[Bug 1001040] [NEW] "TLS library problem" drops incoming mail when sender uses RC4-MD5 cipher
Public bug reported:

Every time my email server (Ubuntu Server 12.04) receives an email sent from google.com (e.g. gmail) using TLS with the RC4-MD5 cipher, it fails. Here is the output of one such interaction. I have set smtpd_tls_loglevel=2 in /etc/postfix/main.cf in hopes this will help. Note that I have replaced my actual hostname with 'myhostname'

May 17 15:43:02 myhostname postfix/smtpd[28328]: initializing the server-side TLS engine
May 17 15:43:02 myhostname postfix/smtpd[28328]: connect from mail-yw0-f47.google.com[209.85.213.47]
May 17 15:43:03 myhostname postfix/smtpd[28328]: setting up TLS connection from mail-yw0-f47.google.com[209.85.213.47]
May 17 15:43:03 myhostname postfix/smtpd[28328]: mail-yw0-f47.google.com[209.85.213.47]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:before/accept initialization
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 read client hello A
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 write server hello A
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 write certificate A
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 write server done A
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 flush data
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 read client key exchange A
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 read finished A
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 write change cipher spec A
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 write finished A
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 flush data
May 17 15:43:03 myhostname postfix/smtpd[28328]: mail-yw0-f47.google.com[209.85.213.47]: save session DC174AEAF16104F9B5ACF53EFD8E242ED70DD37C4957B17780133B84CE85D295&s=smtp to smtpd cache
May 17 15:43:03 myhostname postfix/tlsmgr[28319]: put smtpd session id=DC174AEAF16104F9B5ACF53EFD8E242ED70DD37C4957B17780133B84CE85D295&s=smtp [data 127 bytes]
May 17 15:43:03 myhostname postfix/tlsmgr[28319]: write smtpd TLS cache entry DC174AEAF16104F9B5ACF53EFD8E242ED70DD37C4957B17780133B84CE85D295&s=smtp: time=1337294583 [data 127 bytes]
May 17 15:43:03 myhostname postfix/smtpd[28328]: Anonymous TLS connection established from mail-yw0-f47.google.com[209.85.213.47]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL3 alert read:fatal:bad record mac
May 17 15:43:03 myhostname postfix/smtpd[28328]: warning: TLS library problem: 28328:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1247:SSL alert number 20:
May 17 15:43:03 myhostname postfix/smtpd[28328]: lost connection after EHLO from mail-yw0-f47.google.com[209.85.213.47]
May 17 15:43:03 myhostname postfix/smtpd[28328]: disconnect from mail-yw0-f47.google.com[209.85.213.47]

At least one other user is encountering this problem, as discussed here:
http://ubuntuforums.org/showthread.php?t=1981839

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: postfix 2.9.1-4
ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14
Uname: Linux 3.2.0-23-generic x86_64
ApportVersion: 2.0.1-0ubuntu7
Architecture: amd64
Date: Thu May 17 16:02:33 2012
InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1)
ProcEnviron:
 TERM=xterm
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: postfix
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: postfix (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug precise

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to postfix in Ubuntu.
https://bugs.launchpad.net/bugs/1001040

Title:
  "TLS library problem" drops incoming mail when sender uses RC4-MD5 cipher

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1001040/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1001040] Re: "TLS library problem" drops incoming mail when sender uses RC4-MD5 cipher
** Description changed: Everytime my email server (Ubuntu Server 12.04) receives an email sent from google.com (e.g. gmail) using TLS with the RC4-MD5 cipher, it fails. Here is the output of once such interaction. I have set smtpd_tls_loglevel=2 in /etc/postfix/main.cf in hopes this will help. Note that I have replaced my actual hostname with 'myhostname' May 17 15:43:02 myhostname postfix/smtpd[28328]: initializing the server-side TLS engine May 17 15:43:02 myhostname postfix/smtpd[28328]: connect from mail-yw0-f47.google.com[209.85.213.47] May 17 15:43:03 myhostname postfix/smtpd[28328]: setting up TLS connection from mail-yw0-f47.google.com[209.85.213.47] May 17 15:43:03 myhostname postfix/smtpd[28328]: mail-yw0-f47.google.com[209.85.213.47]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH" May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:before/accept initialization May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 read client hello A May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 write server hello A May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 write certificate A May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 write server done A May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 flush data May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 read client key exchange A May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 read finished A May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 write change cipher spec A May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 write finished A May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL_accept:SSLv3 flush data May 17 15:43:03 myhostname postfix/smtpd[28328]: mail-yw0-f47.google.com[209.85.213.47]: save session DC174AEAF16104F9B5ACF53EFD8E242ED70DD37C4957B17780 133B84CE85D295&s=smtp to smtpd cache May 17 15:43:03 myhostname postfix/tlsmgr[28319]: put smtpd 
session id=DC174AEAF16104F9B5ACF53EFD8E242ED70DD37C4957B17 780133B84CE85D295&s=smtp [data 127 bytes] May 17 15:43:03 myhostname postfix/tlsmgr[28319]: write smtpd TLS cache entry DC174AEAF16104F9B5ACF53EFD8E242ED70DD37C4957B17780 133B84CE85D295&s=smtp: time=1337294583 [data 127 bytes] May 17 15:43:03 myhostname postfix/smtpd[28328]: Anonymous TLS connection established from mail-yw0-f47.google.com[209.85.213.47]: TLSv1 with cipher RC4-MD5 (128/128 bits) May 17 15:43:03 myhostname postfix/smtpd[28328]: SSL3 alert read:fatal:bad record mac May 17 15:43:03 myhostname postfix/smtpd[28328]: warning: TLS library problem: 28328:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1247:SSL alert number 20: May 17 15:43:03 myhostname postfix/smtpd[28328]: lost connection after EHLO from mail-yw0-f47.google.com[209.85.213.47] May 17 15:43:03 myhostname postfix/smtpd[28328]: disconnect from mail-yw0-f47.google.com[209.85.213.47] At least one other user is encountering this problem, as discussed here: - http://ubuntuforums.org/showthread.php?p=11945418#post11945418 + http://ubuntuforums.org/showthread.php?t=1981839 ProblemType: Bug DistroRelease: Ubuntu 12.04 Package: postfix 2.9.1-4 ProcVersionSignature: Ubuntu 3.2.0-23.36-generic 3.2.14 Uname: Linux 3.2.0-23-generic x86_64 ApportVersion: 2.0.1-0ubuntu7 Architecture: amd64 Date: Thu May 17 16:02:33 2012 InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release amd64 (20120424.1) ProcEnviron: - TERM=xterm - LANG=en_US.UTF-8 - SHELL=/bin/bash + TERM=xterm + LANG=en_US.UTF-8 + SHELL=/bin/bash SourcePackage: postfix UpgradeStatus: No upgrade log present (probably fresh install)
[Bug 1001040] Re: "TLS library problem" drops incoming mail when sender uses RC4-MD5 cipher
This server has only been running a couple days. I initially performed all my testing for emails sent from "outside" using gmail.com and it seemed that my emails came through no problem. I now see that google.com also uses cipher ECDHE-RSA-RC4-SHA, and messages received (by me) using this cipher do not error out and seem to arrive just fine.
[Bug 1001040] Re: "TLS library problem" drops incoming mail when sender uses RC4-MD5 cipher
Using self-signed certificate...
[Bug 1001040] Re: "TLS library problem" drops incoming mail when sender uses RC4-MD5 cipher
Have circumvented the problem by adding "smtpd_tls_exclude_ciphers = RC4-MD5" to my /etc/postfix/main.cf. Google is now using RC4-SHA instead, and I've experienced no further problems so far.

Obviously this may not be a postfix bug (it seems openssl-related issues can even be caused by compiler optimization or other issues and it seems likely in any case that the bug is in the openssl library that postfix is using) but I am more than willing to help diagnose it, whatever package it belongs in. It should be 100% reproducible if I stop the cipher exclusion unless google changes something on their end.
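
Added example, not part of the original thread and not Postfix code: a small triage script that reproduces the reporter's diagnosis from mail.log by pairing each "TLS connection established ... with cipher X" line with any later "TLS library problem" line from the same smtpd process, so failures can be counted per negotiated cipher before deciding what to put in smtpd_tls_exclude_ciphers. The sample log is constructed from the line formats quoted above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log lines quoted in the report;
# host names and addresses are placeholders.
ERR = ("warning: TLS library problem: 28328:error:140943FC:SSL routines:"
       "SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1247:SSL alert number 20:")
SAMPLE_LOG = f"""\
May 17 15:43:03 mx postfix/smtpd[28328]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May 17 15:43:03 mx postfix/smtpd[28328]: {ERR}
May 17 15:43:03 mx postfix/smtpd[28328]: disconnect from a.example[192.0.2.10]
May 17 15:44:10 mx postfix/smtpd[28401]: Anonymous TLS connection established from b.example[192.0.2.11]: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
May 17 15:44:11 mx postfix/smtpd[28401]: disconnect from b.example[192.0.2.11]
May 17 15:45:20 mx postfix/smtpd[28328]: Anonymous TLS connection established from a.example[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May 17 15:45:20 mx postfix/smtpd[28328]: {ERR}
May 17 15:45:20 mx postfix/smtpd[28328]: disconnect from a.example[192.0.2.10]
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
ESTABLISHED = re.compile(r"TLS connection established from (\S+): (\S+) with cipher (\S+)")

def tls_failures_by_cipher(log_text):
    """Return {cipher: (sessions, sessions_with_tls_library_error)}."""
    stats = defaultdict(lambda: [0, 0])
    current = {}  # smtpd pid -> [cipher, already_counted_as_failed]
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        est = ESTABLISHED.search(msg)
        if est:
            cipher = est.group(3)
            current[pid] = [cipher, False]
            stats[cipher][0] += 1
        elif "TLS library problem" in msg and pid in current:
            # OpenSSL may log several error lines; count the session once.
            if not current[pid][1]:
                current[pid][1] = True
                stats[current[pid][0]][1] += 1
        elif msg.startswith("disconnect from"):
            # One smtpd process serves many clients in turn: reset its state.
            current.pop(pid, None)
    return {c: tuple(v) for c, v in stats.items()}

def always_failing(stats):
    """Ciphers for which every established session hit a TLS library error."""
    return sorted(c for c, (n, bad) in stats.items() if n and n == bad)

if __name__ == "__main__":
    print(always_failing(tls_failures_by_cipher(SAMPLE_LOG)))
```

Errors raised before the handshake completes have no "established" line and are deliberately not attributed to any cipher.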