On 29/04/2015 16:06, DTNX Postmaster wrote:
> On 29 Apr 2015, at 14:53, Birta Levente <blevi.li...@gmail.com> wrote:
>
>> Hello
>>
>> I see many SSL_connect errors for different domains whose mail service is hosted at
>> Microsoft:
>>
>> Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to
>> irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
>> Apr 28 10:32:12 srv1 postfix/smtp[18296]: 3lbZRv0VXQz1lvjB:
>> to=<xxxxx...@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25,
>> delay=1.1, delays=0.14/0.37/0.56/0, dsn=4.7.5, status=deferred (Cannot start TLS:
>> handshake failure)
>>
>> After a few tries Postfix sends the message in plain text.
>>
>> Looking at the mailing list archive, I resolved it with smtp_tls_policy_maps =
>> hash:/etc/postfix/tls_policy:
>>
>> tls_policy:
>> irs.ro          may protocols=TLSv1 ciphers=medium exclude=3DES:MD5
>>
>>
>> But all these domains have MX records pointing to
>> something.othersomething.outlook.com, so I wonder if there is a way to apply
>> this policy like that:
>>
>> [.outlook.com]:25 may protocols=TLSv1 ciphers=medium exclude=3DES:MD5
> Have you tried just turning off your override? The receiving server
> does not support your excluded cipher anyway;
>
> ==
> Target: irs-ro.mail.eo.outlook.com:25
>
> prio  ciphersuite              protocols              pfs_keysize
> 1     ECDHE-RSA-AES256-SHA384  TLSv1.2                ECDH,P-384,384bits
> 2     ECDHE-RSA-AES128-SHA256  TLSv1.2                ECDH,P-256,256bits
> 3     ECDHE-RSA-AES256-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-384,384bits
> 4     ECDHE-RSA-AES128-SHA     TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
> 5     AES256-SHA256            TLSv1.2
> 6     AES128-SHA256            TLSv1.2
> 7     AES256-SHA               TLSv1,TLSv1.1,TLSv1.2
> 8     AES128-SHA               TLSv1,TLSv1.1,TLSv1.2
> 9     DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2
> 10    RC4-SHA                  TLSv1,TLSv1.1,TLSv1.2
> 11    RC4-MD5                  TLSv1,TLSv1.1,TLSv1.2
>
> Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
> TLS ticket lifetime hint: None
> OCSP stapling: not supported
> Server side cipher ordering
> ==
>
> And it should negotiate the strongest possible cipher just fine. Ours
> negotiates the first in the list, and if your OpenSSL doesn't support
> TLSv1.2 yet you should see either #3 or #7.
>
> Mvg,
> Joni


Our server also negotiates the first in your list:

# posttls-finger irs-ro.mail.eo.outlook.com:25
posttls-finger: Connected to irs-ro.mail.eo.outlook.com[213.199.154.23]:25
posttls-finger: < 220 AM1FFO11FD015.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Wed, 29 Apr 2015 13:42:24 +0000
posttls-finger: > EHLO srv1.xxxxxxxx.ro
posttls-finger: < 250-AM1FFO11FD015.mail.protection.outlook.com Hello [176.223.199.54]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 SMTP server ready
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: Matched subjectAltName: *.mail.eo.outlook.com
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: subjectAltName: *.mail.protection.outlook.com
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: subjectAltName: mail.protection.outlook.com
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: subjectAltName: outlook.com
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: subjectAltName: mail.messaging.microsoft.com
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25 CommonName mail.protection.outlook.com
posttls-finger: certificate verification failed for irs-ro.mail.eo.outlook.com[213.199.154.23]:25: untrusted issuer /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
posttls-finger: irs-ro.mail.eo.outlook.com[213.199.154.23]:25: subject_CN=*.mail.eo.outlook.com, issuer_CN=MSIT Machine Auth CA 2, fingerprint=3D:FA:EC:8A:81:0E:8B:F2:D8:1D:64:6E:D4:E1:1E:0F:FD:F6:FA:55, pkey_fingerprint=19:00:DD:94:FA:DC:82:BF:CD:79:31:B1:8D:36:C8:99:CD:AA:B4:8F
posttls-finger: Untrusted TLS connection established to irs-ro.mail.eo.outlook.com[213.199.154.23]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
posttls-finger: > EHLO srv1.xxxxxxxx.ro
posttls-finger: < 250-AM1FFO11FD015.mail.protection.outlook.com Hello [176.223.199.54]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-AUTH LOGIN
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Service closing transmission channel

But something is happening after negotiation.
My knowledge is not deep at all, but certainly they have a problem with TLSv1.2.

--
           Levi
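The thread turns on which destinations are hitting "Cannot start TLS: handshake failure" and whether the tls_policy table actually covers them. Postfix looks up smtp_tls_policy_maps by the next-hop destination (here the recipient domain, irs.ro), not by the MX hostname the connection ends up at, so the triage below groups deferrals by the `to=` domain and only records the outlook.com relay as supporting detail. This is an added example, not code from the thread or from Postfix: the log lines and the policy table are constructed to match the format quoted above (example.net, example.org and the 203.0.113.x / 198.51.100.x addresses are placeholders), and the exact-key policy check is a simplification of Postfix's own lookup rules.

```python
import re
from collections import defaultdict

# Constructed sample of postfix/smtp log lines, modelled on the two lines quoted
# in the thread (same format, recipient masked). example.net / example.org and
# the 203.0.113.x / 198.51.100.x addresses are documentation placeholders.
SAMPLE_LOG = """\
Apr 28 10:32:12 srv1 postfix/smtp[18296]: SSL_connect error to irs-ro.mail.eo.outlook.com[213.199.154.87]:25: lost connection
Apr 28 10:32:12 srv1 postfix/smtp[18296]: 3lbZRv0VXQz1lvjB: to=<xxxxx@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25, delay=1.1, delays=0.14/0.37/0.56/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Apr 28 10:37:45 srv1 postfix/smtp[18301]: 3lbZRv0VXQz1lvjB: to=<xxxxx@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25, delay=334, delays=333/0.3/0.5/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Apr 28 10:52:10 srv1 postfix/smtp[18310]: 3lbZRv0VXQz1lvjB: to=<xxxxx@irs.ro>, relay=irs-ro.mail.eo.outlook.com[213.199.154.87]:25, delay=1199, delays=1198/0.2/0.4/0.6, dsn=2.0.0, status=sent (250 2.6.0 ok)
Apr 28 11:02:17 srv1 postfix/smtp[18402]: 3lbZT10qYvz1lvjC: to=<someone@example.net>, relay=example-net.mail.eo.outlook.com[203.0.113.10]:25, delay=1.0, delays=0.1/0.3/0.5/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Apr 28 11:10:00 srv1 postfix/smtp[18410]: 3lbZT9PLxqz1lvjD: to=<ok@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0.2/0.5/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
"""

# Constructed tls_policy table containing just the entry shown in the thread.
SAMPLE_POLICY = """\
# next-hop domain   level   attributes
irs.ro          may protocols=TLSv1 ciphers=medium exclude=3DES:MD5
"""

TLS_FAILURE = "Cannot start TLS: handshake failure"

# One delivery-attempt line: queue id, recipient, relay host/ip/port, dsn, status, reason.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<queue>\w+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+), .*?"
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)


def parse_deliveries(log_text):
    """Yield one dict per delivery-attempt line; other smtp lines (e.g. the
    bare 'SSL_connect error' line) carry no recipient and are skipped."""
    for line in log_text.splitlines():
        m = DELIVERY_RE.search(line)
        if m:
            d = m.groupdict()
            d["rcpt_domain"] = d["rcpt"].rsplit("@", 1)[-1].lower()
            yield d


def tls_failures_by_nexthop(log_text):
    """Group TLS handshake deferrals by next-hop (recipient) domain: how many
    attempts failed, which MX hosts were involved, and whether the same domain
    was also delivered (the plaintext fallback the thread describes)."""
    summary = defaultdict(lambda: {"attempts": 0, "relays": set(), "eventually_sent": False})
    for d in parse_deliveries(log_text):
        entry = summary[d["rcpt_domain"]]
        if d["status"] == "deferred" and TLS_FAILURE in d["reason"]:
            entry["attempts"] += 1
            entry["relays"].add(d["relay"])
        elif d["status"] == "sent":
            entry["eventually_sent"] = True
    # Keep only domains that actually had a handshake failure.
    return {dom: e for dom, e in summary.items() if e["attempts"]}


def load_tls_policy(policy_text):
    """Parse the textual tls_policy source: 'key level [attr=value ...]' per line."""
    policy = {}
    for line in policy_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, level, *attrs = line.split()
        policy[key.lower()] = (level, attrs)
    return policy


def unmatched_domains(log_text, policy_text):
    """Failing next-hop domains with no exact entry in the policy table.
    Assumption: exact next-hop keys only; a key written for the MX host such as
    [.outlook.com]:25 is not consulted for a recipient-domain next-hop."""
    policy = load_tls_policy(policy_text)
    return sorted(dom for dom in tls_failures_by_nexthop(log_text) if dom not in policy)


def report(log_text, policy_text):
    """One summary line per failing next-hop domain, flagging uncovered ones."""
    policy = load_tls_policy(policy_text)
    lines = []
    for dom, e in sorted(tls_failures_by_nexthop(log_text).items()):
        covered = f"policy={policy[dom][0]}" if dom in policy else "policy=NONE"
        lines.append(f"{dom:<15} failures={e['attempts']} sent_anyway={e['eventually_sent']} "
                     f"relays={','.join(sorted(e['relays']))} {covered}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, SAMPLE_POLICY):
        print(line)
```

Run against a real mail log, the report shows which recipient domains still fall back to plaintext and whether the policy table has an entry for them at all; it deliberately does not pick a policy for you, since the thread itself disagrees on whether the override should exist.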
