Re: tls stopped working after update from 3.1.14 to 3.4.8
On February 24, 2020 8:47:49 AM UTC, Viktor Dukhovni wrote:
>>
>> On Feb 24, 2020, at 2:27 AM, Michael wrote:
>>
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server hello
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change cipher spec
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted extensions
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate request
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
>> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
>> Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept:error in TLSv1.3 early data
>> Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
>> Feb 22 08:55:08 mail postfix/smtpd[12952]: lost connection after STARTTLS from bendel.debian.org[82.195.75.100]
>> Feb 22 08:55:08 mail postfix/smtpd[12952]: disconnect from bendel.debian.org[82.195.75.100] ehlo=1 starttls=0/1 commands=1/2
>
> This looks like a client (or firewall, etc. in between) that does not
> correctly support TLS 1.3. What's new on your system is not Postfix 3.4,
> but a sufficiently recent version of OpenSSL that has TLS 1.3 support.
>
> The client appears to have just disconnected after the server's "finished"
> message, with no TLS alert sent to indicate the nature of the problem.
>
> You could try getting a PCAP file, and decode that, but with TLS 1.3,
> a large fraction of the handshake is encrypted, debugging can be
> more difficult.
>
> Were TLS sessions failing from all senders or just particular systems?

Since the host in the example is a Debian mail server (it hosts the project mailing lists), I checked. It's running Debian 10 (same as the OP) using Postfix 3.4 (.6, .7, or .8 depending on when it was last updated), so it should support TLS 1.3 with no problem (I don't have access to the Postfix or OpenSSL configuration, so in theory it could have been manually disabled). That points to your "or something in between" theory. Since it appears to be all hosts, I'd guess something very nearby the OP's system.

Scott K
Re: tls stopped working after update from 3.1.14 to 3.4.8
i forgot:

On Monday, February 24, 2020 9:47:49 AM CET, Viktor Dukhovni wrote:
> Were TLS sessions failing from all senders or just particular systems?

it seems to me that all tls sessions failed, since no mail was delivered at all after the switch.

greetings...
Re: tls stopped working after update from 3.1.14 to 3.4.8
hey,

On Monday, February 24, 2020 9:47:49 AM CET, Viktor Dukhovni wrote:
> This looks like a client (or firewall, etc. in between) that does not
> correctly support TLS 1.3. What's new on your system is not Postfix 3.4,
> but a sufficiently recent version of OpenSSL that has TLS 1.3 support.

i came to the same conclusion. the thing is, if i do an "openssl s_client -starttls ..." from openssl 1.1.0l, there is only a tls1.2 connection established:

Feb 24 09:50:02 mail postfix/smtpd[8086]: connect from reverse.hemathor.de[87.253.250.109]
Feb 24 09:50:02 mail postfix/smtpd[8086]: setting up TLS connection from reverse.hemathor.de[87.253.250.109]
Feb 24 09:50:02 mail postfix/smtpd[8086]: reverse.hemathor.de[87.253.250.109]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:before SSL initialization
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:before SSL initialization
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS read client hello
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write server hello
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write certificate
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write key exchange
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write server done
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write server done
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS read client key exchange
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS read change cipher spec
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS read finished
Feb 24 09:50:02 mail postfix/smtpd[8086]: reverse.hemathor.de[87.253.250.109]: Issuing session ticket, key expiration: 1582535905
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write session ticket
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write change cipher spec
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write finished
Feb 24 09:50:02 mail postfix/smtpd[8086]: Anonymous TLS connection established from reverse.hemathor.de[87.253.250.109]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 09:50:14 mail postfix/smtpd[8086]: disconnect from reverse.hemathor.de[87.253.250.109] ehlo=1 starttls=1 quit=1 commands=3

whereas from the same box where postfix 3.4.8 is running, providing openssl 1.1.1d, the starttls command fails to establish a tls1.3 connection with my public ip address:

Feb 24 09:59:51 sunflower postfix/smtpd[8185]: initializing the server-side TLS engine
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: connect from reverse.hemathor.de[87.253.250.109]
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: setting up TLS connection from reverse.hemathor.de[87.253.250.109]
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: reverse.hemathor.de[87.253.250.109]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:before SSL initialization
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:before SSL initialization
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS read client hello
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS write server hello
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS write change cipher spec
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:TLSv1.3 write encrypted extensions
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS write certificate
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:TLSv1.3 write server certificate verify
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:SSLv3/TLS write finished
Feb 24 09:59:51 sunflower postfix/smtpd[8185]: SSL_accept:TLSv1.3 early data
Feb 24 09:59:56 sunflower postfix/smtpd[8185]: SSL_accept:error in TLSv1.3 early data
Feb 24 09:59:56 sunflower postfix/smtpd[8185]: SSL_accept error from reverse.hemathor.de[87.253.250.109]: lost connection
Feb 24 09:59:56 sunflower postfix/smtpd[8185]: lost connection after STARTTLS from reverse.hemathor.de[87.253.250.109]
Feb 24 09:59:56 sunflower postfix/smtpd[8185]: disconnect from reverse.hemathor.de[87.253.250.109] ehlo=1 starttls=0/1 commands=1/2

if i do a "openssl s_client -starttls -connect localhost:25" everything seems to work fine:

Feb 24 10:04:45 sunflower postfix/smtpd[8219]: initializing the server-side TLS engine
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: connect from localhost.localdomain[127.0.0.1]
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: setting up TLS connection from localhost.localdomain[127.0.0.1]
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: localhost.localdomain[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 24 10:04:45 sunflower postfix/smtpd[8219]: SSL_accept:before SSL initialization
Feb 24 10:04:45
Re: tls stopped working after update from 3.1.14 to 3.4.8
> On Feb 24, 2020, at 2:27 AM, Michael wrote:
>
> Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
> Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
> Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change cipher spec
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted extensions
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate request
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
> Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept:error in TLSv1.3 early data
> Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
> Feb 22 08:55:08 mail postfix/smtpd[12952]: lost connection after STARTTLS from bendel.debian.org[82.195.75.100]
> Feb 22 08:55:08 mail postfix/smtpd[12952]: disconnect from bendel.debian.org[82.195.75.100] ehlo=1 starttls=0/1 commands=1/2

This looks like a client (or firewall, etc. in between) that does not correctly support TLS 1.3. What's new on your system is not Postfix 3.4, but a sufficiently recent version of OpenSSL that has TLS 1.3 support.

The client appears to have just disconnected after the server's "finished" message, with no TLS alert sent to indicate the nature of the problem.

You could try getting a PCAP file, and decode that, but with TLS 1.3, a large fraction of the handshake is encrypted, debugging can be more difficult.

Were TLS sessions failing from all senders or just particular systems?

-- 
Viktor.
Re: tls stopped working after update from 3.1.14 to 3.4.8
hey,

first, let me thank you for your answer. i really appreciate this!

On Monday, February 24, 2020 12:20:27 AM CET, Viktor Dukhovni wrote:
>> smtpd_tls_security_level = may
>> smtpd_tls_loglevel = 1
>
> That's fine, but not consistent with the verbose logging below, did you
> temporarily set a higher log level?

yes, i'm sorry. i posted the original settings from my working postfix 3.1.14 installation that didn't work with postfix 3.4.8. i tried to get to the bottom of this problem by gradually increasing "smtpd_tls_loglevel", but with level "3" i was overwhelmed with the output and stopped understanding most of it.

>> smtpd_tls_ciphers = low
>
> These days, "medium" makes more sense, the "low" and "export" ciphers
> are dead.

i knew that even back then, but i had to support an old android 4.1.x phone which didn't support higher ciphers. but since that phone is gone now, i will change it to "medium".

> And is now ready to hear back from the client, but what happened next?
> This isn't the end of the logging from smtpd[12952]...

i am sorry, seems like i was too tired after dealing with this problem the whole weekend.

here's the rest (along with all the previous lines for context):

# grep -F 'smtpd[12952]' /var/log/mail.log.1
Feb 22 08:50:07 mail postfix/smtpd[12952]: initializing the server-side TLS engine
Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change cipher spec
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted extensions
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate request
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept:error in TLSv1.3 early data
Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:55:08 mail postfix/smtpd[12952]: lost connection after STARTTLS from bendel.debian.org[82.195.75.100]
Feb 22 08:55:08 mail postfix/smtpd[12952]: disconnect from bendel.debian.org[82.195.75.100] ehlo=1 starttls=0/1 commands=1/2

if you need anything else, please let me know.

greetings...
Re: tls stopped working after update from 3.1.14 to 3.4.8
On Sun, Feb 23, 2020 at 10:45:14PM +0100, Michael wrote:

> After upgrading from debian stretch (providing postfix 3.1.14) to
> buster (providing postfix 3.4.8), I just found out that no incoming
> mail was received any longer. Digging a little deeper showed me that
> turning off tls resolved this issue. but then again, there was no
> tls...
>
> I would appreciate a little help on why postfix doesn't like my old
> settings any longer and what I have to change to get it working with
> 3.4.8.
>
>
> I used the very same main.cf and master.cf file with the following tls
> related settings:
> smtpd_tls_security_level = may
> smtpd_tls_loglevel = 1

That's fine, but not consistent with the verbose logging below, did you temporarily set a higher log level?

> smtpd_tls_ciphers = low

These days, "medium" makes more sense, the "low" and "export" ciphers are dead.

> here's what the log file says:
> Feb 22 08:50:07 mail postfix/smtpd[12952]: initializing the server-side TLS engine
> Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]

TLS library initialization was successful.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
> Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"

That's the "low" cipherlist, so far so good...

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change cipher spec
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted extensions

Based on the TLS ClientHello, the server believes the client supports TLS 1.3.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate request

And is soliciting a client certificate.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate

And sends its own.

> Feb 22 08:50:07 mail postfix/smtpd[12815]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
> Feb 22 08:50:07 mail postfix/smtpd[12816]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection

These two are from an unrelated concurrent session and should be ignored.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify

The server signs its certificate message.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data

And is now ready to hear back from the client, but what happened next? This isn't the end of the logging from smtpd[12952]...

-- 
Viktor.
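An added example, not code from the thread or from Postfix, that applies Viktor's reading of the smtpd log above and the TLS 1.2 versus TLS 1.3 comparison Michael posted: it groups lines per smtpd PID between "connect from" and "disconnect from" so concurrent sessions such as 12815/12816 stay separate, names the negotiated protocol from the "TLSv1.3 write encrypted extensions" marker, and flags sessions where the client went silent after the server's Finished. The sample log is constructed from the thread's lines; the function names are mine.

```python
import re
from datetime import datetime

# Constructed sample in the format of the thread's logs: the stalled TLS 1.3
# session (PID 12952, plus a stray line from concurrent PID 12815) and the
# working TLS 1.2 session (PID 8086) from the openssl s_client test.
SAMPLE_LOG = """\
Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted extensions
Feb 22 08:50:07 mail postfix/smtpd[12815]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept:error in TLSv1.3 early data
Feb 22 08:55:07 mail postfix/smtpd[12952]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:55:08 mail postfix/smtpd[12952]: disconnect from bendel.debian.org[82.195.75.100] ehlo=1 starttls=0/1 commands=1/2
Feb 24 09:50:02 mail postfix/smtpd[8086]: connect from reverse.hemathor.de[87.253.250.109]
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS read client hello
Feb 24 09:50:02 mail postfix/smtpd[8086]: SSL_accept:SSLv3/TLS write finished
Feb 24 09:50:02 mail postfix/smtpd[8086]: Anonymous TLS connection established from reverse.hemathor.de[87.253.250.109]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 24 09:50:14 mail postfix/smtpd[8086]: disconnect from reverse.hemathor.de[87.253.250.109] ehlo=1 starttls=1 quit=1 commands=3
"""

LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$')

def parse_sessions(log_text):
    """One session per smtpd PID from 'connect from' to 'disconnect from';
    lines of other PIDs (the unrelated concurrent sessions) never mix in."""
    open_sessions, done = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m['pid'], m['msg']
        if msg.startswith('connect from '):
            open_sessions[pid] = []
        if pid not in open_sessions:
            continue
        open_sessions[pid].append((m['ts'], msg))
        if msg.startswith('disconnect from '):
            done.append((pid, open_sessions.pop(pid)))
    return done

def classify(events):
    """Return (protocol, outcome, seconds the server waited after its Finished)."""
    msgs = [m for _, m in events]
    proto = ('TLSv1.3' if any('TLSv1.3 write encrypted extensions' in m for m in msgs)
             else 'TLSv1.2-or-older' if any('read client hello' in m for m in msgs) else 'none')
    if any('TLS connection established' in m for m in msgs):
        return proto, 'established', 0
    fin = [ts for ts, m in events if m.endswith('write finished')]
    lost = [ts for ts, m in events if 'lost connection' in m]
    if fin and lost:
        # Server sent Finished, then heard nothing until it gave up: this thread's pattern.
        wait = datetime.strptime(lost[0], '%b %d %H:%M:%S') - datetime.strptime(fin[0], '%b %d %H:%M:%S')
        return proto, 'client-silent-after-server-finished', int(wait.total_seconds())
    return proto, 'lost-connection' if lost else 'incomplete', 0

def report(log_text):
    return {pid: classify(ev) for pid, ev in parse_sessions(log_text)}
```

Run `report(open('/var/log/mail.log').read())` on a real log at smtpd_tls_loglevel 2 or higher; a cluster of TLSv1.3 sessions ending in client-silent-after-server-finished across many senders points at the path between the peers rather than at any one client.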
tls stopped working after update from 3.1.14 to 3.4.8
hey,

after upgrading from debian stretch (providing postfix 3.1.14) to buster (providing postfix 3.4.8), i just found out that no incoming mail was received any longer. digging a little deeper showed me that turning off tls resolved this issue. but then again, there was no tls...

i would appreciate a little help on why postfix doesn't like my old settings any longer and what i have to change to get it working with 3.4.8.

i used the very same main.cf and master.cf file with the following tls related settings:

smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_ciphers = low
smtpd_tls_cert_file = /etc/letsencrypt/certs/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/certs/privkey.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams/dh2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dhparams/dh512.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_ask_ccert = yes
relay_clientcerts = hash:/etc/postfix/relay_clientcerts
smtpd_client_restrictions = permit_tls_clientcerts, check_client_access hash:/etc/postfix/client_access, reject_rbl_client zen.spamhaus.org
smtpd_relay_restrictions = permit_tls_clientcerts, permit_mynetworks, defer_unauth_destination

here's what the log file says:

Feb 22 08:50:07 mail postfix/smtpd[12952]: initializing the server-side TLS engine
Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change cipher spec
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted extensions
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate request
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate
Feb 22 08:50:07 mail postfix/smtpd[12815]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12816]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data

greetings...