On Sun, Jun 16, 2013 at 11:13:05AM +0200, Jan P. Kessler wrote:
> > Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
> > attribute in the Postfix policy table.
>
> Thanks, that worked (postfix 2.8.13):
>
> policy_table:
> [mxtls.allianz.com] verify protocols=SSLv3
Beside the point, yet possibly of interest:
On Sun, Jun 16, 2013 at 03:07:01AM +0200, Jan P. Kessler wrote:
> # /opt/vrnetze/openssl/bin/openssl s_client -connect
> mxtls.allianz.com:25 -starttls smtp
> CONNECTED(0004)
snip
> ---
> 250 HELP
> HELO mail.EXAMPLE.COM
> 250 mailgw.allianz.de Hello
On 16.06.2013 05:00, Viktor Dukhovni wrote:
> On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:
>
> > The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> > issue. Unfortunately now we see another problem with the outgoing
> > instance, trying to send to another
On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:
> The openssl update from 0.9.8k to 1.0.1e solved the client certificate
> issue. Unfortunately now we see another problem with the outgoing
> instance, trying to send to another partner with mandatory TLS:
> mail.info] setting up TL
Some additional information:
# /opt/vrnetze/openssl/bin/openssl s_client -connect
mxtls.allianz.com:25 -starttls smtp
CONNECTED(0004)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
Certification Authority
verify error:num=19:self signed certificate in certificate chain
verif
>> # openssl
>> ./Configure \
>> --prefix=${BASE}/openssl \
>> --openssldir=${BASE}/openssl \
>> solaris-sparcv9-cc
>> make; make install
>>
>> # postfix
>> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
>> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4
On Sat, Jun 15, 2013 at 12:07:26PM +0200, Jan P. Kessler wrote:
> # openssl
> ./Configure \
> --prefix=${BASE}/openssl \
> --openssldir=${BASE}/openssl \
> solaris-sparcv9-cc
> make; make install
>
> # postfix
> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
> -R/usr/lo
> The sender should replace their certificate, it is not compliant with
> TLSv1. This too may take time.
>
> I never enabled ask_ccert on port 25, I had used 587 for that (on a
> machine that nevertheless was not an MSA), and clients with special
> access configured via ccerts had to use a transpo
On Fri, Jun 14, 2013 at 05:53:03PM +0200, Jan P. Kessler wrote:
> > I would have expected SHA-2 support as of OpenSSL 1.0.0a.
>
> Ok, so the problem seems to be clear. The system uses an ancient
> openssl version (sunfreeware package):
>
> libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0
Signature Algorithm: sha256WithRSAEncryption
It looks like your OpenSSL library does not enable this via
OpenSSL_add_ssl_algorithms().
The use of certificates with signature algorithms other than MD5
and SHA-1 is supposed to be negotiated via TLSv1.2, plain SSLv3/TLSv1
do not have a way to neg
On Fri, Jun 14, 2013 at 12:24:39PM +0200, Jan P. Kessler wrote:
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
> mail.info] mail.dgverlag.de[145.253.80.6]: Untrusted:
> subject_CN=DGVDEX.DGVERLAG.DE, issuer=VR IDENT SSL CA 2011,
> fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:8
>> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
>> mail.info] certificate verification failed for
>> mail.dgverlag.de[145.253.80.6]: untrusted issuer
>> /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
> Why do you check client certificates?
Because we authenticate/w
On Fri, Jun 14, 2013 at 12:24:39PM +0200, Jan P. Kessler wrote:
> currently we are experiencing problems with an incoming SMTP/TLS
> connection. Remote side is an Ironport device, we are using postfix
> 2.8.13 on solaris 10.
Please show "postconf -n".
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtp
Jan P. Kessler:
> Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
> mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
> encoding routines:ASN1_item_verify:unknown message digest
> algorithm:a_verify.c:146:
> Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID
Hi,
currently we are experiencing problems with an incoming SMTP/TLS
connection. Remote side is an Ironport device, we are using postfix
2.8.13 on solaris 10. The problem exists only for incoming mails
(ironport to postfix), the other direction works fine. It happens for
both opportunistic (which