[Postfixbuch-users] Postfix sendet RST nach TLS handshake

Alexander Busam a.busam at hofmann-foerdertechnik.com
Fr Nov 28 11:33:00 CET 2014 

Hallo zusammen!

Seit einigen Tagen habe ich Probleme mit Mailservern, die ihr Zertifikat
umgestellt haben. So wie es aussieht, kennt Postfix (Version 2.4.5) das
signierte digest des Zertifikats nicht und bricht die Verbindung ab.

Kennt jemand eine "schnelle" Möglichkeit, Postfix/OpenSSL (Version
0.9.8) dazu zu bringen, diese Zertifikaten zu akzeptieren, ohne es
upzugraden?

Vielen Dank
Alex

PacketCapture-Protokoll eines erfolglosen Connects:

No.     Time        Source                Destination           Protocol
Length Info
      1 0.000000    10.74.0.127           195.145.2.90          TCP     
62     59830→25 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1
      2 0.021089    195.145.2.90          10.74.0.127           TCP     
62     25→59830 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
      3 0.021101    10.74.0.127           195.145.2.90          TCP     
54     59830→25 [ACK] Seq=1 Ack=1 Win=14600 Len=0
      4 0.046547    195.145.2.90          10.74.0.127           SMTP    
101    S: 220 mail.xyz.de ESMTP Postfix
      5 0.046562    10.74.0.127           195.145.2.90          TCP     
54     59830→25 [ACK] Seq=1 Ack=48 Win=14600 Len=0
      6 0.046596    10.74.0.127           195.145.2.90          SMTP    
79     C: EHLO openssl.client.net
      7 0.066974    195.145.2.90          10.74.0.127           TCP     
60     25→59830 [ACK] Seq=48 Ack=26 Win=5840 Len=0
      8 0.067128    195.145.2.90          10.74.0.127           SMTP    
236    S: 250 mail.xyz.de | 250 PIPELINING | 250 SIZE 50000000 | 250
VRFY | 250 ETRN | 250 STARTTLS | 250 AUTH PLAIN | 250 AUTH=PLAIN | 250
ENHANCEDSTATUSCODES | 250 8BITMIME | 250 DSN
      9 0.067165    10.74.0.127           195.145.2.90          SMTP    
64     C: STARTTLS
     10 0.087733    195.145.2.90          10.74.0.127           SMTP    
84     S: 220 2.0.0 Ready to start TLS
     11 0.088795    10.74.0.127           195.145.2.90          TLSv1   
317    Client Hello
     12 0.124981    195.145.2.90          10.74.0.127           TLSv1   
1514   Server Hello
     13 0.126416    195.145.2.90          10.74.0.127           TLSv1   
1514   Certificate
     14 0.126451    10.74.0.127           195.145.2.90          TCP     
54     59830→25 [ACK] Seq=299 Ack=3180 Win=20440 Len=0
     15 0.147559    195.145.2.90          10.74.0.127           TLSv1   
585    Server Key Exchange
     16 0.152381    10.74.0.127           195.145.2.90          TCP     
2974   [TCP segment of a reassembled PDU]
     17 0.152396    10.74.0.127           195.145.2.90          TLSv1   
1157   Certificate
     18 0.176325    195.145.2.90          10.74.0.127           TCP     
60     25→59830 [ACK] Seq=3711 Ack=3219 Win=11680 Len=0
     19 0.179139    195.145.2.90          10.74.0.127           TCP     
60     25→59830 [RST, ACK] Seq=3711 Ack=4322 Win=14600 Len=0

Erfolgloser Connect:

Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: connect from
cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: setting up TLS
connection from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification
failed for cluster-d.mailcontrol.com: num=19:self signed certificate in
certificate chain
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification
failed for cluster-d.mailcontrol.com: num=7:certificate signature failure
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification
failed for cluster-d.mailcontrol.com: num=7:certificate signature failure
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: SSL_accept error from
cluster-d.mailcontrol.com[85.115.60.190]: -1
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: warning: TLS library
problem: 16667:error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:141:
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: warning: TLS library
problem: 16667:error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:141:
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: lost connection after
STARTTLS from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: disconnect from
cluster-d.mailcontrol.com[85.115.60.190]


Letzter erfolgreicher Connect:

Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: connect from
cluster-j.mailcontrol.com[85.115.54.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: setting up TLS
connection from cluster-j.mailcontrol.com[85.115.54.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: certificate verification
failed for cluster-j.mailcontrol.com: num=19:self signed certificate in
certificate chain
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]:
fingerprint=0F:D2:95:D8:D8:F8:B0:6C:07:7B:4C:9B:9F:22:A3:E0
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: Unverified:
subject_CN=*.mailcontrol.com, issuer=DigiCert High Assurance CA-3
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: TLS connection
established from cluster-j.mailcontrol.com[85.115.54.190]: TLSv1 with
cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 13 07:26:50 hmmailsrv postgrey[4818]: action=pass, reason=client
AWL, client_name=cluster-j.mailcontrol.com,
client_address=85.115.54.190, sender=a.b at abc.com, recipient=x.y at xyz.com
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: NOQUEUE:
client=cluster-j.mailcontrol.com[85.115.54.190]


main.cf:

alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
allow_min_user = yes
biff = no
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.de-DE.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 4h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix24/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 3d
message_size_limit = 50000000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = mail.xyz.de
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix24/README_FILES
relay_domains = hash:/etc/postfix/relay_domains,
proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix24/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_helo_name = mail.xyz.com
smtp_sasl_auth_enable = no
smtp_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtp_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_enforce_tls = no
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/access_recipient_roleaccounts,  check_sender_access
hash:/etc/postfix/access_sender_ok,               check_sender_access
hash:/etc/postfix/access_sender_allow_exe,  check_recipient_access
hash:/etc/postfix/access_recipient_ok,   check_recipient_access
hash:/etc/postfix/access_recipient_reject,    
reject_unknown_recipient_domain,        permit_sasl_authenticated,     
permit_mynetworks,      reject_rbl_client zen.spamhaus.org,  
reject_rbl_client ix.dnsbl.manitu.net,  reject_rbl_client
bl.spamcop.net,       check_policy_service unix:public/postgrey   
reject_unauth_destination,       permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport,
proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains,
hash:/etc/postfix/virtual_mailinglisten
virtual_alias_maps = hash:/etc/postfix/virtual,
hash:/etc/postfix/virtual_mailinglisten,
proxy:ldap:/etc/postfix/virtual.ldap,
proxy:ldap:/etc/postfix/virtual_mailverteiler.ldap

Mehr Informationen über die Mailingliste Postfixbuch-users