On Sun, Oct 20, 2013 at 08:55:33PM +0300, Deniss wrote:
I have an issue with postfix-2.10.2 and latest MS
windows/exchange/outlook: SSL connection cannot be negotiated with
default settings, there is an error in postfix log:
Oct 20 20:13:41 box postfix/smtp[21730]: warning: TLS library
problem: 21730:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:337:

Please DO NOT omit critical related information. What was the
final error logged by the Postfix SMTP client for this delivery?
This generally records the SMTP protocol stage at which the error
occurred. In particular, whether the handshake completed and the
error happened during data transfer or not.
Show all related logging from process 21730.

Well, the full log shows:
Oct 21 21:35:01 box postfix/smtp[19887]: warning: TLS library problem:
19887:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:
Oct 21 21:35:01 box postfix/smtp[19887]: 9057812402F:
to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25,
delay=0.05, delays=0.01/0.01/0.03/0, dsn=4.4.2, status=deferred (lost
connection with mail.co.inbox.lv[195.13.218.205] while sending MAIL FROM)

By brief investigation it looks like schannel drops the connection if the first
tried cipher suite does not work and does not try other ciphers.

Wild guess:
http://archives.neohapsis.com/archives/postfix/2013-10/thread.html#289

I tried to make use of "smtp_tls_exclude_ciphers = DES-CBC3-SHA"
and got a TLS failure and the message sent in plain wire (I believe):
Oct 21 21:43:41 box postfix/smtp[20925]: SSL_connect error to
mail.co.inbox.lv[195.13.218.205]:25: lost connection
Oct 21 21:43:41 box postfix/smtp[20925]: 7613D12402F: Cannot start TLS:
handshake failure
Oct 21 21:43:41 box postfix/smtp[20925]: 7613D12402F:
to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25,
delay=0.38, delays=0.01/0.01/0.02/0.35, dsn=2.6.0, status=sent (250
2.6.0 <526575df.8070...@sad.lv> Queued mail for delivery)
Oct 21 21:43:41 got postfix/qmgr[20393]: 7613D12402F: removed
I tried openssl s_client -connect mail.co.inbox.lv:25 -starttls smtp
-tls1_2:
CONNECTED(00000003)
2714154632:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 437 bytes and written 7 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1382382209
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
but it works just fine with -tls1
Protocol : TLSv1
Cipher : DES-CBC3-SHA

Moreover I tried
smtp_tls_policy_maps = hash:/etc/postfix/tls_map with
# cat /etc/postfix/tls_map
[mail.co.inbox.lv]:25 secure ciphers=medium exclude=3DES
with no luck:
Oct 21 22:13:32 box postfix/smtp[24060]: warning: TLS library problem:
24060:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:
Oct 21 22:13:32 box postfix/smtp[24060]: D912212402E:
to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25,
delay=0.04, delays=0/0.01/0.02/0, dsn=4.4.2, status=deferred (lost
connection with mail.co.inbox.lv[195.13.218.205] while sending MAIL FROM)

If you provide more context, you'll get better help.

BTW, the digest of the postfix-users list does not allow replying to the messages :(
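
An added example, not part of the original thread: a Python log check for the two outcomes shown above, a delivery deferred after a TLS library error and a delivery that logged "Cannot start TLS" and was then sent anyway, which with opportunistic TLS means Postfix retried without TLS. The sample lines are the thread's own log entries rejoined onto single lines; the function name, regexes and verdict labels are assumptions of this example.

```python
import re

# Log entries from the thread above, rejoined onto single lines.
SAMPLE = """\
Oct 21 21:35:01 box postfix/smtp[19887]: warning: TLS library problem: 19887:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
Oct 21 21:35:01 box postfix/smtp[19887]: 9057812402F: to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25, delay=0.05, delays=0.01/0.01/0.03/0, dsn=4.4.2, status=deferred (lost connection with mail.co.inbox.lv[195.13.218.205] while sending MAIL FROM)
Oct 21 21:43:41 box postfix/smtp[20925]: SSL_connect error to mail.co.inbox.lv[195.13.218.205]:25: lost connection
Oct 21 21:43:41 box postfix/smtp[20925]: 7613D12402F: Cannot start TLS: handshake failure
Oct 21 21:43:41 box postfix/smtp[20925]: 7613D12402F: to=<s...@co.inbox.lv>, relay=mail.co.inbox.lv[195.13.218.205]:25, delay=0.38, delays=0.01/0.01/0.02/0.35, dsn=2.6.0, status=sent (250 2.6.0 <526575df.8070...@sad.lv> Queued mail for delivery)
"""

LINE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)")
DELIVERY = re.compile(r"(?P<qid>[0-9A-F]+): to=<[^>]*>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")
NO_TLS = re.compile(r"(?P<qid>[0-9A-F]+): Cannot start TLS")


def classify(log_text):
    """Return (queue_id, relay, verdict) for deliveries affected by TLS errors."""
    tls_error_pids = set()  # smtp processes that logged a TLS error
    no_tls_qids = set()     # queue IDs whose STARTTLS attempt was abandoned
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if "TLS library problem" in msg or msg.startswith("SSL_connect error"):
            tls_error_pids.add(pid)
        elif (n := NO_TLS.match(msg)):
            no_tls_qids.add(n.group("qid"))
        elif (d := DELIVERY.match(msg)):
            qid, status = d.group("qid"), d.group("status")
            if status == "sent" and qid in no_tls_qids:
                # Delivered after the handshake was given up: no TLS was used.
                findings.append((qid, d.group("relay"), "plaintext-fallback"))
            elif status == "deferred" and pid in tls_error_pids:
                findings.append((qid, d.group("relay"), "deferred-after-tls-error"))
            # smtp processes are reused, so forget this PID's error state.
            tls_error_pids.discard(pid)
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(*finding)
```
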