Re: Postfix/TLS and Exchange 2003 'HIGH' cipher problem
(postfix mailing list archive, September 2004)
On Tue, Aug 31, 2004 at 08:27:14PM -0700, David F. Severski wrote:
> I'm having a hard time tracking down a failure with a test Exchange 2003
> SP1 (W2K3 VM - waits.deadheaven.com) to relay mail to a Postfix TLS
> enabled server (FreeBSD 4.10 - geoff.deadheaven.com). The Exchange box is
> set to send all mail via TLS w/basic authentication to my Postfix server.
> When my smtpd_tls_cipherlist is set to DEFAULT, everything works fine. When
> that parameter is set to HIGH, postfix reports that the connection is lost
> after the TLS secured EHLO from the Exchange box.
>
> The logs from debug_peer show only that the connection is lost after the
> aforementioned second EHLO. Cranking the smtpd_tls_loglevel all the way
> up to 4 shows the line 'Aug 29 15:18:59 geoff postfix/smtpd[429]: SSL3
> alert write:fatal:protocol version'. A packet capture of the traffic
> (available at http://www.deadheaven.com/tls_high_auth.pcap), correlated
> with the debug_peer output (included, along with postfinger output, below)
> seems to show, in the TLS portion, the EHLO, Postfix's 250 response, and
> then what looks to be the Exchange box trying to send an AUTH request, only
> to be dropped by Postfix.
>
> Both the Postfix server and the Exchange instance have local CAs that
> have issued certificates to the local systems. The Exchange box has a
> copy of the Postfix's server certificate installed as well as the
> postfix's issuing CA installed. All other TLS communications, including TLS
> protected SASL logins from Outlook clients, are working fine.
>
> I'd be inclined to blame my limited Exchange knowledge, but having traffic
> flow fine as soon as I allow a different cipher, such as RC4-MD5, has me
> stumped. With both TLS patches and SASL being involved, this strays
> pretty far from 'supported' installations, but I'm hoping wiser heads
> than myself may know where to look further in troubleshooting. Any help in
> tracking this down would be most appreciated.

Hmm.
I am somewhat out of ideas on this one. Please see below the "ssldump"
output of the session. ssldump indicates a protocol violation. On the
postfix side this is indicated by the "SSL3 alert write:fatal:protocol
version". I must admit that I do not yet have an idea on what is going on...

Regards,
	Lutz

-snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip-
New TCP connection #1: 192.168.0.9(2317) <-> 192.168.0.1(25)
0.0038 (0.0038)  S>C
---------------------------------------------------------------
220 geoff.deadheaven.com ESMTP Postfix
---------------------------------------------------------------
0.0288 (0.0250)  C>S
---------------------------------------------------------------
EHLO waits.example.tld
---------------------------------------------------------------
0.0304 (0.0016)  S>C
---------------------------------------------------------------
250-geoff.deadheaven.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
---------------------------------------------------------------
0.0679 (0.0374)  C>S
---------------------------------------------------------------
STARTTLS
---------------------------------------------------------------
0.0684 (0.0005)  S>C
---------------------------------------------------------------
220 Ready to start TLS
---------------------------------------------------------------
1 1  0.0692 (0.0007)  C>S  Handshake
      ClientHello
        Version 3.1
        resume [32]=
          04 c0 b3 4a 94 e7 d3 01 f6 b8 ec 20 a9 d6 69 7c
          e7 7e d3 37 0f 1a 95 46 8a 7b e6 4b 18 0e 81 7e
        cipher suites
        TLS_RSA_WITH_RC4_128_MD5
        TLS_RSA_WITH_RC4_128_SHA
        TLS_RSA_WITH_3DES_EDE_CBC_SHA
        TLS_RSA_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
        TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
        TLS_RSA_EXPORT_WITH_RC4_40_MD5
        TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
        TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        TLS_DHE_DSS_WITH_DES_CBC_SHA
        TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
        compression methods
                  NULL
1 2  0.0707 (0.0014)  S>C  Handshake
      ServerHello
        Version 3.1
        session_id[32]=
          cc bb 53 d6 9f 85 a3 c1 37 4a 3b d6 bd be 21 dd
          dd 19 45 94 ca 92 40 6f 4f c9 f9 a4 f1 1a d7 fb
        cipherSuite         TLS_RSA_WITH_3DES_EDE_CBC_SHA
        compressionMethod                   NULL
1 3  0.0707 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0707 (0.0000)  S>C  Handshake
      CertificateRequest
        certificate_types   rsa_sign
        certificate_types   dss_sign
        certificate_authority
          30 72 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
          13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e
          67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 53
          65 61 74 74 6c 65 31 14 30 12 06 03 55 04 0a 13
          0b 44 65 61 64 20 48 65 61 76 65 6e 31 26 30 24
          06 09 2a 86 48 86 f7 0d 01 09 01 16 17 64 61 76
          69 64 73 6b 69 40 64 65 61 64 68 65 61 76 65 6e
          2e 63 6f 6d
      ServerHelloDone
1 5  0.0765 (0.0058)  C>S  Handshake
      Certificate
      ClientKeyExchange
1 6  0.0765 (0.0000)  C>S  ChangeCipherSpec
1 7  0.0765 (0.0000)  C>S  Handshake
1 8  0.1007 (0.0242)  S>C  ChangeCipherSpec
1 9  0.1007 (0.0000)  S>C  Handshake
1 10 0.1018 (0.0010)  C>S  application_data
1 11 0.1036 (0.0018)  S>C  application_data
Unknown SSL content type 2
1    0.1057 (0.0020)  S>C  TCP FIN
1 12 0.1058 (0.0001)  C>SShort record
1    0.1060 (0.0001)  C>S  TCP FIN
-snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip-
ssldump also cannot understand
>
> Thanks!
>
> David
>
> - -begin maillog section-
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: connect from waits.deadheaven.com[192.168.0.9]
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 220 geoff.deadheaven.com ESMTP Postfix
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: watchdog_pat: 0x80ac208
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: < waits.deadheaven.com[192.168.0.9]: EHLO waits.example.tld
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-geoff.deadheaven.com
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-PIPELINING
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-SIZE 10240000
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-VRFY
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-ETRN
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-STARTTLS
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: match_list_match: waits.deadheaven.com: no match
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: match_list_match: 192.168.0.9: no match
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250 8BITMIME
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: watchdog_pat: 0x80ac208
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: < waits.deadheaven.com[192.168.0.9]: STARTTLS
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 220 Ready to start TLS
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: setting up TLS connection from waits.deadheaven.com[192.168.0.9]
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: TLS connection established from waits.deadheaven.com[192.168.0.9]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: name_mask: noanonymous
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: watchdog_pat: 0x80ac208
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: < waits.deadheaven.com[192.168.0.9]: EHLO waits.example.tld
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-geoff.deadheaven.com
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-PIPELINING
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-SIZE 10240000
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-VRFY
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-ETRN
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-AUTH LOGIN PLAIN
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: match_list_match: waits.deadheaven.com: no match
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: match_list_match: 192.168.0.9: no match
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250 8BITMIME
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: watchdog_pat: 0x80ac208
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: smtp_get: EOF
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: lost connection after EHLO from waits.deadheaven.com[192.168.0.9]
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: disconnect from waits.deadheaven.com[192.168.0.9]
> - -end maillog section-
>
> postfinger - postfix configuration on Sun Aug 29 16:04:16 PDT 2004
> version: 1.29
>
> - --System Parameters--
> mail_version = 2.1.4
> hostname = geoff.deadheaven.com
> uname = FreeBSD geoff.deadheaven.com 4.10-STABLE FreeBSD 4.10-STABLE #26: Fri Aug 20 06:37:32 PDT 2004
>
> - --Packaging information--
> looks like this postfix comes from BSD package: postfix-2.1.4,1
>
> - --main.cf non-default parameters--
> alias_database = hash:/etc/mail/aliases
> alias_maps = hash:/etc/mail/aliases, hash:/usr/local/mailman/data/aliases
> command_directory = /usr/local/sbin
> daemon_directory = /usr/local/libexec/postfix
> debug_peer_list = waits.deadheaven.com
> home_mailbox = Maildir/
> lmtp_send_xforward_command = yes
> mailq_path = /usr/local/bin/mailq
> mydestination = $myhostname, localhost.$mydomain, lists.$mydomain
> mynetworks = 127.0.0.1/32
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> notify_classes = 2bounce,resource,software
> recipient_delimiter = -
> sendmail_path = /usr/local/sbin/sendmail
> smtp_tls_cert_file = /etc/ssl/deadheavenCA/cacert.pem
> smtp_tls_cipherlist = HIGH
> smtp_tls_key_file = /etc/ssl/deadheavenCA/private/cakey.pem
> smtp_tls_loglevel = 3
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes
> smtpd_hard_error_limit = 5
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_recipient_access hash:/usr/local/etc/postfix/recipient_filter, reject_unauth_destination, check_client_access hash:/usr/local/etc/postfix/client_blacklist, check_helo_access regexp:/usr/local/etc/postfix/helo_blacklist, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client dnsbl.njabl.org, reject_rbl_client korea.services.net, reject_rbl_client list.dsbl.org, reject_rbl_client relays.ordb.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client opm.blitzed.org, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rbl_client dul.dnsbl.sorbs.net, check_client_access hash:/usr/local/etc/postfix/bypass_rdns_checks, reject_unknown_client
> smtpd_sasl_auth_enable = yes
> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/sender_login
> smtpd_tls_CAfile = /etc/ssl/deadheavenCA/cacert.pem
> smtpd_tls_ask_ccert = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/newcert.pem
> smtpd_tls_cipherlist = HIGH
> smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/dh_1024.pem
> smtpd_tls_dh512_param_file = /usr/local/etc/postfix/dh_512.pem
> smtpd_tls_key_file = /etc/ssl/nopass.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_use_tls = yes
> tls_daemon_random_source = dev:/dev/urandom
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 450
> virtual_gid_maps = static:1008
> virtual_mailbox_base = /
> virtual_mailbox_domains = piranesia.net, deadheaven.com, fuzzypoodles.com
> virtual_mailbox_maps = ldap:ldapvirtual
> virtual_transport = maildrop
> virtual_uid_maps = static:1008
>
> - --master.cf--
> smtp-amavis unix - - n - 2 lmtp
>     -o lmtp_data_done_timeout=1200
>     -o max_use=10
> 127.0.0.1:10025 inet n - n - - smtpd
>     -o content_filter=
>     -o local_recipient_maps=
>     -o relay_recipient_maps=
>     -o smtpd_restriction_classes=
>     -o smtpd_client_restrictions=
>     -o smtpd_helo_restrictions=
>     -o smtpd_sender_restrictions=
>     -o smtpd_recipient_restrictions=permit_mynetworks,reject
>     -o mynetworks=127.0.0.0/8
>     -o strict_rfc821_envelopes=yes
> smtp inet n - n - - smtpd
> pickup fifo n - n 60 1 pickup
> pre-cleanup unix n - n - 0 cleanup
>     -o virtual_alias_maps=
>     -o canonical_maps=
>     -o sender_canonical_maps=
>     -o recipient_canonical_maps=
>     -o masquerade_domains=
> cleanup unix n - n - 0 cleanup
>     -o mime_header_checks=
>     -o nested_header_checks=
>     -o body_checks=
>     -o header_checks=
> qmgr fifo n - n 300 1 qmgr
> tlsmgr fifo - - n 300 1 tlsmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> flush unix n - n 1000? 0 flush
> smtp unix - - n - - smtp
> showq unix n - n - - showq
> error unix - - n - - error
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> cyrus unix - n n - - pipe
>     flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> uucp unix - n n - - pipe
>     flags=F user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> ifmail unix - n n - - pipe
>     flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
>     flags=F. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
> relay unix - - n - - smtp
> proxymap unix - - n - - proxymap
> maildrop unix - n n - - pipe
>     flags=DRhu user=vmail argv=/usr/local/bin/maildrop
>     -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
>
> - -- end of postfinger output --

-- 
Lutz Jaenicke                             Lutz.Jaenicke@xxxxxxxxxxxxxxxxx
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
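Two things worth checking against the trace and the maillog above, written here as an added example (not code from the list post, from Postfix or from ssldump). First, which suite a server restricted to HIGH selects from the Exchange ClientHello: the model picks TLS_RSA_WITH_3DES_EDE_CBC_SHA, the DES-CBC3-SHA that the maillog reports, so the cipher list is not what breaks the handshake; with DEFAULT it picks the client's first preference, RC4-MD5, which matches the poster's observation. Second, how a TLS 1.0 record layer reacts to bytes that are not a TLS record, which is what ssldump's "Unknown SSL content type" and Postfix's "SSL3 alert write:fatal:protocol version" are reporting. Assumptions: the strength classes and the DEFAULT cipher string follow OpenSSL 0.9.7, the server honours client suite order (SSL_OP_CIPHER_SERVER_PREFERENCE not set), the check order attributed to OpenSSL's ssl3_get_record and to ssldump is my reading of those tools, and the clear-text SMTP command in the sample stream is constructed to illustrate the record check, not taken from the capture.

```python
"""Added example, not code from the list post, Postfix or ssldump: two checks
that reproduce what the ssldump trace and maillog above show.
select_suite()   suite a server limited to HIGH picks from the Exchange
                 ClientHello, versus one left at DEFAULT.
parse_records()  how a TLS 1.0 record layer reports non-TLS bytes.
"""
import struct

# Strength classes as OpenSSL 0.9.7 (current when this thread was written)
# defined them: HIGH = key longer than 128 bits (so 3DES counts), MEDIUM =
# 128-bit, LOW = 56/64-bit, EXPORT = export grade. Names and order are the
# suites from the ssldump ClientHello above; the middle field is the
# certificate type the suite needs for authentication.
EXCHANGE_CLIENT_HELLO = [
    ("TLS_RSA_WITH_RC4_128_MD5", "RSA", "MEDIUM"),
    ("TLS_RSA_WITH_RC4_128_SHA", "RSA", "MEDIUM"),
    ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", "RSA", "HIGH"),
    ("TLS_RSA_WITH_DES_CBC_SHA", "RSA", "LOW"),
    ("TLS_RSA_EXPORT1024_WITH_RC4_56_SHA", "RSA", "EXPORT"),
    ("TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA", "RSA", "EXPORT"),
    ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RSA", "EXPORT"),
    ("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5", "RSA", "EXPORT"),
    ("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "DSS", "HIGH"),
    ("TLS_DHE_DSS_WITH_DES_CBC_SHA", "DSS", "LOW"),
    ("TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA", "DSS", "EXPORT"),
]

# Classes admitted by the two smtpd_tls_cipherlist values in the thread.
# OpenSSL 0.9.7's DEFAULT was "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP",
# i.e. every class listed here; HIGH admits only HIGH.
CIPHERLIST_CLASSES = {
    "DEFAULT": {"HIGH", "MEDIUM", "LOW", "EXPORT"},
    "HIGH": {"HIGH"},
}


def select_suite(client_suites, server_cipherlist, server_cert_types):
    """First client-preferred suite the server can use, or None.
    Assumes client order is honoured (no SSL_OP_CIPHER_SERVER_PREFERENCE)
    and that a suite is usable only if the server holds a matching
    certificate; geoff.deadheaven.com presents an RSA certificate.
    """
    admitted = CIPHERLIST_CLASSES[server_cipherlist]
    for name, cert_type, strength in client_suites:
        if strength in admitted and cert_type in server_cert_types:
            return name
    return None


# TLS record header: content type, version major, version minor, length.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_records(stream, expected_version=(3, 1), version_first=True):
    """Walk a byte stream as a record layer does; return a list of events.
    version_first=True follows my reading of OpenSSL's ssl3_get_record, which
    answers a wrong version field with a fatal protocol_version alert before
    it looks at the content type; version_first=False reports the content
    type first, which is how ssldump labels the same bytes.
    """
    events, pos = [], 0
    while pos < len(stream):
        header = stream[pos:pos + 5]
        if len(header) < 5:                      # ssldump: "Short record"
            events.append(("short_record", len(header)))
            break
        ctype, major, minor, length = struct.unpack("!BBBH", header)
        bad_version = (major, minor) != expected_version
        bad_type = ctype not in CONTENT_TYPES
        if bad_version and (version_first or not bad_type):
            events.append(("alert", "protocol_version"))
            break
        if bad_type:                             # ssldump's complaint
            events.append(("unknown_content_type", ctype))
            break
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            events.append(("short_record", len(body)))
            break
        events.append((CONTENT_TYPES[ctype], length))
        pos += 5 + length
    return events


def tls_record(ctype, payload, version=(3, 1)):
    """Build one TLS record (header + payload) for constructed sample data."""
    return struct.pack("!BBBH", ctype, *version, len(payload)) + payload


# Constructed sample stream: one well-formed application_data record (filler
# bytes standing in for ciphertext) followed by a clear-text SMTP command
# written straight into the TLS stream. Illustrative only, not from the pcap.
SAMPLE_STREAM = tls_record(23, bytes(range(40))) + b"AUTH LOGIN\r\n"

if __name__ == "__main__":
    for cipherlist in ("DEFAULT", "HIGH"):
        chosen = select_suite(EXCHANGE_CLIENT_HELLO, cipherlist, {"RSA"})
        print(f"smtpd_tls_cipherlist = {cipherlist}: {chosen}")
    print("OpenSSL view:", parse_records(SAMPLE_STREAM))
    print("ssldump view:", parse_records(SAMPLE_STREAM, version_first=False))
```

Run as a script, the first part prints RC4-MD5 for DEFAULT and 3DES for HIGH; the second part shows the same clear-text bytes being reported as a protocol version alert by one record layer and as an unknown content type by the other, which is why the two tools in the thread describe the same failure differently. The DHE_DSS suites never come into play because the server only holds an RSA certificate.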