Hello everybody,

another issue around TLS/SSL from me.

I see tons of
==> mail/mail.log <==
Nov  7 15:03:29 blueberry postfix/postscreen[16163]: PASS NEW
[2a01:111:f400:fe1f::32d]:56472
Nov  7 15:03:29 blueberry postfix/postscreen[16163]: CONNECT from
[187.58.37.29]:62661 to [85.214.17.19]:25
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: connect from
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: setting up TLS connection
from
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
Nov  7 15:03:29 blueberry postfix/smtpd[18091]:
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]:
TLS cipher list "aNULL:-aNULL:HIGH:@STRENGTH:!aNULL"
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept:before/accept
initialization
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept:unknown state
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: message repeated 5 times: [
SSL_accept:unknown state]
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept:failed in unknown
state
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: SSL_accept error from
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]:
lost connection
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: lost connection after
STARTTLS from
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
Nov  7 15:03:29 blueberry postfix/smtpd[18091]: disconnect from
mail-ve1eur01hn032d.outbound.protection.outlook.com[2a01:111:f400:fe1f::32d]
ehlo=1 starttls=0/1 commands

in my log files, and only from outlook.com. TLS/SSL with other hosts works
fine: anonymous, untrusted, trusted, verified. All there, despite the
"unknown state" messages. Only that outlook.com thing bugs me.

Has any of you encountered something similar?

I found one hit on the net describing something similar; its advice was to
get a certificate with min. 2k bits, but mine are 4k bits.
(https://community.sophos.com/kb/hu-hu/122327)

So the question is, how to get that going?

Any pointers highly appreciated...

