[Postfixbuch-users] Postfix sends RST after TLS handshake
Alexander Busam
a.busam at hofmann-foerdertechnik.com
Fri Nov 28 11:33:00 CET 2014
Hello everyone!
For a few days I have been having problems with mail servers that have
changed their certificate. It looks as though Postfix (version 2.4.5) does
not know the signed digest of the certificate and drops the connection.
Does anyone know a "quick" way to get Postfix/OpenSSL (version 0.9.8) to
accept these certificates without upgrading it?
Many thanks
Alex
Packet capture of an unsuccessful connect:
No. Time     Source        Destination   Protocol Length Info
1   0.000000 10.74.0.127   195.145.2.90  TCP      62     59830→25 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1
2   0.021089 195.145.2.90  10.74.0.127   TCP      62     25→59830 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
3   0.021101 10.74.0.127   195.145.2.90  TCP      54     59830→25 [ACK] Seq=1 Ack=1 Win=14600 Len=0
4   0.046547 195.145.2.90  10.74.0.127   SMTP     101    S: 220 mail.xyz.de ESMTP Postfix
5   0.046562 10.74.0.127   195.145.2.90  TCP      54     59830→25 [ACK] Seq=1 Ack=48 Win=14600 Len=0
6   0.046596 10.74.0.127   195.145.2.90  SMTP     79     C: EHLO openssl.client.net
7   0.066974 195.145.2.90  10.74.0.127   TCP      60     25→59830 [ACK] Seq=48 Ack=26 Win=5840 Len=0
8   0.067128 195.145.2.90  10.74.0.127   SMTP     236    S: 250 mail.xyz.de | 250 PIPELINING | 250 SIZE 50000000 | 250 VRFY | 250 ETRN | 250 STARTTLS | 250 AUTH PLAIN | 250 AUTH=PLAIN | 250 ENHANCEDSTATUSCODES | 250 8BITMIME | 250 DSN
9   0.067165 10.74.0.127   195.145.2.90  SMTP     64     C: STARTTLS
10  0.087733 195.145.2.90  10.74.0.127   SMTP     84     S: 220 2.0.0 Ready to start TLS
11  0.088795 10.74.0.127   195.145.2.90  TLSv1    317    Client Hello
12  0.124981 195.145.2.90  10.74.0.127   TLSv1    1514   Server Hello
13  0.126416 195.145.2.90  10.74.0.127   TLSv1    1514   Certificate
14  0.126451 10.74.0.127   195.145.2.90  TCP      54     59830→25 [ACK] Seq=299 Ack=3180 Win=20440 Len=0
15  0.147559 195.145.2.90  10.74.0.127   TLSv1    585    Server Key Exchange
16  0.152381 10.74.0.127   195.145.2.90  TCP      2974   [TCP segment of a reassembled PDU]
17  0.152396 10.74.0.127   195.145.2.90  TLSv1    1157   Certificate
18  0.176325 195.145.2.90  10.74.0.127   TCP      60     25→59830 [ACK] Seq=3711 Ack=3219 Win=11680 Len=0
19  0.179139 195.145.2.90  10.74.0.127   TCP      60     25→59830 [RST, ACK] Seq=3711 Ack=4322 Win=14600 Len=0
Unsuccessful connect:
Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: connect from
cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: setting up TLS
connection from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification
failed for cluster-d.mailcontrol.com: num=19:self signed certificate in
certificate chain
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification
failed for cluster-d.mailcontrol.com: num=7:certificate signature failure
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification
failed for cluster-d.mailcontrol.com: num=7:certificate signature failure
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: SSL_accept error from
cluster-d.mailcontrol.com[85.115.60.190]: -1
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: warning: TLS library
problem: 16667:error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:141:
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: warning: TLS library
problem: 16667:error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:141:
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: lost connection after
STARTTLS from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: disconnect from
cluster-d.mailcontrol.com[85.115.60.190]
Last successful connect:
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: connect from
cluster-j.mailcontrol.com[85.115.54.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: setting up TLS
connection from cluster-j.mailcontrol.com[85.115.54.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: certificate verification
failed for cluster-j.mailcontrol.com: num=19:self signed certificate in
certificate chain
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]:
fingerprint=0F:D2:95:D8:D8:F8:B0:6C:07:7B:4C:9B:9F:22:A3:E0
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: Unverified:
subject_CN=*.mailcontrol.com, issuer=DigiCert High Assurance CA-3
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: TLS connection
established from cluster-j.mailcontrol.com[85.115.54.190]: TLSv1 with
cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 13 07:26:50 hmmailsrv postgrey[4818]: action=pass, reason=client
AWL, client_name=cluster-j.mailcontrol.com,
client_address=85.115.54.190, sender=a.b at abc.com, recipient=x.y at xyz.com
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: NOQUEUE:
client=cluster-j.mailcontrol.com[85.115.54.190]
main.cf:
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
allow_min_user = yes
biff = no
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.de-DE.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 4h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix24/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 3d
message_size_limit = 50000000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = mail.xyz.de
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix24/README_FILES
relay_domains = hash:/etc/postfix/relay_domains,
proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix24/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_helo_name = mail.xyz.com
smtp_sasl_auth_enable = no
smtp_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtp_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_enforce_tls = no
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = check_recipient_access
hash:/etc/postfix/access_recipient_roleaccounts, check_sender_access
hash:/etc/postfix/access_sender_ok, check_sender_access
hash:/etc/postfix/access_sender_allow_exe, check_recipient_access
hash:/etc/postfix/access_recipient_ok, check_recipient_access
hash:/etc/postfix/access_recipient_reject,
reject_unknown_recipient_domain, permit_sasl_authenticated,
permit_mynetworks, reject_rbl_client zen.spamhaus.org,
reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client
bl.spamcop.net, check_policy_service unix:public/postgrey
reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport,
proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains,
hash:/etc/postfix/virtual_mailinglisten
virtual_alias_maps = hash:/etc/postfix/virtual,
hash:/etc/postfix/virtual_mailinglisten,
proxy:ldap:/etc/postfix/virtual.ldap,
proxy:ldap:/etc/postfix/virtual_mailverteiler.ldap
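Added example, not part of the original post: a pure-Python DER walk that reports which signature digest each certificate in a presented chain was signed with, the value the `ASN1_item_verify: unknown message digest algorithm` error in the log above turns on. The OID table, the certificate-shaped sample DER built by `fake_cert` and the `LEGACY_DIGESTS` set are constructed assumptions; which digests a particular OpenSSL 0.9.8 build actually registers has to be checked on that system.

```python
SIG_ALGS = {  # signatureAlgorithm OID -> (name, digest); constructed, illustrative subset
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "sha256"),
}

def der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """OID content octets (base-128 arcs) -> dotted string."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    x = 0 if arcs[0] < 40 else 1 if arcs[0] < 80 else 2   # first value packs two arcs
    return ".".join(map(str, [x, arcs[0] - 40 * x] + arcs[1:]))

def signature_oid(der):
    """Dotted OID of Certificate.signatureAlgorithm (2nd element of the outer SEQUENCE)."""
    tag, start, _ = der_tlv(der, 0)        # Certificate ::= SEQUENCE { tbs, alg, sig }
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = der_tlv(der, start)    # skip tbsCertificate entirely
    _, alg_start, _ = der_tlv(der, tbs_end)
    tag, o_start, o_end = der_tlv(der, alg_start)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(der[o_start:o_end])

def chain_report(certs, known_digests):
    """Per cert: (oid, name, digest, verifiable); verifiable is False when the peer lacks the digest."""
    out = []
    for der in certs:
        oid = signature_oid(der)
        name, digest = SIG_ALGS.get(oid, ("unknown", "unknown"))
        out.append((oid, name, digest, digest in known_digests))
    return out

def fake_cert(oid_octets):
    """Constructed certificate-shaped DER (empty tbs, alg, empty sig) for offline testing only."""
    alg = bytes([0x30, len(oid_octets) + 4, 0x06, len(oid_octets)]) + oid_octets + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    return bytes([0x30, len(body)]) + body
SHA1_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
LEGACY_DIGESTS = {"md5", "sha1"}  # assumption: what a constrained legacy build registers
```

Feed it the DER of each certificate the peer presents (for example the PEM blocks from `openssl s_client -starttls smtp -showcerts`, base64-decoded) and any row with `verifiable == False` names the digest the receiving library would have to support.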