
Re: smtp_tls_security_level = may combined with smtp_tls_policy_maps

  • JL Hill
    Mar 15, 2013
      My apologies, I grabbed the wrong snippet of log file (same host, different server). Here is the entire connection log (I changed only the domain name and xxx'd the ip address):

      Mar  3 06:36:10 host postfix/smtp[22224]: initializing the client-side TLS engine
      Mar  3 06:36:11 host postfix/smtp[22224]: setting up TLS connection to smtp1.example.com[70.186.xxx.xxx]:25
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:before/connect initialization
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:unknown state
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server hello A
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=1 verify=1 subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=0 verify=1 subject=/O=smtp1.example.com/OU=Domain Control Validated/CN=smtp1.example.com
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server certificate A
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server done A
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write client key exchange A
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write change cipher spec A
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write finished A
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 flush data
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read finished A
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: subject_CN=smtp1.example.com, issuer_CN=Go Daddy Secure Certification Authority, fingerprint 93:28:E6:D5:F1:6F:FD:34:09:8B:BF:52:35:BB:94:6C, pkey_fingerprint=E4:A4:55:48:AF:85:C5:A0:51:25:94:B8:57:54:D5:50
      Mar  3 06:36:11 host postfix/smtp[22224]: Untrusted TLS connection established to smtp1.example.com[70.186.xxx.xxx]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL3 alert write:fatal:protocol version
      Mar  3 06:36:11 host postfix/smtp[22224]: warning: TLS library problem: 22224:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
      Mar  3 06:36:11 host postfix/smtp[22224]: ACFBAD746C: to=<brian@...>, relay=smtp1.example.com[70.186.xxx.xxx]:25, delay=222575, delays=222574/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with smtp1.example.com[70.186.xxx.xxx] while sending MAIL FROM)

      As I said, I was trying to understand what was supposed to work in turning off TLS for a specific domain. I understand that I should be able to do it by specifying "example.com none" in tls_policy. I will test using smtp_tls_policy_maps, as well as testing using smtpd_discard_ehlo_keyword_address_maps.

      Thank you again, and again my apologies for grabbing the wrong snippet of log file.

      JL Hill

      On Fri, Mar 15, 2013 at 6:33 PM, Viktor Dukhovni <postfix-users@...> wrote:
      On Fri, Mar 15, 2013 at 05:19:30PM -0400, JL Hill wrote:

      > I feel more confused. I had originally tested
      >
      >     example.com   none
      >
      > and it failed. I searched the documentation, and found .example.com to use
      > for subdomains, so I thought that would fit my case as the negotiation is
      > with smtp2.example.com, even though I am emailing john.doe@...
      >
      > When I tested without the dot, sending to john.doe@... my log shows
      > "Host offered STARTTLS: [smtp2.example.com]"

      This means that TLS was NOT used. This is a helpful log message that
      tells you could use TLS, but you're not.  Your configuration turns
      on this non-default helpful log message.

              # default:
              smtp_tls_note_starttls_offer = no

      --
              Viktor.
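The failure pattern in the log above (TLS negotiated, then a "TLS library problem" warning, then a deferred delivery) is easy to miss by eye across a busy maillog. The following is an added example, not code from the thread or from Postfix: it correlates smtp(8) log lines per process id and lists the next-hop domains that show this pattern, in the "domain none" form the poster intends to put in smtp_tls_policy_maps. The regular expressions are assumptions about the log format shown above, and the sample lines, addresses and IPs are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the smtp(8) log quoted in the post above;
# the addresses and the 192.0.2.x / 198.51.100.x IPs are documentation values, not real hosts.
SAMPLE_LOG = """\
Mar  3 06:36:11 host postfix/smtp[22224]: Untrusted TLS connection established to smtp1.example.com[192.0.2.25]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Mar  3 06:36:11 host postfix/smtp[22224]: warning: TLS library problem: 22224:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
Mar  3 06:36:11 host postfix/smtp[22224]: ACFBAD746C: to=<brian@example.com>, relay=smtp1.example.com[192.0.2.25]:25, delay=222575, delays=222574/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with smtp1.example.com[192.0.2.25] while sending MAIL FROM)
Mar  3 06:40:02 host postfix/smtp[22300]: Trusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar  3 06:40:03 host postfix/smtp[22300]: 0B1C2D3E4F: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

PID_RE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
TLS_RE = re.compile(r"^(Untrusted|Trusted|Verified|Anonymous) TLS connection established to (\S+?)\[")
DELIVERY_RE = re.compile(r"to=<[^@>]+@([^>]+)>, relay=(\S+?)\[.*status=(\w+)")

def parse_deliveries(log_text):
    """Correlate each smtp(8) process's TLS events with the delivery record that follows.

    Returns one dict per delivery: recipient domain, relay host, the trust level Postfix
    logged for the TLS session (None if none was established), whether a 'TLS library
    problem' warning preceded the delivery, and the final delivery status."""
    state = defaultdict(lambda: {"tls": None, "tls_problem": False})
    deliveries = []
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = state[pid]
        if t := TLS_RE.match(msg):
            s["tls"] = t.group(1)
        elif msg.startswith("warning: TLS library problem"):
            s["tls_problem"] = True
        elif d := DELIVERY_RE.search(msg):
            domain, relay, status = d.groups()
            deliveries.append({"domain": domain, "relay": relay, "status": status,
                               "tls": s["tls"], "tls_problem": s["tls_problem"]})
            state[pid] = {"tls": None, "tls_problem": False}  # smtp(8) reuses the process

    return deliveries

def suggest_policy_entries(deliveries):
    """Destinations where TLS was negotiated, the library then failed and delivery was
    deferred: candidates for an explicit 'none' entry in smtp_tls_policy_maps. The lookup
    key is the next-hop destination, here the recipient domain (assumes no transport_maps)."""
    return sorted({f"{d['domain']}  none" for d in deliveries
                   if d["tls"] and d["tls_problem"] and d["status"] == "deferred"})
```

Run it against a real maillog and the output is only a list of candidates; whether to drop TLS for a destination or fix the far end is still a per-site decision.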