Cheers,
Florian

===========================================================================
Note:  this message was  sent by me *only* if the  eMail message contains a
correct pgp signature corresponding to my address at  flo...@floppy.org. Do
you need my  PGP  public key? Check out http://www.floppy.org or send me an
email with  the subject "send pgp public key" to  this address of mine.Thx!
# Postfix settings as pasted by the poster. The alphabetical name = value
# layout looks like `postconf -n` output (non-default settings only) -
# presumably that is the source; confirm before relying on "absent = default".
2bounce_notice_recipient = postmaster-bounce
# Address verification probe results are cached in this btree file,
# including negative results (kept 3d, re-probed after 300s).
address_verify_map = btree:/var/lib/postfix/verify
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 300s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
alias_database = btree:/etc/aliases
alias_maps = btree:/etc/aliases
# user%domain rewriting is off.
allow_percent_hack = no
always_bcc =
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks.regexp
bounce_notice_recipient = postmaster-bounce
bounce_queue_lifetime = 1d
bounce_size_limit = 10240
# Also advertises AUTH in the non-standard "AUTH=" form for old clients.
broken_sasl_auth_clients = yes
canonical_maps = btree:/etc/postfix/canonical
command_directory = /usr/sbin
compatibility_level = 2
# All mail is handed to the smtp-amavis transport on the loopback address,
# port 10024, for content inspection.
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
# Only takes effect for peers matched by debug_peer_list, which is not set
# in this listing.
debug_peer_level = 2
# Only run when a daemon is started with the -D option.
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb
    $daemon_directory/$process_name $process_id & sleep 5
default_database_type = btree
default_destination_concurrency_limit = 10
default_privs = nobody
# Upper bound on processes per service; relevant to the one-hour
# smtpd_timeout further down in this listing.
default_process_limit = 12
defer_transports = hold
delay_notice_recipient = postmaster-delay
delay_warning_time = 2d
disable_dns_lookups = no
# VRFY is refused, so the command cannot be used to probe for valid addresses.
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
error_notice_recipient = postmaster-error
header_checks = regexp:/etc/postfix/block255,
    regexp:/etc/postfix/header_checks.regexp
home_mailbox = Maildir/
html_directory = /srv/www/blueberry.post-peine.de/html/postfix
# Listens on every interface, IPv4 and IPv6 (the log above shows both).
inet_interfaces = all
inet_protocols = all
# LMTP client TLS: "high" cipher grade; only SSLv2 and SSLv3 are excluded,
# so every TLS version the linked library supports stays enabled.
lmtp_tls_ciphers = high
lmtp_tls_mandatory_protocols = !SSLv2 !SSLv3
lmtp_tls_protocols = !SSLv2 !SSLv3
local_destination_concurrency_limit = 4
mail_owner = postfix
mail_spool_directory = /var/mail
# 0 means no mailbox size limit; a single message may be up to 125000000 bytes.
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 3d
message_size_limit = 125000000
meta_directory = /etc/postfix
mydestination = localhost.$mydomain, localhost, localhost.localdomain,
    h2511160.stratoserver.net $myhostname
myhostname = blueberry.post-peine.de
# Every address listed here passes permit_mynetworks, which the relay and
# recipient restrictions in this listing put first - i.e. these hosts may
# relay without authentication. 85.214.17.19 is the local address seen in the
# postscreen CONNECT log line above. NOTE(review): confirm each entry is a
# host under the operator's control.
mynetworks = 127.0.0.0/8 [::1]/128 85.214.231.59/32
    [2a01:238:42e6:2a00:400c:c565:2fc4:894f]/128
    [2a01:238:42e9:8500:ef96:269e:db52:64a8]/128 85.214.17.19
newaliases_path = /usr/bin/newaliases
notify_classes = bounce, resource, software, delay, policy
# postscreen: mynetworks are allowed first, then the CIDR access table is
# consulted.
postscreen_access_list = permit_mynetworks
    cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_action = drop
postscreen_blacklist_action = drop
# NOTE(review): postscreen_dnsbl_sites is empty, so the enforce action and
# the threshold of 2 presumably never trigger - no list contributes a score.
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
recipient_delimiter = +
relay_domains = btree:/etc/postfix/relay_domains
relay_recipient_maps = btree:/etc/postfix/recipient_maps.outpost
relocated_maps = btree:/etc/postfix/relocated
resolve_dequoted_address = yes
sample_directory = /usr/share/doc/packages/postfix/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
# Outgoing (SMTP client) side. SASL credentials for remote servers come from
# the sasl_passwd table. NOTE(review): that file and its btree database hold
# passwords in clear text - check they are not world-readable.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = btree:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_send_xforward_command = yes
smtp_tls_CApath = /etc/ssl/certs/
# The client presents the same certificate/key pair that smtpd uses as its
# server certificate (see smtpd_tls_cert_file / smtpd_tls_key_file).
smtp_tls_cert_file = /etc/ssl/certs/blueberry.pem
smtp_tls_ciphers = high
smtp_tls_key_file = /etc/ssl/private/blueberry.key
# Level 2 also logs TLS negotiation progress; it is meant for debugging,
# and level 1 is the usual setting for routine operation.
smtp_tls_loglevel = 2
# Only SSLv2 and SSLv3 are excluded; every TLS version stays enabled.
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_note_starttls_offer = yes
# Per-destination TLS policy overrides the opportunistic default below.
smtp_tls_policy_maps = btree:/etc/postfix/tls_nach_ziel
smtp_tls_protocols = !SSLv2 !SSLv3
# Opportunistic TLS: encrypt when the server offers STARTTLS, otherwise
# deliver in clear text; the server certificate is not verified at this level.
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_session_cache
smtp_tls_session_cache_timeout = 3600s
# Obsolete parameter; a non-empty smtp_tls_security_level (set to "may"
# above) takes precedence, so this "no" does not switch TLS off.
smtp_use_tls = no
# Incoming (SMTP server) side - the side that logs the failing handshakes
# quoted in the message. XFORWARD is accepted from loopback only.
smtpd_authorized_xforward_hosts = 127.0.0.0/8 [::1]/128
smtpd_banner = $myhostname ESMTP $mail_name
# Contains only a permit rule, so it rejects nothing by itself.
smtpd_client_restrictions = permit_mynetworks
smtpd_error_sleep_time = 1
smtpd_hard_error_limit = 3
smtpd_proxy_timeout = 3600s
# Relay control: local networks and authenticated users first, everything
# else must be addressed to a domain this server is responsible for; the
# remaining recipients are passed to the policy service on localhost:10023.
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination, check_policy_service inet:localhost:10023
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
# NOTE(review): smtpd_tls_auth_only does not appear in this listing; if the
# listing is non-default settings only, AUTH is also offered on sessions
# that have not done STARTTLS, so passwords can cross the wire unencrypted -
# confirm.
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 7
# One hour per-command timeout. NOTE(review): with default_process_limit = 12
# in this listing, a handful of idle or stalled clients could occupy every
# smtpd process for a long time - confirm this value is intended.
smtpd_timeout = 3600s
smtpd_tls_CApath = /etc/ssl/certs/
# Requests (but does not require) a client certificate from every client
# that starts TLS. NOTE(review): the reported failures are limited to one
# sender's handshakes; switching this off temporarily is a cheap way to rule
# it in or out - not established as the cause by anything in this message.
smtpd_tls_ask_ccert = yes
smtpd_tls_cert_file = /etc/ssl/certs/blueberry.pem
smtpd_tls_ciphers = high
# NOTE(review): private key - check it is readable by root only.
smtpd_tls_key_file = /etc/ssl/private/blueberry.key
# Level 2 logs TLS negotiation progress, which is where the
# "SSL_accept:..." state lines in the quoted log come from. Useful while
# debugging; level 1 is the usual setting for routine operation.
smtpd_tls_loglevel = 2
# Only SSLv2 and SSLv3 are excluded; every TLS version the linked library
# supports stays enabled.
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
# Records protocol and cipher in the Received: header; that information
# describes this hop only.
smtpd_tls_received_header = yes
# Opportunistic TLS: STARTTLS is offered but clients may stay in clear text.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_session_cache
smtpd_tls_session_cache_timeout = 7200s
# Obsolete parameter, redundant with smtpd_tls_security_level = may above.
smtpd_use_tls = yes
# Remaining settings: envelope strictness, randomness source, routing and
# virtual-domain tables.
smtputf8_enable = no
# MAIL FROM / RCPT TO addresses must use strict RFC 821 syntax.
strict_rfc821_envelopes = yes
swap_bangpath = no
# Seed source for the TLS pseudo-random number generator.
tls_random_source = dev:/dev/urandom
transport_maps = btree:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
# Permanent (5xx) reply code for unverified senders. NOTE(review): no
# reject_unverified_sender appears in the restriction lists of this listing,
# so this may be unused.
unverified_sender_reject_code = 554
virtual_alias_maps = $virtual_maps
# Static gid/uid for virtual mailboxes. NOTE(review): virtual_transport is
# "dovecot", so these presumably matter only if Postfix's own virtual
# delivery agent is used - confirm.
virtual_gid_maps = static:1001
virtual_mailbox_base = /var/spool/mail/vmail
virtual_mailbox_domains = btree:/etc/postfix/virtual_domain
virtual_mailbox_maps = btree:/etc/postfix/virtual_domain_users
virtual_maps = btree:/etc/postfix/virtual
virtual_transport = dovecot
virtual_uid_maps = static:500

Attachment: signature.asc
Description: OpenPGP digital signature
