On 29/04/2015 16:06, DTNX Postmaster wrote:
On 29 Apr 2015, at 14:53, Birta Levente <blevi.li...@gmail.com> wrote:
Hello
I see many SSL_connect errors for different domains whose mail service is hosted at
Microsoft:
Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
Apr 28 10:32:12 srv1 postfix/smtp[18296]: 3lbZRv0VXQz1lvjB: to=<xxxxx...@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25, delay=1.1, delays=0.14/0.37/0.56/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
After a few tries Postfix sends the message in plain text.
Looking at the mailing list archive, I resolved it with smtp_tls_policy_maps =
hash:/etc/postfix/tls_policy:
tls_policy:
irs.ro may protocols=TLSv1 ciphers=medium exclude=3DES:MD5
But all these domains have MX records pointing to
something.othersomething.outlook.com, so I wonder if there is a method to apply
the policy like this:
[.outlook.com]:25 may protocols=TLSv1 ciphers=medium exclude=3DES:MD5
Have you tried just turning off your override? The receiving server
does not support your excluded cipher anyway;
==
Target: irs-ro.mail.eo.outlook.com:25

prio  ciphersuite              protocols              pfs_keysize
   1  ECDHE-RSA-AES256-SHA384  TLSv1.2                ECDH,P-384,384bits
   2  ECDHE-RSA-AES128-SHA256  TLSv1.2                ECDH,P-256,256bits
   3  ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-384,384bits
   4  ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
   5  AES256-SHA256            TLSv1.2
   6  AES128-SHA256            TLSv1.2
   7  AES256-SHA               TLSv1,TLSv1.1,TLSv1.2
   8  AES128-SHA               TLSv1,TLSv1.1,TLSv1.2
   9  DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2
  10  RC4-SHA                  TLSv1,TLSv1.1,TLSv1.2
  11  RC4-MD5                  TLSv1,TLSv1.1,TLSv1.2

Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering
==
And it should negotiate the strongest possible cipher just fine. Ours
negotiates the first in the list, and if your OpenSSL doesn't support
TLSv1.2 yet you should see either #3 or #7.
Kind regards,
Joni
Our server also negotiates the first in your list:
# posttls-finger irs-ro.mail.eo.outlook.com:25
posttls-finger: Connected to irs-ro.mail.eo.outlook.com[213.199.154.23]:25
posttls-finger: < 220 AM1FFO11FD015.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 29 Apr 2015 13:42:24 +0000
posttls-finger: > EHLO srv1.xxxxxxxx.ro
posttls-finger: < 250-AM1FFO11FD015.mail.protection.outlook.com Hello [176.223.199.54]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 SMTP server ready
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: Matched subjectAltName: *.mail.eo.outlook.com
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: subjectAltName: *.mail.protection.outlook.com
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: subjectAltName: mail.protection.outlook.com
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: subjectAltName: outlook.com
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: subjectAltName: mail.messaging.microsoft.com
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25 CommonName mail.protection.outlook.com
posttls-finger: certificate verification failed for irs-ro.mail.eo.outlook.com[213.199.154.23]:25: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: subject_CN=*.mail.eo.outlook.com, issuer_CN=MSIT Machine Auth CA 2, fingerprint=3D:FA:EC:8A:81:0E:8B:F2:D8:1D:64:6E:D4:E1:1E:0F:FD:F6:FA:55, pkey_fingerprint=19:00:DD:94:FA:DC:82:BF:CD:79:31:B1:8D:36:C8:99:CD:AA:B4:8F
posttls-finger: Untrusted TLS connection established to irs-ro.mail.eo.outlook.com[213.199.154.23]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
posttls-finger: > EHLO srv1.xxxxxxxx.ro
posttls-finger: < 250-AM1FFO11FD015.mail.protection.outlook.com Hello [176.223.199.54]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-AUTH LOGIN
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Service closing transmission channel
But something is happening after negotiation.
My knowledge is not deep at all, but they certainly have a problem with
TLSv1.2.
--
Levi
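An added example, not code from this thread and not Postfix's own tooling, that addresses the two practical points raised above: it picks the "Cannot start TLS: handshake failure" deferrals out of a postfix/smtp log, groups them by recipient domain and failing MX host, and renders smtp_tls_policy_maps entries keyed by recipient domain. Postfix searches smtp_tls_policy_maps by the next-hop destination (normally the recipient domain), not by the MX host name, so a policy intended for every domain whose MX sits under .outlook.com has to be expanded into one line per recipient domain rather than a single [.outlook.com]:25 key. The log lines, addresses and queue IDs in the block are constructed after the ones quoted in the thread; the policy string is whatever the operator passes in, and the example takes no position on whether an override should be used at all.

```python
import re
from collections import defaultdict

# Constructed log lines modelled on the ones in the thread (addresses, IPs and
# queue IDs are made up). The last line is a later, successful delivery and
# must not be counted as a failure.
SAMPLE_LOG = """\
Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
Apr 28 10:32:12 srv1 postfix/smtp[18296]: 3lbZRv0VXQz1lvjB: to=<user@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25, delay=1.1, delays=0.14/0.37/0.56/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Apr 28 10:35:40 srv1 postfix/smtp[18301]: 3lbZVx2KpQz1lvjC: to=<someone@example.org>, relay=example-org.mail.eo.outlook.com[213.199.154.90]:25, delay=0.9, delays=0.12/0.30/0.48/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Apr 28 10:36:02 srv1 postfix/smtp[18305]: 3lbZWc4RtFz1lvjD: to=<other@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.5, delays=0.10/0.20/0.20/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Apr 28 10:37:15 srv1 postfix/smtp[18310]: 3lbZXd5SuGz1lvjE: to=<person@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.23]:25, delay=0.7, delays=0.10/0.20/0.40/0, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# One postfix/smtp delivery-attempt line deferred with the STARTTLS handshake error.
DEFERRED_TLS = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): "
    r"to=<[^@>]+@(?P<rcpt_domain>[^>]+)>, "
    r"relay=(?P<relay>[^\[\s]+)\[[^\]]+\]:\d+, "
    r".*status=deferred \(Cannot start TLS: handshake failure\)"
)


def parse_tls_failures(log_text):
    """Map each recipient domain to the set of relay (MX) hosts that failed STARTTLS."""
    failures = defaultdict(set)
    for line in log_text.splitlines():
        m = DEFERRED_TLS.search(line)
        if m:
            failures[m.group("rcpt_domain").lower()].add(m.group("relay").lower())
    return dict(failures)


def hosted_under(failures, mx_suffix):
    """Recipient domains whose failing relays all sit under mx_suffix (e.g. 'outlook.com').

    A domain with a failing relay at some other provider is left out, so a
    policy written for one provider is not silently applied to another.
    """
    suffix = "." + mx_suffix.lower().lstrip(".")
    return sorted(
        domain for domain, relays in failures.items()
        if relays and all(r.endswith(suffix) for r in relays)
    )


def policy_lines(domains, policy):
    """Render smtp_tls_policy_maps lines, one per recipient domain.

    Postfix looks this table up by the next-hop destination (the recipient
    domain unless a transport entry or relayhost overrides it), not by the MX
    host name, which is why the entries are expanded per recipient domain.
    """
    return ["%s %s" % (domain, policy) for domain in domains]


if __name__ == "__main__":
    failures = parse_tls_failures(SAMPLE_LOG)
    for domain, relays in sorted(failures.items()):
        print("# %s failed STARTTLS via %s" % (domain, ", ".join(sorted(relays))))
    # Policy string is the operator's choice; "may" is plain opportunistic TLS.
    for line in policy_lines(hosted_under(failures, "outlook.com"), "may"):
        print(line)
```

Feed the printed entries into /etc/postfix/tls_policy, rebuild the map with `postmap hash:/etc/postfix/tls_policy`, and confirm a lookup with `postmap -q irs.ro hash:/etc/postfix/tls_policy` before reloading Postfix; a domain that is delivered through a transport(5) entry or relayhost is keyed by that next-hop, not by the recipient domain, and needs its entry written accordingly.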