
Postfix TLS: SSL3_GET_CLIENT_HELLO:no shared cipher


wh...@hushmail.com

Sep 5, 2011, 3:27:34 AM

Hi,

I have a postfix set-up with TLS activated.
Outlook 2010 and Thunderbird can send any e-mail just fine.

Openssl -connect <servername> -starttls smtp returned no error
either.

The thing is I'm trying to check my SSL configuration using this
tool:
http://www.networking4all.com/en/support/tools/site+check/report/

and while it can validate my certificate just fine, it says that it
can't establish a secure connection.

I inspected my maillog and this is what I get:

maillog:
Aug 31 21:01:42 johndoe postfix/smtpd[10223]: connect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:01:42 johndoe postfix/smtpd[10223]: NOQUEUE: reject:
CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1
<s097.networking4all.com[213.249.64.242]>: Client host rejected:
Access denied; proto=SMTP
Aug 31 21:01:43 johndoe postfix/smtpd[10223]: disconnect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:01:43 johndoe postfix/smtpd[10223]: connect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: SSL_accept error from
s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: lost connection after
CONNECT from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: disconnect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: connect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: NOQUEUE: reject:
CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1
<s097.networking4all.com[213.249.64.242]>: Client host rejected:
Access denied; proto=SMTP
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: disconnect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:01:54 johndoe postfix/smtpd[10223]: connect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: NOQUEUE: reject:
CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1
<s097.networking4all.com[213.249.64.242]>: Client host rejected:
Access denied; proto=SMTP
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: disconnect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: connect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: SSL_accept error from
s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: warning: TLS library
problem: 10223:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
shared cipher:s3_srvr.c:1221:
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: lost connection after
CONNECT from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: disconnect from
s097.networking4all.com[213.249.64.242]

So I added
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes

This is what I get in the maillog
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: initializing the
server-side TLS engine
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: connect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: setting up TLS
connection from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:01 johndoe postfix/smtpd[16200]:
s097.networking4all.com[213.249.64.242]: TLS cipher list
"ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Aug 31 21:38:01 johndoe postfix/smtpd[16200]:
SSL_accept:before/accept initialization
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read
client hello B
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write server hello A
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write certificate A
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write key exchange A
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write server done A
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
flush data
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read
client key exchange A
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read
finished A
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write change cipher spec A
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write finished A
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
flush data
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: Anonymous TLS
connection established from
s097.networking4all.com[213.249.64.242]: TLSv1 with cipher DHE-RSA-
AES256-SHA (256/256 bits)
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: NOQUEUE: reject:
CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1
<s097.networking4all.com[213.249.64.242]>: Client host rejected:
Access denied; proto=SMTP
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: disconnect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: connect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: setting up TLS
connection from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:02 johndoe postfix/smtpd[16200]:
s097.networking4all.com[213.249.64.242]: TLS cipher list
"ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Aug 31 21:38:02 johndoe postfix/smtpd[16200]:
SSL_accept:before/accept initialization
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept error from
s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: lost connection after
CONNECT from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: disconnect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: connect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: setting up TLS
connection from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]:
s097.networking4all.com[213.249.64.242]: TLS cipher list
"ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Aug 31 21:38:12 johndoe postfix/smtpd[16200]:
SSL_accept:before/accept initialization
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read
client hello B
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write server hello A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write key exchange A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write server done A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
flush data
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read
client key exchange A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read
finished A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write change cipher spec A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write finished A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
flush data
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: Anonymous TLS
connection established from
s097.networking4all.com[213.249.64.242]: TLSv1 with cipher ADH-
AES256-SHA (256/256 bits)
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: NOQUEUE: reject:
CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1
<s097.networking4all.com[213.249.64.242]>: Client host rejected:
Access denied; proto=SMTP
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: disconnect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: connect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: setting up TLS
connection from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:13 johndoe postfix/smtpd[16200]:
s097.networking4all.com[213.249.64.242]: TLS cipher list
"ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Aug 31 21:38:13 johndoe postfix/smtpd[16200]:
SSL_accept:before/accept initialization
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read
client hello B
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write server hello A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write key exchange A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write server done A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
flush data
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read
client key exchange A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read
finished A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write change cipher spec A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
write finished A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3
flush data
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: Anonymous TLS
connection established from
s097.networking4all.com[213.249.64.242]: TLSv1 with cipher ADH-
AES256-SHA (256/256 bits)
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: NOQUEUE: reject:
CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1
<s097.networking4all.com[213.249.64.242]>: Client host rejected:
Access denied; proto=SMTP
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: disconnect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: connect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: setting up TLS
connection from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:14 johndoe postfix/smtpd[16200]:
s097.networking4all.com[213.249.64.242]: TLS cipher list
"ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Aug 31 21:38:14 johndoe postfix/smtpd[16200]:
SSL_accept:before/accept initialization
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: SSL3 alert
write:fatal:handshake failure
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: SSL_accept:error in
SSLv3 read client hello C
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: SSL_accept error from
s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: warning: TLS library
problem: 16200:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
shared cipher:s3_srvr.c:1221:
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: lost connection after
CONNECT from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: disconnect from
s097.networking4all.com[213.249.64.242]
Aug 31 21:41:34 johndoe postfix/anvil[16203]: statistics: max
connection rate 3/60s for (smtps:213.249.64.242) at Aug 31 21:38:13
Aug 31 21:41:34 johndoe postfix/anvil[16203]: statistics: max
connection count 1 for (smtps:213.249.64.242) at Aug 31 21:38:02
Aug 31 21:41:34 johndoe postfix/anvil[16203]: statistics: max cache
size 1 at Aug 31 21:38:02

FYI in main.cf
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = medium
smtp_tls_protocols = !SSLv2, !SSLv3

Running Postfix 2.84 on CentOS 6.

So anyone got any insight?

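Triage of smtpd log lines like those above, as an added example (not code from the thread or from Postfix): it groups TLS handshake outcomes by client IP, attaches the "no shared cipher" library warning to the SSL_accept failure logged just before it, and flags anonymous-DH suites such as the ADH-AES256-SHA negotiated in the 21:38:12 handshake. The sample lines are constructed from the quoted log format.

```python
import re
from collections import defaultdict
# Constructed sample lines, modelled on the smtpd log format quoted in the thread.
SAMPLE_LOG = """\
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: Anonymous TLS connection established from s097.networking4all.com[213.249.64.242]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: Anonymous TLS connection established from s097.networking4all.com[213.249.64.242]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: SSL_accept error from s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: warning: TLS library problem: 16200:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1221:
"""

# The leading word (Anonymous/Untrusted/Trusted/Verified) describes the client
# certificate, not the key exchange, so the cipher name is what matters below.
ESTABLISHED = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: \w+ TLS connection established from "
    r"\S+\[(?P<ip>[\d.]+)\]: (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")
ACCEPT_ERROR = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: SSL_accept error from \S+\[(?P<ip>[\d.]+)\]")
LIBRARY_PROBLEM = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: TLS library problem: .*:SSL routines:(?P<func>\w+):(?P<reason>[^:]+):")

def is_anonymous_cipher(cipher):
    # ADH-/AECDH- suites use anonymous Diffie-Hellman: the server certificate is
    # never used, so the client gets encryption but no server authentication.
    return cipher.startswith(("ADH-", "AECDH-"))

def analyze(log_text):
    """Summarise TLS handshake outcomes per client IP from smtpd log lines."""
    clients = defaultdict(lambda: {"ciphers": [], "anonymous": 0, "failures": []})
    last_failed_client = {}  # pid -> ip of that process's most recent SSL_accept failure
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            entry = clients[m["ip"]]
            entry["ciphers"].append(f"{m['proto']} {m['cipher']}")
            if is_anonymous_cipher(m["cipher"]):
                entry["anonymous"] += 1
            continue
        m = ACCEPT_ERROR.search(line)
        if m:
            last_failed_client[m["pid"]] = m["ip"]
            clients[m["ip"]]["failures"].append("SSL_accept error")
            continue
        m = LIBRARY_PROBLEM.search(line)
        if m and m["pid"] in last_failed_client:
            # The library warning names no client; the same smtpd process logged
            # the SSL_accept failure just before it, so refine that entry's reason.
            ip = last_failed_client[m["pid"]]
            clients[ip]["failures"][-1] = f"{m['func']}: {m['reason']}"
    return dict(clients)

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```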

Wietse Venema

Sep 5, 2011, 8:21:27 AM
wh...@hushmail.com:

> Aug 31 21:38:14 johndoe postfix/smtpd[16200]:
> s097.networking4all.com[213.249.64.242]: TLS cipher list
> "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
...

> smtpd_tls_security_level = may
> smtpd_tls_mandatory_ciphers = medium
> smtp_tls_protocols = !SSLv2, !SSLv3

Comment out all your smtpd_tls lines (including the lines that you
did not show) until the output from the command "postconf -n" shows
only these four:

smtpd_tls_CAfile
smtpd_tls_cert_file
smtpd_tls_key_file
smtpd_tls_security_level

Then add back your tweaks one by one (executing the command "postfix
reload" after each change) and learn which change breaks inter-operability.

You may also find some helpful hints in www.postfix.org/TLS_README.html.

Wietse

Greg Hackney

Sep 5, 2011, 10:00:37 AM
wh...@hushmail.com wrote:
> The thing is I'm trying to check my SSL configuration using this
> tool:
> http://www.networking4all.com/en/support/tools/site+check/report/
>
> and while it can validate mt certificate just fine, it says that it
> can't establish a secure connection.
>

Be aware that test site looks at SMTPS port 465, and not STARTTLS over
port 25.

Make sure that master.cf has any -o options for smtps that you might
require.

wh...@hushmail.com

Sep 6, 2011, 1:10:25 AM

I did, I went as far as installing Postfix on a vanilla system on a
different distro (Ubuntu server).
I can confirm that even with only those four smtpd_tls lines the result
is no different.

hac...@cincomail.com wrote:

Thanks for pointing that out. Tcpdump does confirm that the
networking4all.com tool only probes port 465 in its smtps check.

This is my current master.cf config:

(. . . . .)

smtp      inet  n       -       -       -       -       smtpd
#submission inet n      -       -       -       -       smtpd
#  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING

(. . . . )

Anything I should change?

FWIW Outlook is able to connect to port 465 using SASL.

Interestingly, the networking4all.com SMTP server
(smtp.networking4all.com) is also running Postfix, and it passes its
own tool.
I wonder what config they put in main.cf and master.cf.

Thank you for your reply, Wietse and Greg.



Noel Jones

Sep 6, 2011, 7:36:17 AM

On 9/6/2011 12:10 AM, wh...@hushmail.com wrote:
>> wh...@hushmail.com wrote:
>>> The thing is I'm trying to check my SSL configuration using
>>> this tool:
>>>
>>> http://www.networking4all.com/en/support/tools/site+check/report/

I think that tool is broken in some way. It reports failure for
several sites that test OK with openssl. I wouldn't worry about
it if your site works properly with other tests or with a real
mail client.


-- Noel Jones
