Hello everybody, another issue around TLS/SSL from me.
I see tons of

==> mail/mail.log <==
Nov 7 15:03:29 blueberry postfix/postscreen[16163]: PASS NEW [2a01:111:f400:fe1f::32d]:56472
Nov 7 15:03:29 blueberry postfix/postscreen[16163]: CONNECT from [187.58.37.29]:62661 to [85.214.17.19]:25
Nov 7 15:03:29 blueberry postfix/smtpd[18091]: connect from mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
Nov 7 15:03:29 blueberry postfix/smtpd[18091]: setting up TLS connection from mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
Nov 7 15:03:29 blueberry postfix/smtpd[18091]: mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]: TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!aNULL"
Nov 7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept:before/accept initialization
Nov 7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept:unknown state
Nov 7 15:03:29 blueberry postfix/smtpd[18091]: message repeated 5 times: [ SSL_accept:unknown state]
Nov 7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept:failed in unknown state
Nov 7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept error from mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]: lost connection
Nov 7 15:03:29 blueberry postfix/smtpd[18091]: lost connection after STARTTLS from mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
Nov 7 15:03:29 blueberry postfix/smtpd[18091]: disconnect from mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d] ehlo=1 starttls=0/1 commands

in my log files. Only from outlook.com. TLS/SSL with other hosts works fine, anonymous, untrusted, trusted, verified. All there, despite the unknown state thing. Only that outlook.com thing bugs me.

Did any of you encounter something similar? I found one hit on the net that explained something similar, to get a certificate with min. 2k bits; mine are 4k bits. (https://community.sophos.com/kb/hu-hu/122327)

So the question is, how to get that going?
Any pointers highly appreciated...

Cheers,
Florian

===========================================================================
Note: this message was sent by me *only* if the eMail message contains a correct pgp signature corresponding to my address at flo...@floppy.org. Do you need my PGP public key? Check out http://www.floppy.org or send me an email with the subject "send pgp public key" to this address of mine. Thx!

2bounce_notice_recipient = postmaster-bounce
address_verify_map = btree:/var/lib/postfix/verify
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 300s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
alias_database = btree:/etc/aliases
alias_maps = btree:/etc/aliases
allow_percent_hack = no
always_bcc =
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks.regexp
bounce_notice_recipient = postmaster-bounce
bounce_queue_lifetime = 1d
bounce_size_limit = 10240
broken_sasl_auth_clients = yes
canonical_maps = btree:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_database_type = btree
default_destination_concurrency_limit = 10
default_privs = nobody
default_process_limit = 12
defer_transports = hold
delay_notice_recipient = postmaster-delay
delay_warning_time = 2d
disable_dns_lookups = no
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
error_notice_recipient = postmaster-error
header_checks = regexp:/etc/postfix/block255, regexp:/etc/postfix/header_checks.regexp
home_mailbox = Maildir/
html_directory = /srv/www/blueberry.post-peine.de/html/postfix
inet_interfaces = all
inet_protocols = all
lmtp_tls_ciphers = high
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
local_destination_concurrency_limit = 4
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 3d
message_size_limit = 125000000
meta_directory = /etc/postfix
mydestination = localhost.$mydomain, localhost, localhost.localdomain, h2511160.stratoserver.net $myhostname
myhostname = blueberry.post-peine.de
mynetworks = 127.0.0.0/8 [::1]/128 85.214.231.59/32 [2a01:238:42e6:2a00:400c:c565:2fc4:894f]/128 [2a01:238:42e9:8500:ef96:269e:db52:64a8]/128 85.214.17.19
newaliases_path = /usr/bin/newaliases
notify_classes = bounce, resource, software, delay, policy
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = drop
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
recipient_delimiter = +
relay_domains = btree:/etc/postfix/relay_domains
relay_recipient_maps = btree:/etc/postfix/recipient_maps.outpost
relocated_maps = btree:/etc/postfix/relocated
resolve_dequoted_address = yes
sample_directory = /usr/share/doc/packages/postfix/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = btree:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_send_xforward_command = yes
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_cert_file = /etc/ssl/certs/blueberry.pem
smtp_tls_ciphers = high
smtp_tls_key_file = /etc/ssl/private/blueberry.key
smtp_tls_loglevel = 2
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = btree:/etc/postfix/tls_nach_ziel
smtp_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_session_cache
smtp_tls_session_cache_timeout = 3600s
smtp_use_tls = no
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks
smtpd_error_sleep_time = 1
smtpd_hard_error_limit = 3
smtpd_proxy_timeout = 3600s
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service inet:localhost:10023
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 7
smtpd_timeout = 3600s
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/blueberry.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/ssl/private/blueberry.key
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_session_cache
smtpd_tls_session_cache_timeout = 7200s
smtpd_use_tls = yes
smtputf8_enable = no
strict_rfc821_envelopes = yes
swap_bangpath = no
tls_random_source = dev:/dev/urandom
transport_maps = btree:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 554
virtual_alias_maps = $virtual_maps
virtual_gid_maps = static:1001
virtual_mailbox_base = /var/spool/mail/vmail
virtual_mailbox_domains = btree:/etc/postfix/virtual_domain
virtual_mailbox_maps = btree:/etc/postfix/virtual_domain_users
virtual_maps = btree:/etc/postfix/virtual
virtual_transport = dovecot
virtual_uid_maps = static:500
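
Added example, not part of the original message: one way to check from the log itself whether inbound STARTTLS failures really come from a single sender domain, by tallying the `starttls=ok/total` counters on smtpd `disconnect` lines and the `SSL_accept error` reasons per client domain. The sample lines, hosts and addresses are constructed, and the two-label grouping key is a simplifying assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the log format quoted in the post; hosts and addresses are made up.
SAMPLE_LOG = """\
Nov  7 15:03:29 mx postfix/smtpd[18091]: SSL_accept error from mail-a.outbound.protection.outlook.com[2001:db8::32d]: lost connection
Nov  7 15:03:29 mx postfix/smtpd[18091]: disconnect from mail-a.outbound.protection.outlook.com[2001:db8::32d] ehlo=1 starttls=0/1 commands=1/2
Nov  7 15:04:02 mx postfix/smtpd[18102]: disconnect from mail-b.outbound.protection.outlook.com[2001:db8::41] ehlo=1 starttls=0/1 commands=1/2
Nov  7 15:04:10 mx postfix/smtpd[18110]: disconnect from mx1.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov  7 15:05:31 mx postfix/smtpd[18120]: disconnect from relay.example.net[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

PEER = r"postfix/smtpd\[\d+\]: {} from (?P<host>[^\s\[]+)\[[^\]]+\]"
DISCONNECT = re.compile(PEER.format("disconnect") + r"(?P<stats>.*)$")
SSL_ERROR = re.compile(PEER.format("SSL_accept error") + r": (?P<reason>.*)$")
STARTTLS = re.compile(r"\bstarttls=(\d+)(?:/(\d+))?")

def group_key(host, labels=2):
    """Crude grouping key: the last `labels` DNS labels (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-labels:])

def starttls_summary(lines):
    """Tally STARTTLS successes/failures and SSL_accept error reasons per client domain."""
    summary = defaultdict(lambda: {"ok": 0, "failed": 0, "reasons": Counter()})
    for line in lines:
        err = SSL_ERROR.search(line)
        if err:
            summary[group_key(err["host"])]["reasons"][err["reason"].strip()] += 1
            continue
        done = DISCONNECT.search(line)
        tls = done and STARTTLS.search(done["stats"])
        if tls:  # sessions that never issued STARTTLS are skipped
            ok = int(tls[1])
            total = int(tls[2]) if tls[2] else ok  # "starttls=1" means 1 of 1 succeeded
            entry = summary[group_key(done["host"])]
            entry["ok"] += ok
            entry["failed"] += total - ok
    return dict(summary)

def always_failing(summary):
    """Domains that attempted STARTTLS and never completed a handshake."""
    return sorted(d for d, e in summary.items() if e["failed"] and not e["ok"])

if __name__ == "__main__":
    result = starttls_summary(SAMPLE_LOG.splitlines())
    for domain in always_failing(result):
        print(domain, result[domain]["failed"], dict(result[domain]["reasons"]))
```
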