On Tue, Oct 22, 2013 at 01:15:06PM +0300, Deniss wrote:

> > So this is definitely a version of the broken Windows TLS ciphersuite
> > problem.  If you must use TLS with this server, disable TLSv1.2
> > and 3DES, allow medium grade ciphers (i.e. RC4) and make sure your
> > policy tables, ... are postmapped.
> 
> It was clear from the beginning that disabling TLS 1.2 fixes the issue.
> The question is whether it is possible to fix the problem by mangling the
> cipher suite list without removing TLS 1.2 completely?

What I see with posttls-finger is that it is enough, with otherwise
default settings, to disable just 3DES and aNULL (that is, also
anonymous ciphers; either a new twist for this server, or perhaps
all previous similar tests with ancient Exchange servers were with
the TLS level set to "secure" and did not exercise the need to
disable anonymous ciphers).

    $ defciphers="tls_medium_cipherlist=$(postconf -dhx tls_medium_cipherlist)"

    $ posttls-finger -o "$defciphers" -c -lencrypt -Lsummary "[195.13.218.205]"
    posttls-finger: Connected to 195.13.218.205[195.13.218.205]:25
    posttls-finger: Untrusted TLS connection established to 195.13.218.205[195.13.218.205]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
    posttls-finger: warning: TLS library problem: 93763:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
    posttls-finger: warning: lost connection while sending QUIT command

    $ posttls-finger -o "$defciphers"':!3DES:!aNULL' -c -lencrypt -Lsummary "[195.13.218.205]"
    posttls-finger: Connected to 195.13.218.205[195.13.218.205]:25
    posttls-finger: Untrusted TLS connection established to 195.13.218.205[195.13.218.205]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)

> Where can the posttls-finger tool be obtained?

It is included in the source distribution of recent Postfix 2.11
snapshots.  On a non-RedHat system with OpenSSL 1.0.0 or later,
compile Postfix 2.11 with TLS support.  After a successful build,
the posttls-finger tool will be in the bin/ sub-directory of the
source tree.  Documentation:

    http://www.postfix.org/posttls-finger.1.html

-- 
        Viktor.
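The two posttls-finger runs above are easy to compare by eye, but when a mail admin repeats this test against many peers it helps to parse the summary output mechanically: group the lines into sessions, pull out protocol, cipher and key size, attach any warnings, and flag the cipher classes this thread is about (3DES, RC4, anonymous key exchange). The following is an added example, not code from the original message or from the Postfix project; it assumes the line formats shown in the transcript above and uses a sample constructed from those two sessions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the two sessions from the message above, one record
# per line exactly as posttls-finger prints them (without mail-client wrapping).
SAMPLE_OUTPUT = """\
posttls-finger: Connected to 195.13.218.205[195.13.218.205]:25
posttls-finger: Untrusted TLS connection established to 195.13.218.205[195.13.218.205]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
posttls-finger: warning: TLS library problem: 93763:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
posttls-finger: warning: lost connection while sending QUIT command
posttls-finger: Connected to 195.13.218.205[195.13.218.205]:25
posttls-finger: Untrusted TLS connection established to 195.13.218.205[195.13.218.205]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
"""

CONNECTED_RE = re.compile(r"Connected to (?P<peer>\S+)")
ESTABLISHED_RE = re.compile(
    r"(?P<trust>\w+) TLS connection established to (?P<peer>\S+): "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)
WARNING_RE = re.compile(r"warning: (?P<text>.*)")


@dataclass
class Session:
    """One SMTP/TLS probe as reported by posttls-finger."""
    peer: str
    trust: Optional[str] = None      # "Trusted", "Untrusted", "Verified", ...
    protocol: Optional[str] = None   # e.g. "TLSv1"
    cipher: Optional[str] = None     # OpenSSL cipher name, e.g. "RC4-MD5"
    bits: Optional[int] = None       # key bits actually used
    warnings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """TLS came up and the session ran to completion without warnings."""
        return self.cipher is not None and not self.warnings

    def weak_reasons(self) -> List[str]:
        """Name the cipher properties an admin would want flagged."""
        reasons = []
        c = (self.cipher or "").upper()
        if "DES-CBC3" in c or "3DES" in c:
            reasons.append("3DES")
        if "RC4" in c:
            reasons.append("RC4")
        if c.startswith(("ADH", "AECDH")):
            reasons.append("aNULL")  # anonymous key exchange: no server authentication
        if c.endswith("-MD5"):
            reasons.append("MD5")
        if self.trust == "Untrusted":
            reasons.append("peer certificate not verified")
        return reasons


def parse_sessions(text: str) -> List[Session]:
    """Group posttls-finger output lines into Session records."""
    sessions: List[Session] = []
    current: Optional[Session] = None
    for line in text.splitlines():
        m = CONNECTED_RE.search(line)
        if m:
            current = Session(peer=m.group("peer"))
            sessions.append(current)
            continue
        if current is None:
            continue  # ignore anything printed before the first connection
        m = ESTABLISHED_RE.search(line)
        if m:
            current.trust = m.group("trust")
            current.protocol = m.group("proto")
            current.cipher = m.group("cipher")
            current.bits = int(m.group("bits"))
            continue
        m = WARNING_RE.search(line)
        if m:
            current.warnings.append(m.group("text"))
    return sessions


def report(text: str) -> List[str]:
    """One human-readable line per session."""
    lines = []
    for s in parse_sessions(text):
        status = "OK" if s.ok else "FAILED (%d warning(s))" % len(s.warnings)
        flags = ", ".join(s.weak_reasons()) or "none"
        lines.append("%s: %s %s %s bits: %s; flags: %s"
                     % (s.peer, s.protocol, s.cipher, s.bits, status, flags))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```

Run against real output by piping `posttls-finger ... 2>&1` into `parse_sessions`; the first session in the sample is reported as failed with the "wrong version number" warning even though a 3DES cipher was negotiated, which is exactly the symptom the thread describes, while the second (RC4-MD5 after `:!3DES:!aNULL`) completes cleanly but is still flagged for RC4 and MD5.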
