On Fri, Jun 14, 2013 at 05:53:03PM +0200, Jan P. Kessler wrote:

> >I would have expected SHA-2 support as of OpenSSL 1.0.0a.
> 
> Ok, so the problem seems to be clear. The system uses an ancient
> openssl version (sunfreeware package):
> 
>         libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8
>         libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8
>
> # /usr/local/ssl/bin/openssl version
> OpenSSL 0.9.8k 25 Mar 2009
> 
> Thank you very much for your help! Is it possible to deactivate the
> "smtpd_tls_ask_ccert = yes" setting for this special target? Ideally
> without deactivating the complete STARTTLS extension?

Only via NAT, if you can divert traffic from this client IP to a
different SMTP listener in which the feature is disabled via
master.cf.

The sender should replace their certificate, it is not compliant
with TLSv1.  This too may take time.

I never enabled ask_ccert on port 25, I had used 587 for that (on
a machine that nevertheless was not an MSA), and clients with special
access configured via ccerts had to use a transport table or similar
to send to a non-default port to get that access.

> I understand that the correct solution is an openssl upgrade on our
> side (due to other security related reasons), but I need a
> maintenance window for this.

Build OpenSSL 1.0.1e from source without shared libraries, just
".a" files (default via OpenSSL's Configure).  Then link Postfix
against that, and deploy.  For example with OpenSSL built in
/var/tmp/openssl (libcrypto.a and libssl.a in that directory, and
include files in /var/tmp/openssl/include) build as follows (adjusting
paths as required):

#! /bin/sh

DEST=/usr/local
CCARGS='-DUSE_TLS -I/var/tmp/openssl/include ...'
AUXLIBS='-L/var/tmp/openssl -lssl -lcrypto ...'

while read -r name val
do
    CCARGS="$CCARGS $(printf -- '-D%s=\\"%s\\"' $name $val)"
done <<EOF
    DEF_COMMAND_DIR         $DEST/sbin
    DEF_CONFIG_DIR          $DEST/etc
    DEF_DAEMON_DIR          $DEST/libexec
    DEF_MAILQ_PATH          /usr/bin/mailq
    DEF_HTML_DIR            $DEST/html
    DEF_MANPAGE_DIR         $DEST/man
    DEF_NEWALIAS_PATH       /usr/bin/newaliases
    DEF_README_DIR          $DEST/readme
    DEF_SENDMAIL_PATH       /usr/sbin/sendmail
EOF
make -f Makefile.init "CCARGS=$CCARGS" "AUXLIBS=$AUXLIBS" makefiles
make

-- 
        Viktor.
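A master.cf fragment for the second listener Viktor describes, added here as an example that is not from the thread; the port 2525, the syslog_name value and the firewall redirect for the single client IP are assumptions, and the redirect rule itself is host-specific and not shown.

```conf
# master.cf (example, not from the original thread)
#
# The normal port 25 listener keeps the main.cf defaults, including
# smtpd_tls_ask_ccert = yes, for every other client.
smtp      inet  n       -       n       -       -       smtpd

# Dedicated listener reached only by the one client whose certificate
# OpenSSL 0.9.8 cannot verify. Traffic from that client IP is redirected
# from port 25 to this port in the host firewall (rule not shown).
# STARTTLS stays enabled here; only the client certificate request is
# turned off, so any ccert-based relay access does not apply on this port.
2525      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/noccert
    -o smtpd_tls_security_level=may
    -o smtpd_tls_ask_ccert=no
```

Because the per-listener override is on this port only, checking `postconf -M 2525/inet` (Postfix 2.11 and later) or the postfix/noccert log lines confirms which clients actually land on the relaxed listener.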