Slow sending, where does SSL3 come from?
Stefan G. Weichinger
lists at xunil.at
Tue Apr 5 10:43:55 CEST 2022
My postfix/dovecot setup has actually been running quite robustly for years.
I haven't been dealing with it very actively any more either, because it simply seemed to work very OK.
Lately I have been seeing delays when sending mail and now have to get back into it in some more detail.
-
I send from Thunderbird 91.7.0 on Fedora 35, via STARTTLS, on port 587.
And lately it always takes some time until the mail finally goes out.
Such an operation looks roughly like this:
journalctl --since 10:00 -u postfix | grep 38541
Apr 05 10:33:03 oc.oops.co.at postfix/submission/smtpd[38541]: initializing the server-side TLS engine
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: connect from localhost[127.0.0.1]
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: setting up TLS connection from localhost[127.0.0.1]
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: localhost[127.0.0.1]: TLS cipher list "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:before SSL initialization
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:before SSL initialization
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL3 alert write:fatal:protocol version
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:error in error
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept error from localhost[127.0.0.1]: -1
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1685:
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: lost connection after STARTTLS from localhost[127.0.0.1]
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: connect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: setting up TLS connection from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLS cipher list "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:before SSL initialization
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:before SSL initialization
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: Decrypting session ticket, key expiration: 1649146784
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:SSLv3/TLS read client hello
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:SSLv3/TLS write server hello
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:SSLv3/TLS write change cipher spec
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:TLSv1.3 write encrypted extensions
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:SSLv3/TLS write finished
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:TLSv1.3 early data
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:TLSv1.3 early data
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:SSLv3/TLS read finished
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: Reusing old session (RFC 5077 session ticket)
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: Anonymous TLS connection established from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: 2F88988924: client=unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b], sasl_method=PLAIN, sasl_username=oc at oc.oops.co.at
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: disconnect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: connect from localhost[127.0.0.1]
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: setting up TLS connection from localhost[127.0.0.1]
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: localhost[127.0.0.1]: TLS cipher list "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:before SSL initialization
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:before SSL initialization
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL3 alert write:fatal:protocol version
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept:error in error
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept error from localhost[127.0.0.1]: -1
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1685:
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: lost connection after STARTTLS from localhost[127.0.0.1]
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
-
# postconf -n
address_verify_map = btree:/var/lib/postfix/verify_cache
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 3.6
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
home_mailbox = .maildir/
html_directory = no
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
meta_directory = /etc/postfix
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mydestination = localhost.$mydomain, localhost
myhostname = oc.oops.co.at
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:11332
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3
bl.spameatingmonkey.net bl.spamcop.net spamtrap.trblspam.com
b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7
bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4
dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6
dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2
dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2
zen.spamhaus.org*2 zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3
hostkarma.junkemailfilter.com=127.0.0.4*1
hostkarma.junkemailfilter.com=127.0.1.2*1
wl.mailspike.net=127.0.0.[18;19;20]*-2
hostkarma.junkemailfilter.com=127.0.0.1*-2 ix.dnsbl.manitu.net
mail.bl.blocklist.de iadb.isipp.com=127.0.[0..255].[0..255]*-2
iadb.isipp.com=127.3.100.[6..200]*-2
postscreen_dnsbl_threshold = 3
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 30d
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_enable = no
postscreen_use_tls = $smtpd_use_tls
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = hash:/etc/postfix/relay_domains
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix/${mail_version}
smtp_bind_address6 = 2a01:7e01:e001:29e::4711
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unknown_recipient_domain, reject_unverified_recipient,
check_recipient_access hash:/etc/postfix/verify_domains,
check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
check_client_access cidr:/etc/postfix/client_checks,
check_policy_service inet:127.0.0.1:12340, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/oc.oops.co.at/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_key_file = /etc/letsencrypt/live/oc.oops.co.at/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
tls_medium_cipherlist =
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf,
hash:/etc/postfix/virtual_alias_maps
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_limit = 512000000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
# master.cf
submission inet n - n - - smtpd
    -o syslog_name=postfix/submission
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_local_domain=$myhostname
    -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
    -o smtpd_sasl_security_options=noanonymous
    -o smtpd_sasl_tls_security_options=noanonymous
#-o smtpd_sender_restrictions=reject_sender_login_mismatch
    -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
amavisfeed unix - - n - 2 lmtp
    -o lmtp_data_done_timeout=1200
    -o lmtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_tls_security_level=none
    -o smtpd_delay_reject=no
    -o smtpd_restriction_classes=
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
smtp-ipv4-only unix - - n - - smtp
    -o inet_protocols=ipv4
smtp-ipv6-only unix - - n - - smtp
    -o inet_protocols=ipv6
    -o smtp_bind_address6=2a01:7e01:e001:29e::4711
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
---
I thought I had long since disabled SSLv3, but somewhere it still seems to be used, or rather an attempt is made to use it?
Postfix is version 3.6.5-r2 on Gentoo.
I would be very grateful for any helpful hints ;-)
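As an added example, not from the post and not Postfix's own tooling: a small Python script that groups the smtpd log lines above per client address and reports which clients completed a TLS handshake (with protocol and cipher) and which failed it, together with the OpenSSL reason string such as "unsupported protocol" and the failed STARTTLS count taken from the disconnect counters. The sample lines are constructed from the excerpt above, and the regular expressions assume Postfix's default smtpd and OpenSSL log wording.

```python
import re
from collections import defaultdict

# Constructed sample: a condensed copy of the post's journalctl excerpt, one entry per line.
SAMPLE_LOG = """\
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept error from localhost[127.0.0.1]: -1
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1685:
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: Anonymous TLS connection established from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: disconnect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL_accept error from localhost[127.0.0.1]: -1
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
"""

# Regexes assume Postfix's default smtpd/OpenSSL log wording (assumption, not verified against all versions).
SMTPD = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ postfix/\S+/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EST = re.compile(r"TLS connection established from (?P<client>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
FAIL = re.compile(r"SSL_accept error from (?P<client>\S+): -?\d+")
LIB = re.compile(r"TLS library problem: error:[0-9A-Fa-f]+:SSL routines:[^:]+:(?P<reason>[^:]+)")
DISC = re.compile(r"disconnect from (?P<client>\S+) (?P<counters>.*)")
STARTTLS = re.compile(r"starttls=(\d+)(?:/(\d+))?")  # "0/1" = 0 succeeded of 1 attempted

def summarize_tls(log_text):
    """Per client: completed handshakes, SSL_accept failures, failed STARTTLS
    attempts (from the disconnect counters) and the OpenSSL reason strings."""
    per_client = defaultdict(lambda: {"established": [], "handshake_errors": 0,
                                      "starttls_failed": 0, "reasons": set()})
    last_failed = {}  # pid -> client of the last SSL_accept error; the library line names none
    for line in log_text.splitlines():
        m = SMTPD.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if e := EST.search(msg):
            per_client[e["client"]]["established"].append((e["proto"], e["cipher"]))
        elif f := FAIL.search(msg):
            per_client[f["client"]]["handshake_errors"] += 1
            last_failed[pid] = f["client"]
        elif (lib := LIB.search(msg)) and pid in last_failed:
            per_client[last_failed[pid]]["reasons"].add(lib["reason"])
        elif d := DISC.search(msg):
            if s := STARTTLS.search(d["counters"]):
                ok, tried = int(s[1]), int(s[2] or s[1])
                per_client[d["client"]]["starttls_failed"] += tried - ok
    return dict(per_client)

def failing_clients(summary):
    """Clients that failed a TLS handshake and never completed one."""
    return sorted(c for c, v in summary.items()
                  if v["handshake_errors"] and not v["established"])
```

Run over the real journalctl output (one entry per line, as with `journalctl -o short`), it separates the localhost client that the server rejects with "unsupported protocol" from the IPv6 client that negotiates TLSv1.3, which narrows the search to whatever connects from 127.0.0.1 on port 587.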
More information about the Postfixbuch-users mailing list