>> # openssl
>> ./Configure \
>> --prefix=${BASE}/openssl \
>> --openssldir=${BASE}/openssl \
>> solaris-sparcv9-cc
>> make; make install
>>
>> # postfix
>> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
>> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
>> -L/usr/local/lib"
>> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
>> -I/usr/local/include"
>>
>> make tidy; make makefiles \
>> CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
>> AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
>> make; make upgrade

The openssl update from 0.9.8k to 1.0.1e solved the client certificate issue.
Unfortunately now we see another problem with the outgoing instance, trying to send to another partner with mandatory TLS:

Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:28:55 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: to=<xxx....@example.com>, relay=mxtls.allianz.com[194.127.3.22]:25, delay=62663, delays=62662/0/0.54/0.01, dsn=4.7.0, status=deferred (host mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command))

BEFORE UPGRADE:

Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] certificate verification failed for mxtls.allianz.com[194.127.3.21]:25: untrusted issuer /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] Untrusted TLS connection established to mxtls.allianz.com[194.127.3.21]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 14 11:43:42 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553 mail.info] 19688599D: to=<xxx....@example.com>, relay=mxtls.allianz.com[194.127.3.21]:25, delay=0.94, delays=0.03/0/0.48/0.43, dsn=2.0.0, status=sent (250 2.0.0 r5E9hfN2006147 Message accepted for delivery)

Other outgoing TLS connections seem to work fine:

Jun 16 00:29:52 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to gmail-smtp-in.l.google.com[173.194.70.26]:25
Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] Trusted TLS connection established to gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553 mail.info] CBF8256AD: to=<aaa....@example.com>, relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.85, delays=0.01/0/0.18/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1371335393 b5si7050738eew.190 - gsmtp)
Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] setting up TLS connection to smail2-neu.mailintern.local[10.221.24.22]:25
Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] Trusted TLS connection established to smail2-neu.mailintern.local[10.221.24.22]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 00:29:55 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info] 6195A56F4: to=<ccc....@example.com>, relay=smail2-neu.mailintern.local[10.221.24.22]:25, delay=11, delays=11/0/0.14/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 98BABC6DA0)
Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] setting up TLS connection to smtpcl3.fiducia.de[195.200.34.38]:25
Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] smtpcl3.fiducia.de[195.200.34.38]:25: re-using session with untrusted certificate, look for details earlier in the log
Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] Untrusted TLS connection established to smtpcl3.fiducia.de[195.200.34.38]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jun 16 00:29:58 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553 mail.info] 932B356AF: to=<eee....@example.com>, relay=smtpcl3.fiducia.de[195.200.34.38]:25, delay=2.1, delays=0.58/0.07/0.26/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7C5731C8C89)

I have already tried to wipe the smtp_scache.db without success.
Could you give me another hint? Verbose logs and configuration follow at the end of this mail.

> If you're interested, I now have another option for you, a Postfix
> patch that will likely enable support for SHA-2 digests even when
> Postfix is compiled and linked with OpenSSL 0.9.8.

May I ask if this would have a chance to be included in future postfix releases?
Just to know if postfix has to be patched again with updates.

> Keep in mind that the latest OpenSSL 0.9.8 patch level is now
> 0.9.8y, and I seem to recall that you had 0.9.8k which likely has
> various unpatched bugs. So you should probably upgrade the system's
> OpenSSL 0.9.8 libraries to 0.9.8y.

Thanks, but the 0.9.8k openssl lib is anyway not the solaris 10 default. It was installed separately some time ago from a different source (sunfreeware) to compile postfix. I'd prefer to drop it completely. It is not used by other software on these systems.

# postconf -c /etc/postfix/OUT mail_version
mail_version = 2.8.13

# /opt/vrnetze/openssl/bin/openssl version
OpenSSL 1.0.1e 11 Feb 2013

# postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3

# postqueue -c /etc/postfix/OUT -i 704A35DD5

Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] mxtls.allianz.com[194.127.3.22]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] looking for session smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 in smtp cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] lookup smtp session id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:before/connect initialization
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:SSLv2/v3 write client hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:error in SSLv2/v3 read server hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] remove session smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 from client cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] delete smtp session id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] mxtls.allianz.com[194.127.3.21]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] looking for session smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 in smtp cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] lookup smtp session id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:before/connect initialization
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] write to 000A3418 [000F6020] (363 bytes => 363 (0x16B))
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:SSLv2/v3 write client hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] read from 000A3418 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect:error in SSLv2/v3 read server hello A
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] remove session smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647 from client cache
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553 mail.info] delete smtp session id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] 704A35DD5: to=<xxx....@example.com>, relay=mxtls.allianz.com[194.127.3.21]:25, delay=64211, delays=64211/0/0.54/0.01, dsn=4.7.0, status=deferred (host mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command))

# egrep -v "^#" /etc/postfix/OUT/master.cf
smtp26     inet  n  -  n  -      200  smtpd
  -o smtpd_client_connection_count_limit=100
cryptosmtp unix  -  -  n  -      50   smtp
  -o smtp_data_done_timeout=1200
tlsmgr     unix  -  -  n  1000?  1    tlsmgr
pickup     fifo  n  -  n  60     1    pickup
cleanup    unix  n  -  n  -      0    cleanup
qmgr       fifo  n  -  n  300    1    qmgr
rewrite    unix  -  -  n  -      -    trivial-rewrite
bounce     unix  -  -  n  -      0    bounce
defer      unix  -  -  n  -      0    bounce
trace      unix  -  -  n  -      0    bounce
verify     unix  -  -  n  -      1    verify
flush      unix  n  -  n  1000?  0    flush
proxymap   unix  -  -  n  -      -    proxymap
smtp       unix  -  -  n  -      -    smtp
relay      unix  -  -  n  -      -    smtp
showq      unix  n  -  n  -      -    showq
error      unix  -  -  n  -      -    error
discard    unix  -  -  n  -      -    discard
local      unix  -  n  n  -      -    local
virtual    unix  -  n  n  -      -    virtual
lmtp       unix  -  -  n  -      -    lmtp
anvil      unix  -  -  n  -      1    anvil
scache     unix  -  -  n  -      1    scache
maildrop   unix  -  n  n  -      -    pipe
  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
old-cyrus  unix  -  n  n  -      -    pipe
  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
cyrus      unix  -  n  n  -      -    pipe
  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
uucp       unix  -  n  n  -      -    pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail     unix  -  n  n  -      -    pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp      unix  -  n  n  -      -    pipe
  flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

# postconf -c /etc/postfix/OUT -n
alias_database = hash:/etc/postfix/aliases
alias_maps = $alias_database
body_checks = pcre:/etc/postfix/OUT/body_checks
body_checks_size_limit = 512000
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.cf
command_directory = /opt/vrnetze/postfix/sbin
config_directory = /etc/postfix/OUT
daemon_directory = /opt/vrnetze/postfix/libexec
data_directory = /var/spool/postfix-OUT/DATA
debug_peer_level = 2
default_privs = nobody
default_process_limit = 200
disable_vrfy_command = yes
fast_flush_domains = $relay_domains
header_checks = pcre:/etc/postfix/OUT/header_checks
html_directory = no
inet_interfaces = all
luser_relay = g_cna...@example.com
mail_name = Mailservice
mail_owner = postfix
mailbox_size_limit = 56000001
mailq_path = /usr/bin/mailq
manpage_directory = /opt/vrnetze/postfix/man
maximal_queue_lifetime = 3d
message_size_limit = 56000000
mime_header_checks = pcre:/etc/postfix/OUT/mime_header_checks
mydestination = $myhostname, localhost.$mydomain
mydomain = EXAMPLE.COM
myhostname = mail.EXAMPLE.COM
mynetworks = /etc/postfix/relay_from_networks
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases
proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
queue_directory = /var/spool/postfix-OUT
readme_directory = /opt/vrnetze/postfix/doc
receive_override_options = no_address_mappings
relay_domains = /etc/postfix/relay_to_domains
sample_directory = /etc/postfix
sender_canonical_maps = btree:/etc/postfix/sender_canonical
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtp_enforce_tls = no
smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtp_tls_key_file = /etc/postfix/CERTS/key.pem
smtp_tls_loglevel = 1
smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
smtp_tls_scert_verifydepth = 8
smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP Mailservice
smtpd_enforce_tls = no
smtpd_recipient_restrictions = reject_non_fqdn_recipient, reject_non_fqdn_sender, permit_mynetworks, reject
smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 8
smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
syslog_name = postfix-OUT
transport_maps = btree:/etc/postfix/fehlerdomains, btree:/etc/postfix/transport
unknown_address_reject_code = 554
unknown_local_recipient_reject_code = 550
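
Added example, not part of the original mail: a log triage helper for the Postfix SMTP client log formats quoted above. It groups TLS outcomes by relay and lists relays that only show handshake errors, together with the peer's rejection text. The sample lines are constructed (hostnames and addresses are placeholders), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log line formats quoted in this mail.
SAMPLE_LOG = """\
Jun 16 00:28:54 mx1 postfix-OUT/smtp[28488]: [ID 197553 mail.info] setting up TLS connection to mxtls.partner.example[192.0.2.21]:25
Jun 16 00:28:54 mx1 postfix-OUT/smtp[28488]: [ID 197553 mail.info] SSL_connect error to mxtls.partner.example[192.0.2.21]:25: -1
Jun 16 00:28:54 mx1 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: Cannot start TLS: handshake failure
Jun 16 00:28:54 mx1 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: host mxtls.partner.example[192.0.2.21] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
Jun 16 00:28:55 mx1 postfix-OUT/smtp[28488]: [ID 197553 mail.info] 704A35DD5: to=<user@partner.example>, relay=mxtls.partner.example[192.0.2.21]:25, delay=62663, dsn=4.7.0, status=deferred (host mxtls.partner.example[192.0.2.21] said: 403 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command))
Jun 16 00:29:53 mx1 postfix-OUT/smtp[28488]: [ID 197553 mail.info] Trusted TLS connection established to mail.other.example[198.51.100.26]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Jun 16 00:29:57 mx1 postfix-OUT/smtp[28897]: [ID 197553 mail.info] Untrusted TLS connection established to smtp.third.example[203.0.113.38]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

PEER = r"(?P<host>[\w.-]+)\[(?P<ip>[0-9a-fA-F.:]+)\]"
ESTABLISHED = re.compile(
    r"(?P<trust>\w+) TLS connection established to " + PEER +
    r":\d+: (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")
CONNECT_ERROR = re.compile(r"SSL_connect error to " + PEER + r":\d+")
# The lookbehind skips the copy of the reply that is repeated inside the
# "status=deferred (host ... said: ...)" line, so each reply counts once.
REJECTED = re.compile(
    r"(?<!\()host " + PEER + r" said: (?P<reply>[45]\d\d .+?) \(in reply to")


def summarize(log_text):
    """Group TLS outcomes of the Postfix SMTP client by relay hostname."""
    relays = defaultdict(
        lambda: {"established": [], "handshake_errors": 0, "rejections": []})
    for line in log_text.splitlines():
        if (m := ESTABLISHED.search(line)):
            relays[m["host"]]["established"].append(
                (m["trust"], m["proto"], m["cipher"], int(m["bits"])))
        elif (m := CONNECT_ERROR.search(line)):
            relays[m["host"]]["handshake_errors"] += 1
        elif (m := REJECTED.search(line)):
            relays[m["host"]]["rejections"].append(m["reply"])
    return dict(relays)


def broken_relays(summary):
    """Relays with handshake errors and not a single established TLS session."""
    return sorted(host for host, r in summary.items()
                  if r["handshake_errors"] and not r["established"])


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host in broken_relays(summary):
        r = summary[host]
        print(f"{host}: {r['handshake_errors']} handshake error(s), peer said {r['rejections']}")
    for host, r in sorted(summary.items()):
        for trust, proto, cipher, bits in r["established"]:
            print(f"{host}: {trust} {proto} {cipher} ({bits} bits)")
```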