Slow sending, where does SSL3 come from?

Stefan G. Weichinger lists at xunil.at
Wed Apr 6 10:44:52 CEST 2022


On 05.04.22 at 10:43, Stefan G. Weichinger via Postfixbuch-users wrote:

> I thought I had disabled SSLv3 long ago, but somewhere it still seems
> to be used, or at least an attempt is made to use it?

Yesterday I also checked and updated the setup towards postfixadmin
(mysql queries) and compared the TLS parameters with a working customer
server and with the recommendations of the Mozilla generator.

The delay is still there; I'm not getting anywhere.

Here is a current transaction from the logs:

Apr 06 10:39:45 oc.oops.co.at postfix/submission/smtpd[483602]: initializing the server-side TLS engine
Apr 06 10:39:45 oc.oops.co.at postfix/tlsmgr[483603]: open smtp TLS cache btree:/var/lib/postfix/smtp_scache
Apr 06 10:39:45 oc.oops.co.at postfix/tlsmgr[483603]: tlsmgr_cache_run_event: start TLS smtp session cache cleanup
Apr 06 10:41:45 oc.oops.co.at postfix/submission/smtpd[483602]: connect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: setting up TLS connection from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLS cipher list "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:before SSL initialization
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:before SSL initialization
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS read client hello
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write server hello
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write change cipher spec
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:TLSv1.3 write encrypted extensions
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write certificate
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:TLSv1.3 write server certificate verify
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write finished
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:TLSv1.3 early data
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:TLSv1.3 early data
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS read finished
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: Issuing session ticket, key expiration: 1649236305
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write session ticket
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: Anonymous TLS connection established from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: 7678889242: client=unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b], sasl_method=PLAIN, sasl_username=oc at oc.oops.co.at
Apr 06 10:41:46 oc.oops.co.at postfix/cleanup[483697]: 7678889242: message-id=<a2d2bcb5-0964-d46f-40a6-6ff5f9d8b52d at oops.co.at>
Apr 06 10:41:46 oc.oops.co.at postfix/qmgr[483576]: 7678889242: from=<office at oops.co.at>, size=688, nrcpt=1 (queue active)
Apr 06 10:41:46 oc.oops.co.at postfix/lmtp[483698]: 7678889242: to=<dmarc at oops.co.at>, relay=oc.oops.co.at[private/dovecot-lmtp], delay=0.19, delays=0.16/0.02/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <dmarc at oops.co.at> tGAcJEpSTWJzYQcAzb/H+g Saved)
Apr 06 10:41:46 oc.oops.co.at postfix/qmgr[483576]: 7678889242: removed
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: disconnect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8


(my TB delivers from the IP [2001:470:51e4:0:c577:c9ad:a9e5:216b])

-

current config:

  postconf -n
address_verify_map = btree:/var/lib/postfix/verify_cache
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 3.6
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = .maildir/
html_directory = no
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
meta_directory = /etc/postfix
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mydestination = localhost.$mydomain, localhost
myhostname = oc.oops.co.at
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:11332
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_spf_whitelist.cidr, cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 bl.spameatingmonkey.net bl.spamcop.net spamtrap.trblspam.com b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org*2 zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.4*1 hostkarma.junkemailfilter.com=127.0.1.2*1 wl.mailspike.net=127.0.0.[18;19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-2 ix.dnsbl.manitu.net mail.bl.blocklist.de iadb.isipp.com=127.0.[0..255].[0..255]*-2 iadb.isipp.com=127.3.100.[6..200]*-2
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 30d
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_enable = no
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = proxy:mysql:/etc/postfix/sql/mysql_relay_domains.cf
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix/${mail_version}
smtp_bind_address6 = 2a01:7e01:e001:29e::4711
smtp_tls_loglevel = 2
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unknown_recipient_domain, reject_unverified_recipient, check_recipient_access hash:/etc/postfix/verify_domains, check_recipient_access hash:/etc/postfix/roleaccount_exceptions, check_client_access cidr:/etc/postfix/client_checks, check_policy_service inet:127.0.0.1:12340, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/oc.oops.co.at/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_key_file = /etc/letsencrypt/live/oc.oops.co.at/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_RENEGOTIATION
transport_maps = proxy:mysql:/etc/postfix/sql/mysql_transport_maps.cf, hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 512000000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000


# master.cf

smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
#

submission inet n       -       n       -       -       smtpd
         -o syslog_name=postfix/submission
         #-o smtpd_tls_security_level=may
         -o smtpd_sasl_auth_enable=yes
         -o smtpd_sasl_security_options=noanonymous
         -o smtpd_sasl_local_domain=$myhostname
         -o smtpd_client_restrictions=permit_sasl_authenticated,reject
         #-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
         -o smtpd_sasl_security_options=noanonymous
         -o smtpd_sasl_tls_security_options=noanonymous
         #-o smtpd_sender_restrictions=reject_sender_login_mismatch
         -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject


amavisfeed unix  -       -       n       -       2       lmtp
         -o lmtp_data_done_timeout=1200
         -o lmtp_send_xforward_command=yes
         -o disable_dns_lookups=yes

127.0.0.1:10025 inet n  -       n       -       -       smtpd
         -o content_filter=
         -o local_recipient_maps=
         -o relay_recipient_maps=
         -o smtpd_tls_security_level=none
         -o smtpd_delay_reject=no
         -o smtpd_restriction_classes=
         -o smtpd_client_restrictions=
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o smtpd_data_restrictions=reject_unauth_pipelining
         -o smtpd_end_of_data_restrictions=
         -o mynetworks=127.0.0.0/8
         -o smtpd_error_sleep_time=0
         -o smtpd_soft_error_limit=1001
         -o smtpd_hard_error_limit=1000
         -o smtpd_client_connection_count_limit=0
         -o smtpd_client_connection_rate_limit=0
         -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

smtp-ipv4-only unix  -       -       n        -       -       smtp
         -o inet_protocols=ipv4
smtp-ipv6-only unix  -       -       n        -       -       smtp
         -o inet_protocols=ipv6
         -o smtp_bind_address6=2a01:7e01:e001:29e::4711

#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
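An added example, not part of this post or of Postfix: a small Python parser over the submission smtpd lines quoted above (abbreviated, plus one constructed TLSv1 session from 192.0.2.10 so the weak-protocol check has something to flag). Per connection it reports the protocol and cipher actually negotiated (taken from the "TLS connection established" line), the seconds between connect and TLS establishment, and whether "SSLv3/TLS" appeared only in OpenSSL's SSL_accept handshake-state labels while a modern protocol was negotiated; the record field names are the example's own.

```python
import re
from datetime import datetime

# Sample input: the submission smtpd lines quoted in the post above (abbreviated), plus one
# CONSTRUCTED TLSv1 session from 192.0.2.10 so that the weak-protocol check has something to flag.
SAMPLE_LOG = """\
Apr 06 10:41:45 oc.oops.co.at postfix/submission/smtpd[483602]: connect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS read client hello
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:TLSv1.3 write encrypted extensions
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: Anonymous TLS connection established from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: disconnect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Apr 06 10:50:00 oc.oops.co.at postfix/submission/smtpd[483700]: connect from unknown[192.0.2.10]
Apr 06 10:50:03 oc.oops.co.at postfix/submission/smtpd[483700]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
Apr 06 10:50:04 oc.oops.co.at postfix/submission/smtpd[483700]: disconnect from unknown[192.0.2.10] ehlo=2 starttls=1 quit=1 commands=4
"""

# syslog prefix: timestamp, host, postfix/<service>[pid]: message
LINE = re.compile(r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ postfix/\S+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# the one line that states what was really negotiated
ESTABLISHED = re.compile(r"TLS connection established from (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
ACCEPTABLE = ("TLSv1.2", "TLSv1.3")


def summarize(log_text):
    """Return one record per completed smtpd session, tracked by the smtpd pid while open."""
    sessions, open_by_pid = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, msg = datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["pid"], m["msg"]
        if msg.startswith("connect from "):
            open_by_pid[pid] = {"peer": msg[len("connect from "):], "connect": ts,
                                "labels": [], "proto": None, "cipher": None, "tls_at": None}
        elif pid in open_by_pid:
            s = open_by_pid[pid]
            if msg.startswith("SSL_accept:"):
                # OpenSSL handshake-state names; "SSLv3/TLS ..." is the generic label it uses for
                # every TLS version, so on its own it is not evidence of an SSLv3 session
                s["labels"].append(msg.split(":", 1)[1])
            elif (e := ESTABLISHED.search(msg)):
                s["proto"], s["cipher"], s["tls_at"] = e["proto"], e["cipher"], ts
            elif msg.startswith("disconnect from "):
                s["handshake_s"] = (s["tls_at"] - s["connect"]).total_seconds() if s["tls_at"] else None
                s["weak"] = s["proto"] is not None and s["proto"] not in ACCEPTABLE
                s["sslv3_label_only"] = (not s["weak"]) and any(lab.startswith("SSLv3/TLS") for lab in s["labels"])
                sessions.append(open_by_pid.pop(pid))
    return sessions
```

Run it over a real mail log with `summarize(open("/var/log/mail.log").read())`; a session with `weak` set is the only kind that actually negotiated a pre-TLS 1.2 protocol, whereas `sslv3_label_only` sessions are TLS 1.2/1.3 sessions whose debug lines merely carry OpenSSL's wording.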


