
Ubuntu Upgrade broke my TLS

  • Tony Nelson
    Message 1 of 16, Dec 12, 2012
      I just upgraded my Ubuntu server from 10.04 to 12.04 which upgraded Postfix to 2.9.1-4.  The postfix server sits behind my firewall, in front of my corporate Exchange servers.

      After the upgrade I found that my exchange servers would/could no longer send mail.  I got the following error:

      Dec 12 18:48:41 mail postfix/smtpd[3093]: lost connection after EHLO from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]

      A bit of googling pointed me to TLS issues.  After trying several things, I commented out my TLS configuration parameters, and sure enough all of the mail flowed out of my Exchange servers, so the problem is definitely TLS related.

      These are my commented out TLS parameters:

      # TLS parameters
      # smtp_tls_security_level = may
      # smtpd_tls_security_level = may
      # smtpd_tls_cert_file = /etc/ssl/certs/starpoint.crt
      # smtpd_tls_key_file = /etc/ssl/private/starpoint.key
      # smtpd_tls_CAfile = /etc/ssl/certs/gd_bundle.crt
      # smtpd_tls_loglevel = 2
      # smtpd_use_tls=yes
      # smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
      # smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

      The certificate I am using for the TLS on the Postfix server is a wildcard certificate for starpoint.com from GoDaddy.
      The certificate that Exchange uses is a specific certificate for exchange.starpoint.com, also from GoDaddy.

      I think it's in my best interest to get TLS operational again.  I've re-read http://www.postfix.org/TLS_README.html again and nothing is jumping out at me.

      What is my best next step to solve this problem?

      Thank you very much for any advice.

      Tony Nelson
      Starpoint Solutions




      Since 1982, Starpoint Solutions has been a trusted source of human capital and solutions. We are committed to our clients, employees, environment, community and social concerns. We foster an inclusive culture based on trust, respect, honesty and solid performance. Learn more about Starpoint and our social responsibility at http://www.starpoint.com/social_responsibility


      This email message from Starpoint Solutions LLC is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message. Opinions, conclusions and other information in this message that do not relate to the official business of Starpoint Solutions shall be understood as neither given nor endorsed by it.
    • Will
      Message 2 of 16, Dec 12, 2012

        On 12/12/12 18:05, Tony Nelson wrote:
        > I just upgraded my Ubuntu server from 10.04 to 12.04 which upgraded Postfix to 2.9.1-4.  The postfix server sits behind my firewall, in front of my corporate Exchange servers.
        > [...]
        > What is my best next step to solve this problem?

        Changing smtpd_tls_loglevel to 3 might provide more useful debugging output, which could help you find any issues between Exchange and Postfix.

        -Will
      • Scott Kitterman
        Message 3 of 16, Dec 12, 2012
          On Wednesday, December 12, 2012 07:05:51 PM Tony Nelson wrote:
          > I just upgraded my Ubuntu server from 10.04 to 12.04 which upgraded Postfix
          > to 2.9.1-4. The postfix server sits behind my firewall, in front of my
          > corporate Exchange servers.
          >
          > After the upgrade I found that my exchange servers would/could no longer
          > send mail. I got the following error:
          >
          > Dec 12 18:48:41 mail postfix/smtpd[3093]: lost connection after EHLO from
          > NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
          >
          > A bit of googling pointed me to TLS issues. After trying several things, I
          > commented out my TLS configuration parameters, and sure enough all of the
          > mail flowed out of my Exchange servers, so the problem is definitely TLS
          > related.

          Re-enable package updates (they are enabled by default). If you had them
          enabled, you would have postfix 2.9.3-2~12.04.4. IIRC, there were changes in
          postfix 2.9.2 or 3 to integrate better with openssl 1.0.1, which Ubuntu 12.04
          also ships.

          Scott K
        • Tony Nelson
          Message 4 of 16, Dec 12, 2012

            On Dec 12, 2012, at 7:10 PM, Will wrote:

            > On 12/12/12 18:05, Tony Nelson wrote:
            > [...]
            >
            > Changing smtpd_tls_loglevel to 3 might provide more useful debugging output, which could help you find any issues between Exchange and Postfix.
            >
            > -Will

            Thanks for the suggestion. I'm going to paste the result here, but I don't see anything helpful. Right after an anonymous connection is made, the connection is dropped.

            Thank you very much for the help.

            root@mail:/var/log# cat /tmp/t
            Dec 12 19:21:13 mail postfix/smtpd[4660]: connect from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
            Dec 12 19:21:13 mail postfix/smtpd[4660]: setting up TLS connection from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
            Dec 12 19:21:13 mail postfix/smtpd[4660]: NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
            Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:before/accept initialization
            Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF10] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
            Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF10] (11 bytes => 11 (0xB))
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 16 03 01 00 68 01 00 00|64 03 01                 ....h... d..
            Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF1E] (98 bytes => 98 (0x62))
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 50 c9 1f 71 79 91 a0 59|57 55 30 a6 32 a9 fa d2  P..qy..Y WU0.2...
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0010 5a ac 9b f5 a7 7f e6 0c|37 58 42 cc 9d 4b f8 7a  Z....... 7XB..K.z
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0020 20 5a 3f f3 e5 79 b7 89|7e cf b9 e3 87 11 21 5a   Z?..y.. ~.....!Z
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0030 f7 24 f0 17 1d b7 4d ad|e7 40 31 85 bf cd bf 5a  .$....M. .@1....Z
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0040 f3 00 16 00 04 00 05 00|0a 00 09 00 64 00 62 00  ........ ....d.b.
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0050 03 00 06 00 13 00 12 00|63 01 00 00 05 ff 01 00  ........ c.......
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0060 01                                               .
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0061 - <SPACES/NULLS>
            Dec 12 19:21:13 mail postfix/smtpd[4660]: ny-hubt02.win.starpoint.com[192.168.43.19]: looking up session 5A3FF3E579B7897ECFB9E38711215AF724F0171DB74DADE7403185BFCDBF5AF3&s=192.168.39.36:smtp in smtpd cache
            Dec 12 19:21:13 mail postfix/smtpd[4660]: ny-hubt02.win.starpoint.com[192.168.43.19]: reloaded session 5A3FF3E579B7897ECFB9E38711215AF724F0171DB74DADE7403185BFCDBF5AF3&s=192.168.39.36:smtp from smtpd cache
            Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 read client hello A
            Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 write server hello A
            Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 write change cipher spec A
            Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 write finished A
            Dec 12 19:21:13 mail postfix/smtpd[4660]: write to 7FC3AA00E840 [7FC3AA021C10] (129 bytes => 129 (0x81))
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 16 03 01 00 51 02 00 00|4d 03 01 50 c9 1f 79 3b  ....Q... M..P..y;
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0010 bb 8a 38 f6 af 46 74 9c|fa 99 69 18 bd 23 7d b4  ..8..Ft. ..i..#}.
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0020 68 e8 da 79 b6 2b af 00|d6 cb 44 20 5a 3f f3 e5  h..y.+.. ..D Z?..
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0030 79 b7 89 7e cf b9 e3 87|11 21 5a f7 24 f0 17 1d  y..~.... .!Z.$...
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0040 b7 4d ad e7 40 31 85 bf|cd bf 5a f3 00 04 00 00  .M..@1.. ..Z.....
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0050 05 ff 01 00 01 00 14 03|01 00 01 01 16 03 01 00  ........ ........
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0060 20 51 e3 37 e6 93 90 fb|49 3d 0c 2b 78 5b e3 a7   Q.7.... I=.+x[..
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0070 ca 0e 2a 52 2a 3e d3 75|e6 af ff 8c fa 49 18 89  ..*R*>.u .....I..
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0080 58                                               X
            Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 flush data
            Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF13] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
            Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF13] (5 bytes => 5 (0x5))
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 14 03 01 00 01                                   .....
            Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF18] (1 bytes => 1 (0x1))
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 01                                               .
            Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF13] (5 bytes => 5 (0x5))
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 16 03 01                                         ...
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0003 - <SPACES/NULLS>
            Dec 12 19:21:13 mail postfix/smtpd[4660]: read from 7FC3AA00E840 [7FC3AA02AF18] (32 bytes => 32 (0x20))
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0000 24 c8 f3 9d 9b df 37 c9|d8 de 52 aa fa 0f a5 21  $.....7. ..R....!
            Dec 12 19:21:13 mail postfix/smtpd[4660]: 0010 c9 f3 59 55 ad 82 8a 49|f7 77 db a9 94 bf 13 8e  ..YU...I .w......
            Dec 12 19:21:13 mail postfix/smtpd[4660]: SSL_accept:SSLv3 read finished A
            Dec 12 19:21:13 mail postfix/smtpd[4660]: ny-hubt02.win.starpoint.com[192.168.43.19]: Reusing old session
            Dec 12 19:21:13 mail postfix/smtpd[4660]: Anonymous TLS connection established from ny-hubt02.win.starpoint.com[192.168.43.19]: TLSv1 with cipher RC4-MD5 (128/128 bits)
            Dec 12 19:21:13 mail postfix/smtpd[4660]: lost connection after EHLO from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
            Dec 12 19:21:13 mail postfix/smtpd[4660]: disconnect from NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
            root@mail:/var/log# 



          • Tony Nelson
              Message 5 of 16, Dec 12, 2012
              On Dec 12, 2012, at 7:20 PM, Scott Kitterman wrote:

              > On Wednesday, December 12, 2012 07:05:51 PM Tony Nelson wrote:
              >> I just upgraded my Ubuntu server from 10.04 to 12.04 which upgraded Postfix
              >> to 2.9.1-4. The postfix server sits behind my firewall, in front of my
              >> corporate Exchange servers.
              >>
              >> After the upgrade I found that my exchange servers would/could no longer
              >> send mail. I got the following error:
              >>
              >> Dec 12 18:48:41 mail postfix/smtpd[3093]: lost connection after EHLO from
              >> NY-HUBT02.WIN.STARPOINT.COM[192.168.43.19]
              >>
              >> A bit of googling pointed me to TLS issues. After trying several things, I
              >> commented out my TLS configuration parameters, and sure enough all of the
              >> mail flowed out of my Exchange servers, so the problem is definitely TLS
              >> related.
              >
              > Re-enable package updates (they are enabled by default). If you had them
              > enabled, you would have postfix 2.9.3-2~12.04.4. IIRC, there were changes in
              > postfix 2.9.2 or 3 to integrate better with openssl 1.0.1, which Ubuntu 12.04
              > also ships.
              >
              > Scott K


              Scott, you hit the nail on the head.

              It appears that my upgrade didn't go so well. After running apt-get update/upgrade I ended up upgrading some 250+ packages, including Postfix. I now have 2.9.3-2~12.04.4 as you suggested and TLS has started working again.

              Thank everyone very much for their time.

              Tony Nelson
              Starpoint Solutions


            • Stan Hoeppner
               Message 6 of 16, Dec 12, 2012
                On 12/12/2012 6:05 PM, Tony Nelson wrote:

                > I think it's in my best interest to get TLS operational again.

                So, you encrypt the transmission from the internal corporate groupware
                server to the gateway server via a private network that you completely
                control. But then you relay the same message over the public internet
                in plain text.

                There seems to be a flaw in your logic, in your threat assessment. Your
                stated posture makes it seem you are more worried about malicious packet
                sniffing inside your perimeter than outside.

                --
                Stan
              • Reindl Harald
                Message 7 of 16, Dec 12, 2012
                  On 13.12.2012 07:26, Stan Hoeppner wrote:
                  > On 12/12/2012 6:05 PM, Tony Nelson wrote:
                  >
                  >> I think it's in my best interest to get TLS operational again.
                  >
                  > So, you encrypt the transmission from the internal corporate groupware
                  > server to the gateway server via a private network that you completely
                  > control. But then you relay the same message over the public internet
                  > in plain text.
                  >
                  > There seems to be a flaw in your logic, in your threat assessment. Your
                  > stated posture makes it seem you are more worried about malicious packet
                  > sniffing inside your perimeter than outside

                  which is the reality in real life

                  there is MUCH more danger that someone connects to your
                  LAN than that somebody is able to do the same at ISP level
                • Ned Slider
                  Message 8 of 16, Dec 13, 2012
                    On 13/12/12 06:26, Stan Hoeppner wrote:
                    > On 12/12/2012 6:05 PM, Tony Nelson wrote:
                    >
                    >> I think it's in my best interest to get TLS operational again.
                    >
                    > So, you encrypt the transmission from the internal corporate groupware
                    > server to the gateway server via a private network that you completely
                    > control. But then you relay the same message over the public internet
                    > in plain text.
                    >

                    TLS encrypts the whole connection including the authentication - maybe
                    the OP is more concerned about passwords being sent in plain text than
                    the contents of the actual email.

                    > There seems to be a flaw in your logic, in your threat assessment. Your
                    > stated posture makes it seem you are more worried about malicious packet
                    > sniffing inside your perimeter than outside.
                    >
                  • Stan Hoeppner
                    Message 9 of 16, Dec 13, 2012
                      On 12/13/2012 1:51 AM, Reindl Harald wrote:
                      >
                      >
                      > Am 13.12.2012 07:26, schrieb Stan Hoeppner:
                      >> On 12/12/2012 6:05 PM, Tony Nelson wrote:
                      >>
                      >>> I think it's in my best interest to get TLS operational again.
                      >>
                      >> So, you encrypt the transmission from the internal corporate groupware
                      >> server to the gateway server via a private network that you completely
                      >> control. But then you relay the same message over the public internet
                      >> in plain text.
                      >>
                      >> There seems to be a flaw in your logic, in your threat assessment. Your
                      >> stated posture makes it seem you are more worried about malicious packet
                      >> sniffing inside your perimeter than outside
                      >
                      > which is reality in the real life
                      >
                      > there is MUCH more danger that someone connects to your
                      > LAN than somebody is able to do the same at ISP level

                      In order to sniff the SMTP traffic from the Exchange server to the
                      Postfix server, someone "on the LAN", as you put it, would first need to
                      gain admin access to one of the switches or segment routers, then clone
                      one of the two ports, then sniff the traffic. Or clone the traffic on
                      an ISL, assuming the two servers are not on the same switch. In a well
                      managed network with strong authentication on network devices, I find
                      this scenario extremely unlikely.

                      However, this is a tangential argument. The point of my post is that if
                      one isn't doing TLS (opportunistic or full time) between the gateway and
                      remote MX hosts, then using TLS between the Exchange sever and gateway
                      is irrelevant and unnecessary.

                      --
                      Stan
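Stan's point is about where the trust boundary actually lies, and it is something that can be checked against the configuration rather than argued about. The script below is an added example written for this page (not Postfix code and not posted by anyone in the thread): it reads main.cf-style lines, derives the effective inbound and outbound TLS levels the way Postfix resolves them (smtpd_tls_security_level and smtp_tls_security_level take precedence over the obsolete *_use_tls and *_enforce_tls booleans, and the default is none), and reports the mismatch Stan describes. The sample input is the TLS block Tony posted with the comment markers removed; audit_tls and its helpers are hypothetical names. On that configuration both hops come out as "may", consistent with Tony's later remark that TLS works internally and externally; since "may" is opportunistic, the example also flags that it protects only against passive sniffing.

```python
"""Audit the TLS posture of a Postfix main.cf for the gap raised above: an encrypted
internal hop in front of an outbound relay that sends in clear.  Added example for this
page, not Postfix code and not posted in the thread; audit_tls and its helpers are
hypothetical names."""

# Sample input taken from the page: the TLS block Tony posted, comment markers removed.
SAMPLE_MAIN_CF = """
# TLS parameters
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/starpoint.crt
smtpd_tls_key_file = /etc/ssl/private/starpoint.key
smtpd_tls_CAfile = /etc/ssl/certs/gd_bundle.crt
smtpd_tls_loglevel = 2
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
"""

def parse_main_cf(text):
    """main.cf text -> dict.  Comments and blank lines are skipped; a line that starts
    with whitespace continues the previous value, as Postfix itself reads the file."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def effective_level(params, prefix):
    """Effective level for the smtp client (prefix 'smtp') or the smtpd server ('smtpd').
    *_tls_security_level wins when set; otherwise the obsolete *_enforce_tls / *_use_tls
    booleans map to 'encrypt' / 'may'; the Postfix default is 'none'."""
    level = params.get(prefix + "_tls_security_level", "")
    if level:
        return level
    if params.get(prefix + "_enforce_tls", "no").lower() == "yes":
        return "encrypt"
    if params.get(prefix + "_use_tls", "no").lower() == "yes":
        return "may"
    return "none"

def audit_tls(text):
    """Return the effective levels plus findings about the overall posture."""
    params = parse_main_cf(text)
    inbound, outbound = effective_level(params, "smtpd"), effective_level(params, "smtp")
    findings = []
    if inbound != "none" and outbound == "none":
        findings.append("outbound: internal hop is encrypted but the relay to remote MX "
                        "hosts is plaintext (smtp_tls_security_level is none)")
    if outbound == "may":
        findings.append("outbound: 'may' is opportunistic, so it stops passive sniffing only; "
                        "an active attacker can strip STARTTLS (use encrypt/secure/dane per destination)")
    if inbound != "none" and not params.get("smtpd_tls_cert_file"):
        findings.append("inbound: smtpd TLS enabled without smtpd_tls_cert_file")
    if "smtpd_tls_security_level" in params and "smtpd_use_tls" in params:
        findings.append("inbound: smtpd_use_tls is obsolete and overridden by smtpd_tls_security_level")
    return {"inbound": inbound, "outbound": outbound, "findings": findings}

if __name__ == "__main__":
    for finding in audit_tls(SAMPLE_MAIN_CF)["findings"]:
        print(finding)
```

Feed it the output of `postconf -n` rather than the raw file so only explicitly set parameters are considered; per-service `-o` overrides in master.cf are outside what this check sees.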
                    • Stan Hoeppner
                      Message 10 of 16, Dec 13, 2012
                        On 12/13/2012 5:01 AM, Ned Slider wrote:
                        > On 13/12/12 06:26, Stan Hoeppner wrote:
                        >> On 12/12/2012 6:05 PM, Tony Nelson wrote:
                        >>
                        >>> I think it's in my best interest to get TLS operational again.
                        >>
                        >> So, you encrypt the transmission from the internal corporate groupware
                        >> server to the gateway server via a private network that you completely
                        >> control. But then you relay the same message over the public internet
                        >> in plain text.
                        >>
                        >
                        > TLS encrypts the whole connection including the authentication - maybe
                        > the OP is more concerned about passwords being sent in plain text than
                        > the contents of the actual email.

                        Interesting. How many passwords would potentially be exposed in this
                        scenario Ned?

                        --
                        Stan
                      • Benny Pedersen
                        Message 11 of 16, Dec 13, 2012
                          Tony Nelson wrote on 13-12-2012 02:04:

                          > It appears that my upgrade didn't go so well. After running apt-get
                          > update/upgrade I ended up upgrading some 250+ packages, including
                          > Postfix. I now have 2.9.3-2~12.04.4 as you suggested and TLS has
                          > started working again.

                          thanks for using open source that is precompiled :=)

                          with FreeBSD/Gentoo this problem would not exist
                        • Tony Nelson
                          Message 12 of 16, Dec 13, 2012
                            Actually I have TLS working both internally and externally. The only problem I was experiencing that I could adequately describe to the list was internally to my exchange servers. It was 100% repeatable. My theory was that if I resolved the internal problem any other similar related problems would be fixed as well.

                            Thank you again to everyone who helped me resolve my issue. Everything seems fine today.

                            -Tony

                            On Dec 13, 2012, at 1:27 AM, "Stan Hoeppner" <stan@...> wrote:

                            > On 12/12/2012 6:05 PM, Tony Nelson wrote:
                            >
                            >> I think it's in my best interest to get TLS operational again.
                            >
                            > So, you encrypt the transmission from the internal corporate groupware
                            > server to the gateway server via a private network that you completely
                            > control. But then you relay the same message over the public internet
                            > in plain text.
                            >
                            > There seems to be a flaw in your logic, in your threat assessment. Your
                            > stated posture makes it seem you are more worried about malicious packet
                            > sniffing inside your perimeter than outside.
                            >
                            > --
                            > Stan
                            >

                          • Scott Kitterman
                            Message 13 of 16, Dec 13, 2012
                              On Thursday, December 13, 2012 03:05:12 PM Benny Pedersen wrote:
                              > Tony Nelson skrev den 13-12-2012 02:04:
                              > > It appears that my upgrade didn't go so well. After running apt-get
                              > > update/upgrade I ended up upgrading some 250+ packages, including
                              > > Postfix. I now have 2.9.3-2~12.04.4 as you suggested and TLS has
                              > > started working again.
                              >
                              > thanks for using open source that is precompiled :=)
                              >
                              > with FreeBSD/Gentoo this problem would not exist

                              Thanks for spreading FUD about other FOSS projects. If the OP had left his
                              system in the default configuration and installed all available updates, the
                              problem would not have existed.

                              Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up to date.

                              Scott K
                            • Jerry
                              Message 14 of 16, Dec 13, 2012
                                On Thu, 13 Dec 2012 09:40:50 -0500
                                Scott Kitterman articulated:

                                > Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up
                                > to date.

                                +1

                                --
                                Jerry ✌
                                postfix-user@...
                                _____________________________________________________________________
                                TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
                                TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
                              • Benny Pedersen
                                Message 15 of 16, Dec 13, 2012
                                  Scott Kitterman wrote on 13-12-2012 15:40:

                                  > Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up
                                  > to date.

                                  same problem goes with Windows :)

                                  I miss a DS for junc.org; thanks to the org TLD I can not secure DKIM :(
                                • Benny Pedersen
                                  Message 16 of 16, Dec 13, 2012
                                    Jerry wrote on 13-12-2012 17:24:

                                    >> Being on FreeBSD or Gentoo wouldn't help if the system isn't kept up
                                    >> to date.
                                    > +1

                                    +2, the point is that the problem is less on the above 2