Re: SMTPS 465

2013-04-15 Thread Timo Röhling

On 2013-04-15 07:27, Stan Hoeppner wrote:

 We've been told that this kernel upgrade created the problem.  Simply
 reverting to the previous kernel should fix it.
I wager the OP upgraded more than just the kernel, or upgraded the 
kernel in-place, Russian Roulette style. ;)
The lesson learned is that package managers are a Good Thing, and if 
you really need to roll out custom-built software, it pays to create 
your own packages, especially if you can build them with a chrooted 
builder in a clean environment.




Re: SMTPS 465

2013-04-15 Thread Charles Marcus

On 2013-04-14 6:30 PM, Joan Moreau j...@grosjo.net wrote:

On 14/04/2013 22:24, Viktor Dukhovni wrote:


On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote:

However, how can postfix NOT use the only openssl library ? or fail 
to have SHA2 when loading the .so ?


Find a less broken operating system. This works on every system
I've ever used, and finding out what's wrong with yours is not a
good use of your time or mine.


Well, this server has worked since ever, supporting plenty of web 
operations (so I can not really 'delete and re-install'  and broke 
only after updating the kernel.


Any other clue ?


Roll back to the previous kernel.

Seriously. If you updated the kernel but didn't keep the last known 
good/working one, then hopefully you have learned why doing this is such 
a good idea and will do so in the future.


--

Best regards,

Charles




Re: SMTPS 465

2013-04-15 Thread Joan Moreau

On 15/04/2013 10:24, Charles Marcus wrote:


On 2013-04-14 6:30 PM, Joan Moreau j...@grosjo.net wrote:
On 14/04/2013 22:24, Viktor Dukhovni wrote:
On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote:
However, how can postfix NOT use the only openssl library ? or fail to
have SHA2 when loading the .so ?
Find a less broken operating system. This works on every system I've
ever used, and finding out what's wrong with yours is not a good use of
your time or mine.


Well, this server has worked since ever, supporting plenty of web 
operations (so I can not really 'delete and re-install' and broke only 
after updating the kernel. Any other clue ?


Roll back to the previous kernel.

Seriously. If you updated the kernel but didn't keep the last known
good/working one, then hopefully you have learned why doing this is such
a good idea and will do so in the future.


Reverted to 3.7.10. Recompiled openssl + cyrus + postfix . Same errors. 
Where does the inconsistency reside ?



2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: 
TLS library problem: 3308:error:1411C146:SSL 
routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: 
TLS library problem: 3308:error:140D308A:SSL 
routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:




Re: SMTPS 465

2013-04-15 Thread Reindl Harald


On 15.04.2013 13:57, Joan Moreau wrote:
 On 15/04/2013 10:24, Charles Marcus wrote:
 Roll back to the previous kernel.
 
 Seriously. If you updated the kernel but didn't keep the last known
 good/working one, then hopefully you have learned why doing this is such
 a good idea and will do so in the future.
 
 Reverted to 3.7.10. Recompiled openssl + cyrus + postfix . Same errors. Where 
 does the inconsistency reside ?
 
 2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning: TLS 
 library problem: 3308:error:1411C146:SSL
 routines:tls1_prf:unsupported digest type:t1_enc.c:276:
 2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning: TLS 
 library problem: 3308:error:140D308A:SSL
 routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597

for me this sounds like you are doing configure && make && make install;
well, this does not clean up all garbage, and doing so repeatedly lets, as an
example, mysql fail to compile at all

this is why things like rpmbuild were invented; they are working in a
predictable and clean buildroot, and with the resulting binaries you
can predictably downgrade/upgrade packages, and since dependencies
for libraries and APIs are automatically injected in the RPM packages
you normally recognize a binary-incompatible update because RPM
refuses to install the package

additionally NOBODY builds his binaries on the production machine
and fires make install, NOBODY - this has to be done on a test machine
and if the binary package works there you minimize the risk

i know that this does not help you very much now

but that should be what you learned the hard way by bricking a production
environment without taking care how to make sure updates are working

however, this is not a postfix-problem, this is revenge of bad practice





Re: SMTPS 465

2013-04-15 Thread DTNX Postmaster
On Apr 15, 2013, at 13:57, Joan Moreau j...@grosjo.net wrote:

 On 15/04/2013 10:24, Charles Marcus wrote:
 
 On 2013-04-14 6:30 PM, Joan Moreau j...@grosjo.net wrote:
 On 14/04/2013 22:24, Viktor Dukhovni wrote:
 On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote:
 However, how can postfix NOT use the only openssl library ? or fail to
 have SHA2 when loading the .so ?
 Find a less broken operating system. This works on every system I've
 ever used, and finding out what's wrong with yours is not a good use of
 your time or mine.
 
 Well, this server has worked since ever, supporting plenty of web 
 operations (so I can not really 'delete and re-install' and broke only 
 after updating the kernel. Any other clue ?
 
 Roll back to the previous kernel.
 
 Seriously. If you updated the kernel but didn't keep the last known
 good/working one, then hopefully you have learned why doing this is such
 a good idea and will do so in the future.
 
 Reverted to 3.7.10. Recompiled openssl + cyrus + postfix . Same errors. Where 
 does the inconsistency reside ?

Probably in library versions you updated along the way, changes in the way you 
compile things, and so on. Besides, aren't the odd kernel versions such as 
3.5.x, 3.7.x etc. development kernels?

I really don't get why you are experimenting with development level software on 
what you claim is a production system. I suggest you stop wasting everyone's 
time, including your own, and roll back to the supported production kernel for 
your distribution, supported library versions, and so on.

If you need custom Postfix packages for some reason, compile packages against 
the supported libraries. And if you do want to experiment with development 
level software, do so on a system that you can wipe and reinstall, or a virtual 
machine that you can roll back to a previous snapshot.

Also, own your decision to live on the cutting edge. Fixing it is YOUR problem 
when you do, don't outsource it to others.

Cya,
Jona



Re: SMTPS 465

2013-04-15 Thread Reindl Harald
On 15.04.2013 14:14, DTNX Postmaster wrote:
 Besides, aren't the odd kernel versions such as 3.5.x, 3.7.x etc. development 
 kernels?

why should they?

since kernel 2.6, released around 10 years ago, the versioning is no longer this
way, and 3.0.x is only a renumbering from 2.6.40

https://www.kernel.org/
stable: 3.8.7
stable: 3.7.10 [EOL]





Re: SMTPS 465

2013-04-15 Thread Stan Hoeppner
On 4/15/2013 6:57 AM, Joan Moreau wrote:

 Reverted to 3.7.10. Recompiled openssl + cyrus + postfix . Same errors.
 Where does the inconsistency reside ?

You will probably not get the answer from the Postfix mailing list, as
this is not a problem with Postfix, and it appears that nobody here is
willing to dedicate additional time to helping you debug/fix a
non-Postfix problem.

 2013-04-15T13:55:29.921960+02:00 server postfix/smtpd[3308]: warning:
 TLS library problem: 3308:error:1411C146:SSL
 routines:tls1_prf:unsupported digest type:t1_enc.c:276:
 2013-04-15T13:55:29.921966+02:00 server postfix/smtpd[3308]: warning:
 TLS library problem: 3308:error:140D308A:SSL
 routines:TLS1_SETUP_KEY_BLOCK:cipher or hash unavailable:t1_enc.c:597:

I think it's time for you to move (back?) into the distribution fold, to
discontinue building your userland from scratch.  You are an end user,
not a developer.  The situation you find yourself in is the exact reason
why the first Linux distributions were created, and still exist today.
Which is to get a pre-built system where the kernel and all of the
package and library versions work together, without end user debugging
required.

In fact, you are the current poster child for the Linux distribution model.

-- 
Stan



Re: SMTPS 465

2013-04-14 Thread Joan Moreau


On 13/04/2013 16:27, Viktor Dukhovni wrote:

 On Sat, Apr 13, 2013 at 03:40:59PM +0200, mouss wrote:
 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS
 library problem: 12238:error:1409D08A:SSL
 routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
 This suggests your TLS library is broken.
 The TLS library being which one ? I am using openSSL and all https web
 site are working fine. Is there another library involved ?
most probably, the compiled/configured version of openssl does not match
what postfix expects. 

The only versions of OpenSSL I could find in which s3_enc.c has

SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);

on line 423, are the unreleased OpenSSL 1.0.2 branch and the master
development branch. The OP has upgraded to a bleeding-edge OpenSSL,
which may have unresolved bugs, or may be incompatible with the
installed libcrypto due to an incomplete upgrade, ...

The solution is to use stable OpenSSL releases if you're not an
OpenSSL developer. When running development versions of your O/S
distribution you need to be willing to find and solve problems
independently.

[ I've been ignoring this thread, because the OP replied to an unrelated
message to postfix-devel instead of starting a new message, and I don't
like to untangle messed up threads. When composing a new message, don't
hit Reply. ]

Ok, I tried 

1 - to re-install openssl 1.0.1 then recompile postfix 

2 - to reboot on an old kernel 

3 - to use postfix 2.9, 2.10 or 2.11-devel 

4 - to move from SSL (465) to STARTTLS (25) 

5 - put the ciphers req to medium 

In all cases, I get to something similar to: 

2013-04-14T15:26:27.625728+02:00 server postfix/smtpd[20218]: warning:
TLS library problem: 20218:error:1411C146:SSL
routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-14T15:26:27.625738+02:00 server postfix/smtpd[20218]: warning:
TLS library problem: 20218:error:140D308A:SSL
routines:tls1_setup_key_block:cipher or hash unavailable:t1_enc.c:621: 

Any clue ? 

Thanks a million in advance 

Joan 



Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 01:30:53PM +, Joan Moreau wrote:

[ You're using a mail client, whose plain-text response does not properly
  quote material you're replying to.  When posting to this list please
  use a non-HTML client that gets the plain-text message right. ]

 Ok, I tried 
 
 1 - to re-install openssl 1.0.1 then recompile postfix 

Done right, this is sufficient.  Your compiler settings must
be wrong.  Post the exact command you use to create the
Postfix makefiles.

 2 - to reboot on an old kernel 
 3 - to use postfix 2.9, 2.10 or 2.11-devel 
 4 - to move from SSL (465) to STARTTLS (25) 
 5 - put the ciphers req to medium 

None of these matter, but I don't recall seeing a postconf -n

 In all cases, I get to something similar to: 
 
 2013-04-14T15:26:27.625728+02:00 server postfix/smtpd[20218]: warning:
 TLS library problem: 20218:error:1411C146:SSL
 routines:tls1_prf:unsupported digest type:t1_enc.c:276:
 2013-04-14T15:26:27.625738+02:00 server postfix/smtpd[20218]: warning:
 TLS library problem: 20218:error:140D308A:SSL
 routines:tls1_setup_key_block:cipher or hash unavailable:t1_enc.c:621: 
 
 Any clue ? 

Your libcrypto does not support the algorithms that libssl expects, report
the output of:

unset LD_LIBRARY_PATH
unset LD_PRELOAD
ldd $(postconf -h daemon_directory)/smtpd

On MacOSX replace ldd with otool -L, ...

-- 
Viktor.
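
Viktor's reading of these warnings is that libcrypto lacks a digest libssl asks for. The script below is an added example, not code from the thread or from Postfix: it unpacks the hex error codes from the quoted "TLS library problem" lines and tallies them by their reason field, which makes it visible that two different SSL functions are reporting the same underlying reason. It assumes the error-code packing OpenSSL used through 1.1.x (library in the top 8 bits, function in the next 12, reason in the low 12); the three log lines are the ones quoted in this thread, embedded as constructed sample input.

```shell
#!/bin/sh
# Added example, not code from the thread: unpack the hex error codes in the
# "TLS library problem" warnings and tally them by reason. Assumes the packing
# OpenSSL used through 1.1.x, ERR_PACK(lib, func, reason) =
# (lib << 24) | (func << 12) | reason, which produced the codes quoted above.
# Numeric function and reason ids are mapped to names only by the library's
# own error tables; the text after the code in the log already carries them.

# Constructed sample: the three warnings quoted in this thread, one per line.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2013-04-14T15:26:27.625728+02:00 server postfix/smtpd[20218]: warning: TLS library problem: 20218:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-14T15:26:27.625738+02:00 server postfix/smtpd[20218]: warning: TLS library problem: 20218:error:140D308A:SSL routines:tls1_setup_key_block:cipher or hash unavailable:t1_enc.c:621:
2013-04-14T20:29:45.074096+02:00 server postfix/smtpd[12926]: warning: TLS library problem: 12926:error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash unavailable:s3_enc.c:402:
EOF

# Split one 8-hex-digit error code into library, function and reason fields.
# Library 20 is ERR_LIB_SSL, which the log prints as "SSL routines".
decode_openssl_err() {
    code=$((0x$1))
    lib=$(( (code >> 24) & 0xff ))
    func=$(( (code >> 12) & 0xfff ))
    reason=$(( code & 0xfff ))
    printf 'lib=%d func=%d reason=%d\n' "$lib" "$func" "$reason"
}

# Every error code in a mail log, one per line.
tls_error_codes() {
    sed -n 's/.*TLS library problem: [0-9]*:error:\([0-9A-Fa-f]\{8\}\):.*/\1/p' "$1"
}

# Number of distinct reason codes. Different SSL functions (ssl3_setup_key_block,
# tls1_setup_key_block) all reporting reason 138 is one shared cause, a digest
# libcrypto does not provide, rather than several independent bugs.
count_distinct_reasons() {
    tls_error_codes "$1" |
    while read -r hex; do decode_openssl_err "$hex"; done |
    sed 's/.*reason=//' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run: show each code's fields, then the distinct-reason count.
tls_error_codes "$SAMPLE_LOG" | while read -r hex; do
    printf '%s -> %s\n' "$hex" "$(decode_openssl_err "$hex")"
done
echo "distinct reason codes: $(count_distinct_reasons "$SAMPLE_LOG")"
```

Run against a real mail log by pointing `tls_error_codes` and `count_distinct_reasons` at it instead of `$SAMPLE_LOG`. For the quoted lines, 1409D08A and 140D308A both decode to reason 138 ("cipher or hash unavailable" in the log text) from two different functions, and 1411C146 decodes to reason 326 ("unsupported digest type"), so the log shows two reasons and one missing digest, which is the libcrypto/libssl mismatch Viktor points at.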


Re: SMTPS 465

2013-04-14 Thread Joan Moreau

On 14/04/2013 15:25, Viktor Dukhovni wrote:


On Sun, Apr 14, 2013 at 01:30:53PM +, Joan Moreau wrote:

[ You're using a mail client, whose plain-text response does not 
properly

quote material you're replying to. When posting to this list please
use a non-HTML client that gets the plain-text message right. ]

Ok, I tried 1 - to re-install openssl 1.0.1 then recompile postfix

Done right, this is sufficient. Your compiler settings must
be wrong. Post the exact command you use to create the
Postfix makefiles.



make -f Makefile.init makefiles 'CCARGS=-DHAS_PCRE -DHAS_MYSQL 
-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -UHAS_LDAP -UHAS_IPV6 -DUSE_TLS 
-I/usr/include/mysql/ -I/usr/include/sasl ' 'AUXLIBS=-L/usr/lib/mysql/ 
-lmysqlclient -lssl -lcrypto -lz -lm -lpcre -lsasl2'






2 - to reboot on an old kernel
3 - to use postfix 2.9, 2.10 or 2.11-devel
4 - to move from SSL (465) to STARTTLS (25)
5 - put the ciphers req to medium


None of these matter, but I don't recall seeing a postconf -n


alias_maps = hash:/etc/aliases
biff = no
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
data_directory = /var/lib/postfix
defer_transports =
delay_warning_time = 1h
disable_dns_lookups = no
disable_mime_output_conversion = no
dovecot_destination_recipient_limit = 1
header_checks = pcre:/etc/postfix/smtp_header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
local_recipient_maps =
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 1d
message_size_limit = 20480
mydestination = localhost, localhost.$mydomain
mydomain = grosjo.net
myhostname = grosjo.net
mynetworks = 127.0.0.0/8 204.93.196.46/32
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases
proxy_read_maps = $virtual_mailbox_domains $local_recipient_maps 
$mydestination $virtual_alias_maps $virtual_alias_domains 
$virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps 
$relay_domains $canonical_maps $sender_canonical_maps 
$recipient_canonical_maps $relocated_maps $transport_maps $mynetworks 
$virtual_mailbox_limit_maps

queue_directory = /var/spool/postfix
readme_directory = no
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
slow_destination_concurrency_limit = 2
slow_destination_recipient_limit = 1
smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
smtp_use_tls = no
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_client_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination, permit

smtpd_helo_required = yes
smtpd_recipient_restrictions = 
permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unauth_destination,reject_unauth_pipelining,reject_invalid_hostname,reject_rbl_client 
bl.spamcop.net,reject_rbl_client 
sbl-xbl.spamhaus.org,check_policy_service inet:127.0.0.1:10023
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated 
defer_unauth_destination

smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_sasl_authenticated
smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
smtpd_tls_key_file = /etc/ssl/certs/postfix.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = 
btree:/var/lib/postfix/smtpd_tls_cache

smtpd_tls_session_cache_timeout = 3600s
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1002
virtual_mailbox_base = /data/mail
virtual_mailbox_domains = 
mysql:/etc/postfix/mysql_virtual_domains_maps.cf

virtual_mailbox_limit = 0
virtual_mailbox_limit_maps = 
mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf

virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 10001
virtual_transport = dovecot
virtual_uid_maps = static:10001




In all cases, I get to something similar to: 
2013-04-14T15:26:27.625728+02:00 server postfix/smtpd[20218]: warning: 
TLS library problem: 20218:error:1411C146:SSL 

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 03:57:07PM +, Joan Moreau wrote:

 Done right, this is sufficient. Your compiler settings must
 be wrong. Post the exact command you use to create the
 Postfix makefiles.
 
 make -f Makefile.init makefiles 'CCARGS=-DHAS_PCRE -DHAS_MYSQL
 -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -UHAS_LDAP -UHAS_IPV6 -DUSE_TLS
 -I/usr/include/mysql/ -I/usr/include/sasl '
 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl -lcrypto -lz -lm
 -lpcre -lsasl2'

This looks OK, but perhaps you're running into DLL hell.
As a sanity check, what version of OpenSSL provides the header files?

$ grep OPENSSL_VERSION /usr/include/openssl/opensslv.h 

 None of these matter, but I don't recall seeing a postconf -n
 
 smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
 smtpd_tls_CApath = /etc/ssl/certs
 smtpd_tls_ask_ccert = no
 smtpd_tls_auth_only = yes
 smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
 smtpd_tls_key_file = /etc/ssl/certs/postfix.key
 smtpd_tls_loglevel = 2
 smtpd_tls_received_header = yes
 smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
 smtpd_tls_session_cache_timeout = 3600s
 strict_8bitmime = no
 strict_rfc821_envelopes = no
 tls_random_source = dev:/dev/urandom

Nothing exciting here, provided this is the correct main.cf, you don't
have anything there that would break TLS ciphers.

  2013-04-14T15:26:27.625728+02:00 server postfix/smtpd[20218]:
  warning: TLS library problem: 20218:error:1411C146:SSL
  routines:tls1_prf:unsupported digest type:t1_enc.c:276:
  2013-04-14T15:26:27.625738+02:00 server postfix/smtpd[20218]:
  warning: TLS library problem: 20218:error:140D308A:SSL
  routines:tls1_setup_key_block:cipher or hash
  unavailable:t1_enc.c:621: Any clue ?
 
 Your libcrypto does not support the algorithms that libssl
 expects, report
 the output of:
 
 unset LD_LIBRARY_PATH
 unset LD_PRELOAD
 ldd $(postconf -h daemon_directory)/smtpd

 # ldd $(postconf -h daemon_directory)/smtpd
 linux-vdso.so.1
 libmysqlclient.so.18 => /usr/lib/mysql/libmysqlclient.so.18
 libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0
 libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0
 libz.so.1 => /lib/libz.so.1
 libm.so.6 => /lib/libm.so.6
 libpcre.so.1 => /lib/libpcre.so.1
 libsasl2.so.2 => /usr/lib/libsasl2.so.2
 libdb-5.3.so => /usr/lib/libdb-5.3.so
 libnsl.so.1 => /lib/libnsl.so.1
 libresolv.so.2 => /lib/libresolv.so.2
 libc.so.6 => /lib/libc.so.6
 libpthread.so.0 => /lib/libpthread.so.0
 libdl.so.2 => /lib/libdl.so.2
 libstdc++.so.6 => /usr/lib/libstdc++.so.6
 libgcc_s.so.1 => /usr/lib/libgcc_s.so.1
 /lib64/ld-linux-x86-64.so.2

The only thing that comes to mind here is that perhaps libmysqlclient.so.18
is linked against a different OpenSSL runtime library than Postfix.
Report the output of:

readelf -d /usr/lib/postfix/smtpd
readelf -d /usr/lib/mysql/libmysqlclient.so.18

Otherwise, your libcrypto and libssl are unusually messed up,
re-install your system from scratch.

-- 
Viktor.
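
The "DLL hell" check Viktor asks for, written out as a script. This is an added example, not code from the thread or from Postfix: it reads an ldd listing saved to a file (produced with LD_LIBRARY_PATH and LD_PRELOAD unset, as instructed above), reports whether the libssl and libcrypto the binary loads are one matching pair or a mix, and decodes OPENSSL_VERSION_NUMBER from opensslv.h into the usual "1.0.1e" form so the header Postfix was compiled against can be compared with what `openssl version` reports at runtime. The two ldd listings are constructed: the first mirrors the thread's own output, the second shows a mixed pair; the 1.0.2-dev header value is constructed as well.

```shell
#!/bin/sh
# Added example, not code from the thread: the "DLL hell" check Viktor asks
# for, as a script. It reads ldd output saved to a file (produce it with
# LD_LIBRARY_PATH and LD_PRELOAD unset, as suggested above:
#   ldd $(postconf -h daemon_directory)/smtpd > ldd.out)
# and reports whether libssl and libcrypto are one matching pair, and it
# decodes OPENSSL_VERSION_NUMBER from opensslv.h so the header Postfix was
# compiled against can be compared with "openssl version" at runtime.
# All library paths and the second header value below are constructed.

# Constructed sample 1: a consistent pair, as in the thread's own ldd listing.
LDD_GOOD=$(mktemp)
cat > "$LDD_GOOD" <<'EOF'
	linux-vdso.so.1 (0x00007fff2a1ff000)
	libmysqlclient.so.18 => /usr/lib/mysql/libmysqlclient.so.18 (0x00007f0f9c400000)
	libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f0f9c190000)
	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0f9bd90000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0f9b9e0000)
EOF

# Constructed sample 2: libssl from a hand-built tree under /usr/local, but
# libcrypto still resolved from the distribution's /usr/lib (an incomplete
# upgrade, or a stray LD_LIBRARY_PATH/ld.so.conf entry).
LDD_BAD=$(mktemp)
cat > "$LDD_BAD" <<'EOF'
	libssl.so.1.0.0 => /usr/local/lib/libssl.so.1.0.0 (0x00007f0f9c190000)
	libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0f9bd90000)
	libc.so.6 => /lib/libc.so.6 (0x00007f0f9b9e0000)
EOF

# Resolved path(s) of one library from an ldd listing: $1 = file, $2 = base name.
ldd_paths() {
    awk -v lib="$2" '$1 ~ ("^" lib "\\.so") && $2 == "=>" { print $3 }' "$1"
}

# Verdict on the libssl/libcrypto pair an executable loads. Prints one of
# OK, MISSING, MULTIPLE, MISMATCH and returns 0 only for OK.
check_ssl_pair() {
    ssl=$(ldd_paths "$1" libssl)
    crypto=$(ldd_paths "$1" libcrypto)
    if [ -z "$ssl" ] || [ -z "$crypto" ]; then
        echo "MISSING: libssl=${ssl:-none} libcrypto=${crypto:-none}"
        return 1
    fi
    # ldd flattens transitive dependencies, so a second libcrypto dragged in
    # by another library (libmysqlclient is the suspect in the thread) shows up
    # here as a second line.
    if [ "$(printf '%s\n' "$crypto" | wc -l | tr -d ' ')" -gt 1 ]; then
        echo "MULTIPLE: more than one libcrypto is loaded: $crypto"
        return 1
    fi
    if [ "$(dirname "$ssl")" != "$(dirname "$crypto")" ] ||
       [ "${ssl##*libssl.so.}" != "${crypto##*libcrypto.so.}" ]; then
        echo "MISMATCH: $ssl vs $crypto"
        return 1
    fi
    echo "OK: $ssl and $crypto"
    return 0
}

# Decode OPENSSL_VERSION_NUMBER (MNNFFPPS layout used through OpenSSL 1.1.x):
# 0x1000105fL -> 1.0.1e; status nibble 0 = dev, 1..14 = beta, 15 = release.
decode_openssl_vernum() {
    n=$(( $(printf '%s' "$1" | sed 's/[lL]$//') ))
    major=$(( (n >> 28) & 0xf ))
    minor=$(( (n >> 20) & 0xff ))
    fix=$(( (n >> 12) & 0xff ))
    patch=$(( (n >> 4) & 0xff ))
    status=$(( n & 0xf ))
    letter=""
    if [ "$patch" -gt 0 ]; then
        letter=$(printf 'abcdefghijklmnopqrstuvwxyz' | cut -c "$patch")
    fi
    case "$status" in
        0)  tag="-dev" ;;
        15) tag="" ;;
        *)  tag="-beta$status" ;;
    esac
    printf '%d.%d.%d%s%s\n' "$major" "$minor" "$fix" "$letter" "$tag"
}

# Stand-alone run over both samples and the header value quoted in the thread.
check_ssl_pair "$LDD_GOOD" || true
check_ssl_pair "$LDD_BAD" || true
echo "opensslv.h says: $(decode_openssl_vernum 0x1000105fL)"
```

The pair check deliberately compares directory and soname suffix rather than trusting `ldd`'s happy output: a libssl and libcrypto with the same soname but from different prefixes load fine and only fail later, exactly as the "cipher or hash unavailable" warnings in this thread do. The header decode is what makes the `grep OPENSSL_VERSION` step comparable with `openssl version` output without reading hex by eye.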


Re: SMTPS 465

2013-04-14 Thread Reindl Harald


On 14.04.2013 17:57, Joan Moreau wrote:
 On 14/04/2013 15:25, Viktor Dukhovni wrote:
 
 On Sun, Apr 14, 2013 at 01:30:53PM +, Joan Moreau wrote:

 [ You're using a mail client, whose plain-text response does not properly
 quote material you're replying to. When posting to this list please
 use a non-HTML client that gets the plain-text message right. ]

 Ok, I tried 1 - to re-install openssl 1.0.1 then recompile postfix

 Done right, this is sufficient. Your compiler settings must
 be wrong. Post the exact command you use the create the
 Postfix makefiles.
 
 
 make -f Makefile.init makefiles 'CCARGS=-DHAS_PCRE -DHAS_MYSQL 
 -DUSE_SASL_AUTH -DUSE_CYRUS_SASL -UHAS_LDAP
 -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' 
 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl
 -lcrypto -lz -lm -lpcre -lsasl2'

i am missing here the path to openssl
below the ARGS from my fedora-rpm-SPEC

-DUSE_TLS -I/usr/include/openssl

CCARGS=-fPIC -DHAS_PCRE -I%{_includedir}/pcre -DHAS_MYSQL 
-I%{_includedir}/mysql -DUSE_SASL_AUTH -DUSE_CYRUS_SASL
-I%{_includedir}/sasl -DUSE_TLS -I/usr/include/openssl 
-DDEF_CONFIG_DIR=\\\%{postfix_config_dir}\\\
AUXLIBS=-lpcre -L%{_libdir}/mysql -lmysqlclient -lm -L%{_libdir}/sasl2 -lsasl2 
-lssl -lcrypto -pie -Wl,-z,relro






Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 07:22:28PM +0200, Reindl Harald wrote:

  -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' 
  'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl
  -lcrypto -lz -lm -lpcre -lsasl2'
 
 i am missing here the path to openssl
 below the ARGS from my fedora-rpm-SPEC
 
 -DUSE_TLS -I/usr/include/openssl

This is not a good idea. The OpenSSL header files are accessed by Postfix
via:

#include <openssl/mumble.h>

Unless you have /usr/include/openssl/opennssl/ssl.h you should NOT do this.

-- 
Viktor.


Re: SMTPS 465

2013-04-14 Thread Joan Moreau

On 14/04/2013 17:21, Viktor Dukhovni wrote:


On Sun, Apr 14, 2013 at 03:57:07PM +, Joan Moreau wrote:
Done right, this is sufficient. Your compiler settings must be wrong.
Post the exact command you use to create the Postfix makefiles.
make -f Makefile.init makefiles 'CCARGS=-DHAS_PCRE -DHAS_MYSQL
-DUSE_SASL_AUTH -DUSE_CYRUS_SASL -UHAS_LDAP -UHAS_IPV6 -DUSE_TLS
-I/usr/include/mysql/ -I/usr/include/sasl ' 'AUXLIBS=-L/usr/lib/mysql/
-lmysqlclient -lssl -lcrypto -lz -lm -lpcre -lsasl2'


This looks OK, but perhaps you're running into DLL hell.
As a sanity check, what version of OpenSSL provides the header files?

$ grep OPENSSL_VERSION /usr/include/openssl/opensslv.h


# grep OPENSSL_VERSION /usr/include/openssl/opensslv.h
#define OPENSSL_VERSION_NUMBER  0x1000105fL
#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1e-fips 11 Feb 2013"
#define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1e 11 Feb 2013"
#define OPENSSL_VERSION_PTEXT   " part of " OPENSSL_VERSION_TEXT





None of these matter, but I don't recall seeing a postconf -n
smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/postfix.crt
smtpd_tls_key_file = /etc/ssl/certs/postfix.key
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_cache
smtpd_tls_session_cache_timeout = 3600s
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom


Nothing exciting here, provided this is the correct main.cf, you don't
have anything there that would break TLS ciphers.

2013-04-14T15:26:27.625728+02:00 server postfix/smtpd[20218]: warning:
TLS library problem: 20218:error:1411C146:SSL
routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-14T15:26:27.625738+02:00 server postfix/smtpd[20218]: warning:
TLS library problem: 20218:error:140D308A:SSL
routines:tls1_setup_key_block:cipher or hash unavailable:t1_enc.c:621:
Any clue ?
Your libcrypto does not support the algorithms that libssl
expects, report the output of:
unset LD_LIBRARY_PATH
unset LD_PRELOAD
ldd $(postconf -h daemon_directory)/smtpd
# ldd $(postconf -h daemon_directory)/smtpd
linux-vdso.so.1
libmysqlclient.so.18 => /usr/lib/mysql/libmysqlclient.so.18
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0
libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0
libz.so.1 => /lib/libz.so.1
libm.so.6 => /lib/libm.so.6
libpcre.so.1 => /lib/libpcre.so.1
libsasl2.so.2 => /usr/lib/libsasl2.so.2
libdb-5.3.so => /usr/lib/libdb-5.3.so
libnsl.so.1 => /lib/libnsl.so.1
libresolv.so.2 => /lib/libresolv.so.2
libc.so.6 => /lib/libc.so.6
libpthread.so.0 => /lib/libpthread.so.0
libdl.so.2 => /lib/libdl.so.2
libstdc++.so.6 => /usr/lib/libstdc++.so.6
libgcc_s.so.1 => /usr/lib/libgcc_s.so.1
/lib64/ld-linux-x86-64.so.2


The only thing that comes to mind here is that perhaps libmysqlclient.so.18
is linked against a different OpenSSL runtime library than Postfix.
Report the output of:

readelf -d /usr/lib/postfix/smtpd
readelf -d /usr/lib/mysql/libmysqlclient.so.18

server:~ # readelf -d /usr/lib/postfix/smtpd

Dynamic section at offset 0x75480 contains 34 entries:
  Tag        Type                         Name/Value
 0x0001 (NEEDED)             Shared library: [libmysqlclient.so.18]
 0x0001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x0001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
 0x0001 (NEEDED)             Shared library: [libz.so.1]
 0x0001 (NEEDED)             Shared library: [libm.so.6]
 0x0001 (NEEDED)             Shared library: [libpcre.so.1]
 0x0001 (NEEDED)             Shared library: [libsasl2.so.2]
 0x0001 (NEEDED)             Shared library: [libdb-5.3.so]
 0x0001 (NEEDED)             Shared library: [libnsl.so.1]
 0x0001 (NEEDED)             Shared library: [libresolv.so.2]
 0x0001 (NEEDED)             Shared library: [libc.so.6]
 0x000c (INIT)               0x405770
 0x000d (FINI)               0x451034
 0x0019 (INIT_ARRAY)         0x675468
 0x001b (INIT_ARRAYSZ)       8 (bytes)
 0x001a (FINI_ARRAY)         0x675470
 0x001c (FINI_ARRAYSZ)       8 (bytes)
 0x0004 (HASH)               0x400258
 0x0005 (STRTAB)             0x402810
 0x0006 (SYMTAB)             0x400b48
 0x000a (STRSZ)              4123 (bytes)
 0x000b (SYMENT)             24 (bytes)
 0x0015 (DEBUG)              0x0
 0x0003 (PLTGOT)             0x675710
 0x0002 (PLTRELSZ)           6936 (bytes)
 0x0014 (PLTREL)             RELA
 0x0017 (JMPREL)             0x403c58
 0x0007 (RELA)               0x403b68
 0x0008 (RELASZ)             240 (bytes)
 0x0009 (RELAENT)            24 (bytes)

Re: SMTPS 465

2013-04-14 Thread Reindl Harald


On 14.04.2013 19:24, Viktor Dukhovni wrote:
 On Sun, Apr 14, 2013 at 07:22:28PM +0200, Reindl Harald wrote:
 
 -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' 
 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl
 -lcrypto -lz -lm -lpcre -lsasl2'

 i am missing here the path to openssl
 below the ARGS from my fedora-rpm-SPEC

 -DUSE_TLS -I/usr/include/openssl
 
 This is not a good idea. The OpenSSL header files are accessed by Postfix
 via:
 
   #include <openssl/mumble.h>
 
 Unless you have /usr/include/openssl/opennssl/ssl.h you should NOT do this

Fedora has (i guess openssl/opennssl was a typo)

[root@buildserver:~]$ rpm -q --file /usr/include/openssl/ssl.h
openssl-devel-1.0.0k-1.fc17.20130221.rh.x86_64





Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 07:33:21PM +0200, Reindl Harald wrote:

 On 14.04.2013 19:24, Viktor Dukhovni wrote:
  On Sun, Apr 14, 2013 at 07:22:28PM +0200, Reindl Harald wrote:
  
  -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl ' 
  'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl
  -lcrypto -lz -lm -lpcre -lsasl2'
 
  i am missing here the path to openssl
  below the ARGS from my fedora-rpm-SPEC
 
  -DUSE_TLS -I/usr/include/openssl
  
  This is not a good idea. The OpenSSL header files are accessed by Postfix
  via:
  
  #include <openssl/mumble.h>
  
  Unless you have /usr/include/openssl/opennssl/ssl.h you should NOT do this
 
 Fedora has (i guess openssl/opennssl was a typo)

No, I meant what I wrote.

 [root@buildserver:~]$ rpm -q --file /usr/include/openssl/ssl.h
 openssl-devel-1.0.0k-1.fc17.20130221.rh.x86_64

For this Postfix needs -I/usr/include (the default), and does NOT need
-I/usr/include/openssl.

-- 
Viktor.


Re: SMTPS 465

2013-04-14 Thread Joan Moreau


On 14/04/2013 17:45, Viktor Dukhovni wrote:

 On Sun, Apr 14, 2013 at 07:33:21PM +0200, Reindl Harald wrote:
 On 14.04.2013 19:24, Viktor Dukhovni wrote:
 On Sun, Apr 14, 2013 at 07:22:28PM +0200, Reindl Harald wrote:
 -UHAS_IPV6 -DUSE_TLS -I/usr/include/mysql/ -I/usr/include/sasl '
 'AUXLIBS=-L/usr/lib/mysql/ -lmysqlclient -lssl -lcrypto -lz -lm -lpcre -lsasl2'
 i am missing here the path to openssl
 below the ARGS from my fedora-rpm-SPEC
 -DUSE_TLS -I/usr/include/openssl
 This is not a good idea. The OpenSSL header files are accessed by
 Postfix via: #include <openssl/mumble.h>
 Unless you have /usr/include/openssl/opennssl/ssl.h you should NOT do this
 Fedora has (i guess openssl/opennssl was a typo)

No, I meant what I wrote.

 [root@buildserver:~]$ rpm -q --file /usr/include/openssl/ssl.h 
 openssl-devel-1.0.0k-1.fc17.20130221.rh.x86_64

For this Postfix needs -I/usr/include (the default), and does NOT need
-I/usr/include/openssl.

Ok, I have now proper install of postfix / openssl / cyrus / etc... 

I still get : 

2013-04-14T20:29:44.951208+02:00 server postfix/smtpd[12926]: setting up
TLS connection from unknown[41.137.65.121]
2013-04-14T20:29:44.951227+02:00 server postfix/smtpd[12926]:
unknown[41.137.65.121]: TLS cipher list
aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
2013-04-14T20:29:44.951422+02:00 server postfix/smtpd[12926]:
SSL_accept:before/accept initialization
2013-04-14T20:29:44.951502+02:00 server postfix/smtpd[12926]:
SSL_accept:SSLv3 read client hello A
2013-04-14T20:29:44.951510+02:00 server postfix/smtpd[12926]:
SSL_accept:SSLv3 write server hello A
2013-04-14T20:29:44.951520+02:00 server postfix/smtpd[12926]:
SSL_accept:SSLv3 write certificate A
2013-04-14T20:29:44.954011+02:00 server postfix/smtpd[12926]:
SSL_accept:SSLv3 write key exchange A
2013-04-14T20:29:44.954021+02:00 server postfix/smtpd[12926]:
SSL_accept:SSLv3 write server done A
2013-04-14T20:29:44.954025+02:00 server postfix/smtpd[12926]:
SSL_accept:SSLv3 flush data
2013-04-14T20:29:45.074066+02:00 server postfix/smtpd[12926]:
SSL_accept:SSLv3 read client key exchange A
2013-04-14T20:29:45.074085+02:00 server postfix/smtpd[12926]:
SSL_accept:error in SSLv3 read certificate verify A
2013-04-14T20:29:45.074091+02:00 server postfix/smtpd[12926]: SSL_accept
error from unknown[41.137.65.121]: -1
2013-04-14T20:29:45.074096+02:00 server postfix/smtpd[12926]: warning:
TLS library problem: 12926:error:1409D08A:SSL
routines:SSL3_SETUP_KEY_BLOCK:cipher or hash unavailable:s3_enc.c:402:
2013-04-14T20:29:45.074367+02:00 server postfix/smtpd[12926]: lost
connection after CONNECT from unknown[41.137.65.121]
2013-04-14T20:29:45.074390+02:00 server postfix/smtpd[12926]: disconnect
from unknown[41.137.65.121]

What shall I do to fix this ? 

Thank you in advance 

Joan 



Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 06:31:48PM +, Joan Moreau wrote:

 Ok, I have now proper install of postfix / openssl / cyrus / etc... 
 
 I still get : 
 
 2013-04-14T20:29:45.074096+02:00 server postfix/smtpd[12926]: warning:
 TLS library problem: 12926:error:1409D08A:SSL
 routines:SSL3_SETUP_KEY_BLOCK:cipher or hash unavailable:s3_enc.c:402:
 2013-04-14T20:29:45.074367+02:00 server postfix/smtpd[12926]: lost
 connection after CONNECT from unknown[41.137.65.121]
 2013-04-14T20:29:45.074390+02:00 server postfix/smtpd[12926]: disconnect
 from unknown[41.137.65.121]
 
 What shall I do to fix this ? 

Use a different O/S that ships working libraries.  You test with:

If Postfix is 2.10 or later, test via:

$ openssl s_server \
-key $(postconf -xh smtpd_tls_key_file) \
-cert $(postconf -xh smtpd_tls_cert_file) \
-accept 12345 > server.out 2>&1 &
$ openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out

(otherwise type the correct paths for -key and -cert).  Do openssl's
s_client and s_server manage to complete an SSL handshake?  Post
the output of openssl version -a as well as server.out and client.out.

-- 
Viktor.


Re: SMTPS 465

2013-04-14 Thread Joan Moreau

On 14/04/2013 19:46, Viktor Dukhovni wrote:


On Sun, Apr 14, 2013 at 06:31:48PM +, Joan Moreau wrote:

Ok, I now have a proper install of postfix / openssl / cyrus / etc... I 
still get : 2013-04-14T20:29:45.074096+02:00 server 
postfix/smtpd[12926]: warning: TLS library problem: 
12926:error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash 
unavailable:s3_enc.c:402: 2013-04-14T20:29:45.074367+02:00 server 
postfix/smtpd[12926]: lost connection after CONNECT from 
unknown[41.137.65.121] 2013-04-14T20:29:45.074390+02:00 server 
postfix/smtpd[12926]: disconnect from unknown[41.137.65.121] What shall 
I do to fix this ?


Use a different O/S that ships working libraries. You test with:

If Postfix is 2.10 or later, test via:

$ openssl s_server \
-key $(postconf -xh smtpd_tls_key_file) \
-cert $(postconf -xh smtpd_tls_cert_file) \
-accept 12345 > server.out 2>&1 &
$ openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out


(otherwise type the correct paths for -key and -cert). Do openssl's
s_client and s_server manage to complete an SSL handshake? Post
the output of openssl version -a as well as server.out and 
client.out.


Ok, here it is below


client.out :

# openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = 
grosjo.net

verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = 
grosjo.net

verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = 
grosjo.net

verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read server session ticket A
SSL_connect:SSLv3 read finished A
CONNECTED(0003)
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 1911 bytes and written 457 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 
4161F3711191453349D083CBAF8AD804161865478A36D4C60C260E5E5DDCF543

Session-ID-ctx:
Master-Key: 
0F72DD0AEDBDCBCBB5DA9AE7B30E95D19896A4DAB03883416AA8F9B41708B43CDBD485BF323009979426AB58DF3AA2C2

Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
 - 20 1e 4e 9e 57 0e 13 f7-b1 c9 50 

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 08:49:11PM +, Joan Moreau wrote:

 $ openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee client.out
 
 Ok, here it is below


Please also report openssl version -a.

 client.out :
 
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
 Server public key is 2048 bit
 Secure Renegotiation IS supported
 Compression: zlib compression
 Expansion: zlib compression
 SSL-Session:
 Protocol  : TLSv1.2
 Cipher: ECDHE-RSA-AES256-GCM-SHA384

This looks fine, OpenSSL inter-operates with itself selecting a TLSv1.2
ciphersuite.  Now try:

(sleep 2; printf "%s\r\n" QUIT) |
openssl s_client -state -connect 127.0.0.1:465 2>&1 |
tee client.out

and report the output of that (I am assuming Postfix is configured with
wrapper mode on port 465 aka smtps) based on your reported master.cf:

smtps inet n - n - - smtpd
-o smtpd_sasl_auth_enable=yes
-o smtpd_tls_wrappermode=yes 

-- 
Viktor.


Re: SMTPS 465

2013-04-14 Thread Joan Moreau

On 14/04/2013 21:21, Viktor Dukhovni wrote:


On Sun, Apr 14, 2013 at 08:49:11PM +, Joan Moreau wrote:
$ openssl s_client -state -connect 127.0.0.1:12345 2>&1 | tee 
client.out Ok, here it is below


Please also report openssl version -a.

Here :

OpenSSL 1.0.1e 11 Feb 2013
built on: Sun Apr 14 17:43:32 CEST 2013
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) 
blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS 
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 
-Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 
-DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM 
-DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM

OPENSSLDIR: /etc/ssl



client.out : New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 
Server public key is 2048 bit Secure Renegotiation IS supported 
Compression: zlib compression Expansion: zlib compression SSL-Session: 
Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384


This looks fine, OpenSSL inter-operates with itself selecting a TLSv1.2
ciphersuite. Now try:

(sleep 2; printf "%s\r\n" QUIT) |
openssl s_client -state -connect 127.0.0.1:465 2>&1 |
tee client.out


# (sleep 2; printf "%s\r\n" QUIT) | openssl s_client -state -connect 
127.0.0.1:465 2>&1 | tee client.out

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, 
OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware

verify error:num=19:self signed certificate in certificate chain
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:error in SSLv3 read server session ticket A
SSL_connect:error in SSLv3 read server session ticket A
write:errno=104
CONNECTED(0003)
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST 
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST 
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST 
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware

---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
---
SSL handshake has read 4015 bytes and written 134 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: NONE
SSL-Session:
Protocol  : TLSv1
Cipher: ECDHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 
06931224B1AC2DCC58EB31033B3B9C3D25D3F11472B6B314DA4C02ED5D0D999398534D06D66C0FFEE6393071E3B14BB1

Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 09:21:16PM +, Viktor Dukhovni wrote:

  Protocol  : TLSv1.2
  Cipher: ECDHE-RSA-AES256-GCM-SHA384
 
 This looks fine, OpenSSL inter-operates with itself selecting a TLSv1.2
 ciphersuite.  Now try:
 
 (sleep 2; printf "%s\r\n" QUIT) |
   openssl s_client -state -connect 127.0.0.1:465 2>&1 |
   tee client.out
 
 and report the output of that (I am assuming Postfix is configured with
 wrapper mode on port 465 aka smtps) based on your reported master.cf:
 
 smtps inet n - n - - smtpd
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_tls_wrappermode=yes 

It sure looks like Postfix is using a library that does not enable
SHA-2 (that is SHA256, SHA384 and SHA512) algorithms when Postfix calls:

SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();

this is not the behaviour I see, so something is wrong with your OpenSSL
runtime or header files.  Which openssl/ssl.h header file does Postfix
include and how does it define OpenSSL_add_ssl_algorithms?  I have:

#define OpenSSL_add_ssl_algorithms() SSL_library_init()

which adds all libcrypto digests.

-- 
Viktor.


Re: SMTPS 465

2013-04-14 Thread Joan Moreau


On 14/04/2013 22:02, Viktor Dukhovni wrote:

 On Sun, Apr 14, 2013 at 09:21:16PM +, Viktor Dukhovni wrote:
 Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 This looks fine, 
 OpenSSL inter-operates with itself selecting a TLSv1.2 ciphersuite. Now try: 
 (sleep 2; printf "%s\r\n" QUIT) | openssl s_client -state -connect 
 127.0.0.1:465 2>&1 | tee client.out and report the output of that (I am 
 assuming Postfix is configured with wrapper mode on port 465 aka smtps) 
 based on your reported master.cf: smtps inet n - n - - smtpd -o 
 smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes

It sure looks like Postfix is using a library that does not enable
SHA-2 (that is SHA256, SHA384 and SHA512) algorithms when Postfix calls:

SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();

this is not the behaviour I see, so something is wrong with your OpenSSL
runtime or header files. Which openssl/ssl.h header file does Postfix
include and how does it define OpenSSL_add_ssl_algorithms? I have:

#define OpenSSL_add_ssl_algorithms() SSL_library_init()

which adds all libcrypto digests.

Same: in /usr/include/openssl/ssl.h, I have:

#define OpenSSL_add_ssl_algorithms() SSL_library_init()
#define SSLeay_add_ssl_algorithms() SSL_library_init()

However, in the source of openssl-1.0.1e, I see crypto/sha but no
sha-2 anywhere. Is that correct?



Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 10:08:52PM +, Joan Moreau wrote:

 #define OpenSSL_add_ssl_algorithms() SSL_library_init()
 
 which adds all libcrypto digests.
 
 Same: in /usr/include/openssl/ssl.h, I have:
 
 #define OpenSSL_add_ssl_algorithms() SSL_library_init()
 #define SSLeay_add_ssl_algorithms() SSL_library_init()
 
 However, in the source of openssl-1.0.1e, I see crypto/sha but no
 sha-2 anywhere. Is that correct?

SHA-2 is a family, its members are SHA256, SHA384 and SHA512.  We
could keep digging and find the problem eventually, but it is not
a good use of my time.  Your Postfix server surprisingly did not
negotiate the same ciphersuite as s_server.  This would not normally
happen if both used the same OpenSSL runtime.  Your Postfix server
is reportedly unable to use the negotiated ciphersuite.

Find a less broken operating system.

-- 
Viktor.


Re: SMTPS 465

2013-04-14 Thread Joan Moreau


On 14/04/2013 22:08, Joan Moreau wrote:

 On 14/04/2013 22:02, Viktor Dukhovni wrote:
 
 On Sun, Apr 14, 2013 at 09:21:16PM +, Viktor Dukhovni wrote:
 Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 This looks fine, 
 OpenSSL inter-operates with itself selecting a TLSv1.2 ciphersuite. Now try: 
 (sleep 2; printf "%s\r\n" QUIT) | openssl s_client -state -connect 
 127.0.0.1:465 2>&1 | tee client.out and report the output of that (I am 
 assuming Postfix is configured with wrapper mode on port 465 aka smtps) 
 based on your reported master.cf: smtps inet n - n - - smtpd -o 
 smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes

It sure looks like Postfix is using a library that does not enable
SHA-2 (that is SHA256, SHA384 and SHA512) algorithms when Postfix calls:

SSL_load_error_strings();
OpenSSL_add_ssl_algorithms();

this is not the behaviour I see, so something is wrong with your OpenSSL
runtime or header files. Which openssl/ssl.h header file does Postfix
include and how does it define OpenSSL_add_ssl_algorithms? I have:

#define OpenSSL_add_ssl_algorithms() SSL_library_init()

which adds all libcrypto digests.

Same: in /usr/include/openssl/ssl.h, I have:

#define OpenSSL_add_ssl_algorithms() SSL_library_init()
#define SSLeay_add_ssl_algorithms() SSL_library_init()

However, in the source of openssl-1.0.1e, I see crypto/sha but no
sha-2 anywhere. Is that correct?

SHA256 is correctly set up in openssl:

openssl x509 -sha256 -noout -fingerprint -in /etc/ssl/certs/gjnet.crt
SHA256 Fingerprint=4C:F3:9C:6C:EA:47:04:12:60:60:D5:B5:18:5D:BD:D4:DA:03:03:44:22:2F:01:C6:F7:A3:76:D6:45:15:3F:89


However, how can postfix NOT use the only openssl library? Or fail to
have SHA2 when loading the .so?



Re: SMTPS 465

2013-04-14 Thread Viktor Dukhovni
On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote:

 However, how can postfix NOT use the only openssl library? Or fail to
 have SHA2 when loading the .so?

Find a less broken operating system.  This works on every system
I've ever used, and finding out what's wrong with yours is not a
good use of your time or mine.

-- 
Viktor.


Re: SMTPS 465

2013-04-14 Thread Joan Moreau

On 14/04/2013 22:24, Viktor Dukhovni wrote:


On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote:

However, how can postfix NOT use the only openssl library? Or fail to 
have SHA2 when loading the .so?


Find a less broken operating system. This works on every system
I've ever used, and finding out what's wrong with yours is not a
good use of your time or mine.



Well, this server has always worked, supporting plenty of web 
operations (so I cannot really 'delete and re-install'), and broke only 
after updating the kernel.


Any other clue?

Thanks a million


Re: SMTPS 465

2013-04-14 Thread Reindl Harald


On 15.04.2013 00:30, Joan Moreau wrote:
 On 14/04/2013 22:24, Viktor Dukhovni wrote:
 
 On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote:

 However, how can postfix NOT use the only openssl library? Or fail to have 
 SHA2 when loading the .so?

 Find a less broken operating system. This works on every system
 I've ever used, and finding out what's wrong with yours is not a
 good use of your time or mine.
 
 
 Well, this server has always worked, supporting plenty of web operations 
 (so I cannot really 'delete and
 re-install'), and broke only after updating the kernel

well, the operating systems I use have package managers like yum,
and updates can be predictably reverted by yum downgrade because
there is no single file which is not covered by a package





Re: SMTPS 465

2013-04-14 Thread Stan Hoeppner
On 4/12/2013 2:03 PM, Joan Moreau wrote:
 I am stuck with making my SSL SMTPS (port 465) work, while it was
 working fine forever.

 I upgraded my kernel to 3.8.6 and since then, nothing works :(


On 4/14/2013 5:24 PM, Viktor Dukhovni wrote:
 On Sun, Apr 14, 2013 at 10:21:58PM +, Joan Moreau wrote:
 
 However, how can postfix NOT use the only openssl library ? or fail to
 have SHA2 when loading the .so ? 
 
 Find a less broken operating system.  This works on every system
 I've ever used, and finding out what's wrong with yours is not a
 good use of your time or mine.


The current stable Linux www.kernel.org source is 3.8.7.  Which suggests
the OP rolled a custom kernel from 3.8.6 source not long ago, and at the
time it was the current stable source.  This is living as close to the
bleeding edge as one can get without using -RC development kernels.

We've been told that this kernel upgrade created the problem.  Simply
reverting to the previous kernel should fix it.  The OP should have done
so before ever posting here, as the problem obviously isn't with
Postfix, but a kernel-library mismatch, bug, or a mistake in .config, etc.

-- 
Stan





Re: SMTPS 465

2013-04-13 Thread DTNX Postmaster
On Apr 13, 2013, at 00:50, b...@bitrate.net wrote:

 On Apr 12, 2013, at 15.25, Joan Moreau j...@grosjo.net wrote:
 
 Hi,
 
 I am stuck with making my SSL SMTPS (port 465) works, while it was working 
 fine since ever.
 
 others have helped with the specifics of your question, so i'll address the 
 philosophical aspect of it :) .  while it may take some coordination to do so 
 if you have an existing user base using smtps, you should be using 
 submission+starttls instead.  smtps is a long since deprecated, never 
 standardized protocol, which now misappropriates a port which has been 
 formally assigned by iana to another protocol, for quite some time.

+1. Use port 587 with STARTTLS, require encryption.

HTH,
Jona



Re: SMTPS 465

2013-04-13 Thread Joan Moreau


Yes, I kind of agree with you; however, whether it is with SSL or
STARTTLS, I get the same error (which did not appear before I upgraded
my kernel).

What could be the solution?

On 12/04/2013 22:50, b...@bitrate.net wrote:

 On Apr 12, 2013, at 15.25, Joan Moreau j...@grosjo.net wrote:
 
 Hi, I am stuck with making my SSL SMTPS (port 465) works, while it was 
 working fine since ever.
 
 others have helped with the specifics of your question, so i'll address the 
 philosophical aspect of it :) . while it may take some coordination to do so 
 if you have an existing user base using smtps, you should be using 
 submission+starttls instead. smtps is a long since deprecated, never 
 standardized protocol, which now misappropriates a port which has been 
 formally assigned by iana to another protocol, for quite some time.
 
 -ben



Re: SMTPS 465

2013-04-13 Thread Joan Moreau


This leads to an error 404.

Maybe you can rather explain how top-posting would solve the SSL problem?


Thanks in advance

joan 

On 12/04/2013 22:14, Quanah Gibson-Mount wrote:

 --On Friday, April 12, 2013 9:05 PM + Joan Moreau j...@grosjo.net 
 wrote:
 Please don't top-post. I do not understand

http://www.idallen.com/topposting.html

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra :: the leader in open source messaging and collaboration





Re: SMTPS 465

2013-04-13 Thread Reindl Harald

On 13.04.2013 12:43, Joan Moreau wrote:
 This leads to an error 404.
 Maybe you can rather explain how top-posting would solve the SSL problem?

you should post your reply BELOW the quote to make a thread
readable by people who may come to it later; they may
ignore it if it is unreadable for them, with answers
randomly at the top and bottom of quotes


to your problem:

you said this started after a kernel update

well, did you try to boot with the previous kernel?
any unix I personally know supports booting the
last kernel if a newer one makes trouble, and if this
solves the problem it is no longer a postfix issue





Re: SMTPS 465

2013-04-13 Thread mouss
On 12/04/2013 23:05, Joan Moreau wrote:

 Please don't top-post.

 I do not understand


 smtpd_tls_loglevel = 1 is sufficient for debugging.

 ok


 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]:
 warning: TLS library problem: 12238:error:1409D08A:SSL
 routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:

 This suggests your TLS library is broken.


 The TLS library being which one ?

 I am using openSSL and all https web site are working fine. Is there
 another library involved ?

most probably, the compiled/configured version of openssl does not match
what postfix expects.

you said that you upgraded the kernel. did this cause an upgrade of
openssl? if so, try rebuilding postfix.

Is your openssl library stripped to only include selected algorithms? if
so, you need to make sure that this matches the algos configured in postfix:

$ postconf | grep medium
lmtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH

you can try:
openssl ciphers -v  'aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH'
(single quotes to avoid the shell barfing because of the '!' char).



Re: SMTPS 465

2013-04-13 Thread Viktor Dukhovni
On Sat, Apr 13, 2013 at 03:40:59PM +0200, mouss wrote:

  2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]:
  warning: TLS library problem: 12238:error:1409D08A:SSL
  routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
 
  This suggests your TLS library is broken.
 
 
  The TLS library being which one ?
 
  I am using openSSL and all https web site are working fine. Is there
  another library involved ?
 
 most probably, the compiled/configured version of openssl does not match
 what postfix expects.

The only versions of OpenSSL I could find in which s3_enc.c has

SSLerr(SSL_F_SSL3_SETUP_KEY_BLOCK,SSL_R_CIPHER_OR_HASH_UNAVAILABLE);

on line 423, are the unreleased OpenSSL 1.0.2 branch and the master
development branch.  The OP has upgraded to a bleeding-edge OpenSSL,
which may have unresolved bugs, or may be incompatible with the
installed libcrypto due to an incomplete upgrade, ...

The solution is to use stable OpenSSL releases if you're not an
OpenSSL developer.  When running development versions of your O/S
distribution you need to be willing to find and solve problems
independently.

[ I've been ignoring this thread, because the OP replied to an unrelated
message to postfix-devel instead of starting a new message, and I don't
like to untangle messed up threads. When composing a new message, don't
hit Reply. ]

-- 
Viktor.


Re: SMTPS 465

2013-04-13 Thread Joan Moreau


On 13/04/2013 13:40, mouss wrote:

 On 12/04/2013 23:05, Joan Moreau wrote:
 Please don't top-post. I do not understand smtpd_tls_loglevel = 1 is 
 sufficient for debugging. ok 2013-04-12T21:49:03.160443+02:00 server 
 postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL 
 routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423: This 
 suggests your TLS library is broken. The TLS library being which one ? I am 
 using openSSL and all https web site are working fine. Is there another 
 library involved ?

most probably, the compiled/configured version of openssl does not match
what postfix expects.

you said that you upgraded the kernel. did this cause an upgrade of
openssl? if so, try rebuilding postfix.

Is your openssl library stripped to only include selected algorithms? if
so, you need to make sure that this matches the algos configured in
postfix:

$ postconf |grep medium
lmtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH

you can try:
openssl ciphers -v 'aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH'
(single quotes to avoid the shell barfing because of the '!' char).

With those parameters, I get:

2013-04-13T17:41:48.562917+02:00 server postfix/smtpd[16148]:
initializing the server-side TLS engine
2013-04-13T17:41:48.582261+02:00 server postfix/smtpd[16148]: connect
from unknown[41.137.65.121]
2013-04-13T17:41:48.582275+02:00 server postfix/smtpd[16148]: setting up
TLS connection from unknown[41.137.65.121]
2013-04-13T17:41:48.582290+02:00 server postfix/smtpd[16148]:
unknown[41.137.65.121]: TLS cipher list
aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
2013-04-13T17:41:48.582492+02:00 server postfix/smtpd[16148]:
SSL_accept:before/accept initialization
2013-04-13T17:41:48.582586+02:00 server postfix/smtpd[16148]:
SSL_accept:SSLv3 read client hello A
2013-04-13T17:41:48.582594+02:00 server postfix/smtpd[16148]:
SSL_accept:SSLv3 write server hello A
2013-04-13T17:41:48.582701+02:00 server postfix/smtpd[16148]:
SSL_accept:SSLv3 write certificate A
2013-04-13T17:41:48.584639+02:00 server postfix/smtpd[16148]:
SSL_accept:SSLv3 write key exchange A
2013-04-13T17:41:48.584647+02:00 server postfix/smtpd[16148]:
SSL_accept:SSLv3 write server done A
2013-04-13T17:41:48.584650+02:00 server postfix/smtpd[16148]:
SSL_accept:SSLv3 flush data
2013-04-13T17:41:48.670134+02:00 server postfix/smtpd[16148]:
SSL_accept:SSLv3 read client key exchange A
2013-04-13T17:41:48.670144+02:00 server postfix/smtpd[16148]:
SSL_accept:error in SSLv3 read certificate verify A
2013-04-13T17:41:48.670147+02:00 server postfix/smtpd[16148]: SSL_accept
error from unknown[41.137.65.121]: -1
2013-04-13T17:41:48.670156+02:00 server postfix/smtpd[16148]: warning:
TLS library problem: 16148:error:1411C146:SSL
routines:tls1_prf:unsupported digest type:t1_enc.c:276:
2013-04-13T17:41:48.670167+02:00 server postfix/smtpd[16148]: warning:
TLS library problem: 16148:error:140D308A:SSL
routines:tls1_setup_key_block:cipher or hash unavailable:t1_enc.c:621: 
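
As an added example (not code from this thread, Postfix or OpenSSL), here is a small parser for smtpd TLS log lines like the ones above, each record joined back onto one line: it groups them by smtpd pid, records where SSL_accept stopped, and splits the packed hex code in "error:XXXXXXXX" into OpenSSL's library, function and reason numbers so that a failure caused by the server's own library ("cipher or hash unavailable", "unsupported digest type") is reported apart from ordinary client-side handshake failures. The reason numbers are taken from the codes quoted in the thread; the second, healthy session in the sample (pid 16150, example.test) is constructed.

```python
"""Summarise Postfix smtpd TLS handshake failures and decode OpenSSL error codes.

Added example for this thread; not code from Postfix or OpenSSL.
"""
import re
from collections import defaultdict

# syslog prefix up to and including "postfix/smtpd[<pid>]: "
LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# e.g. "error:1409D08A:SSL routines:SSL3_SETUP_KEY_BLOCK:cipher or hash unavailable:s3_enc.c:402:"
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
)
CLIENT_RE = re.compile(r"from (?P<client>\S+\[[^\]]+\])")

# OpenSSL 1.0.x packs an error as 8 bits of library, 12 of function, 12 of reason.
ERR_LIB_SSL = 0x14  # "SSL routines"
# Reason numbers as carried in the codes quoted in this thread:
# 1409D08A and 140D308A end in 0x08A, 1411C146 ends in 0x146.
SSL_R_CIPHER_OR_HASH_UNAVAILABLE = 0x08A
SSL_R_UNSUPPORTED_DIGEST_TYPE = 0x146
LIBRARY_SIDE_REASONS = {SSL_R_CIPHER_OR_HASH_UNAVAILABLE, SSL_R_UNSUPPORTED_DIGEST_TYPE}


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into its three numeric fields."""
    code = int(code_hex, 16)
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}


def parse_smtpd_tls_log(lines):
    """Group smtpd TLS log lines by pid into {client, states, errors}."""
    sessions = defaultdict(lambda: {"client": None, "states": [], "errors": []})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        sess = sessions[int(m.group("pid"))]
        msg = m.group("msg")
        c = CLIENT_RE.search(msg)
        if c and sess["client"] is None:
            sess["client"] = c.group("client")
        if msg.startswith("SSL_accept:"):  # state-machine trace at smtpd_tls_loglevel >= 3
            sess["states"].append(msg[len("SSL_accept:"):])
        for e in ERR_RE.finditer(msg):
            err = decode_openssl_error(e.group("code"))
            err.update(code=e.group("code").upper(),
                       func_name=e.group("func"), reason_text=e.group("reason"))
            sess["errors"].append(err)
    return dict(sessions)


def classify(session):
    """'library' if the local TLS library rejected the negotiated cipher/digest,
    'handshake' for any other failed handshake, 'ok' otherwise."""
    for err in session["errors"]:
        if err["lib"] == ERR_LIB_SSL and err["reason"] in LIBRARY_SIDE_REASONS:
            return "library"
    if session["errors"] or any(s.startswith("error in") for s in session["states"]):
        return "handshake"
    return "ok"


def report(sessions):
    """One (pid, client, verdict, last SSL_accept state, reason texts) tuple per session."""
    rows = []
    for pid in sorted(sessions):
        s = sessions[pid]
        last_state = s["states"][-1] if s["states"] else None
        rows.append((pid, s["client"], classify(s), last_state,
                     [e["reason_text"] for e in s["errors"]]))
    return rows


# Constructed sample: the first session is the one quoted in the thread (pid, client
# address and error codes as logged there); the second is a made-up healthy session.
SAMPLE_LOG = [
    "2013-04-13T17:41:48.582261+02:00 server postfix/smtpd[16148]: connect from unknown[41.137.65.121]",
    "2013-04-13T17:41:48.582492+02:00 server postfix/smtpd[16148]: SSL_accept:before/accept initialization",
    "2013-04-13T17:41:48.582586+02:00 server postfix/smtpd[16148]: SSL_accept:SSLv3 read client hello A",
    "2013-04-13T17:41:48.670134+02:00 server postfix/smtpd[16148]: SSL_accept:SSLv3 read client key exchange A",
    "2013-04-13T17:41:48.670144+02:00 server postfix/smtpd[16148]: SSL_accept:error in SSLv3 read certificate verify A",
    "2013-04-13T17:41:48.670147+02:00 server postfix/smtpd[16148]: SSL_accept error from unknown[41.137.65.121]: -1",
    "2013-04-13T17:41:48.670156+02:00 server postfix/smtpd[16148]: warning: TLS library problem: 16148:error:1411C146:SSL routines:tls1_prf:unsupported digest type:t1_enc.c:276:",
    "2013-04-13T17:41:48.670167+02:00 server postfix/smtpd[16148]: warning: TLS library problem: 16148:error:140D308A:SSL routines:tls1_setup_key_block:cipher or hash unavailable:t1_enc.c:621:",
    "2013-04-13T17:45:01.000000+02:00 server postfix/smtpd[16150]: connect from example.test[192.0.2.10]",
    "2013-04-13T17:45:01.100000+02:00 server postfix/smtpd[16150]: SSL_accept:SSLv3 read client hello A",
    "2013-04-13T17:45:01.300000+02:00 server postfix/smtpd[16150]: SSL_accept:SSLv3 read finished A",
    "2013-04-13T17:45:01.400000+02:00 server postfix/smtpd[16150]: Anonymous TLS connection established from example.test[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
]

if __name__ == "__main__":
    for pid, client, verdict, last_state, reasons in report(parse_smtpd_tls_log(SAMPLE_LOG)):
        print(f"smtpd[{pid}] {client}: {verdict}; stopped at '{last_state}'; {reasons}")
```

A "library" verdict across many different clients, as in this thread, points at the server's OpenSSL build rather than at the clients.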



Re: SMTPS 465

2013-04-12 Thread Noel Jones
On 4/12/2013 2:25 PM, Joan Moreau wrote:
 Hi,
 
 I am stuck with making my SSL SMTPS (port 465) works, while it was
 working fine since ever.
 
 I upgraded my kernel to 3.8.6 and since then, nothing works :(
 
  


What happens when you test it?
# openssl s_client -connect 127.0.0.1:465

What does postfix log?
http://www.postfix.org/DEBUG_README.html#logging



  -- Noel Jones





 
 Here my postconf -n
 
 alias_maps = hash:/etc/aliases
 biff = no
 bounce_queue_lifetime = 6h
 broken_sasl_auth_clients = yes
 canonical_maps = hash:/etc/postfix/canonical
 command_directory = /usr/sbin
 config_directory = /etc/postfix
 daemon_directory = /usr/lib/postfix
 data_directory = /var/lib/postfix
 defer_transports =
 delay_warning_time = 1h
 disable_dns_lookups = no
 disable_mime_output_conversion = no
 dovecot_destination_recipient_limit = 1
 header_checks = pcre:/etc/postfix/smtp_header_checks
 html_directory = no
 inet_interfaces = all
 inet_protocols = ipv4
 local_recipient_maps =
 mail_owner = postfix
 mail_spool_directory = /var/spool/mail
 mailbox_size_limit = 0
 mailbox_transport = dovecot
 mailq_path = /usr/bin/mailq
 manpage_directory = /usr/share/man
 masquerade_classes = envelope_sender, header_sender, header_recipient
 masquerade_domains =
 masquerade_exceptions = root
 maximal_queue_lifetime = 1d
 message_size_limit = 20480
 mydestination = $myhostname, localhost.$mydomain
 mydomain = grosjo.net
 myhostname = grosjo.net
 mynetworks = 127.0.0.0/8 204.93.196.46/32
 myorigin = $mydomain
 newaliases_path = /usr/bin/newaliases
 proxy_read_maps = $virtual_mailbox_domains $local_recipient_maps
 $mydestination $virtual_alias_maps $virtual_alias_domains
 $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps
 $relay_domains $canonical_maps $sender_canonical_maps
 $recipient_canonical_maps $relocated_maps $transport_maps
 $mynetworks $virtual_mailbox_limit_maps
 queue_directory = /var/spool/postfix
 readme_directory = no
 relayhost =
 relocated_maps = hash:/etc/postfix/relocated
 sample_directory = /usr/share/doc/packages/postfix/samples
 sender_canonical_maps = hash:/etc/postfix/sender_canonical
 sendmail_path = /usr/sbin/sendmail
 setgid_group = maildrop
 slow_destination_concurrency_limit = 2
 slow_destination_recipient_limit = 1
 smtp_header_checks = pcre:/etc/postfix/smtp_header_checks
 smtp_sasl_auth_enable = no
 smtp_tls_CAfile = /etc/ssl/ca-bundle.crt
 smtp_tls_cert_file = /etc/ssl/certs/gjnet.crt
 smtp_tls_key_file = /etc/ssl/certs/gjnet.key
 smtp_tls_session_cache_database = hash:/var/lib/postfix/smtp_scache
 smtp_use_tls = no
 smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
 smtpd_client_restrictions = permit_mynetworks,
 permit_sasl_authenticated, reject_unauth_destination, permit
 smtpd_helo_required = no
 smtpd_helo_restrictions =
 smtpd_recipient_restrictions =
 permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unauth_destination,reject_unauth_pipelining,reject_invalid_hostname,reject_rbl_client
 bl.spamcop.net,reject_rbl_client
 sbl-xbl.spamhaus.org,check_policy_service inet:127.0.0.1:10023
 smtpd_relay_restrictions = permit_mynetworks
 permit_sasl_authenticated defer_unauth_destination
 smtpd_sasl_auth_enable = no
 smtpd_sasl_local_domain = $mydomain
 smtpd_sasl_path = smtpd
 smtpd_sasl_security_options = noanonymous
 smtpd_sender_restrictions = permit_sasl_authenticated
 smtpd_tls_CAfile = /etc/ssl/ca-bundle.crt
 smtpd_tls_CApath = /etc/ssl/certs
 smtpd_tls_cert_file = /etc/ssl/certs/gjnet.crt
 smtpd_tls_key_file = /etc/ssl/certs/gjnet.key
 smtpd_tls_loglevel = 3
 strict_8bitmime = no
 strict_rfc821_envelopes = no
 transport_maps = hash:/etc/postfix/transport
 unknown_local_recipient_reject_code = 550
 virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf
 virtual_gid_maps = static:1002
 virtual_mailbox_base = /data/mail
 virtual_mailbox_domains =
 mysql:/etc/postfix/mysql_virtual_domains_maps.cf
 virtual_mailbox_limit = 0
 virtual_mailbox_limit_maps =
 mysql:/etc/postfix/mysql_virtual_mailbox_limit_maps.cf
 virtual_mailbox_maps = mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
 virtual_minimum_uid = 10001
 virtual_transport = dovecot
 virtual_uid_maps = static:10001
 
 my master.cf
 
 smtp  inet  n   -   n   -   -   smtpd
 # -o content_filter=spamassassin
 #smtps inet  n   -   n   -   -   smtpd -o
 smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
 smtps inet  n   -   n   -   -   smtpd -o
 smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes
 submission inet n   -   n   -   -   smtpd -o
 smtpd_enforce_tls=yes
 pickup    fifo  n   -   n   60  1   pickup
 cleanup   unix  n   -   n   -   0   cleanup
 qmgr  fifo  n   -   n   300 1   qmgr
 rewrite   unix  -   -   n   -   -   

Re: SMTPS 465

2013-04-12 Thread Joan Moreau


Hi, 

I need to type 

server:~ # openssl s_client -CAPATH /ETC/SSL -connect 127.0.0.1:465 

to get an OK at the end. 

Is this the cause of the problem? If yes, how do I fix it in main.cf? 

CONNECTED(0003)
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN =
grosjo.net
verify return:1
write:errno=104
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
---
Server certificate
-BEGIN CERTIFICATE-
MIIE1zCCA7+gAwIBAgIRAKEFB6KnYccTgVUT3bw3RGYwDQYJKoZIhvcNAQEFBQAw
...
aNrCILvl6KKvIe04MKimkkB9HwN4hY9vb4hGYX2qqn5ihFgZEg6gyc3rzA==
-END CERTIFICATE-
subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4017 bytes and written 135 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 
Session-ID-ctx: 
Master-Key:
CE923A87CC6CC9B18C1B9C8F8B0A0BA05A96194501CC54EDD95A29F61D1C82D85E253F756E9D1568CF850C02D5DDBF9C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Compression: 1 (zlib compression)
Start Time: 1365795552
Timeout : 300 (sec)
  VERIFY RETURN CODE: 0 (OK)
---



Re: SMTPS 465

2013-04-12 Thread Joan Moreau


Actually, if I type 

openssl s_client -CApath BKQSDQSD -connect 127.0.0.1:465 

(i.e. whatever is in the CApath field), the connection works fine, 

but if not, I get an error. 

Putting the log level at 3 in Postfix, I get: 

2013-04-12T21:49:03.25+02:00 server postfix/smtpd[12238]: initializing the server-side TLS engine
2013-04-12T21:49:03.068492+02:00 server postfix/smtpd[12238]: connect from unknown[41.137.65.121]
2013-04-12T21:49:03.068514+02:00 server postfix/smtpd[12238]: setting up TLS connection from unknown[41.137.65.121]
2013-04-12T21:49:03.068639+02:00 server postfix/smtpd[12238]: unknown[41.137.65.121]: TLS cipher list aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
2013-04-12T21:49:03.068872+02:00 server postfix/smtpd[12238]: SSL_accept:before/accept initialization
2013-04-12T21:49:03.068964+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 read client hello A
2013-04-12T21:49:03.068973+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write server hello A
2013-04-12T21:49:03.069102+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write certificate A
2013-04-12T21:49:03.071683+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write key exchange A
2013-04-12T21:49:03.071693+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 write server done A
2013-04-12T21:49:03.071697+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 flush data
2013-04-12T21:49:03.160413+02:00 server postfix/smtpd[12238]: SSL_accept:SSLv3 read client key exchange A
2013-04-12T21:49:03.160429+02:00 server postfix/smtpd[12238]: SSL_accept:error in SSLv3 read certificate verify A
2013-04-12T21:49:03.160431+02:00 server postfix/smtpd[12238]: SSL_accept error from unknown[41.137.65.121]: -1
2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:
2013-04-12T21:49:03.165268+02:00 server postfix/smtpd[12238]: lost connection after CONNECT from unknown[41.137.65.121]
2013-04-12T21:49:03.165281+02:00 server postfix/smtpd[12238]: disconnect from unknown[41.137.65.121]

On 12/04/2013 19:41, Joan Moreau wrote: 

 Hi, 
 
 I need to type 
 
 server:~ # openssl s_client -CApath /etc/ssl -connect 127.0.0.1:465 
 
 to get an OK at the end. 
 
 Is this the cause of the problem? If yes, how to fix it in main.cf? 
 
 CONNECTED(0003)
 depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
 verify return:1
 depth=0 OU = Domain Control Validated, OU = Gandi Standard SSL, CN = grosjo.net
 verify return:1
 write:errno=104
 ---
 Certificate chain
  0 s:/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
    i:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
  1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
    i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
  2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
    i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
 ---
 Server certificate
 -----BEGIN CERTIFICATE-----
 MIIE1zCCA7+gAwIBAgIRAKEFB6KnYccTgVUT3bw3RGYwDQYJKoZIhvcNAQEFBQAw
 ...
 aNrCILvl6KKvIe04MKimkkB9HwN4hY9vb4hGYX2qqn5ihFgZEg6gyc3rzA==
 -----END CERTIFICATE-----
 subject=/OU=Domain Control Validated/OU=Gandi Standard SSL/CN=grosjo.net
 issuer=/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
 ---
 No client certificate CA names sent
 Peer signing digest: SHA512
 Server Temp Key: ECDH, P-256, 256 bits
 ---
 SSL handshake has read 4017 bytes and written 135 bytes
 ---
 New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
 Server public key is 2048 bit
 Secure Renegotiation IS supported
 Compression: zlib compression
 Expansion: NONE
 SSL-Session:
     Protocol  : TLSv1.2
     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
     Session-ID: 
     Session-ID-ctx: 
     Master-Key: CE923A87CC6CC9B18C1B9C8F8B0A0BA05A96194501CC54EDD95A29F61D1C82D85E253F756E9D1568CF850C02D5DDBF9C
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Compression: 1 (zlib compression)
     Start Time: 1365795552
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
 ---



Re: SMTPS 465

2013-04-12 Thread Noel Jones
On 4/12/2013 2:49 PM, Joan Moreau wrote:
 Actually, if type
 
 openssl s_client *-CApath BKQSDQSD* -connect 127.0.0.1:465
 
 (Ie. whatever in the CApath field), the connection works fine
 
 but if not, I get an error.
 
  
 
 Putting log level at 3 in postfix, I get :

Please don't top-post.

smtpd_tls_loglevel = 1 is sufficient for debugging. Higher log
levels tend to hide problems in the noise.

 2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS 
 library problem: 12238:error:1409D08A:SSL 
 routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:

This suggests your TLS library is broken.


  -- Noel Jones
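
Noel's reading of that warning can be checked mechanically. The script below is an added example, not code from the thread: it takes the warning line Joan posted (copied here as a constructed sample), pulls out the packed OpenSSL error code and splits it into the library, function and reason numbers that OpenSSL 1.0.x packs as (lib << 24) | (func << 12) | reason. Library 20 is ERR_LIB_SSL; the function and reason names are the text that follows the code in the same line. On the affected host, `openssl errstr 1409D08A` performs the same decoding against whatever libcrypto the openssl binary loads. The failure point matters: the handshake dies in ssl3_setup_key_block, i.e. while deriving record keys for the negotiated suite, and the suite in the s_client output is ECDHE-RSA-AES256-GCM-SHA384, whose TLS 1.2 key derivation uses SHA-384. "cipher or hash unavailable" at that point is consistent with the libcrypto that smtpd mapped lacking that digest, so the next check is which libssl/libcrypto smtpd actually loads (`ldd` on the smtpd binary, or /proc/<pid>/maps of a running smtpd) compared with the one the openssl command line uses. That is my inference from the log, not a statement from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): decode the packed OpenSSL error code that
# Postfix prints in a "TLS library problem" warning. The sample log line is a
# copy of the one posted above; nothing here contacts a server.

SAMPLE_LOG='2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: TLS library problem: 12238:error:1409D08A:SSL routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:'

# OpenSSL 1.0.x packs an error as ERR_PACK(lib, func, reason):
#   (lib << 24) | (func << 12) | reason
# Library 20 is ERR_LIB_SSL; the function and reason numbers correspond to
# the names spelled out in the text part of the same log line.
decode_ossl_error() {
    code=$((0x$1))
    printf 'lib=%d func=%d reason=%d\n' \
        $(( code >> 24 )) $(( (code >> 12) & 0xFFF )) $(( code & 0xFFF ))
}

# Pull the 8-hex-digit code out of a Postfix "TLS library problem" line.
# Prints nothing and returns 1 for lines that carry no such code.
ossl_error_code() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*error:\([0-9A-Fa-f]\{8\}\):.*/\1/p')
    [ -n "$code" ] || return 1
    printf '%s\n' "$code"
}

# Pull the "function:reason" text after the code, e.g.
# "ssl3_setup_key_block:cipher or hash unavailable".
ossl_error_text() {
    printf '%s\n' "$1" |
        sed -n 's/.*error:[0-9A-Fa-f]\{8\}:[^:]*:\([^:]*:[^:]*\):.*/\1/p'
}

main() {
    code=$(ossl_error_code "$SAMPLE_LOG") || {
        echo "no OpenSSL error code in sample line" >&2
        return 1
    }
    echo "code   : $code"
    echo "decoded: $(decode_ossl_error "$code")"
    echo "meaning: $(ossl_error_text "$SAMPLE_LOG")"
    echo "cross-check on the host: openssl errstr $code"
}
main
```

Run it as `sh decode_tls_warning.sh`; to decode a live log, replace SAMPLE_LOG with a line from `grep 'TLS library problem' /var/log/mail.log`. The sed patterns assume the OpenSSL 1.0.x error format (`error:<8 hex>:<lib name>:<function>:<reason>:<file>:<line>:`); OpenSSL 3.x prints a different layout and the hex layout changed with 3.0, so the decode above is specific to the 1.0-era library in the thread.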


Re: SMTPS 465

2013-04-12 Thread Joan Moreau



Please don't top-post.


I do not understand



smtpd_tls_loglevel = 1 is sufficient for debugging.


ok


2013-04-12T21:49:03.160443+02:00 server postfix/smtpd[12238]: warning: 
TLS library problem: 12238:error:1409D08A:SSL 
routines:ssl3_setup_key_block:cipher or hash unavailable:s3_enc.c:423:


This suggests your TLS library is broken.



The TLS library being which one?

I am using OpenSSL and all https web sites are working fine. Is there 
another library involved?


Thank you in advance

Joan


Re: SMTPS 465

2013-04-12 Thread Quanah Gibson-Mount
--On Friday, April 12, 2013 9:05 PM + Joan Moreau j...@grosjo.net 
wrote:





Please don't top-post.


I do not understand


http://www.idallen.com/topposting.html

--Quanah



--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.

Zimbra ::  the leader in open source messaging and collaboration


Re: SMTPS 465

2013-04-12 Thread btb

On Apr 12, 2013, at 15.25, Joan Moreau j...@grosjo.net wrote:

 Hi,
 
 I am stuck with making my SSL SMTPS (port 465) works, while it was working 
 fine since ever.

others have helped with the specifics of your question, so i'll address the 
philosophical aspect of it :) .  while it may take some coordination to do so 
if you have an existing user base using smtps, you should be using 
submission+starttls instead.  smtps is a long since deprecated, never 
standardized protocol, which now misappropriates a port which has been formally 
assigned by iana to another protocol, for quite some time.

-ben
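
Ben's advice in concrete form. The master.cf entries and probe commands below are an added example, not configuration from the thread; the hostname mail.example.net and the CA path /etc/ssl/certs are placeholders. The submission service on 587 requires STARTTLS (smtpd_tls_security_level=encrypt) and SASL authentication before it will relay, and the legacy smtps service on 465 is kept in TLS wrapper mode for clients that cannot be migrated yet; both sets of settings are per-service -o overrides, so the port-25 smtpd is untouched. One caveat on the port assignment: in 2013 IANA listed 465 for a different protocol, as Ben says, but RFC 8314 (2018) later registered it for implicit-TLS submission ("submissions"), so today offering both 465 and 587 to authenticated clients is standard practice.

```shell
#!/bin/sh
# Added example (not from the thread): stock-style master.cf entries for a
# submission service (587, STARTTLS required, SASL) next to the legacy smtps
# service (465, TLS wrapper mode), plus the matching openssl s_client probes.
# HOST and CAPATH are placeholders; override them in the environment.

HOST=${HOST:-mail.example.net}
CAPATH=${CAPATH:-/etc/ssl/certs}

# master.cf lines. Every "-o" is a per-service override, so port 25 keeps
# the main.cf defaults (opportunistic TLS, no SASL).
submission_master_entries() {
cat <<'EOF'
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
EOF
}

# Return 0 if the master.cf text on stdin defines the named inet service.
master_has_service() {
    grep -q "^$1[[:space:]]\{1,\}inet[[:space:]]"
}

# Handshake probes. 587 speaks SMTP first, so s_client needs -starttls smtp;
# 465 is TLS from the first byte. Both pass the CA path explicitly so the
# "Verify return code" line at the end reflects real chain validation.
probe_submission() {
    openssl s_client -starttls smtp -CApath "$CAPATH" -connect "$HOST:587" </dev/null
}
probe_smtps() {
    openssl s_client -CApath "$CAPATH" -connect "$HOST:465" </dev/null
}

# Print the entries so they can be reviewed or appended to master.cf.
submission_master_entries
```

Append the printed entries to master.cf (or write them with `postconf -M`, available from Postfix 2.11 on) and run `postfix reload`; `postconf -M submission/inet` then shows the resulting service. Without `-starttls smtp` a probe of 587 hangs, because s_client waits for a TLS record while the server waits for EHLO.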