
Re: Problem using TLS: lost connection after STARTTLS

  • Viktor Dukhovni
    Message 1 of 15 , Jun 14, 2013
      On Fri, Jun 14, 2013 at 05:53:03PM +0200, Jan P. Kessler wrote:

      > >I would have expected SHA-2 support as of OpenSSL 1.0.0a.
      >
      > Ok, so the problem seems to be clear. The system uses an ancient
      > openssl version (sunfreeware package):
      >
      > libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8
      > libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8
      >
      > # /usr/local/ssl/bin/openssl version
      > OpenSSL 0.9.8k 25 Mar 2009
      >
      > Thank you very much for your help! Is it possible to deactivate the
      > "smtpd_tls_ask_ccert = yes" setting for this special target? Ideally
      > without deactivating the STARTTLS extension completely?

      Only via NAT, if you can divert traffic from this client IP to a
      different SMTP listener in which the feature is disabled via
      master.cf.

      The sender should replace their certificate, it is not compliant
      with TLSv1. This too may take time.

      I never enabled ask_ccert on port 25, I had used 587 for that (on
      a machine that nevertheless was not an MSA), and clients with special
      access configured via ccerts had to use a transport table or similar
      to send to a non-default port to get that access.

      > I understand that the correct solution is an openssl upgrade on our
      > side (due to other security related reasons), but I need a
      > maintenance window for this.

      Build OpenSSL 1.0.1e from source without shared libraries, just
      ".a" files (default via OpenSSL's Configure). Then link Postfix
      against that, and deploy. For example with OpenSSL built in
      /var/tmp/openssl (libcrypto.a and libssl.a in that directory, and
      include files in /var/tmp/openssl/include) build as follows (adjusting
      paths as required):

      #! /bin/sh

      DEST=/usr/local
      CCARGS='-DUSE_TLS -I/var/tmp/openssl/include ...'
      AUXLIBS='-L/var/tmp/openssl -lssl -lcrypto ...'

      while read -r name val
      do
          CCARGS="$CCARGS $(printf -- '-D%s=\\"%s\\"' $name $val)"
      done <<EOF
      DEF_COMMAND_DIR $DEST/sbin
      DEF_CONFIG_DIR $DEST/etc
      DEF_DAEMON_DIR $DEST/libexec
      DEF_MAILQ_PATH /usr/bin/mailq
      DEF_HTML_DIR $DEST/html
      DEF_MANPAGE_DIR $DEST/man
      DEF_NEWALIAS_PATH /usr/bin/newaliases
      DEF_README_DIR $DEST/readme
      DEF_SENDMAIL_PATH /usr/sbin/sendmail
      EOF
      make -f Makefile.init "CCARGS=$CCARGS" "AUXLIBS=$AUXLIBS" makefiles
      make

      --
      Viktor.
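A master.cf layout for the split Viktor describes (port 25 keeps STARTTLS but no longer requests a client certificate; a separate listener asks for one and grants access by certificate fingerprint), added here as an example that is not part of the post. The service names, the use of port 587, the relay_clientcerts path, the fingerprint and the partner domain are assumptions.

```text
# master.cf fragment (constructed example, not the thread's configuration)
# service    type  private unpriv chroot wakeup maxproc command + args
smtp         inet  n       -      n      -      -       smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_tls_ask_ccert=no
submission   inet  n       -      n      -      -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_client_restrictions=permit_tls_clientcerts,reject

# main.cf: permit_tls_clientcerts matches the client certificate fingerprint
# against this table; compute the fingerprint with the digest named by
# smtpd_tls_fingerprint_digest (hypothetical path)
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# /etc/postfix/relay_clientcerts (placeholder fingerprint; run postmap on it)
<fingerprint-of-partner-client-cert>   partner-gateway

# On the partner's side, a transport table entry is what routes their mail
# to the non-default port instead of port 25 (hypothetical domain)
# /etc/postfix/transport
example.com   smtp:[mx.example.com]:587
```

Only the 587 listener ever sends a CertificateRequest, so a peer whose TLS stack cannot cope with it is unaffected on port 25 while STARTTLS itself stays available there.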
    • Jan P. Kessler
      Message 2 of 15 , Jun 15, 2013
        > The sender should replace their certificate, it is not compliant with
        > TLSv1. This too may take time.
        >
        > I never enabled ask_ccert on port 25, I had used 587 for that (on a
        > machine that nevertheless was not an MSA), and clients with special
        > access configured via ccerts had to use a transport table or similar
        > to send to a non-default port to get that access.

        Thank you for the detailed analysis. I will give them a hint. Although
        the chance might be small that they will have other partners using old
        SSL versions and asking for their ccert, they should know about that.
        The interesting part for me is that smtp (meaning when we send mail to
        them using TLS) had no problems with their SHA-2 cert.

        I will consider switching to the submission port for our
        ccert-whitelisted/authenticated partners, too. It was the first time in
        several years that we encountered problems with that setting (I was
        aware of the warning note in the docs, but it always worked for us).

        >> I understand that the correct solution is an openssl upgrade on
        >> our side (due to other security related reasons), but I need a
        >> maintenance window for this.
        >
        > Build OpenSSL 1.0.1e from source without shared libraries, just ".a"
        > files (default via OpenSSL's Configure). Then link Postfix against
        > that, and deploy. For example with OpenSSL built in /var/tmp/openssl
        > (libcrypto.a and libssl.a in that directory, and include files in
        > /var/tmp/openssl/include) build as follows (adjusting paths as
        > required):

        Fortunately I was able to get a change window for one of the nodes last
        night. After the procedure below, everything seems to be fine now on
        this machine. I'll wait some days and update the other nodes, too.
        Thanks again for your assistance!

        # self compiled things here
        BASE=/opt/vrnetze
        # sunstudio compiler
        CC=/opt/SUNWspro/bin/cc
        CXX=/opt/SUNWspro/bin/cc

        # openssl
        ./Configure \
        --prefix=${BASE}/openssl \
        --openssldir=${BASE}/openssl \
        solaris-sparcv9-cc
        make; make install

        # postfix
        MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
        -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
        -L/usr/local/lib"
        MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
        -I/usr/local/include"

        make tidy; make makefiles \
        CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
        AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
        make; make upgrade
      • Viktor Dukhovni
        Message 3 of 15 , Jun 15, 2013
          On Sat, Jun 15, 2013 at 12:07:26PM +0200, Jan P. Kessler wrote:

          > # openssl
          > ./Configure \
          > --prefix=${BASE}/openssl \
          > --openssldir=${BASE}/openssl \
          > solaris-sparcv9-cc
          > make; make install
          >
          > # postfix
          > MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
          > -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
          > -L/usr/local/lib"
          > MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
          > -I/usr/local/include"
          >
          > make tidy; make makefiles \
          > CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
          > AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
          > make; make upgrade

          If you're interested, I now have another option for you, a Postfix
          patch that will likely enable support for SHA-2 digests even when
          Postfix is compiled and linked with OpenSSL 0.9.8.

          Keep in mind that the latest OpenSSL 0.9.8 patch level is now
          0.9.8y, and I seem to recall that you had 0.9.8k, which likely has
          various unpatched bugs. So you should probably upgrade the system's
          OpenSSL 0.9.8 libraries to 0.9.8y.

          The patch is for DANE support with OpenSSL 1.0.0 (first release
          before 1.0.0a) and some systems with older 1.1.0-dev snapshots,
          but should also address your problem.

          --- src/tls/tls_misc.c
          +++ src/tls/tls_misc.c
          @@ -1129,6 +1129,24 @@ int tls_validate_digest(const char *dgst)
          unsigned int md_len;

          /*
          + * Register SHA-2 digests, if implemented and not already registered.
          + * Improves interoperability with clients and servers that prematurely
          + * deploy SHA-2 certificates. Also facilitates DANE and TA support.
          + */
          +#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)
          + if (!EVP_get_digestbyname(LN_sha224))
          + EVP_add_digest(EVP_sha224());
          + if (!EVP_get_digestbyname(LN_sha256))
          + EVP_add_digest(EVP_sha256());
          +#endif
          +#if defined(LN_sha512) && defined(NID_sha512) && !defined(OPENSSL_NO_SHA512)
          + if (!EVP_get_digestbyname(LN_sha384))
          + EVP_add_digest(EVP_sha384());
          + if (!EVP_get_digestbyname(LN_sha512))
          + EVP_add_digest(EVP_sha512());
          +#endif
          +
          + /*
          * If the administrator specifies an unsupported digest algorithm, fail
          * now, rather than in the middle of a TLS handshake.
          */
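          Review bot: the guard `#if defined(LN_sha256) && defined(NID_sha256) && !defined(OPENSSL_NO_SHA256)` names only SHA-256, yet the block it protects also references `LN_sha224` and `EVP_sha224()` (and the SHA-512 block likewise references `LN_sha384` / `EVP_sha384()`); add a sentence to the comment stating that OpenSSL ships the 224/256 and 384/512 pairs together under the same `OPENSSL_NO_SHA256` / `OPENSSL_NO_SHA512` switches, so the single guard per pair is intentional and not an unguarded reference. The `if (!EVP_get_digestbyname(...))` check in front of each `EVP_add_digest()` also deserves a word in the comment: it is what makes the registration harmless on builds where the library already registers these digests, and, as the surrounding "fail now, rather than in the middle of a TLS handshake" comment implies, it runs once at initialization rather than per connection.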

          --
          Viktor.
        • Jan P. Kessler
          Message 4 of 15 , Jun 15, 2013
            >> # openssl
            >> ./Configure \
            >> --prefix=${BASE}/openssl \
            >> --openssldir=${BASE}/openssl \
            >> solaris-sparcv9-cc
            >> make; make install
            >>
            >> # postfix
            >> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
            >> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
            >> -L/usr/local/lib"
            >> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
            >> -I/usr/local/include"
            >>
            >> make tidy; make makefiles \
            >> CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
            >> AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
            >> make; make upgrade

            The openssl update from 0.9.8k to 1.0.1e solved the client certificate
            issue. Unfortunately now we see another problem with the outgoing
            instance, trying to send to another partner with mandatory TLS:

            Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
            Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
            Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] 704A35DD5: Cannot start TLS: handshake failure
            Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.21] said: 403
            4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
            Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
            Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
            Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] 704A35DD5: Cannot start TLS: handshake failure
            Jun 16 00:28:55 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] 704A35DD5: to=<XXX.YYY@...>,
            relay=mxtls.allianz.com[194.127.3.22]:25, delay=62663,
            delays=62662/0/0.54/0.01, dsn=4.7.0, status=deferred (host
            mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0
            less than 256 (in reply to MAIL FROM command))

            BEFORE UPGRADE:
            Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
            mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
            Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
            mail.info] certificate verification failed for
            mxtls.allianz.com[194.127.3.21]:25: untrusted issuer /C=US/O=VeriSign,
            Inc./OU=Class 3 Public Primary Certification Authority
            Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
            mail.info] Untrusted TLS connection established to
            mxtls.allianz.com[194.127.3.21]:25: TLSv1 with cipher DHE-RSA-AES256-SHA
            (256/256 bits)
            Jun 14 11:43:42 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
            mail.info] 19688599D: to=<XXX.YYY@...>,
            relay=mxtls.allianz.com[194.127.3.21]:25, delay=0.94,
            delays=0.03/0/0.48/0.43, dsn=2.0.0, status=sent (250 2.0.0
            r5E9hfN2006147 Message accepted for delivery)

            Other outgoing TLS connections seem to work fine:

            Jun 16 00:29:52 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] setting up TLS connection to
            gmail-smtp-in.l.google.com[173.194.70.26]:25
            Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] Trusted TLS connection established to
            gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher
            ECDHE-RSA-RC4-SHA (128/128 bits)
            Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
            mail.info] CBF8256AD: to=<AAA.BBB@...>,
            relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.85,
            delays=0.01/0/0.18/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1371335393
            b5si7050738eew.190 - gsmtp)

            Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
            setting up TLS connection to smail2-neu.mailintern.local[10.221.24.22]:25
            Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
            Trusted TLS connection established to
            smail2-neu.mailintern.local[10.221.24.22]:25: TLSv1 with cipher
            DHE-RSA-AES256-SHA (256/256 bits)
            Jun 16 00:29:55 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
            6195A56F4: to=<CCC.DDD@...>,
            relay=smail2-neu.mailintern.local[10.221.24.22]:25, delay=11,
            delays=11/0/0.14/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
            98BABC6DA0)

            Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
            mail.info] setting up TLS connection to smtpcl3.fiducia.de[195.200.34.38]:25
            Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
            mail.info] smtpcl3.fiducia.de[195.200.34.38]:25: re-using session with
            untrusted certificate, look for details earlier in the log
            Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
            mail.info] Untrusted TLS connection established to
            smtpcl3.fiducia.de[195.200.34.38]:25: TLSv1 with cipher
            DHE-RSA-AES256-SHA (256/256 bits)
            Jun 16 00:29:58 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
            mail.info] 932B356AF: to=<EEE.FFF@...>,
            relay=smtpcl3.fiducia.de[195.200.34.38]:25, delay=2.1,
            delays=0.58/0.07/0.26/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
            as 7C5731C8C89)

            I have already tried to wipe the smtp_scache.db without success. Could
            you give me another hint? Verbose logs and configuration follow at the
            end of this mail.

            > If you're interested, I now have another option for you, a Postfix
            > patch that will likely enable support for SHA-2 digests even when
            > Postfix is compiled and linked with OpenSSL 0.9.8.

            May I ask if this would have a chance to be included in future postfix
            releases? Just to know if postfix has to be patched again with updates.

            > Keep in mind that that latest OpenSSL 0.9.8 patch level is now
            > 0.9.8y, and I seem to recall that you had 0.9.8k which likely
            > various unpatched bugs. So you should probably upgrade the system's
            > OpenSSL 0.9.8 libraries to 0.9.8y.

            Thanks, but the 0.9.8k OpenSSL lib is not the Solaris 10 default
            anyway. It was installed separately some time ago from a different
            source (sunfreeware) to compile Postfix. I'd prefer to drop it
            completely. It is not used by other software on these systems.

            # postconf -c /etc/postfix/OUT mail_version
            mail_version = 2.8.13
            # /opt/vrnetze/openssl/bin/openssl version
            OpenSSL 1.0.1e 11 Feb 2013

            # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
            # postqueue -c /etc/postfix/OUT -i 704A35DD5
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] mxtls.allianz.com[194.127.3.22]:25: TLS cipher list
            "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] looking for session
            smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
            in smtp cache
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
            mail.info] lookup smtp session
            id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] SSL_connect:before/connect initialization
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] SSL_connect:SSLv2/v3 write client hello A
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
            Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] SSL_connect:error in SSLv2/v3 read server hello A
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] remove session
            smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
            from client cache
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
            mail.info] delete smtp session
            id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] 704A35DD5: Cannot start TLS: handshake failure
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.22] said: 403
            4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] mxtls.allianz.com[194.127.3.21]:25: TLS cipher list
            "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] looking for session
            smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
            in smtp cache
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
            mail.info] lookup smtp session
            id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] SSL_connect:before/connect initialization
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] write to 000A3418 [000F6020] (363 bytes => 363 (0x16B))
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] SSL_connect:SSLv2/v3 write client hello A
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] read from 000A3418 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
            Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] SSL_connect:error in SSLv2/v3 read server hello A
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] remove session
            smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
            from client cache
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
            mail.info] delete smtp session
            id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] 704A35DD5: Cannot start TLS: handshake failure
            Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
            mail.info] 704A35DD5: to=<XXX.YYY@...>,
            relay=mxtls.allianz.com[194.127.3.21]:25, delay=64211,
            delays=64211/0/0.54/0.01, dsn=4.7.0, status=deferred (host
            mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0
            less than 256 (in reply to MAIL FROM command))


            # egrep -v "^#" /etc/postfix/OUT/master.cf
            smtp26     inet n - n - 200 smtpd
              -o smtpd_client_connection_count_limit=100
            cryptosmtp unix - - n - 50 smtp
              -o smtp_data_done_timeout=1200
            tlsmgr     unix - - n 1000? 1 tlsmgr
            pickup     fifo n - n 60 1 pickup
            cleanup    unix n - n - 0 cleanup
            qmgr       fifo n - n 300 1 qmgr
            rewrite    unix - - n - - trivial-rewrite
            bounce     unix - - n - 0 bounce
            defer      unix - - n - 0 bounce
            trace      unix - - n - 0 bounce
            verify     unix - - n - 1 verify
            flush      unix n - n 1000? 0 flush
            proxymap   unix - - n - - proxymap
            smtp       unix - - n - - smtp
            relay      unix - - n - - smtp
            showq      unix n - n - - showq
            error      unix - - n - - error
            discard    unix - - n - - discard
            local      unix - n n - - local
            virtual    unix - n n - - virtual
            lmtp       unix - - n - - lmtp
            anvil      unix - - n - 1 anvil
            scache     unix - - n - 1 scache
            maildrop   unix - n n - - pipe
              flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
            old-cyrus  unix - n n - - pipe
              flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
            cyrus      unix - n n - - pipe
              user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
            uucp       unix - n n - - pipe
              flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
            ifmail     unix - n n - - pipe
              flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
            bsmtp      unix - n n - - pipe
              flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient

            # postconf -c /etc/postfix/OUT -n
            alias_database = hash:/etc/postfix/aliases
            alias_maps = $alias_database
            body_checks = pcre:/etc/postfix/OUT/body_checks
            body_checks_size_limit = 512000
            bounce_queue_lifetime = 3d
            bounce_template_file = /etc/postfix/bounce.cf
            command_directory = /opt/vrnetze/postfix/sbin
            config_directory = /etc/postfix/OUT
            daemon_directory = /opt/vrnetze/postfix/libexec
            data_directory = /var/spool/postfix-OUT/DATA
            debug_peer_level = 2
            default_privs = nobody
            default_process_limit = 200
            disable_vrfy_command = yes
            fast_flush_domains = $relay_domains
            header_checks = pcre:/etc/postfix/OUT/header_checks
            html_directory = no
            inet_interfaces = all
            luser_relay = g_cna_fw@...
            mail_name = Mailservice
            mail_owner = postfix
            mailbox_size_limit = 56000001
            mailq_path = /usr/bin/mailq
            manpage_directory = /opt/vrnetze/postfix/man
            maximal_queue_lifetime = 3d
            message_size_limit = 56000000
            mime_header_checks = pcre:/etc/postfix/OUT/mime_header_checks
            mydestination = $myhostname, localhost.$mydomain
            mydomain = EXAMPLE.COM
            myhostname = mail.EXAMPLE.COM
            mynetworks = /etc/postfix/relay_from_networks
            myorigin = $myhostname
            newaliases_path = /usr/bin/newaliases
            proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
            queue_directory = /var/spool/postfix-OUT
            readme_directory = /opt/vrnetze/postfix/doc
            receive_override_options = no_address_mappings
            relay_domains = /etc/postfix/relay_to_domains
            sample_directory = /etc/postfix
            sender_canonical_maps = btree:/etc/postfix/sender_canonical
            sendmail_path = /usr/lib/sendmail
            setgid_group = postdrop
            smtp_enforce_tls = no
            smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
            smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
            smtp_tls_key_file = /etc/postfix/CERTS/key.pem
            smtp_tls_loglevel = 1
            smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
            smtp_tls_scert_verifydepth = 8
            smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
            smtp_tls_session_cache_timeout = 3600s
            smtp_use_tls = yes
            smtpd_banner = $myhostname ESMTP Mailservice
            smtpd_enforce_tls = no
            smtpd_recipient_restrictions = reject_non_fqdn_recipient,
            reject_non_fqdn_sender, permit_mynetworks, reject
            smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
            smtpd_tls_ask_ccert = yes
            smtpd_tls_ccert_verifydepth = 8
            smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
            smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
            smtpd_tls_loglevel = 1
            smtpd_tls_received_header = yes
            smtpd_tls_req_ccert = no
            smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
            smtpd_tls_session_cache_timeout = 3600s
            smtpd_use_tls = yes
            soft_bounce = no
            syslog_name = postfix-OUT
            transport_maps = btree:/etc/postfix/fehlerdomains,
            btree:/etc/postfix/transport
            unknown_address_reject_code = 554
            unknown_local_recipient_reject_code = 550
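The smtp_tls_loglevel = 3 dump quoted in this thread logs the raw ClientHello bytes that Postfix wrote before the peer dropped the connection without a ServerHello ("read from ... (7 bytes => -1"). The following Python script is an added example, not code from the thread or from the Postfix project: it reassembles those syslog hex-dump lines into a TLS record and decodes the fields a defender would compare before and after an OpenSSL upgrade (record-layer version, ClientHello version, cipher-suite count, extensions, signature-algorithm hashes). The sample input is the 23 dump lines posted in the thread with their shared syslog prefix factored out and re-attached; the helper names (dump_to_bytes, parse_client_hello, summarize) are my own.

```python
"""Decode the ClientHello from a Postfix smtp_tls_loglevel=3 hex dump."""
import re
import struct

# Dump lines as posted in the thread; the shared syslog prefix is put back so
# the parser sees realistic log lines (ASCII gutter kept where the post had it).
PREFIX = "Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553 mail.info] "
SAMPLE_LOG = "\n".join(PREFIX + l for l in """\
0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 b7
0010 a5 91 88 61 35 5b 04 b0|16 00 7a 15 84 3c b5 0b
0020 59 23 37 d6 e4 7d 6f 15|82 8f c6 00 00 ca c0 19
0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28 .
0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b
0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a
0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17
0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13
0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34
0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09
00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32
00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25
00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07
00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04
00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08
00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04
0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19
0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08
0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13
0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00
0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02 ..."."
0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01
0160 02 02 02 03 01 01 00 0f|00 01 01""".splitlines())

# "] 0030 c0 20 ... c0 28 ." -> 4-digit offset plus at most 16 byte tokens
# separated by a space or "|"; the ASCII gutter after them is not captured.
HEX_LINE = re.compile(r"\]\s+([0-9a-f]{4})\s+((?:[0-9a-f]{2}[ |]){0,15}[0-9a-f]{2})")
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
EXT_NAMES = {0x0000: "server_name", 0x000a: "supported_groups", 0x000b: "ec_point_formats",
             0x000d: "signature_algorithms", 0x000f: "heartbeat", 0x0023: "session_ticket"}
HASH_NAMES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
RENEGOTIATION_SCSV = 0x00FF  # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)


def dump_to_bytes(log_text):
    """Reassemble the dumped record; the logged offsets must be contiguous."""
    data = bytearray()
    for line in log_text.splitlines():
        m = HEX_LINE.search(line)
        if m is None:
            continue
        if int(m.group(1), 16) != len(data):
            raise ValueError("dump not contiguous at offset " + m.group(1))
        data += bytes.fromhex(m.group(2).replace("|", " "))
    return bytes(data)


def parse_client_hello(record):
    """Walk one TLS record that must carry a ClientHello (RFC 5246 7.4.1.2)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                  # client_version + 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                         # skip compression_methods
    extensions = []
    if pos < len(hello):                          # extensions block is optional
        end = pos + 2 + struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            extensions.append((etype, hello[pos + 4:pos + 4 + elen]))
            pos += 4 + elen
    return {"record_version": (record[1], record[2]), "client_version": (hello[0], hello[1]),
            "session_id_len": sid_len, "cipher_suites": suites, "extensions": extensions}


def summarize(log_text):
    """Reduce the dump to the facts worth comparing across OpenSSL builds."""
    h = parse_client_hello(dump_to_bytes(log_text))
    ext = dict(h["extensions"])
    sigalgs = ext.get(0x000d, b"")                # 2-byte list length, then hash/sig pairs
    return {
        "record_version": VERSIONS.get(h["record_version"], str(h["record_version"])),
        "client_version": VERSIONS.get(h["client_version"], str(h["client_version"])),
        "cipher_suite_count": len(h["cipher_suites"]),
        "offers_renegotiation_scsv": RENEGOTIATION_SCSV in h["cipher_suites"],
        "resuming_session": h["session_id_len"] > 0,
        "extensions": [EXT_NAMES.get(t, hex(t)) for t, _ in h["extensions"]],
        "sends_sni": 0x0000 in ext,
        "sigalg_hashes": sorted({HASH_NAMES.get(b, str(b)) for b in sigalgs[2::2]}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the dump it reports a TLS 1.0 record layer carrying a TLS 1.2 ClientHello of 101 cipher suites, no server_name extension, the empty renegotiation SCSV, a session_ticket request and signature_algorithms listing MD5 through SHA-512 hashes. Those last two items (a TLS 1.2 hello and a signature_algorithms extension) are exactly what a 0.9.8 build could not send, so the decode pins down what the peer started seeing after the upgrade; why the peer then closes the connection still has to be established from its side, not from the client dump alone.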
          • Jan P. Kessler
            Message 5 of 15, Jun 15, 2013
              some additional information:

              # /opt/vrnetze/openssl/bin/openssl s_client -connect
              mxtls.allianz.com:25 -starttls smtp
              CONNECTED(00000004)
              depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary
              Certification Authority
              verify error:num=19:self signed certificate in certificate chain
              verify return:0
              ---
              Certificate chain
              0 s:/C=DE/ST=Bayern/L=Unterf\xC3\xB6hring/O=Allianz Managed Operations
              & Services SE/OU=Allianz Group/CN=*.allianz.de
              i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
              https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
              1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
              https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
              i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
              VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
              Primary Certification Authority - G5
              2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006
              VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public
              Primary Certification Authority - G5
              i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
              Authority
              3 s:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
              Authority
              i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
              Authority
              ---
              Server certificate
              -----BEGIN CERTIFICATE-----
              MIIFVzCCBD+gAwIBAgIQRje+sRdEDc8quKMQfyp3vTANBgkqhkiG9w0BAQUFADCB
              tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
              ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
              YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
              VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTMwMjE5
              MDAwMDAwWhcNMTQwMjI0MjM1OTU5WjCBmDELMAkGA1UEBhMCREUxDzANBgNVBAgM
              BkJheWVybjEWMBQGA1UEBwwNVW50ZXJmw7ZocmluZzExMC8GA1UECgwoQWxsaWFu
              eiBNYW5hZ2VkIE9wZXJhdGlvbnMgJiBTZXJ2aWNlcyBTRTEWMBQGA1UECwwNQWxs
              aWFueiBHcm91cDEVMBMGA1UEAwwMKi5hbGxpYW56LmRlMIIBIjANBgkqhkiG9w0B
              AQEFAAOCAQ8AMIIBCgKCAQEA34vFk6ijdJ5H/IdHOPvyvFPa/I/CN0+NvhmgluJs
              5p2IebxKNYZb+K7PiQSMD+aeFLw8EEbKdRIya7+KgKKkcrWKXMY68dZ3ehANvm7L
              OEQgSy0DsGsWEH5HUUw2vzY9Se66LNwYausPWwEOP2dBCtPq6xISAzv0WmL89z4b
              CuxjQV1pK9Qm7Ee5bm9gIpTRHm8NXxyRCg0G49e+cU8D2+8NaYO/N1kLhnXXGKFx
              oo/wXEuqCD4SR0JDLq/Ues3o+pH/ObALlaZpl0DLOws4tCADGM36v8VmWA/PEMuT
              kowK2RxlNG1YHpp8CJutta9Ah4JvX/p4J4XrjR8In8gw1QIDAQABo4IBfDCCAXgw
              FwYDVR0RBBAwDoIMKi5hbGxpYW56LmRlMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQD
              AgWgMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZl
              cmlzaWduLmNvbS9TVlJTZWN1cmVHMy5jcmwwQwYDVR0gBDwwOjA4BgpghkgBhvhF
              AQc2MCowKAYIKwYBBQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9jcHMw
              HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQYMBaAFA1EXBZT
              RMGCfh0gqyX0AWPYvnmlMHYGCCsGAQUFBwEBBGowaDAkBggrBgEFBQcwAYYYaHR0
              cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUFBzAChjRodHRwOi8vU1ZSU2Vj
              dXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY2VyMA0GCSqGSIb3
              DQEBBQUAA4IBAQCTj4I2An6Sg02mjUwdNpbw+QwBZPnjixLFOTY02ehBGJ80eF1Y
              HkyCJQXiyuL9yiqdDU0iB+HfPkz8ASAPKpH2GZqU57hq0GEADrqift/3XVg681UF
              hvKBG6ciVrS2bgXpdBAE8XMMoLbbvruom4UrjphFMY4gNMkjFUn8kzNP8pFFuODx
              /26V6m/VSuqUq9H51F1G4NpsfAWJMrPatmnKBLV2nGhTMXe1AOraDGKTEFiM4DLf
              hOO3G/LjE0PLt1ALv3HagnWR5PbtSxVwaMHWdClHzWiwhaimtwiBZkbn1UN6FENI
              mF7X2lcyxk5n5Q5mGCNQQaIxkre04F8oXtAM
              -----END CERTIFICATE-----
              subject=/C=DE/ST=Bayern/L=Unterf\xC3\xB6hring/O=Allianz Managed
              Operations & Services SE/OU=Allianz Group/CN=*.allianz.de
              issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
              at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server
              CA - G3
              ---
              Acceptable client certificate CA names
              /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
              https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
              ---
              SSL handshake has read 6159 bytes and written 566 bytes
              ---
              New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
              Server public key is 2048 bit
              Secure Renegotiation IS NOT supported
              Compression: NONE
              Expansion: NONE
              SSL-Session:
              Protocol : TLSv1
              Cipher : DHE-RSA-AES256-SHA
              Session-ID:
              27BA0212310594A9E6BFA40D0ECB0D11C6B5AC6C0D43262B551072C99AE6AEF6
              Session-ID-ctx:
              Master-Key:
              00F84A8BEE171D1DD0DDE339984755CD253E804DDD7039A1C496D7348F03CF170F1B485133EFC1E67F5669279761A2D0
              Key-Arg : None
              PSK identity: None
              PSK identity hint: None
              SRP username: None
              TLS session ticket:
              0000 - 2c cb a1 28 60 8d dd ab-22 b3 fd 81 d4 bd 2d fd
              ,..(`...".....-.
              0010 - 35 30 7e 80 4a ea 42 fd-2a 17 ec 73 3d b7 51 7d
              50~.J.B.*..s=.Q}
              0020 - 48 7b 70 69 eb ed 92 2b-df 11 af 10 7a 81 30 63
              H{pi...+....z.0c
              0030 - b1 04 54 a9 e3 e8 80 63-e4 72 a3 01 95 c4 56 e9
              ..T....c.r....V.
              0040 - 32 b5 2e 55 8b ae 34 da-29 73 90 82 1f 4a e0 f7
              2..U..4.)s...J..
              0050 - ff f9 dd 3e d5 f1 33 6c-34 7a ed 59 4a 8f 38 ae
              ...>..3l4z.YJ.8.
              0060 - 6b e0 49 5d 4b 1b bf 27-5b 64 86 a4 e5 38 3e 9b
              k.I]K..'[d...8>.
              0070 - e8 a7 81 75 92 78 02 10-5d e5 be a2 c8 f9 87 7b
              ...u.x..]......{
              0080 - eb bb c7 90 c7 70 0f 63-83 cf 20 d5 b3 65 33 a4 .....p.c..
              ..e3.
              0090 - 65 34 18 75 10 6b 91 0f-73 af 9b 79 43 a4 a8 de
              e4.u.k..s..yC...

              Start Time: 1371343913
              Timeout : 300 (sec)
              Verify return code: 19 (self signed certificate in certificate chain)
              ---
              250 HELP
              HELO mail.EXAMPLE.COM
              250 mailgw.allianz.de Hello mail.EXAMPLE.COM [91.235.236.8], pleased to
              meet you
              MAIL FROM:jpk@...
              250 2.1.0 jpk@...... Sender ok
              RCPT TO:XXX.YYY@...
              RENEGOTIATING
              [CTRL+C]



              On 16.06.2013 01:58, Jan P. Kessler wrote:
              > >> # openssl
              > >> ./Configure \
              > >> --prefix=${BASE}/openssl \
              > >> --openssldir=${BASE}/openssl \
              > >> solaris-sparcv9-cc
              > >> make; make install
              > >>
              > >> # postfix
              > >> MYLIBS="-R${BASE}/openssl/lib -R/usr/local/BerkeleyDB.4.7/lib
              > >> -R/usr/local/lib -L${BASE}/openssl/lib -L/usr/local/BerkeleyDB.4.7/lib
              > >> -L/usr/local/lib"
              > >> MYINCL="-I${BASE}/openssl/include -I/usr/local/BerkeleyDB.4.7/include
              > >> -I/usr/local/include"
              > >>
              > >> make tidy; make makefiles \
              > >> CCARGS="-DHAS_DB -DUSE_TLS -DHAS_PCRE ${MYINCL}" \
              > >> AUXLIBS="${MYLIBS} -ldb -lssl -lcrypto -lpcre"
              > >> make; make upgrade
              >
              > The openssl update from 0.9.8k to 1.0.1e solved the client certificate
              > issue. Unfortunately now we see another problem with the outgoing
              > instance, trying to send to another partner with mandatory TLS:
              >
              > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
              > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
              > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] 704A35DD5: Cannot start TLS: handshake failure
              > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.21] said: 403
              > 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
              > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
              > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
              > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] 704A35DD5: Cannot start TLS: handshake failure
              > Jun 16 00:28:55 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] 704A35DD5: to=<XXX.YYY@...>,
              > relay=mxtls.allianz.com[194.127.3.22]:25, delay=62663,
              > delays=62662/0/0.54/0.01, dsn=4.7.0, status=deferred (host
              > mxtls.allianz.com[194.127.3.22] said: 403 4.7.0 encryption too weak 0
              > less than 256 (in reply to MAIL FROM command))
              >
              > BEFORE UPGRADE:
              > Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
              > mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
              > Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
              > mail.info] certificate verification failed for
              > mxtls.allianz.com[194.127.3.21]:25: untrusted issuer /C=US/O=VeriSign,
              > Inc./OU=Class 3 Public Primary Certification Authority
              > Jun 14 11:43:41 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
              > mail.info] Untrusted TLS connection established to
              > mxtls.allianz.com[194.127.3.21]:25: TLSv1 with cipher DHE-RSA-AES256-SHA
              > (256/256 bits)
              > Jun 14 11:43:42 rv-smtpext-101 postfix-OUT/smtp[22235]: [ID 197553
              > mail.info] 19688599D: to=<XXX.YYY@...>,
              > relay=mxtls.allianz.com[194.127.3.21]:25, delay=0.94,
              > delays=0.03/0/0.48/0.43, dsn=2.0.0, status=sent (250 2.0.0
              > r5E9hfN2006147 Message accepted for delivery)
              >
              > Other outgoing TLS connections seem to work fine:
              >
              > Jun 16 00:29:52 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] setting up TLS connection to
              > gmail-smtp-in.l.google.com[173.194.70.26]:25
              > Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] Trusted TLS connection established to
              > gmail-smtp-in.l.google.com[173.194.70.26]:25: TLSv1.2 with cipher
              > ECDHE-RSA-RC4-SHA (128/128 bits)
              > Jun 16 00:29:53 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
              > mail.info] CBF8256AD: to=<AAA.BBB@...>,
              > relay=gmail-smtp-in.l.google.com[173.194.70.26]:25, delay=0.85,
              > delays=0.01/0/0.18/0.65, dsn=2.0.0, status=sent (250 2.0.0 OK 1371335393
              > b5si7050738eew.190 - gsmtp)
              >
              > Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
              > setting up TLS connection to smail2-neu.mailintern.local[10.221.24.22]:25
              > Jun 16 00:29:54 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
              > Trusted TLS connection established to
              > smail2-neu.mailintern.local[10.221.24.22]:25: TLSv1 with cipher
              > DHE-RSA-AES256-SHA (256/256 bits)
              > Jun 16 00:29:55 rv-smtpext-101 postfix/smtp[298]: [ID 197553 mail.info]
              > 6195A56F4: to=<CCC.DDD@...>,
              > relay=smail2-neu.mailintern.local[10.221.24.22]:25, delay=11,
              > delays=11/0/0.14/0.15, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as
              > 98BABC6DA0)
              >
              > Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
              > mail.info] setting up TLS connection to smtpcl3.fiducia.de[195.200.34.38]:25
              > Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
              > mail.info] smtpcl3.fiducia.de[195.200.34.38]:25: re-using session with
              > untrusted certificate, look for details earlier in the log
              > Jun 16 00:29:57 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
              > mail.info] Untrusted TLS connection established to
              > smtpcl3.fiducia.de[195.200.34.38]:25: TLSv1 with cipher
              > DHE-RSA-AES256-SHA (256/256 bits)
              > Jun 16 00:29:58 rv-smtpext-101 postfix-OUT/smtp[28897]: [ID 197553
              > mail.info] 932B356AF: to=<EEE.FFF@...>,
              > relay=smtpcl3.fiducia.de[195.200.34.38]:25, delay=2.1,
              > delays=0.58/0.07/0.26/1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
              > as 7C5731C8C89)
              >
              > I have already tried to wipe the smtp_scache.db without success. Could
              > you give me another hint? Verbose logs and configuration follow at the
              > end of this mail.
              >
              > > If you're interested, I now have another option for you, a Postfix
              > > patch that will likely enable support for SHA-2 digests even when
              > > Postfix is compiled and linked with OpenSSL 0.9.8.
              >
              > May I ask if this would have a chance to be included in future postfix
              > releases? Just to know if postfix has to be patched again with updates.
              >
              > > Keep in mind that the latest OpenSSL 0.9.8 patch level is now
              > > 0.9.8y, and I seem to recall that you had 0.9.8k, which likely has
              > > various unpatched bugs. So you should probably upgrade the system's
              > > OpenSSL 0.9.8 libraries to 0.9.8y.
              >
              > Thanks, but the 0.9.8k openssl lib is not the Solaris 10 default anyway.
              > It was installed separately some time ago from a different source
              > (sunfreeware) to compile postfix. I'd prefer to drop it completely. It
              > is not used by other software on these systems.
              >
              > # postconf -c /etc/postfix/OUT mail_version
              > mail_version = 2.8.13
              > # /opt/vrnetze/openssl/bin/openssl version
              > OpenSSL 1.0.1e 11 Feb 2013
              >
              > # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
              > # postqueue -c /etc/postfix/OUT -i 704A35DD5
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] mxtls.allianz.com[194.127.3.22]:25: TLS cipher list
              > "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] looking for session
              > smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
              > in smtp cache
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
              > mail.info] lookup smtp session
              > id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] SSL_connect:before/connect initialization
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 b7
              > ....f... b..Q....
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0010 a5 91 88 61 35 5b 04 b0|16 00 7a 15 84 3c b5 0b
              > ...a5[.. ..z..<..
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0020 59 23 37 d6 e4 7d 6f 15|82 8f c6 00 00 ca c0 19
              > Y#7..}o. ........
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28 .
              > ...m.: ...0.,.(
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b
              > .$....." .!.....k
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a
              > .j.9.8.. ...2...*
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0060 c0 26 c0 0f c0 05 00 9d|00 3d 00 35 00 84 c0 17
              > .&...... .=.5....
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0070 c0 1a 00 1b c0 12 c0 08|c0 1c c0 1b 00 16 00 13
              > ........ ........
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0080 c0 0d c0 03 00 0a c0 18|c0 1d 00 a6 00 6c 00 34
              > ........ .....l.4
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0090 00 9b 00 46 c0 2f c0 2b|c0 27 c0 23 c0 13 c0 09
              > ...F./.+ .'.#....
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 00a0 c0 1f c0 1e 00 a2 00 9e|00 67 00 40 00 33 00 32
              > ........ .g.@.3.2
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 00b0 00 9a 00 99 00 45 00 44|c0 31 c0 2d c0 29 c0 25
              > .....E.D .1.-.).%
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 00c0 c0 0e c0 04 00 9c 00 3c|00 2f 00 96 00 41 00 07
              > .......< ./...A..
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 00d0 c0 16 00 18 c0 11 c0 07|c0 0c c0 02 00 05 00 04
              > ........ ........
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 00e0 00 1a 00 15 00 12 00 09|00 19 00 14 00 11 00 08
              > ........ ........
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 00f0 00 06 00 17 00 03 00 ff|01 00 00 6f 00 0b 00 04
              > ........ ...o....
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0100 03 00 01 02 00 0a 00 34|00 32 00 0e 00 0d 00 19
              > .......4 .2......
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0110 00 0b 00 0c 00 18 00 09|00 0a 00 16 00 17 00 08
              > ........ ........
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0120 00 06 00 07 00 14 00 15|00 04 00 05 00 12 00 13
              > ........ ........
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0130 00 01 00 02 00 03 00 0f|00 10 00 11 00 23 00 00
              > ........ .....#..
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0140 00 0d 00 22 00 20 06 01|06 02 06 03 05 01 05 02 ...".
              > .. ........
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0150 05 03 04 01 04 02 04 03|03 01 03 02 03 03 02 01
              > ........ ........
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0160 02 02 02 03 01 01 00 0f|00 01 01
              > ........ ...
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] SSL_connect:SSLv2/v3 write client hello A
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
              > Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] SSL_connect:error in SSLv2/v3 read server hello A
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.22]:25: -1
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] remove session
              > smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
              > from client cache
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
              > mail.info] delete smtp session
              > id=smtp:194.127.3.22:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 704A35DD5: Cannot start TLS: handshake failure
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 704A35DD5: host mxtls.allianz.com[194.127.3.22] said: 403
              > 4.7.0 encryption too weak 0 less than 256 (in reply to MAIL FROM command)
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] mxtls.allianz.com[194.127.3.21]:25: TLS cipher list
              > "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] looking for session
              > smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
              > in smtp cache
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
              > mail.info] lookup smtp session
              > id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] SSL_connect:before/connect initialization
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] write to 000A3418 [000F6020] (363 bytes => 363 (0x16B))
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0000 16 03 01 01 66 01 00 01|62 03 03 51 bc f0 b3 70
              > ....f... b..Q...p
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0010 e9 dc 5b a9 11 c3 47 1e|77 5b 4a a8 81 81 26 40
              > ..[...G. w[J...&@
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0020 e2 0a 41 b0 2e b9 96 2c|2e 63 e4 00 00 ca c0 19
              > ..A...., .c......
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0030 c0 20 00 a7 00 6d 00 3a|00 89 c0 30 c0 2c c0 28 .
              > ...m.: ...0.,.(
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0040 c0 24 c0 14 c0 0a c0 22|c0 21 00 a3 00 9f 00 6b
              > .$....." .!.....k
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 0050 00 6a 00 39 00 38 00 88|00 87 c0 32 c0 2e c0 2a
              > .j.9.8.. ...2...*
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] SSL_connect:SSLv2/v3 write client hello A
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] read from 000A3418 [000E8098] (7 bytes => -1 (0xFFFFFFFF))
              > Jun 16 00:54:43 rv-smtpext-101 last message repeated 1 time
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] SSL_connect:error in SSLv2/v3 read server hello A
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] SSL_connect error to mxtls.allianz.com[194.127.3.21]:25: -1
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] remove session
              > smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
              > from client cache
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/tlsmgr[3008]: [ID 197553
              > mail.info] delete smtp session
              > id=smtp:194.127.3.21:25:mailgw.allianz.de&p=1&c=aNULL:-aNULL:ALL:+RC4:@STRENGTH&l=268439647
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 704A35DD5: Cannot start TLS: handshake failure
              > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
              > mail.info] 704A35DD5: to=<XXX.YYY@...>,
              > relay=mxtls.allianz.com[194.127.3.21]:25, delay=64211,
              > delays=64211/0/0.54/0.01, dsn=4.7.0, status=deferred (host
              > mxtls.allianz.com[194.127.3.21] said: 403 4.7.0 encryption too weak 0
              > less than 256 (in reply to MAIL FROM command))
              >
              >
              > # egrep -v "^#" /etc/postfix/OUT/master.cf
              > smtp26 inet n - n - 200 smtpd
              > -o smtpd_client_connection_count_limit=100
              > cryptosmtp unix - - n - 50 smtp
              > -o smtp_data_done_timeout=1200
              > tlsmgr unix - - n 1000? 1 tlsmgr
              > pickup fifo n - n 60 1 pickup
              > cleanup unix n - n - 0 cleanup
              > qmgr fifo n - n 300 1 qmgr
              > rewrite unix - - n - - trivial-rewrite
              > bounce unix - - n - 0 bounce
              > defer unix - - n - 0 bounce
              > trace unix - - n - 0 bounce
              > verify unix - - n - 1 verify
              > flush unix n - n 1000? 0 flush
              > proxymap unix - - n - - proxymap
              > smtp unix - - n - - smtp
              > relay unix - - n - - smtp
              > showq unix n - n - - showq
              > error unix - - n - - error
              > discard unix - - n - - discard
              > local unix - n n - - local
              > virtual unix - n n - - virtual
              > lmtp unix - - n - - lmtp
              > anvil unix - - n - 1 anvil
              > scache unix - - n - 1 scache
              > maildrop unix - n n - - pipe
              > flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
              > old-cyrus unix - n n - - pipe
              > flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
              > cyrus unix - n n - - pipe
              > user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
              > uucp unix - n n - - pipe
              > flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail
              > ($recipient)
              > ifmail unix - n n - - pipe
              > flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
              > bsmtp unix - n n - - pipe
              > flags=Fq. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop
              > $recipient
              >
              > # postconf -c /etc/postfix/OUT -n
              > alias_database = hash:/etc/postfix/aliases
              > alias_maps = $alias_database
              > body_checks = pcre:/etc/postfix/OUT/body_checks
              > body_checks_size_limit = 512000
              > bounce_queue_lifetime = 3d
              > bounce_template_file = /etc/postfix/bounce.cf
              > command_directory = /opt/vrnetze/postfix/sbin
              > config_directory = /etc/postfix/OUT
              > daemon_directory = /opt/vrnetze/postfix/libexec
              > data_directory = /var/spool/postfix-OUT/DATA
              > debug_peer_level = 2
              > default_privs = nobody
              > default_process_limit = 200
              > disable_vrfy_command = yes
              > fast_flush_domains = $relay_domains
              > header_checks = pcre:/etc/postfix/OUT/header_checks
              > html_directory = no
              > inet_interfaces = all
              > luser_relay = g_cna_fw@...
              > mail_name = Mailservice
              > mail_owner = postfix
              > mailbox_size_limit = 56000001
              > mailq_path = /usr/bin/mailq
              > manpage_directory = /opt/vrnetze/postfix/man
              > maximal_queue_lifetime = 3d
              > message_size_limit = 56000000
              > mime_header_checks = pcre:/etc/postfix/OUT/mime_header_checks
              > mydestination = $myhostname, localhost.$mydomain
              > mydomain = EXAMPLE.COM
              > myhostname = mail.EXAMPLE.COM
              > mynetworks = /etc/postfix/relay_from_networks
              > myorigin = $myhostname
              > newaliases_path = /usr/bin/newaliases
              > proxy_interfaces = 91.235.236.6, 91.235.236.7, 91.235.236.8, 91.235.236.9
              > queue_directory = /var/spool/postfix-OUT
              > readme_directory = /opt/vrnetze/postfix/doc
              > receive_override_options = no_address_mappings
              > relay_domains = /etc/postfix/relay_to_domains
              > sample_directory = /etc/postfix
              > sender_canonical_maps = btree:/etc/postfix/sender_canonical
              > sendmail_path = /usr/lib/sendmail
              > setgid_group = postdrop
              > smtp_enforce_tls = no
              > smtp_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
              > smtp_tls_cert_file = /etc/postfix/CERTS/cert.pem
              > smtp_tls_key_file = /etc/postfix/CERTS/key.pem
              > smtp_tls_loglevel = 1
              > smtp_tls_policy_maps = btree:/etc/postfix/TLS_EMPFAENGER
              > smtp_tls_scert_verifydepth = 8
              > smtp_tls_session_cache_database = btree:$data_directory/smtp_scache
              > smtp_tls_session_cache_timeout = 3600s
              > smtp_use_tls = yes
              > smtpd_banner = $myhostname ESMTP Mailservice
              > smtpd_enforce_tls = no
              > smtpd_recipient_restrictions = reject_non_fqdn_recipient,
              > reject_non_fqdn_sender, permit_mynetworks, reject
              > smtpd_tls_CAfile = /etc/postfix/CERTS/CAcert.pem
              > smtpd_tls_ask_ccert = yes
              > smtpd_tls_ccert_verifydepth = 8
              > smtpd_tls_cert_file = /etc/postfix/CERTS/cert.pem
              > smtpd_tls_key_file = /etc/postfix/CERTS/key.pem
              > smtpd_tls_loglevel = 1
              > smtpd_tls_received_header = yes
              > smtpd_tls_req_ccert = no
              > smtpd_tls_session_cache_database = btree:$data_directory/smtpd_scache
              > smtpd_tls_session_cache_timeout = 3600s
              > smtpd_use_tls = yes
              > soft_bounce = no
              > syslog_name = postfix-OUT
              > transport_maps = btree:/etc/postfix/fehlerdomains,
              > btree:/etc/postfix/transport
              > unknown_address_reject_code = 554
              > unknown_local_recipient_reject_code = 550
              >
              >
            • Viktor Dukhovni
              Message 6 of 15, Jun 15, 2013
                On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:

                > The openssl update from 0.9.8k to 1.0.1e solved the client certificate
                > issue. Unfortunately now we see another problem with the outgoing
                > instance, trying to send to another partner with mandatory TLS:

                > mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
                > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553

                Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
                attribute in the Postfix policy table.

                > > If you're interested, I now have another option for you, a Postfix
                > > patch that will likely enable support for SHA-2 digests even when
                > > Postfix is compiled and linked with OpenSSL 0.9.8.
                >
                > May I ask if this would have a chance to be included in future postfix
                > releases? Just to know if postfix has to be patched again with updates.

                My suggestion for Wietse was to include this in 2.10.1, and any
                future updates for earlier releases. I'll also add another small
                patch to solve bitrot with the server TLS session cache that is
                triggered by OpenSSL enabling TLSv1 session tickets. (Basically,
                just add SSL_OP_NO_TICKETS to the server-side session options).

                > # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3

                Don't enable levels higher than 2 unless requested.

                > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
                > mail.info] write to 000AD358 [000F6020] (363 bytes => 363 (0x16B))
                > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
                > mail.info] SSL_connect:SSLv2/v3 write client hello A
                > Jun 16 00:54:43 rv-smtpext-101 postfix-OUT/smtp[3022]: [ID 197553
                > mail.info] read from 000AD358 [000E8098] (7 bytes => -1 (0xFFFFFFFF))

                Server hangs up after client SSL hello. Perhaps too many ciphers,
                or perhaps protocol compatibility issues, or something else entirely,
                but what's new with 1.0.1e is mostly more ciphers and new protocols.

                Try adding "protocols=TLSv1" to the policy entry for this site,
                and if your Postfix is sufficiently new (and knows about TLSv1.1
                and TLSv1.2) all other protocols will be disabled, and you may find
                that TLS works for you again.

                You've sure had some wicked bad luck with picking TLS partner sites. :-(

                --
                Viktor.
              • Jan P. Kessler
                Message 7 of 15, Jun 16, 2013
                  Am 16.06.2013 05:00, schrieb Viktor Dukhovni:
                  > On Sun, Jun 16, 2013 at 01:58:27AM +0200, Jan P. Kessler wrote:
                  >
                  > > The openssl update from 0.9.8k to 1.0.1e solved the client certificate
                  > > issue. Unfortunately now we see another problem with the outgoing
                  > > instance, trying to send to another partner with mandatory TLS:
                  >
                  > > mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.21]:25
                  > > Jun 16 00:28:54 rv-smtpext-101 postfix-OUT/smtp[28488]: [ID 197553
                  >
                  > Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
                  > attribute in the Postfix policy table.

                  Thanks, that worked (postfix 2.8.13):

                  policy_table:
                  [mxtls.allianz.com] verify protocols=SSLv3:TLSv1

                  # postqueue -c /etc/postfix/OUT -i 704A35DD5
                  Jun 16 10:31:04 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553
                  mail.info] setting up TLS connection to mxtls.allianz.com[194.127.3.22]:25
                  Jun 16 10:31:05 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553
                  mail.info] Trusted TLS connection established to
                  mxtls.allianz.com[194.127.3.22]:25: TLSv1 with cipher DHE-RSA-AES256-SHA
                  (256/256 bits)
                  Jun 16 10:31:06 rv-smtpext-101 postfix-OUT/smtp[20600]: [ID 197553
                  mail.info] 704A35DD5: to=<XXX.YYY@...>,
                  relay=mxtls.allianz.com[194.127.3.22]:25, delay=98794,
                  delays=98792/0/0.43/1.8, dsn=2.0.0, status=sent (250 2.0.0
                  r5G8V4q9023307 Message accepted for delivery)

                  > > # postconf -c /etc/postfix/OUT smtp_tls_loglevel = 3
                  >
                  > Don't enable levels higher than 2 unless requested.

                  Yes, of course. Our normal setting is 1. Used this only for a second.

                  > Try adding "protocols=TLSv1" to the policy entry for this site,
                  > and if your Postfix is sufficiently new (and knows about TLSv1.1
                  > and TLSv1.2) all other protocols will be disabled, and you may find
                  > that TLS works for you again.
                  >
                  > You've sure had some wicked bad luck with picking TLS partner sites. :-(

                  Yep, that's what I thought, too ;)

                  Currently I fear that other partners might also be affected by this.
                  Now the queues are almost empty but most traffic with other mandatory
                  TLS partner sites will start to continue during work hours Mo-Fr and
                  I'll be out of office for a week. What do you think about deactivating
                  v1.1 and v1.2 globally?

                  Currently:
                  smtp_tls_mandatory_protocols = !SSLv2
                  smtp_tls_protocols = !SSLv2

                  Suggestion:
                  smtp_tls_mandatory_protocols = !SSLv2 !TLSv1.1 !TLSv1.2
                  smtp_tls_protocols = !SSLv2

                  Will this work or are we expected to run into other compatibility issues
                  with that from your experience?

                  P.S.: On one machine I tried to switch to a shared openssl 1.0.1e build
                  which also seems to work fine:

                  # ldd /opt/vrnetze/postfix/libexec/smtpd|grep -i ssl
                  libssl.so.1.0.0 => /opt/vrnetze/openssl/lib/libssl.so.1.0.0
                  libcrypto.so.1.0.0 => /opt/vrnetze/openssl/lib/libcrypto.so.1.0.0

                  Am I right concluding that this won't require a postfix rebuild on new
                  openssl 1.0.x versions?

                  Again, thank you very much for your time and thoughts!
                • /dev/rob0
                  Message 8 of 15, Jun 16, 2013
                    Beside the point, yet possibly of interest:

                    On Sun, Jun 16, 2013 at 03:07:01AM +0200, Jan P. Kessler wrote:
                    > # /opt/vrnetze/openssl/bin/openssl s_client -connect
                    > mxtls.allianz.com:25 -starttls smtp
                    > CONNECTED(00000004)
                    snip
                    > ---
                    > 250 HELP
                    > HELO mail.EXAMPLE.COM
                    > 250 mailgw.allianz.de Hello mail.EXAMPLE.COM [91.235.236.8],
                    > pleased to meet you
                    > MAIL FROM:jpk@...
                    > 250 2.1.0 jpk@...... Sender ok
                    > RCPT TO:XXX.YYY@...
                    > RENEGOTIATING
                    > [CTRL+C]

                    Excerpt from s_client(1) manual:

                    "
                    CONNECTED COMMANDS
                    If a connection is established with an SSL server then any data
                    received from the server is displayed and any key presses will be
                    sent to the server. When used interactively (which means neither
                    -quiet nor -ign_eof have been given), the session will be
                    renegotiated if the line begins with an R, and if the line begins
                    with a Q or if end of file is reached, the connection will be closed
                    down.
                    "

                    Your workaround is to use lowercase "r" in your RCPT TO command:

                    rcpt to:<XXX.YYY@...>
                    rCPT TO:<XXX.YYY@...>
                    --
                    http://rob0.nodns4.us/ -- system administration and consulting
                    Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
                  • Viktor Dukhovni
                    Message 9 of 15, Jun 18, 2013
                      On Sun, Jun 16, 2013 at 11:13:05AM +0200, Jan P. Kessler wrote:

                      > > Disable TLSv1.1 and TLSv1.2 for this destination. Use the protocols
                      > > attribute in the Postfix policy table.
                      >
                      > Thanks, that worked (postfix 2.8.13):
                      >
                      > policy_table:
                      > [mxtls.allianz.com] verify protocols=SSLv3:TLSv1

                      With the destination domain in [], or when "match=..." is explicitly
                      specified, the "verify" and "secure" levels are identical, otherwise
                      I would probably shun "verify" and use "secure" with explicit "match"
                      clauses as required.

                      > Currently I fear, that other partners might be also affected about this.
                      > Now the queues are almost empty but most traffic with other mandatory
                      > TLS partner sites will start to continue during work hours Mo-Fr and
                      > I'll be out of office for a week. What do you think about deactivating
                      > v1.1 and v1.2 globally?

                      Unlikely to cause any harm, and may help with some destinations.
                      You lose support for AEAD modes which protect against "CRIME" and
                      "BEAST", but those attacks are browser-specific.

                      > smtp_tls_mandatory_protocols = !SSLv2
                      > smtp_tls_protocols = !SSLv2
                      >
                      > Suggestion:
                      > smtp_tls_mandatory_protocols = !SSLv2 !TLSv1.1 !TLSv1.2
                      > smtp_tls_protocols = !SSLv2

                      You can set both the same for now. Ideally there'll be some pressure
                      on sites with broken TLSv1.2 (TLSv1.1 is a far more modest change)
                      to get their implementations upgraded. But if you have critical
                      traffic, it may be reasonable to be conservative in what you send...

                      > Will this work or are we expected to run into other compatibility issues
                      > with that from your experience?

                      TLSv1 is tried and true and largely sufficient, it is a very safe choice.

                      > P.S.: On one machine I tried to switch to a shared openssl 1.0.1e build
                      > which also seems to work fine:
                      >
                      > # ldd /opt/vrnetze/postfix/libexec/smtpd|grep -i ssl
                      > libssl.so.1.0.0 => /opt/vrnetze/openssl/lib/libssl.so.1.0.0
                      > libcrypto.so.1.0.0 => /opt/vrnetze/openssl/lib/libcrypto.so.1.0.0
                      >
                      > Am I right concluding that this won't require a postfix rebuild on new
                      > openssl 1.0.x versions?

                      I can't speak for the stability of the OpenSSL ABI. It is *supposed*
                      to work, whether it will, only time will tell. Many other users will
                      rely on this stability on systems where 1.0.0 or 1.0.1 is the default
                      OpenSSL library:

                      $ openssl version
                      OpenSSL 1.0.1e 11 Feb 2013

                      $ ldd $(type -p openssl) |
                            grep /usr/lib |
                            awk '{printf "%-20s %s\n", $1,$3}'
                      libssl.so.1.0.0 /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0
                      libcrypto.so.1.0.0 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0

                      --
                      Viktor.
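The per-destination "protocols=" attribute suggested in message 6, the policy entry that worked in message 7, and the global smtp_tls_mandatory_protocols change discussed above, checked with an added Python model that is not Postfix source code; it mirrors the documented list syntax (exclusion form "!NAME", inclusion form "NAME", never mixed, ':' separators in the policy table) and assumes a build that knows all five protocol names:

```python
# Added example (not Postfix source): a small model of how the Postfix smtp(8)
# client resolves the TLS protocol list for one destination from main.cf and
# an smtp_tls_policy_maps entry. Documented syntax: an exclusion list
# ("!NAME ...") enables every other known protocol, an inclusion list
# ("NAME ...") enables only the named ones, the two forms are never mixed,
# and the policy table separates names with ':' instead of whitespace/commas.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Assumption: the Postfix build is "sufficiently new" (Viktor's wording) and
# knows TLSv1.1 and TLSv1.2 in addition to the older names.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_protocols(spec: str, separators: str = " ,") -> Set[str]:
    """Return the set of enabled protocol names for a protocol list."""
    for sep in separators:
        spec = spec.replace(sep, " ")
    names = spec.split()
    if not names:
        raise ValueError("empty protocol list")
    excluded = {n[1:] for n in names if n.startswith("!")}
    included = {n for n in names if not n.startswith("!")}
    if excluded and included:
        raise ValueError("inclusion and exclusion forms mixed: %r" % spec)
    unknown = (excluded | included) - set(KNOWN_PROTOCOLS)
    if unknown:
        raise ValueError("unknown protocol name(s): " + ", ".join(sorted(unknown)))
    return set(KNOWN_PROTOCOLS) - excluded if excluded else included


@dataclass
class Policy:
    level: str                      # none, may, encrypt, verify, secure, ...
    protocols: Optional[Set[str]]   # from a "protocols=" attribute, if present


def parse_policy_entry(value: str) -> Policy:
    """Parse the value side of a policy table line, e.g. the entry from the
    thread: 'verify protocols=SSLv3:TLSv1'."""
    level, *attrs = value.split()
    protocols = None
    for attr in attrs:
        key, _, val = attr.partition("=")
        if key == "protocols":
            protocols = parse_protocols(val, separators=":")
    return Policy(level=level, protocols=protocols)


def effective_protocols(policy: Optional[Policy], main_cf: Dict[str, str]) -> Set[str]:
    """Protocols offered to a destination: a per-site 'protocols=' attribute
    wins; otherwise opportunistic TLS ('may', or no policy entry) uses
    smtp_tls_protocols and mandatory levels use smtp_tls_mandatory_protocols."""
    if policy is not None and policy.protocols is not None:
        return policy.protocols
    if policy is None or policy.level == "may":
        return parse_protocols(main_cf["smtp_tls_protocols"])
    if policy.level == "none":
        return set()
    return parse_protocols(main_cf["smtp_tls_mandatory_protocols"])


# The two main.cf variants from the thread and the per-site entry that worked.
MAIN_CF_CURRENT = {"smtp_tls_mandatory_protocols": "!SSLv2",
                   "smtp_tls_protocols": "!SSLv2"}
MAIN_CF_PROPOSED = {"smtp_tls_mandatory_protocols": "!SSLv2 !TLSv1.1 !TLSv1.2",
                    "smtp_tls_protocols": "!SSLv2"}
SITE_POLICY = parse_policy_entry("verify protocols=SSLv3:TLSv1")

if __name__ == "__main__":
    for label, cf in (("current", MAIN_CF_CURRENT), ("proposed", MAIN_CF_PROPOSED)):
        print(label, "per-site entry:", sorted(effective_protocols(SITE_POLICY, cf)))
        print(label, "other verify sites:",
              sorted(effective_protocols(Policy("verify", None), cf)))
```

With the proposed main.cf, every mandatory-TLS partner is offered only SSLv3 and TLSv1 while opportunistic destinations still get TLSv1.1 and TLSv1.2, which is the split the thread asks about.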