[Postfixbuch-users] Postfix TLS

Maximilian Thoma nospam at thoma.cc
Fri Jul 13 00:50:15 CEST 2007


Hello everyone,

I have now set up and tested TLS completely, but I am not quite sure
whether I still have an error somewhere (see log).


Jul 13 00:38:39 mailx postfix/smtpd[21481]: connect from mailgtw.muc.m.corp[10.65.33.210]
Jul 13 00:38:39 mailx postfix/smtpd[21481]: setting up TLS connection from mailgtw.muc.m.corp[10.65.33.210]
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:before/accept initialization
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read client hello B
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read client hello B
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 read client hello B
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 write server hello A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 write certificate A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 write server done A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 flush data
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read client certificate A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read client certificate A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 read client key exchange A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read certificate verify A
Jul 13 00:38:39 mailx last message repeated 3 times
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 read finished A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 write change cipher spec A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 write finished A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 flush data
Jul 13 00:38:39 mailx postfix/smtpd[21481]: save session A80FAD4479AB094369EDEEC122E47D24C42D0E56B3CDD17E77898D17E503E826 to smtpd cache
Jul 13 00:38:39 mailx postfix/tlsmgr[21478]: put smtpd session id=A80FAD4479AB094369EDEEC122E47D24C42D0E56B3CDD17E77898D17E503E826 [data 127 bytes]
Jul 13 00:38:39 mailx postfix/tlsmgr[21478]: write smtpd TLS cache entry A80FAD4479AB094369EDEEC122E47D24C42D0E56B3CDD17E77898D17E503E826: time=1184279919 [data 127 bytes]
Jul 13 00:38:39 mailx postfix/smtpd[21481]: TLS connection established from mailgtw.muc.m.corp[10.65.33.210]: TLSv1 with cipher AES256-SHA (256/256 bits)


All the SSL errors worry me:
--->
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read client hello B
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read client hello B
<---

Can any of you make sense of this? Has anyone had this before?


postconf -n

---
smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may
smtpd_tls_loglevel = 2
---

Have I forgotten anything in the TLS config?


At the top of the Postfix page it says that by enabling TLS you may be
taking on a security risk -->

WARNING

By turning on TLS support in Postfix, you not only get the ability to
encrypt mail and to authenticate clients or servers. You also turn on
thousands and thousands of lines of OpenSSL library code. Assuming that
OpenSSL is written as carefully as Wietse's own code, every 1000 lines
introduce one additional bug into Postfix.

Any negative experiences?


I also found a nice tool for checking TLS.

http://matthias.leisi.net/archives/157-TLS-Test-Script.html


Regards


Maximilian
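Added example, not part of the post above: a small Python parser that reads the smtpd lines from the posted log and reports, per TLS session, whether the handshake ended in a "TLS connection established" line and with which protocol and cipher, counting the "SSL_accept:error in ..." lines separately. The point it encodes: at smtpd_tls_loglevel = 2 those lines come from OpenSSL's state-machine callback and name the state in which SSL_accept had to return early; in the posted log the same state is entered again on the following line and the handshake completes, so the "TLS connection established" line (here TLSv1, AES256-SHA) is the one to judge by. OpenSSL's state names say "SSLv3" for a TLSv1 handshake as well. The sample log reuses the posted smtpd lines (tlsmgr cache lines left out); the second session, with an "SSL_accept error from ..." summary line, is constructed for contrast, and that line's exact wording is an assumption.

```python
import re
from dataclasses import dataclass, field

# Postfix syslog line: timestamp, host, postfix/program[pid]: message
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SETUP_RE = re.compile(r'^setting up TLS connection from (?P<peer>\S+)$')
ESTAB_RE = re.compile(
    r'^TLS connection established from (?P<peer>\S+): (?P<proto>\S+) '
    r'with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)$')
# Assumed wording of smtpd's handshake-failure summary line (not in the post).
FAIL_RE = re.compile(r'^SSL_accept error from (?P<peer>\S+): (?P<rc>-?\d+)$')

WEAK_PROTOS = {'SSLv2', 'SSLv3'}
WEAK_CIPHER_PREFIXES = ('RC4', 'DES', 'NULL', 'EXP', 'MD5')


@dataclass
class Session:
    pid: str
    peer: str
    states: list = field(default_factory=list)  # handshake states reached
    retries: int = 0             # "SSL_accept:error in <state>" lines
    outcome: str = 'incomplete'  # 'established' | 'failed' | 'incomplete'
    proto: str = ''
    cipher: str = ''
    bits: int = 0


def analyze(log_text):
    """Group smtpd TLS log lines into sessions, one per 'setting up TLS' line."""
    sessions, current = [], {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m['prog'] != 'smtpd':
            continue            # tlsmgr lines, "last message repeated", blanks
        pid, msg = m['pid'], m['msg']
        setup = SETUP_RE.match(msg)
        if setup:
            current[pid] = Session(pid, setup['peer'])
            sessions.append(current[pid])
            continue
        s = current.get(pid)
        if s is None:
            continue            # e.g. "connect from" before TLS setup
        if msg.startswith('SSL_accept:'):
            body = msg[len('SSL_accept:'):]
            if body.startswith('error in '):
                # Callback fired because SSL_accept returned <0 in this state;
                # with non-blocking I/O that includes "need more input", so the
                # state is re-entered. Only the final outcome line decides.
                s.retries += 1
            elif body.startswith('failed in '):
                s.outcome = 'failed'
            else:
                s.states.append(body)
        elif FAIL_RE.match(msg):
            s.outcome = 'failed'
        else:
            est = ESTAB_RE.match(msg)
            if est:
                s.outcome = 'established'
                s.proto, s.cipher = est['proto'], est['cipher']
                s.bits = int(est['bits'])
    return sessions


def findings(s):
    """Things an operator should act on for one session (empty = fine)."""
    if s.outcome != 'established':
        return ['handshake ' + s.outcome]
    out = []
    if s.proto in WEAK_PROTOS:
        out.append('weak protocol ' + s.proto)
    if any(tok.startswith(WEAK_CIPHER_PREFIXES) for tok in s.cipher.split('-')):
        out.append('weak cipher ' + s.cipher)
    return out


# First session: smtpd lines from the post. Second session: constructed.
SAMPLE_LOG = """\
Jul 13 00:38:39 mailx postfix/smtpd[21481]: connect from mailgtw.muc.m.corp[10.65.33.210]
Jul 13 00:38:39 mailx postfix/smtpd[21481]: setting up TLS connection from mailgtw.muc.m.corp[10.65.33.210]
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:before/accept initialization
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read client hello B
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read client hello B
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 read client hello B
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 write server hello A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 write certificate A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 write server done A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 flush data
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read client certificate A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read client certificate A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 read client key exchange A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:error in SSLv3 read certificate verify A
Jul 13 00:38:39 mailx last message repeated 3 times
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 read finished A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 write change cipher spec A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 write finished A
Jul 13 00:38:39 mailx postfix/smtpd[21481]: SSL_accept:SSLv3 flush data
Jul 13 00:38:39 mailx postfix/smtpd[21481]: TLS connection established from mailgtw.muc.m.corp[10.65.33.210]: TLSv1 with cipher AES256-SHA (256/256 bits)
Jul 13 00:40:01 mailx postfix/smtpd[21490]: connect from unknown[192.0.2.7]
Jul 13 00:40:01 mailx postfix/smtpd[21490]: setting up TLS connection from unknown[192.0.2.7]
Jul 13 00:40:01 mailx postfix/smtpd[21490]: SSL_accept:before/accept initialization
Jul 13 00:40:01 mailx postfix/smtpd[21490]: SSL_accept:error in SSLv2/v3 read client hello A
Jul 13 00:40:02 mailx postfix/smtpd[21490]: SSL_accept error from unknown[192.0.2.7]: -1
"""

if __name__ == '__main__':
    for s in analyze(SAMPLE_LOG):
        print(f'{s.pid} {s.peer}: {s.outcome} {s.proto} {s.cipher} '
              f'({len(s.states)} states, {s.retries} retries) {findings(s)}')
```

Run against the posted log, the first session reports 11 handshake states reached, 6 "error in" retries and an established TLSv1/AES256-SHA connection with no findings; the constructed second session reports "handshake failed". Sessions are tracked per smtpd process id and restarted at each "setting up TLS connection" line, because one smtpd process serves many connections over its lifetime.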




