Langsamer Versand, wo kommt SSL3 her?
Stefan G. Weichinger
lists at xunil.at
Mi Apr 6 10:44:52 CEST 2022
Am 05.04.22 um 10:43 schrieb Stefan G. Weichinger via Postfixbuch-users:
> Ich dachte, ich hätte SSLv3 längst deaktiviert, aber irgendwo scheint
> das noch verwendet zu werden, bzw. es wird versucht, es zu verwenden?
Ich habe gestern noch das Setup in Richtung postfixadmin geprüft und
aktualisiert (mysql-queries) und die TLS-Parameter mit einem
funktionierenden Kundenserver verglichen, bzw. mit den Empfehlungen des
Mozilla-Generators.
Nach wie vor diese Verzögerung, ich komme nicht weiter.
Hier ein aktueller Vorgang in den Logs:
Apr 06 10:39:45 oc.oops.co.at postfix/submission/smtpd[483602]:
initializing the server-side TLS engine
Apr 06 10:39:45 oc.oops.co.at postfix/tlsmgr[483603]: open smtp TLS
cache btree:/var/lib/postfix/smtp_scache
Apr 06 10:39:45 oc.oops.co.at postfix/tlsmgr[483603]:
tlsmgr_cache_run_event: start TLS smtp session cache cleanup
Apr 06 10:41:45 oc.oops.co.at postfix/submission/smtpd[483602]: connect
from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: setting
up TLS connection from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLS cipher list
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:before SSL initialization
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:before SSL initialization
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:SSLv3/TLS read client hello
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:SSLv3/TLS write server hello
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:SSLv3/TLS write change cipher spec
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:TLSv1.3 write encrypted extensions
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:SSLv3/TLS write certificate
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:TLSv1.3 write server certificate verify
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:SSLv3/TLS write finished
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:TLSv1.3 early data
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:TLSv1.3 early data
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:SSLv3/TLS read finished
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: Issuing session ticket,
key expiration: 1649236305
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
SSL_accept:SSLv3/TLS write session ticket
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
Anonymous TLS connection established from
unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLSv1.3 with cipher
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
server-signature RSA-PSS (2048 bits) server-digest SHA256
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
7678889242: client=unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b],
sasl_method=PLAIN, sasl_username=oc at oc.oops.co.at
Apr 06 10:41:46 oc.oops.co.at postfix/cleanup[483697]: 7678889242:
message-id=<a2d2bcb5-0964-d46f-40a6-6ff5f9d8b52d at oops.co.at>
Apr 06 10:41:46 oc.oops.co.at postfix/qmgr[483576]: 7678889242:
from=<office at oops.co.at>, size=688, nrcpt=1 (queue active)
Apr 06 10:41:46 oc.oops.co.at postfix/lmtp[483698]: 7678889242:
to=<dmarc at oops.co.at>, relay=oc.oops.co.at[private/dovecot-lmtp],
delay=0.19, delays=0.16/0.02/0.01/0.01, dsn=2.0.0, status=sent (250
2.0.0 <dmarc at oops.co.at> tGAcJEpSTWJzYQcAzb/H+g Saved)
Apr 06 10:41:46 oc.oops.co.at postfix/qmgr[483576]: 7678889242: removed
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]:
disconnect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b] ehlo=2
starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
(mein TB liefert von der IP [2001:470:51e4:0:c577:c9ad:a9e5:216b] ein)
-
config aktuell:
postconf -n
address_verify_map = btree:/var/lib/postfix/verify_cache
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 3.6
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
home_mailbox = .maildir/
html_directory = no
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
meta_directory = /etc/postfix
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mydestination = localhost.$mydomain, localhost
myhostname = oc.oops.co.at
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:11332
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_spf_whitelist.cidr,
cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[4..7]*6
zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3
bl.spameatingmonkey.net bl.spamcop.net spamtrap.trblspam.com
b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7
bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4
dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6
dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2
dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2
zen.spamhaus.org*2 zen.spamhaus.org=127.0.0.[10;11]*8
zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4
zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3
hostkarma.junkemailfilter.com=127.0.0.4*1
hostkarma.junkemailfilter.com=127.0.1.2*1
wl.mailspike.net=127.0.0.[18;19;20]*-2
hostkarma.junkemailfilter.com=127.0.0.1*-2 ix.dnsbl.manitu.net
mail.bl.blocklist.de iadb.isipp.com=127.0.[0..255].[0..255]*-2
iadb.isipp.com=127.3.100.[6..200]*-2
postscreen_dnsbl_threshold = 3
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 30d
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_enable = no
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = proxy:mysql:/etc/postfix/sql/mysql_relay_domains.cf
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix/${mail_version}
smtp_bind_address6 = 2a01:7e01:e001:29e::4711
smtp_tls_loglevel = 2
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
reject_unknown_recipient_domain, reject_unverified_recipient,
check_recipient_access hash:/etc/postfix/verify_domains,
check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
check_client_access cidr:/etc/postfix/client_checks,
check_policy_service inet:127.0.0.1:12340, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/oc.oops.co.at/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_key_file = /etc/letsencrypt/live/oc.oops.co.at/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_medium_cipherlist =
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_RENEGOTIATION
transport_maps = proxy:mysql:/etc/postfix/sql/mysql_transport_maps.cf,
hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains =
proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 512000000
virtual_mailbox_maps =
proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf,
proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
# master.cf
smtp inet n - n - 1 postscreen
smtpd pass - - n - - smtpd
dnsblog unix - - n - 0 dnsblog
tlsproxy unix - - n - 0 tlsproxy
#
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
#-o smtpd_tls_security_level=may
-o smtpd_sasl_auth_enable=yes
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_local_domain=$myhostname
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
#-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
-o smtpd_sasl_security_options=noanonymous
-o smtpd_sasl_tls_security_options=noanonymous
#-o smtpd_sender_restrictions=reject_sender_login_mismatch
-o
smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
amavisfeed unix - - n - 2 lmtp
-o lmtp_data_done_timeout=1200
-o lmtp_send_xforward_command=yes
-o disable_dns_lookups=yes
127.0.0.1:10025 inet n - n - - smtpd
-o content_filter=
-o local_recipient_maps=
-o relay_recipient_maps=
-o smtpd_tls_security_level=none
-o smtpd_delay_reject=no
-o smtpd_restriction_classes=
-o smtpd_client_restrictions=
-o smtpd_helo_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o smtpd_data_restrictions=reject_unauth_pipelining
-o smtpd_end_of_data_restrictions=
-o mynetworks=127.0.0.0/8
-o smtpd_error_sleep_time=0
-o smtpd_soft_error_limit=1001
-o smtpd_hard_error_limit=1000
-o smtpd_client_connection_count_limit=0
-o smtpd_client_connection_rate_limit=0
-o
receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
smtp-ipv4-only unix - - n - - smtp
-o inet_protocols=ipv4
smtp-ipv6-only unix - - n - - smtp
-o inet_protocols=ipv6
-o smtp_bind_address6=2a01:7e01:e001:29e::4711
#smtps inet n - n - - smtpd
# -o syslog_name=postfix/smtps
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_reject_unlisted_recipient=no
# -o smtpd_client_restrictions=$mua_client_restrictions
# -o smtpd_helo_restrictions=$mua_helo_restrictions
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
#qmgr unix n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
Mehr Informationen über die Mailingliste Postfixbuch-users