|
Hello everyone! I've been trying to enable Secure Channel TLS for a remote domain and am at a point where my understanding of TLS and the ciphers seems to be too meager to figure out what is going wrong.

With no entry or "encrypt" or "verify" or "secure" for example.com in smtp_tls_policy_maps, mail goes out fine and the log looks like this:

    Nov 30 07:10:05 gw postfix/smtp[28367]: setting up TLS connection to exchange1.example.com
    Nov 30 07:10:06 gw postfix/smtp[28367]: Verified: subject_CN=exchange1.example.com, issuer=Thawte Premium Server CA
    Nov 30 07:10:06 gw postfix/smtp[28367]: TLS connection established to exchange1.example.com: TLSv1 with cipher RC4-MD5 (128/128 bits)
    Nov 30 07:10:06 gw postfix/smtp[28367]: B0BA25009BA: to=<user>, relay=exchange1.example.com[1.2.3.4]:25, delay=0.54, delays=0.08/0/0.26/0.2, dsn=2.6.0, status=sent (250 2.6.0 <474FB74B.7080901> Queued mail for delivery)

However, as soon as I introduce my fully bullshit compliant ultra-secure setting of "ciphers=high" in smtp_tls_policy_maps, what happens is this:

    Nov 30 07:19:27 gw postfix/smtp[26097]: Verified: subject_CN=exchange1.example.com, issuer=Thawte Premium Server CA
    Nov 30 07:19:27 gw postfix/smtp[26097]: TLS connection established to exchange1.example.com: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
    Nov 30 07:19:28 gw postfix/smtp[26097]: AB24E500A16: lost connection with exchange1.example.com[1.2.3.4] while sending MAIL FROM

This happens with "verify ciphers=high" as well as with "secure ciphers=high" and "encrypt ciphers=high" in smtp_tls_policy_maps. Delivery then moves on to their backup MX, which doesn't support TLS, so the mail gets deferred.

It does not happen with "may ciphers=high", but with "may", the "ciphers=high" setting seems to be ignored and the session uses RC4-MD5. I didn't go over the docs intensely enough to see if this is intended, but as this is an irrelevant use case here, I don't want to focus on it.

Judging from the logs, my local mailer is sending out mail with DES-CBC3-SHA using opportunistic TLS to other domains all the time, such as this:

    Nov 29 15:04:42 gw postfix/smtp[18005]: Unverified: subject_CN=mx1.example.de, issuer=Some weird CA
    Nov 29 15:04:42 gw postfix/smtp[18005]: TLS connection established to mx1.example.de: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
    Nov 29 15:04:42 gw postfix/smtp[18005]: A7E35500F1A: to=<user>, relay=mx1.example.de[2.3.4.5]:25, delay=0.79, delays=0.08/0/0.51/0.19, dsn=2.0.0, status=sent (250 251777254 message accepted for delivery)

For completeness, here's an excerpt of the relevant parts in postconf:

    # postconf -n | grep tls
    smtp_tls_CApath = /etc/postfix/tls/cacerts.d
    smtp_tls_loglevel = 1
    smtp_tls_note_starttls_offer = yes
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    smtp_tls_security_level = may
    smtpd_tls_cert_file = /etc/postfix/tls/mx.mydomain-cert.20070319.pem
    smtpd_tls_key_file = /etc/postfix/tls/mx.mydomain-key.20070319.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may

The remote MX is running Exchange 2003, which seems to be a bit selective about whom it wants to talk with. For example, I can't do manual SMTP with openssl s_client, even with the latest OpenSSL release that properly sends EHLO and when using RC4-MD5.

So, here are my questions:

- Is my Postfix installation to blame for the situation?
- If not (which is what I assume), are there any hints I can give the remote admin in order to resolve the situation?
- Am I overrating the relevance of "ciphers=high" for my client's trade secrets?

I'm really stuck here.

Thanks for your attention,

-martin

-- 
Martin Schmitt - Schmitt Systemberatung - http://www.scsy.de
DE 35415 Pohlheim, Gießener Str. 18
DE 65307 Bad Schwalbach, Am Bräunchesberg 9
Linux/UNIX - Internet - E-Mail Infrastructure - Antispam/Antivirus
- "What goes up, must come down. Ask any system administrator." -
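The diagnosis in the post comes down to reading three things out of each smtp(8) log session: the certificate verification result, the cipher that was actually negotiated, and whether the SMTP transaction then completed or was dropped. The following script, an added example that is neither the poster's nor Postfix's own code, parses the log format shown above (smtp_tls_loglevel = 1), groups lines by the smtp(8) process id into delivery attempts, and flags attempts where the TLS handshake succeeded but the peer dropped the connection afterwards. The sample log lines are constructed after the post's excerpt with placeholder addresses, and the cipher-grade table is an assumption: an abbreviated version of OpenSSL's HIGH/MEDIUM/LOW grades for the suites that appear here.

```python
"""Summarise Postfix smtp(8) TLS sessions from syslog lines (added example).

Parses the loglevel-1 format shown in the post, groups lines by pid into
delivery attempts and reports peer, verification, cipher and outcome.
"""
import re

# Constructed sample after the post's excerpt (documentation-range addresses):
# 28367 succeeds with RC4-MD5, 26097 negotiates DES-CBC3-SHA and is dropped
# while sending MAIL FROM, 18005 is opportunistic TLS to another domain.
SAMPLE_LOG = """\
Nov 30 07:10:05 gw postfix/smtp[28367]: setting up TLS connection to exchange1.example.com
Nov 30 07:10:06 gw postfix/smtp[28367]: Verified: subject_CN=exchange1.example.com, issuer=Thawte Premium Server CA
Nov 30 07:10:06 gw postfix/smtp[28367]: TLS connection established to exchange1.example.com: TLSv1 with cipher RC4-MD5 (128/128 bits)
Nov 30 07:10:06 gw postfix/smtp[28367]: B0BA25009BA: to=<user@example.com>, relay=exchange1.example.com[192.0.2.10]:25, delay=0.54, delays=0.08/0/0.26/0.2, dsn=2.6.0, status=sent (250 2.6.0 Queued mail for delivery)
Nov 30 07:19:26 gw postfix/smtp[26097]: setting up TLS connection to exchange1.example.com
Nov 30 07:19:27 gw postfix/smtp[26097]: Verified: subject_CN=exchange1.example.com, issuer=Thawte Premium Server CA
Nov 30 07:19:27 gw postfix/smtp[26097]: TLS connection established to exchange1.example.com: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Nov 30 07:19:28 gw postfix/smtp[26097]: AB24E500A16: lost connection with exchange1.example.com[192.0.2.10] while sending MAIL FROM
Nov 29 15:04:42 gw postfix/smtp[18005]: Unverified: subject_CN=mx1.example.de, issuer=Some weird CA
Nov 29 15:04:42 gw postfix/smtp[18005]: TLS connection established to mx1.example.de: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Nov 29 15:04:42 gw postfix/smtp[18005]: A7E35500F1A: to=<user@example.de>, relay=mx1.example.de[192.0.2.20]:25, delay=0.79, delays=0.08/0/0.51/0.19, dsn=2.0.0, status=sent (250 message accepted for delivery)
"""

LINE_RE = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
                     r'postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SETUP_RE = re.compile(r'^setting up TLS connection to (?P<peer>\S+)$')
VERIFY_RE = re.compile(r'^(?P<status>Verified|Unverified|Trusted|Untrusted): '
                       r'subject_CN=(?P<cn>[^,]+), issuer=(?P<issuer>.*)$')
ESTAB_RE = re.compile(r'^TLS connection established to (?P<peer>\S+): (?P<proto>\S+) '
                      r'with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)$')
SENT_RE = re.compile(r'^(?P<queue_id>[0-9A-F]+): to=<[^>]*>, relay=(?P<relay>\S+), '
                     r'.*status=(?P<status>\w+)')
LOST_RE = re.compile(r'^(?P<queue_id>[0-9A-F]+): lost connection with (?P<relay>\S+) '
                     r'while (?P<phase>.*)$')

# Assumption: abbreviated OpenSSL grade table for the suites seen in these logs;
# Postfix's "ciphers=high" selects OpenSSL's HIGH grade.
CIPHER_GRADE = {'RC4-MD5': 'MEDIUM', 'RC4-SHA': 'MEDIUM', 'DES-CBC3-SHA': 'HIGH',
                'AES128-SHA': 'HIGH', 'AES256-SHA': 'HIGH', 'DES-CBC-SHA': 'LOW',
                'EXP-RC4-MD5': 'EXPORT'}


def _new_attempt(pid, ts):
    return {'pid': pid, 'started': ts, 'peer': None, 'verify': None, 'issuer': None,
            'proto': None, 'cipher': None, 'bits': None, 'outcome': None, 'detail': None}


def parse_sessions(log_text):
    """Group smtp(8) lines by pid into delivery attempts, in completion order."""
    open_attempts, finished = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                  # not an smtp(8) line
        pid, ts, msg = m.group('pid'), m.group('ts'), m.group('msg')
        setup = SETUP_RE.match(msg)
        if setup or pid not in open_attempts:         # a new attempt starts
            open_attempts[pid] = _new_attempt(pid, ts)
        a = open_attempts[pid]
        verify, estab = VERIFY_RE.match(msg), ESTAB_RE.match(msg)
        lost, sent = LOST_RE.match(msg), SENT_RE.match(msg)
        if setup:
            a['peer'] = setup.group('peer')
        elif verify:
            a['verify'], a['issuer'] = verify.group('status'), verify.group('issuer')
        elif estab:
            a['peer'], a['proto'] = estab.group('peer'), estab.group('proto')
            a['cipher'], a['bits'] = estab.group('cipher'), int(estab.group('bits'))
        elif lost:                                    # peer dropped mid-transaction
            a['outcome'], a['detail'] = 'lost', lost.group('phase')
            finished.append(open_attempts.pop(pid))
        elif sent:                                    # final delivery status line
            a['outcome'], a['detail'] = sent.group('status'), sent.group('relay')
            finished.append(open_attempts.pop(pid))
    finished.extend(open_attempts.values())           # attempts with no final line
    return finished


def handshake_then_dropped(sessions):
    """Attempts where TLS came up and the peer then dropped the SMTP dialogue:
    the symptom in the post (HIGH-grade handshake, then lost connection)."""
    return [s for s in sessions if s['cipher'] and s['outcome'] == 'lost']


def report(sessions):
    """One summary line per attempt: pid, peer, verify, cipher, grade, outcome."""
    return ['%s %-22s %-10s %-13s %-6s %-5s %s' % (
                s['pid'], s['peer'], s['verify'], s['cipher'],
                CIPHER_GRADE.get(s['cipher'], 'UNKNOWN'), s['outcome'], s['detail'] or '')
            for s in sessions]


if __name__ == '__main__':
    attempts = parse_sessions(SAMPLE_LOG)
    print('\n'.join(report(attempts)))
    for s in handshake_then_dropped(attempts):
        print('TLS up with %s but dropped while %s: %s' % (s['cipher'], s['detail'], s['peer']))
```

Run against real mail logs (`grep 'postfix/smtp\[' /var/log/mail.log | python3 tlssessions.py` with the sample replaced by `sys.stdin.read()`), the flagged list separates "the handshake itself failed" from "the handshake succeeded at the requested grade and the peer then gave up", which is the distinction the post's three questions turn on.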