzLnVjb25uLmVkdTCCASIwDQYJKoZIhvcNAQEBBQAD ggEPADCCAQoCggEBAKXs5Mhq4l4c+nMdwxFY3lndze/40SAuVhLUA2oiQ1j359tA xu6UPoE5XaeYDevTSm7kG/GiTRrNJRWXqWcGAfqxU2smopOP1ybLSqYno8JG6bq7 IzQzOpUaT9jhqXhxYLwC7gNkw6FfFTwH3dzUCqMEDiceBf7Sbgu3cw53WeoXjYOD 4sLaidh4ZLRXTYGoTcrFUAosyM4GhNs9DFbRYJxYMTN/FLFHGi62EfLdWnynKHHm ewsvOWTRwcC+mVxXOOrD24fNsX9PKshYbX+jBLXI/HCHgT8zx7MZUSY
Ubuntu 16.04lts & ssl unknown states
Good morning everybody, I was wondering for quite some weeks now how to fix this issue with my postfix. I had a brief discussion with Ralf Hildebrandt and he suggested asking via the users lists, that's what I am doing now. I have the situation that the PF currently doesn't seem to get proper information about the state of the SSL connection, as you can see below. ==> mail/mail.log <== Nov 3 08:50:29 blueberry postfix/tlsproxy[8057]: CONNECT from [2a01:111:f400:fe02::31f]:39552 Nov 3 08:50:29 blueberry postfix/tlsproxy[8057]: setting up TLS connection from [2a01:111:f400:fe02::31f]:39552 Nov 3 08:50:29 blueberry postfix/tlsproxy[8057]: [2a01:111:f400:fe02::31f]:39552: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH:!aNULL" Nov 3 08:50:29 blueberry postfix/tlsproxy[8057]: SSL_accept:before/accept initialization Nov 3 08:50:30 blueberry postfix/tlsproxy[8057]: SSL_accept:unknown state Nov 3 08:50:30 blueberry postfix/tlsproxy[8057]: message repeated 5 times: [ SSL_accept:unknown state] Nov 3 08:50:30 blueberry postfix/tlsproxy[8057]: SSL_accept:failed in unknown state It doesn't matter if it is an IPv6 host, if the host is in mynetworks or not (all postfixes with CACert issues certs and working properly between each of the others finely). Any pointers what to check/where to lock/what to fix are highly appreciated. And I will probably drop another mail around another issue in conjunction with dovecot virtual user delivery pf->dovecot... but first this SSL thing... Thanks! Florian === Note: this message was send by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine.Thx! 2bounce_notice_recipient = postmaster-bounce address_verify_map = btree:/var/lib/postfix/verify address_verify_negative_cache = yes address_verify_negative_expire_time = 3d address_verify_negative_refresh_time = 300s address_verify_positive_expire_time = 31d address_verify_positive_refresh_time = 7d alias_database = btree:/etc/aliases alias_maps = btree:/etc/aliases allow_percent_hack = no always_bcc = biff = no body_checks = regexp:/etc/postfix/body_checks.regexp bounce_notice_recipient = postmaster-bounce bounce_queue_lifetime = 1d bounce_size_limit = 10240 broken_sasl_auth_clients = yes canonical_maps = btree:/etc/postfix/canonical command_directory = /usr/sbin compatibility_level = 2 content_filter = smtp-amavis:[127.0.0.1]:10024 daemon_directory = /usr/lib/postfix data_directory = /var/lib/postfix debug_peer_level = 2 debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5 default_database_type = btree default_destination_concurrency_limit = 10 default_privs = nobody default_process_limit = 12 defer_transports = hold delay_notice_recipient = postmaster-delay delay_warning_time = 2d disable_dns_lookups = no disable_vrfy_command = yes error_notice_recipient = postmaster-error header_checks = regexp:/etc/postfix/block255, regexp:/etc/postfix/header_checks.regexp html_directory = /srv/www/yadda.dadd-do.de/html/postfix inet_interfaces = all inet_protocols = all lmtp_tls_ciphers = export lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3 lmtp_tls_protocols = !SSLv2 !SSLv3 local_destination_concurrency_limit = 4 mail_owner = postfix mail_spool_directory = /var/mail mailbox_size_limit = 10 mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man masquerade_classes = envelope_sender, header_sender, header_recipient masquerade_domains = masquerade_exceptions = root maximal_queue_lifetime = 3d message_size_limit = 12500 meta_directory = /etc/postfix mydestination = localhost.$mydomain, localhost, localhost.localdomain, $myhostname myhostname = yadda.dadd-do.de mynetworks = 127.0.0.0/8 [::1]/128... newaliases_path = /usr/bin/newaliases notify_classes = bounce, resource, software, delay, policy postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr postscreen_bare_newline_action = drop postscreen_bare_newline_enable = yes postscreen_blacklist_action = drop postscreen_dnsbl_action = enforce postscreen_dnsbl_sites = postscreen_dnsbl_threshold = 2 postscreen_greet_action = enforce postscreen_non_smtp_command_enable = yes postscreen_pipelining_enable = yes queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/packages/postfix/README_FILES relay_domains = btree:/etc/postfix/relay_domains relay_recipient_maps = btree:/etc/postfix/recipient_maps.outpost relayhost = outpost.post-peine.de relocated_maps = btree:/etc/postfix/relocated resolve_dequoted_address = yes sample_directory = /usr/share/doc/packages/postfix/samples sendmail_path = /usr/sbin/sendmail setgid_group = postdrop shlib_directory =