Re: smtp_tls_security_level = may combined with smtp_tls_policy_maps

  • JL Hill
    Message 1 of 8, Mar 15, 2013
      My apologies, I grabbed the wrong snippet of log file (same host, different server). Here is the entire connection log (I changed only the domain name and xxx'd the ip address):

      Mar  3 06:36:10 host postfix/smtp[22224]: initializing the client-side TLS engine
      Mar  3 06:36:11 host postfix/smtp[22224]: setting up TLS connection to smtp1.example.com[70.186.xxx.xxx]:25
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:before/connect initialization
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:unknown state
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server hello A
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=1 verify=1 subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=0 verify=1 subject=/O=smtp1.example.com/OU=Domain Control Validated/CN=smtp1.example.com
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server certificate A
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server done A
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write client key exchange A
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write change cipher spec A
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write finished A
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 flush data
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read finished A
      Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: subject_CN=smtp1.example.com, issuer_CN=Go Daddy Secure Certification Authority, fingerprint 93:28:E6:D5:F1:6F:FD:34:09:8B:BF:52:35:BB:94:6C, pkey_fingerprint=E4:A4:55:48:AF:85:C5:A0:51:25:94:B8:57:54:D5:50
      Mar  3 06:36:11 host postfix/smtp[22224]: Untrusted TLS connection established to smtp1.example.com[70.186.xxx.xxx]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
      Mar  3 06:36:11 host postfix/smtp[22224]: SSL3 alert write:fatal:protocol version
      Mar  3 06:36:11 host postfix/smtp[22224]: warning: TLS library problem: 22224:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
      Mar  3 06:36:11 host postfix/smtp[22224]: ACFBAD746C: to=<brian@...>, relay=smtp1.example.com[70.186.xxx.xxx]:25, delay=222575, delays=222574/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with smtp1.example.com[70.186.xxx.xxx] while sending MAIL FROM)

      As I said, I was trying to understand what was supposed to work in turning off TLS for a specific domain. I understand that I should be able to do it by specifying "example.com none" in tls_policy. I will test using smtp_tls_policy_maps, as well as testing using smtpd_discard_ehlo_keyword_address_maps.

      Thank you again, and again my apologies for grabbing the wrong snippet of log file.

      JL Hill

      On Fri, Mar 15, 2013 at 6:33 PM, Viktor Dukhovni <postfix-users@...> wrote:
      On Fri, Mar 15, 2013 at 05:19:30PM -0400, JL Hill wrote:

      > I feel more confused. I had originally tested
      >
      >     example.com   none
      >
      > and it failed. I searched the documentation, and found .example.com to use
      > for subdomains, so I thought that would fit my case as the negotiation is
      > with smtp2.example.com, even though I am emailing john.doe@...
      >
      > When I tested without the dot, sending to john.doe@... my log shows
      > "Host offered STARTTLS: [smtp2.example.com]"

      This means that TLS was NOT used. This is a helpful log message that
      tells you that you could use TLS, but you're not.  Your configuration turns
      on this non-default helpful log message.

              # default:
              smtp_tls_note_starttls_offer = no

      --
              Viktor.

    • Viktor Dukhovni
      Message 2 of 8, Mar 15, 2013
        On Fri, Mar 15, 2013 at 07:20:24PM -0400, JL Hill wrote:

        > My apologies, I grabbed the wrong snippet of log file (same host, different
        > server). Here is the entire connection log (I changed only the domain name
        > and xxx'd the ip address):

        No, don't apologize, in fact you grabbed exactly the right logs then,
        and the wrong logs now. With TLS for "example.com" disabled the logs
        with the "STARTTLS offer" are exactly how Postfix behaves with TLS
        disabled and:

        smtp_tls_note_starttls_offer = yes

        For peace of mind, set that parameter to no, and if you for some
        reason want TLS off for some domain, place:

        example.com none

        in the policy table, you've already seen it work.

        --
        Viktor.
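The two messages above hinge on reading the postfix/smtp log correctly: an "Untrusted TLS connection established" line followed by a "TLS library problem" warning and a deferred delivery (the first log), versus a "Host offered STARTTLS" line, which means TLS was available but NOT used (the second log, produced only when smtp_tls_note_starttls_offer = yes). The script below is an added example, not code from the thread or from Postfix, that parses such log lines and reports, per delivery, whether TLS was used, at what level, and whether a TLS problem preceded a deferral. The first session in the embedded sample is taken from the log posted above (already anonymised there); the second session, its queue id 1B2C3D4E5F and the recipient addresses are constructed for the example. The lookup is keyed on the smtp process id, which is how Postfix ties one process's handshake lines to its delivery record.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log: session 22224 is the log from the thread, session 22310 is made up
# to show the "Host offered STARTTLS" case (TLS available, not used).
SAMPLE_LOG = """\
Mar  3 06:36:11 host postfix/smtp[22224]: setting up TLS connection to smtp1.example.com[70.186.xxx.xxx]:25
Mar  3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Mar  3 06:36:11 host postfix/smtp[22224]: Untrusted TLS connection established to smtp1.example.com[70.186.xxx.xxx]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Mar  3 06:36:11 host postfix/smtp[22224]: SSL3 alert write:fatal:protocol version
Mar  3 06:36:11 host postfix/smtp[22224]: warning: TLS library problem: 22224:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
Mar  3 06:36:11 host postfix/smtp[22224]: ACFBAD746C: to=<brian@example.com>, relay=smtp1.example.com[70.186.xxx.xxx]:25, delay=222575, delays=222574/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with smtp1.example.com[70.186.xxx.xxx] while sending MAIL FROM)
Mar  3 06:40:02 host postfix/smtp[22310]: Host offered STARTTLS: [smtp2.example.com]
Mar  3 06:40:03 host postfix/smtp[22310]: 1B2C3D4E5F: to=<john.doe@example.com>, relay=smtp2.example.com[70.186.xxx.xxx]:25, delay=1.2, delays=0.01/0.01/0.5/0.7, dsn=2.0.0, status=sent (250 OK)
"""

SMTP_RE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
# Postfix logs the trust level as the first word of the "TLS connection established" line.
TLS_RE = re.compile(r"^(Anonymous|Untrusted|Trusted|Verified) TLS connection established to (\S+): (\S+) with cipher (\S+)")
OFFER_RE = re.compile(r"^Host offered STARTTLS: \[(.+)\]")
PROBLEM_RE = re.compile(r"^warning: TLS library problem: (.*)$")
DELIVERY_RE = re.compile(r"^([0-9A-Za-z]+): to=<([^>]*)>, relay=(\S+), .*dsn=(\S+), status=(\w+) \((.*)\)$")


@dataclass
class Delivery:
    queue_id: str
    recipient: str
    relay: str
    dsn: str
    status: str
    reason: str
    tls_level: Optional[str]      # Anonymous/Untrusted/Trusted/Verified, or None if TLS was not used
    tls_protocol: Optional[str]
    tls_cipher: Optional[str]
    starttls_offered: bool        # "Host offered STARTTLS" seen: server supports TLS, client did not use it
    tls_problems: List[str]       # "TLS library problem" warnings seen before the delivery record


def _fresh() -> dict:
    return {"level": None, "proto": None, "cipher": None, "offered": False, "problems": []}


def parse_smtp_log(text: str) -> List[Delivery]:
    """Walk the log once, keeping per-process TLS state until that process logs a delivery."""
    sessions: Dict[str, dict] = {}
    deliveries: List[Delivery] = []
    for line in text.splitlines():
        m = SMTP_RE.search(line)
        if not m:
            continue  # not a postfix/smtp line (qmgr, cleanup, ...)
        pid, msg = m.groups()
        s = sessions.setdefault(pid, _fresh())
        if (t := TLS_RE.match(msg)):
            s["level"], _relay, s["proto"], s["cipher"] = t.groups()
        elif OFFER_RE.match(msg):
            s["offered"] = True
        elif (p := PROBLEM_RE.match(msg)):
            s["problems"].append(p.group(1))
        elif (d := DELIVERY_RE.match(msg)):
            qid, rcpt, relay, dsn, status, reason = d.groups()
            deliveries.append(Delivery(qid, rcpt, relay, dsn, status, reason,
                                       s["level"], s["proto"], s["cipher"],
                                       s["offered"], list(s["problems"])))
            sessions[pid] = _fresh()  # the next delivery by this process starts from a clean slate
    return deliveries


def describe_tls(d: Delivery) -> str:
    """One-line human summary of how the session was protected."""
    if d.tls_level is None:
        if d.starttls_offered:
            return "plaintext (server offered STARTTLS but it was not used)"
        return "plaintext"
    desc = f"{d.tls_level} {d.tls_protocol} {d.tls_cipher}"
    if d.tls_problems:
        desc += " (TLS library problem after handshake)"
    return desc


def deferred_with_tls_problem(deliveries: List[Delivery]) -> List[str]:
    """Queue ids deferred right after a TLS library problem: the destinations worth a policy review."""
    return [d.queue_id for d in deliveries if d.status == "deferred" and d.tls_problems]


if __name__ == "__main__":
    for d in parse_smtp_log(SAMPLE_LOG):
        print(f"{d.queue_id} -> {d.relay}: {d.status} ({d.dsn}); TLS: {describe_tls(d)}")
    print("deferred after TLS problem:", deferred_with_tls_problem(parse_smtp_log(SAMPLE_LOG)))
```

Run it against the sample and the first delivery reports Untrusted TLSv1 DES-CBC3-SHA with a TLS problem and a deferral, while the second reports plaintext with STARTTLS offered and a successful send: exactly the two situations Viktor distinguishes. A deferral that only occurs after a TLS problem is the signal that a destination may need an "example.com none" entry in the policy table, or a protocol fix on the far side.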