[Postfixbuch-users] Postfix sends RST after TLS handshake
Alexander Busam
a.busam at hofmann-foerdertechnik.com
Fri Nov 28 12:27:21 CET 2014
Hello everyone!
... once more, without line breaks :-)
For a few days I have been having problems with mail servers that have changed their certificate. From the looks of it, Postfix (version 2.4.5) does not know the signed digest of the certificate and aborts the connection.
Does anyone know a "quick" way to get Postfix/OpenSSL (version 0.9.8) not to abort the connection, without upgrading to a current version?
Many thanks & regards
Alex
Packet capture log of an unsuccessful connect:
No. Time Source Destination Protocol Length Info
1 0.000000 10.74.0.127 195.145.2.90 TCP 62 59830→25 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 SACK_PERM=1
2 0.021089 195.145.2.90 10.74.0.127 TCP 62 25→59830 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
3 0.021101 10.74.0.127 195.145.2.90 TCP 54 59830→25 [ACK] Seq=1 Ack=1 Win=14600 Len=0
4 0.046547 195.145.2.90 10.74.0.127 SMTP 101 S: 220 mail.xyz-intern.de ESMTP Postfix
5 0.046562 10.74.0.127 195.145.2.90 TCP 54 59830→25 [ACK] Seq=1 Ack=48 Win=14600 Len=0
6 0.046596 10.74.0.127 195.145.2.90 SMTP 79 C: EHLO openssl.client.net
7 0.066974 195.145.2.90 10.74.0.127 TCP 60 25→59830 [ACK] Seq=48 Ack=26 Win=5840 Len=0
8 0.067128 195.145.2.90 10.74.0.127 SMTP 236 S: 250 mail.xyz-intern.de | 250 PIPELINING | 250 SIZE 50000000 | 250 VRFY | 250 ETRN | 250 STARTTLS | 250 AUTH PLAIN | 250 AUTH=PLAIN | 250 ENHANCEDSTATUSCODES | 250 8BITMIME | 250 DSN
9 0.067165 10.74.0.127 195.145.2.90 SMTP 64 C: STARTTLS
10 0.087733 195.145.2.90 10.74.0.127 SMTP 84 S: 220 2.0.0 Ready to start TLS
11 0.088795 10.74.0.127 195.145.2.90 TLSv1 317 Client Hello
12 0.124981 195.145.2.90 10.74.0.127 TLSv1 1514 Server Hello
13 0.126416 195.145.2.90 10.74.0.127 TLSv1 1514 Certificate
14 0.126451 10.74.0.127 195.145.2.90 TCP 54 59830→25 [ACK] Seq=299 Ack=3180 Win=20440 Len=0
15 0.147559 195.145.2.90 10.74.0.127 TLSv1 585 Server Key Exchange
16 0.152381 10.74.0.127 195.145.2.90 TCP 2974 [TCP segment of a reassembled PDU]
17 0.152396 10.74.0.127 195.145.2.90 TLSv1 1157 Certificate
18 0.176325 195.145.2.90 10.74.0.127 TCP 60 25→59830 [ACK] Seq=3711 Ack=3219 Win=11680 Len=0
19 0.179139 195.145.2.90 10.74.0.127 TCP 60 25→59830 [RST, ACK] Seq=3711 Ack=4322 Win=14600 Len=0
Unsuccessful connect:
Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: connect from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: setting up TLS connection from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification failed for cluster-d.mailcontrol.com: num=19:self signed certificate in certificate chain
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification failed for cluster-d.mailcontrol.com: num=7:certificate signature failure
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification failed for cluster-d.mailcontrol.com: num=7:certificate signature failure
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: SSL_accept error from cluster-d.mailcontrol.com[85.115.60.190]: -1
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: warning: TLS library problem: 16667:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:141:
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: warning: TLS library problem: 16667:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:141:
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: lost connection after STARTTLS from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: disconnect from cluster-d.mailcontrol.com[85.115.60.190]
Last successful connect:
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: connect from cluster-j.mailcontrol.com[85.115.54.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: setting up TLS connection from cluster-j.mailcontrol.com[85.115.54.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: certificate verification failed for cluster-j.mailcontrol.com: num=19:self signed certificate in certificate chain
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: fingerprint=0F:D2:95:D8:D8:F8:B0:6C:07:7B:4C:9B:9F:22:A3:E0
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: Unverified: subject_CN=*.mailcontrol.com, issuer=DigiCert High Assurance CA-3
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: TLS connection established from cluster-j.mailcontrol.com[85.115.54.190]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 13 07:26:50 hmmailsrv postgrey[4818]: action=pass, reason=client AWL, client_name=cluster-j.mailcontrol.com, client_address=85.115.54.190, sender=a.b at abc.com, recipient=x.y at xyz.com
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: NOQUEUE: client=cluster-j.mailcontrol.com[85.115.54.190]
main.cf:
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
allow_min_user = yes
biff = no
bounce_queue_lifetime = 3d
bounce_template_file = /etc/postfix/bounce.de-DE.cf
broken_sasl_auth_clients = yes
canonical_maps = hash:/etc/postfix/canonical
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
defer_transports =
delay_warning_time = 4h
disable_dns_lookups = no
disable_mime_output_conversion = no
html_directory = /usr/share/doc/packages/postfix24/html
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailbox_command =
mailbox_size_limit = 0
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
maximal_queue_lifetime = 3d
message_size_limit = 50000000
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
myhostname = mail.xyz.de
mynetworks_style = host
newaliases_path = /usr/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix24/README_FILES
relay_domains = hash:/etc/postfix/relay_domains,
proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
relayhost =
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /usr/share/doc/packages/postfix24/samples
sender_canonical_maps = hash:/etc/postfix/sender_canonical
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtp_helo_name = mail.xyz.com
smtp_sasl_auth_enable = no
smtp_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtp_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_client_restrictions =
smtpd_enforce_tls = no
smtpd_helo_required = no
smtpd_helo_restrictions =
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/access_recipient_roleaccounts, check_sender_access hash:/etc/postfix/access_sender_ok, check_sender_access hash:/etc/postfix/access_sender_allow_exe, check_recipient_access hash:/etc/postfix/access_recipient_ok, check_recipient_access hash:/etc/postfix/access_recipient_reject, reject_unknown_recipient_domain, permit_sasl_authenticated, permit_mynetworks, reject_rbl_client zen.spamhaus.org, reject_rbl_client ix.dnsbl.manitu.net, reject_rbl_client bl.spamcop.net, check_policy_service unix:public/postgrey reject_unauth_destination, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/certs/postfixcert.pem
smtpd_tls_key_file = /etc/postfix/ssl/certs/postfixkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
strict_8bitmime = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport,
proxy:ldap:/etc/postfix/relay_domains-dovecot.ldap
unknown_local_recipient_reject_code = 550
virtual_alias_domains = hash:/etc/postfix/virtual_domains,
hash:/etc/postfix/virtual_mailinglisten
virtual_alias_maps = hash:/etc/postfix/virtual,
hash:/etc/postfix/virtual_mailinglisten,
proxy:ldap:/etc/postfix/virtual.ldap,
proxy:ldap:/etc/postfix/virtual_mailverteiler.ldap
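As an added example (not part of the post above), a small Python log check that groups the smtpd lines per session and lists the peers whose STARTTLS handshake was dropped together with the OpenSSL "unknown message digest algorithm" library error, so the affected senders can be tracked while the cause is being addressed. The sample log is constructed from the failed and the successful session quoted in the post; the function and field names are this example's own.

```python
import re

# Constructed sample: smtpd lines taken from the failed and the successful session in the post above
SAMPLE_LOG = """\
Nov 27 15:45:00 hmmailsrv postfix/smtpd[16667]: connect from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: certificate verification failed for cluster-d.mailcontrol.com: num=7:certificate signature failure
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: warning: TLS library problem: 16667:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:141:
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: lost connection after STARTTLS from cluster-d.mailcontrol.com[85.115.60.190]
Nov 27 15:45:01 hmmailsrv postfix/smtpd[16667]: disconnect from cluster-d.mailcontrol.com[85.115.60.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: connect from cluster-j.mailcontrol.com[85.115.54.190]
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: TLS connection established from cluster-j.mailcontrol.com[85.115.54.190]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Nov 13 07:26:50 hmmailsrv postfix/smtpd[10533]: disconnect from cluster-j.mailcontrol.com[85.115.54.190]
"""

LINE_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
PEER_RE = re.compile(r"from ([\w.-]+)\[([\d.]+)\]")

def analyse_smtpd_log(text):
    """Split smtpd lines into sessions (one per 'connect from' of a PID) and record the TLS outcome."""
    sessions, open_by_pid = [], {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from"):
            p = PEER_RE.search(msg)
            open_by_pid[pid] = {"pid": pid, "peer": p.group(1) if p else None, "ip": p.group(2) if p else None,
                                "tls_ok": False, "lost_after_starttls": False, "unknown_digest": False}
            sessions.append(open_by_pid[pid])
            continue
        s = open_by_pid.get(pid)
        if s is None:
            continue  # line from a session whose 'connect from' we did not see
        if msg.startswith("TLS connection established"):
            s["tls_ok"] = True
        elif msg.startswith("lost connection after STARTTLS"):
            s["lost_after_starttls"] = True
        elif "unknown message digest algorithm" in msg:
            s["unknown_digest"] = True
        elif msg.startswith("disconnect from"):
            open_by_pid.pop(pid, None)  # session closed; a reused PID starts a new one
    return sessions

def peers_failing_with_unknown_digest(text):
    """Peer names whose STARTTLS was dropped right after the 'unknown message digest' library error."""
    return sorted({s["peer"] for s in analyse_smtpd_log(text)
                   if s["lost_after_starttls"] and s["unknown_digest"] and s["peer"]})
```

Run it against the real mail log (e.g. by reading /var/log/mail in place of SAMPLE_LOG) to get the list of peers that stopped negotiating TLS after their certificate change.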