On Tue, 24 Apr 2012 11:34:11 -0400 (EDT)
Wietse Venema articulated:

>Jerry:
>> FreeBSD-8.2 STABLE
>> Postfix (2.10-20120422)
>> OpenSSL 1.0.1a 19 Apr 2012
>> 
>> I just updated to the latest devel version of Postfix and
>> openssl-1.0.1a.
>> 
>> Following the instructions (I think correctly) on this list, I
>> created the following file:
>> 
>> cat tls_policy
>> hotmail.com     may protocols=!SSLv2:!TLSv1.1:!TLS1.2
>> 
>> I check it as so:
>> 
>> postmap -q hotmail.com ./tls_policy
>> may protocols=!SSLv2:!TLSv1.1:!TLS1.2
>
>TLS1.2 is an invalid protocol name. Postfix will not send STARTTLS,
>disconnect, and make a plaintext connection if permitted.
>
>    Apr 24 11:11:27 spike postfix/smtp[19134]: warning:
>       65.55.96.11[65.55.96.11]:25: Invalid TLS protocol list
>       "!SSLv2:!TLSv1.1:!TLS1.2": aborting TLS session
>
>So your logs don't match the configuration.

I got those settings from your email to the list:

<quote>
However, it may be better to disable the new protocols for broken
sites only, with smtp_tls_policy_maps entries.

/etc/postfix/main.cf:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

/etc/postfix/tls_policy:
    example.com         may protocols=!SSLv2:!TLSv1.1:!TLSv1.2
</quote>

I did screw it up, I left out the "v" in the "TLSv1.2" protocol name.
However, even changing that did not make any difference.

>I have verified that Postfix + OpenSSL 1.0.1a fails to communicate
>with 65.55.96.11 with "default" settings, but succeeds when I disable
>TLSv1.2 (with smtp_tls_policy_maps or with smtp_tls_protocols).
>
>If you can't make it work with the policy table, simply specify in
>main.cf:
>
>    smtp_tls_protocols = !SSLv2,!TLSv1.2
>    smtp_tls_mandatory_protocols = !SSLv2,!TLSv1.2

This works fine for me. I fail to understand why the policy map fails
however.

>I don't see STARTTLS support on the MX hosts for hotmail.com, so I
>wonder why you ended up talking to 65.55.96.11.

No idea.

Thanks for your help.

-- 
Jerry ✌
postfix-u...@seibercom.net
_____________________________________________________________________
TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
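Not part of the thread: an added validator for the protocols= attribute of a tls_policy entry, which rejects the "TLS1.2" misspelling the way the quoted Postfix warning does and shows which protocols remain enabled for a valid entry. It assumes the Postfix 2.10 protocol names SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2, that a "!" prefix excludes a protocol, and that exclusions and inclusions cannot be mixed in one list.

```python
# Added example, not from the thread or the Postfix source. Assumed
# protocol names for Postfix 2.10 + OpenSSL 1.0.1; "!" excludes a name,
# and exclusions and inclusions may not be mixed (assumption).
from typing import Dict, List, Tuple

KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_protocol_list(spec: str) -> List[str]:
    """Return the protocols left enabled by a protocols= value.

    Raises ValueError on an unknown name, mirroring the
    'Invalid TLS protocol list ... aborting TLS session' warning.
    Accepts ':' (policy table) and ',' (main.cf) as separators.
    """
    tokens = [t for t in spec.replace(",", ":").split(":") if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    bad = (excluded | included) - set(KNOWN_PROTOCOLS)
    if bad:
        raise ValueError(f"Invalid TLS protocol list {spec!r}: unknown {sorted(bad)}")
    if excluded and included:
        raise ValueError(f"Invalid TLS protocol list {spec!r}: mixes ! and non-! names")
    if included:
        return [p for p in KNOWN_PROTOCOLS if p in included]
    return [p for p in KNOWN_PROTOCOLS if p not in excluded]


def check_policy_table(text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Parse 'domain level [attr=value ...]' lines into {domain: (level, protocols)}."""
    result: Dict[str, Tuple[str, List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        domain, level, attrs = fields[0], fields[1], fields[2:]
        protocols = list(KNOWN_PROTOCOLS)  # no protocols= attribute: all allowed
        for attr in attrs:
            key, _, value = attr.partition("=")
            if key == "protocols":
                protocols = parse_protocol_list(value)
        result[domain] = (level, protocols)
    return result


# Constructed samples: the misspelled entry from the thread and the corrected one.
SAMPLE_BAD = "hotmail.com     may protocols=!SSLv2:!TLSv1.1:!TLS1.2\n"
SAMPLE_GOOD = "example.com     may protocols=!SSLv2:!TLSv1.1:!TLSv1.2\n"

if __name__ == "__main__":
    for sample in (SAMPLE_BAD, SAMPLE_GOOD):
        try:
            print(check_policy_table(sample))
        except ValueError as err:
            print("rejected:", err)
```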