
[OT] How to get damn outlook 2007 to accept my x.509 certificates?

  • Ralf Hildebrandt
    Message 1 of 4 , Feb 28, 2007
      Our postamt.charite.de uses x.509 certificates signed by the DFN-CA.

      Now, usually our users have no problems whatsoever connecting to
      postamt.charite.de via IMAPS on port 993 or port 25 with STARTTLS.
      They simply import the CA certificates or choose to accept the
      certificate permanently.

      Except for this one user with Outlook 2007. He can't -- for the life
      of it -- establish any TLS/SSL connection, Outlook reports a
      non-descript SSL error. It works for the same person with Outlook
      2003, but not with 2007.

      WTF?

      --
      Ralf Hildebrandt (Ralf.Hildebrandt@...) plonk@...
      Postfix - Einrichtung, Betrieb und Wartung Tel. +49 (0)30-450 570-155
      http://www.arschkrebs.de
      "Fifty years of programming language research, and we end up with C++ ???"
      - Richard A. O'Keefe.
    • Chris St. Pierre
      Message 2 of 4 , Mar 1, 2007
        On Wed, 28 Feb 2007, Ralf Hildebrandt wrote:

        > Except for this one user with Outlook 2007. He can't -- for the life
        > of it -- establish any TLS/SSL connection, Outlook reports a
        > non-descript SSL error. It works for the same person with Outlook
        > 2003, but not with 2007.

        We've seen similar problems with a handful of users, and I'm afraid we
        never found a solution except to allow those users to use plain text
        auth. My best guess is that one of the libraries that the broken
        Outlook depends on has gotten hosed somehow, but we never got to the
        bottom of it. IIRC, the Postfix logs just recorded that the client
        tried to start a TLS/SSL connection, and then spontaneously
        disconnected or otherwise failed.

        Best of luck to you, and let us know if you find a solution.

        Chris St. Pierre
        Unix Systems Administrator
        Nebraska Wesleyan University
        ---------------------
        Never send mail to thobrux@...
      • Sandy Drobic
        Message 3 of 4 , Mar 3, 2007
          Chris St. Pierre wrote:
          > On Wed, 28 Feb 2007, Ralf Hildebrandt wrote:
          >
          >> Except for this one user with Outlook 2007. He can't -- for the life
          >> of it -- establish any TLS/SSL connection, Outlook reports a
          >> non-descript SSL error. It works for the same person with Outlook
          >> 2003, but not with 2007.
          >
          > We've seen similar problems with a handful of users, and I'm afraid we
          > never found a solution except to allow those users to use plain text
          > auth. My best guess is that one of the libraries that the broken
          > Outlook depends on has gotten hosed somehow, but we never got to the
          > bottom of it. IIRC, the Postfix logs just recorded that the client
          > tried to start a TLS/SSL connection, and then spontaneously
          > disconnected or otherwise failed.
          >
          > Best of luck to you, and let us know if you find a solution.

          AFAIK Victor posted some weeks ago that Exchange 2007 has a bug dealing
          with certain Ciphers. It could be that this bug is also included in
          Outlook 2007. Please check the archive.
          --
          Sandy

          List replies only please!
          Please address PMs to: news-reply2 (@) japantest (.) homelinux (.) com
        • Victor Duchovni
          Message 4 of 4 , Mar 3, 2007
            On Sat, Mar 03, 2007 at 03:54:31PM +0100, Sandy Drobic wrote:

            > Chris St. Pierre wrote:
            > > On Wed, 28 Feb 2007, Ralf Hildebrandt wrote:
            > >
            > >> Except for this one user with Outlook 2007. He can't -- for the life
            > >> of it -- establish any TLS/SSL connection, Outlook reports a
            > >> non-descript SSL error. It works for the same person with Outlook
            > >> 2003, but not with 2007.
            > >
            > > We've seen similar problems with a handful of users, and I'm afraid we
            > > never found a solution except to allow those users to use plain text
            > > auth. My best guess is that one of the libraries that the broken
            > > Outlook depends on has gotten hosed somehow, but we never got to the
            > > bottom of it. IIRC, the Postfix logs just recorded that the client
            > > tried to start a TLS/SSL connection, and then spontaneously
            > > disconnected or otherwise failed.
            > >
            > > Best of luck to you, and let us know if you find a solution.
            >
            > AFAIK Victor posted some weeks ago that Exchange 2007 has a bug dealing
            > with certain Ciphers. It could be that this bug is also included in
            > Outlook 2007. Please check the archive.

            The bug is actually in the Windows Crypto-API. It is most often observed
            with Exchange 2003, but may also be observed with Exchange 2007 if used on
            a Windows 2003 server. The problem is an incorrect "on-the-wire" packet
            size calculation for "application-data" packets after the TLS handshake
            completes. You get a problem reading the 2nd application message because
            the first one has trailing garbage:

            Exchange: 220 server
            Postfix : EHLO client

            Exchange: 250-server
            Exchange: 250 STARTTLS

            Postfix : STARTTLS
            Exchange: 250 Ok

            Postfix : SSLClientHelo
            Exchange: SSLServerHelo
            Postfix : ... ChangeCipherSpec (Handshake completes)
            Exchange: ... ChangeCipherSpec (Handshake completes)

            Postfix : SSL_APP_DATA(EHLO client)
            Exchange: SSL_APP_DATA(250 server) + 5 bytes junk
            Postfix : SSL_APP_DATA(MAIL FROM:<sender>)
            Exchange: SSL_APP_DATA(250 Ok) + 5 bytes junk

            Postfix : first group of junk bytes is a broken SSL packet: abort!

            This happens when the cipher selected is either of:

            EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
            DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

            rather than:

            RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

            when the client restricts the cipher grade to "HIGH" (the Exchange server
            offers the broken ciphers at a lower preference, and overrules the client's
            cipher preferences, leading to RC4-MD5 provided that the client offers it).

            With Outlook as the client, things are a bit different, because the
            client's cipher preferences *are* honoured by the Postfix SMTP server,
            so if Outlook prefers RC4-MD5, that's what it gets. Perhaps the cipherlist
            got tweaked with Outlook 2007. If this is still the 3DES problem, the problem
            would look like this:

            Postfix: 220 server
            Outlook: EHLO client

            Postfix: 250-server
            Postfix: 250 STARTTLS

            Outlook: STARTTLS
            Postfix: 250 Ok

            Outlook: SSLClientHelo
            Postfix: SSLServerHelo
            Outlook: ... ChangeCipherSpec (Handshake completes)
            Postfix: ... ChangeCipherSpec (Handshake completes)

            Outlook: SSL_APP_DATA(EHLO client) + 5 bytes junk
            Postfix: SSL_APP_DATA(250 server)
            Outlook: SSL_APP_DATA(MAIL FROM:<sender>) + 5 bytes junk
            Postfix : first group of junk bytes is a broken SSL packet: abort!

            SSL disconnect with an error about invalid packet length/type/... after
            client EHLO. To test whether using just RC4 solves the problem:

            # Postfix 2.3:
            tls_export_cipherlist = RC4:@STRENGTH
            #
            # If some clients insist on a HIGH grade cipher, throw in AES-128
            # at the end, this too could break Outlook.
            # tls_export_cipherlist = RC4:@STRENGTH:AES128-SHA

            # Postfix 2.2
            smtpd_tls_cipherlist = RC4:@STRENGTH
            #
            # If some clients insist on a HIGH grade cipher, throw in AES-128
            # at the end, this too could break Outlook.
            # smtpd_tls_cipherlist = RC4:@STRENGTH:AES128-SHA

            --
            Viktor.

            Disclaimer: off-list followups get on-list replies or get ignored.
            Please do not ignore the "Reply-To" header.


            If my response solves your problem, the best way to thank me is to not
            send an "it worked, thanks" follow-up. If you must respond, please put
            "It worked, thanks" in the "Subject" so I can delete these quickly.
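The failure Viktor traces above ("first group of junk bytes is a broken SSL packet: abort!") is a record-layer framing error. The following added example, not code from the thread or from Postfix, is a minimal TLS record framer over constructed traffic: it reads records the way a strict peer does, stops at the 5 stray bytes, and then probes whether skipping a few bytes resyncs the stream, which is the signature of the bug described. Payloads, versions accepted and the resync limit are assumptions for illustration.

```python
import struct

# TLS record content types (RFC 2246 / RFC 5246 values)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
KNOWN_VERSIONS = {(3, 0), (3, 1), (3, 2), (3, 3)}  # SSLv3, TLS 1.0-1.2
MAX_RECORD = 16384 + 2048                           # plaintext limit + cipher overhead

def record(ctype, payload, version=(3, 1)):
    """Build one TLS record: type(1) | version(2) | length(2) | payload."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload

def read_records(stream):
    """Walk the record layer strictly. Returns (records, error); the first
    malformed header ends parsing, as a real peer would abort the session."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            return records, "truncated record header at offset %d" % off
        ctype, maj, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if ctype not in CONTENT_TYPES or (maj, minor) not in KNOWN_VERSIONS:
            return records, "invalid record type/version at offset %d" % off
        if length == 0 or length > MAX_RECORD:
            return records, "invalid record length %d at offset %d" % (length, off)
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            return records, "short record at offset %d" % off
        records.append((CONTENT_TYPES[ctype], body))
        off += 5 + length
    return records, None

def diagnose(stream, max_skip=8):
    """After a framing error, check whether skipping a few bytes resyncs the
    stream. Trailing junk glued onto a valid record shows up as exactly that."""
    records, err = read_records(stream)
    if err is None:
        return "clean"
    off = sum(5 + len(body) for _, body in records)  # end of last good record
    for skip in range(1, max_skip + 1):
        tail, tail_err = read_records(stream[off + skip:])
        if tail_err is None and tail:
            return "%d junk bytes after record %d" % (skip, len(records))
    return err

# Constructed traffic (opaque bytes stand in for ciphertext): a clean exchange,
# and the broken one from the thread with 5 junk bytes after the first record.
GOOD = record(23, b"\x10" * 32) + record(23, b"\x20" * 32)
BROKEN = record(23, b"\x10" * 32) + b"\x00" * 5 + record(23, b"\x20" * 32)
```

Running `diagnose` over a packet capture's TCP payload (after STARTTLS) separates this sender-side framing bug from certificate or cipher negotiation failures, which fail during the handshake rather than on the second application record.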