warning TLS 1.2 postfix 2.11

  • Robert Schetterer
    Message 1 of 5 , Mar 26, 2014
      Hi, on ubuntu lucid
      openssl is 0.9x

      with self compiled postfix 2.11

      and smtpd tls log level 1

      a warning appears like

      warning: TLS library problem: error:1409442E:SSL
      routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1099:SSL
      alert number 70:

      with i.e test

      openssl s_client -connect mail01.example.com:25 -starttls smtp -tls1_2
      -CApath /etc/ssl/

      this can not be avoided

      with i.e

      smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1_1, !TLSv1_2

      because TLS will get disabled

      warning: Invalid TLS protocol list "TLSv1, !SSLv2, !SSLv3, !TLSv1_1,
      !TLSv1_2": disabling TLS support

      I speculate TLSv1_1 and TLSv1_2 are not known because of OpenSSL version 0.9.x

      Am I right? Is best practice to ignore the warning?

      Best Regards
      Kind regards, Robert Schetterer

      --
      [*] sys4 AG

      http://sys4.de, +49 (89) 30 90 46 64
      Franziskanerstraße 15, 81669 München

      Registered office: Munich, Munich District Court: HRB 199263
      Management Board: Patrick Ben Koetter, Marc Schiffbauer
      Chairman of the Supervisory Board: Florian Kirstein
    • Andreas Schulze
      Message 2 of 5 , Mar 26, 2014
        Robert Schetterer:

        > warning: TLS library problem: error:1409442E:SSL
        > routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1099:SSL
        > alert number 70:

        your smtpd does not support TLS1.1/1.2 so you cannot disable its usage.
        But you cannot avoid other smtp clients trying to speak to you with that
        protocol version.

        These sessions will fail and it's up to the client to retry a lower
        protocol version.
        At least postfix-2.11 in this client role does handle this situation
        very well.

        > am i right ?
        yes

        > Best practice ignore warning ?
        yes too.
        you may find hosts unable to send to you because they try/have only a
        higher protocol version.
        But these should fall back to plaintext anyway.

        Andreas
      • Robert Schetterer
        Message 3 of 5 , Mar 26, 2014
          On 26.03.2014 13:22, Andreas Schulze wrote:
          >
          > Robert Schetterer:
          >
          >> warning: TLS library problem: error:1409442E:SSL
          >> routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1099:SSL
          >> alert number 70:
          >
          > your smtpd does not support TLS1.1/1.2 so you cannot disable its usage.
          > But you cannot avoid other smtp clients trying to speak to you with that
          > protocol version.
          >
          > These sessions will fail and it's up to the client to retry a lower
          > protocol version.
          > At least postfix-2.11 in this client role does handle this situation
          > very well.
          >
          >> am i right ?
          > yes
          >
          >> Best practice ignore warning ?
          > yes too.
          > you may find hosts unable to send to you because they try/have only a
          > higher protocol version.
          > But these should fall back to plaintext anyway.
          >
          > Andreas
          >

          Ok, thx


          Best Regards
          Kind regards, Robert Schetterer
        • Viktor Dukhovni
          Message 4 of 5 , Mar 26, 2014
            On Wed, Mar 26, 2014 at 10:58:12AM +0100, Robert Schetterer wrote:

            > Hi, on ubuntu lucid
            > openssl is 0.9x
            >
            > with self compiled postfix 2.11

            This combination of ancient OpenSSL and bleeding edge Postfix is
            suboptimal from a TLS perspective. Most of the newer features
            in Postfix TLS support require OpenSSL 1.0.0 or newer.

            Real mail clients do not generally enable just TLSv1.2; there are
            still MTAs out there that support only SSLv3, not even TLSv1.

            --
            Viktor.
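The protocol-list and version-mismatch behaviour discussed in this thread, as an added example that is not from the original posts or from Postfix itself: a simplified Python model of how an smtpd_tls_protocols value is checked against the protocol names the linked OpenSSL library knows, and whether a peer offering only certain versions can still complete a handshake. The KNOWN_BY_LIBRARY table, the ALIASES map and the exact inclusion/exclusion rules are assumptions for illustration, not Postfix's own tls_protocol_mask code.

```python
"""Added example (not Postfix's own code): a simplified model of how a
Postfix smtpd_tls_protocols list is interpreted against the protocol
names the linked OpenSSL library knows, and whether a peer that offers
only certain versions can still complete a handshake."""

# Assumption: which protocol names each OpenSSL generation exposes.
# OpenSSL 0.9.8 has no TLS 1.1/1.2, which is the situation in the thread.
KNOWN_BY_LIBRARY = {
    "0.9.8": {"SSLv2", "SSLv3", "TLSv1"},
    "1.0.1": {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"},
}
# The underscore spelling appears in the thread; treated here as an alias.
ALIASES = {"TLSv1_1": "TLSv1.1", "TLSv1_2": "TLSv1.2"}


def disabled(value):
    """Result for an unusable list: no versions, plus the warning seen in the thread."""
    return set(), 'warning: Invalid TLS protocol list "%s": disabling TLS support' % value


def parse_protocol_list(value, openssl_version):
    """Return (enabled_versions, warning_or_None).

    Modelled rules (simplified assumption): every name must be known to the
    library; '!name' excludes, a bare name includes; the enabled set is the
    included names (or everything the library knows) minus the exclusions.
    An unknown name or an empty result disables TLS entirely.
    """
    known = KNOWN_BY_LIBRARY[openssl_version]
    include, exclude = set(), set()
    for tok in value.replace(",", " ").split():
        name = tok.lstrip("!")
        name = ALIASES.get(name, name)
        if name not in known:
            return disabled(value)
        (exclude if tok.startswith("!") else include).add(name)
    enabled = (include or set(known)) - exclude
    return (enabled, None) if enabled else disabled(value)


def handshake_possible(server_enabled, client_offered):
    """A version is negotiated only if both sides enable one in common;
    otherwise the server answers with a protocol_version alert (number 70),
    the library error the original post shows for a -tls1_2-only client."""
    return bool(server_enabled & client_offered)
```

With the thread's list on a 0.9.8 library the unknown TLSv1_1/TLSv1_2 names disable TLS, while the same list on 1.0.1 leaves only TLSv1 enabled; a server with only TLSv1 and a client offering only TLSv1.2 cannot negotiate at all.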
          • Robert Schetterer
            Message 5 of 5 , Mar 26, 2014
              On 26.03.2014 16:25, Viktor Dukhovni wrote:
              > On Wed, Mar 26, 2014 at 10:58:12AM +0100, Robert Schetterer wrote:
              >
              >> Hi, on ubuntu lucid
              >> openssl is 0.9x
              >>
              >> with self compiled postfix 2.11
              >
              > This combination of ancient OpenSSL and bleeding edge Postfix is
              > suboptimal from a TLS perspective. Most of the newer features
              > in Postfix TLS support require OpenSSL 1.0.0 or newer.

              tmp problem, servers will get replaced in total this year

              >
              > Real mail clients do not generally enable just TLSv1.2, there are
              > still MTAs out there that support only SSLv3, not even TLSv1.

              ok I will re-enable SSLv3

              >

              thx for info


              Best Regards
              Kind regards, Robert Schetterer