Slow delivery, where does SSL3 come from?

Sandy Drobic postfixbuch-users at drobic.de
Wed Apr 6 16:29:15 CEST 2022



Don't let the SSLv3 in the log confuse you; a TLS 1.3 connection is being 
negotiated perfectly correctly.
That is just an internal label used by Postfix, which unfortunately often 
causes confusion.

The whole transaction also seems to take only one second, from "connect 
from" to "status=sent".
Where is the big delay you are complaining about?

Regards
Sandy


On 06.04.2022 at 10:44, Stefan G. Weichinger via Postfixbuch-users wrote:
> On 05.04.22 at 10:43, Stefan G. Weichinger via Postfixbuch-users wrote:
>
>> I thought I had disabled SSLv3 long ago, but it seems to still be used 
>> somewhere, or rather an attempt is being made to use it?
>
> Yesterday I also checked and updated the setup on the postfixadmin side 
> (mysql queries) and compared the TLS parameters with a working customer 
> server and with the recommendations of the Mozilla generator.
>
> Still the same delay; I'm not getting anywhere.
>
> Here is a current transaction from the logs:
>
> Apr 06 10:39:45 oc.oops.co.at postfix/submission/smtpd[483602]: initializing the server-side TLS engine
> Apr 06 10:39:45 oc.oops.co.at postfix/tlsmgr[483603]: open smtp TLS cache btree:/var/lib/postfix/smtp_scache
> Apr 06 10:39:45 oc.oops.co.at postfix/tlsmgr[483603]: tlsmgr_cache_run_event: start TLS smtp session cache cleanup
> Apr 06 10:41:45 oc.oops.co.at postfix/submission/smtpd[483602]: connect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: setting up TLS connection from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLS cipher list "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:before SSL initialization
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:before SSL initialization
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS read client hello
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write server hello
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write change cipher spec
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:TLSv1.3 write encrypted extensions
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write certificate
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:TLSv1.3 write server certificate verify
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write finished
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:TLSv1.3 early data
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:TLSv1.3 early data
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS read finished
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: Issuing session ticket, key expiration: 1649236305
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write session ticket
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: Anonymous TLS connection established from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: 7678889242: client=unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b], sasl_method=PLAIN, sasl_username=oc at oc.oops.co.at
> Apr 06 10:41:46 oc.oops.co.at postfix/cleanup[483697]: 7678889242: message-id=<a2d2bcb5-0964-d46f-40a6-6ff5f9d8b52d at oops.co.at>
> Apr 06 10:41:46 oc.oops.co.at postfix/qmgr[483576]: 7678889242: from=<office at oops.co.at>, size=688, nrcpt=1 (queue active)
> Apr 06 10:41:46 oc.oops.co.at postfix/lmtp[483698]: 7678889242: to=<dmarc at oops.co.at>, relay=oc.oops.co.at[private/dovecot-lmtp], delay=0.19, delays=0.16/0.02/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <dmarc at oops.co.at> tGAcJEpSTWJzYQcAzb/H+g Saved)
> Apr 06 10:41:46 oc.oops.co.at postfix/qmgr[483576]: 7678889242: removed
> Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: disconnect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
>
>
> (my TB is submitting from the IP [2001:470:51e4:0:c577:c9ad:a9e5:216b])
>
> -
>
> current config:
>
>  postconf -n
> address_verify_map = btree:/var/lib/postfix/verify_cache
> broken_sasl_auth_clients = yes
> command_directory = /usr/sbin
> compatibility_level = 3.6
> daemon_directory = /usr/libexec/postfix
> data_directory = /var/lib/postfix
> debug_peer_level = 2
> debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
> $daemon_directory/$process_name $process_id & sleep 5
> home_mailbox = .maildir/
> html_directory = no
> inet_protocols = all
> local_recipient_maps = $virtual_mailbox_maps
> local_transport = virtual
> mail_owner = postfix
> mailq_path = /usr/bin/mailq
> manpage_directory = /usr/share/man
> message_size_limit = 20480000
> meta_directory = /etc/postfix
> milter_default_action = accept
> milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
> milter_protocol = 6
> mydestination = localhost.$mydomain, localhost
> myhostname = oc.oops.co.at
> newaliases_path = /usr/bin/newaliases
> non_smtpd_milters = inet:localhost:11332
> postscreen_access_list = permit_mynetworks, 
> cidr:/etc/postfix/postscreen_spf_whitelist.cidr, 
> cidr:/etc/postfix/postscreen_access.cidr
> postscreen_bare_newline_enable = no
> postscreen_blacklist_action = drop
> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[4..7]*6 
> zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 
> bl.spameatingmonkey.net bl.spamcop.net spamtrap.trblspam.com 
> b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7 
> bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4 
> dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 
> dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 
> dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org*2 
> zen.spamhaus.org=127.0.0.[10;11]*8 zen.spamhaus.org=127.0.0.[4..7]*6 
> zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 
> hostkarma.junkemailfilter.com=127.0.0.2*3 
> hostkarma.junkemailfilter.com=127.0.0.4*1 
> hostkarma.junkemailfilter.com=127.0.1.2*1 
> wl.mailspike.net=127.0.0.[18;19;20]*-2 
> hostkarma.junkemailfilter.com=127.0.0.1*-2 ix.dnsbl.manitu.net 
> mail.bl.blocklist.de iadb.isipp.com=127.0.[0..255].[0..255]*-2 
> iadb.isipp.com=127.3.100.[6..200]*-2
> postscreen_dnsbl_threshold = 3
> postscreen_greet_action = enforce
> postscreen_greet_banner = $smtpd_banner
> postscreen_greet_ttl = 30d
> postscreen_non_smtp_command_action = drop
> postscreen_non_smtp_command_enable = no
> postscreen_non_smtp_command_ttl = 30d
> postscreen_pipelining_enable = no
> queue_directory = /var/spool/postfix
> readme_directory = no
> relay_domains = proxy:mysql:/etc/postfix/sql/mysql_relay_domains.cf
> relocated_maps = hash:/etc/postfix/relocated
> sample_directory = /etc/postfix
> sendmail_path = /usr/sbin/sendmail
> setgid_group = postdrop
> shlib_directory = /usr/lib64/postfix/${mail_version}
> smtp_bind_address6 = 2a01:7e01:e001:29e::4711
> smtp_tls_loglevel = 2
> smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
> smtpd_milters = inet:localhost:11332
> smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, 
> reject_unauth_destination, reject_unknown_recipient_domain, 
> reject_unverified_recipient, check_recipient_access 
> hash:/etc/postfix/verify_domains, check_recipient_access 
> hash:/etc/postfix/roleaccount_exceptions, check_client_access 
> cidr:/etc/postfix/client_checks, check_policy_service inet:127.0.0.1:12340, 
> permit
> smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
> reject_unauth_destination
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_local_domain = $mydomain
> smtpd_sasl_path = /var/run/dovecot/auth-client
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
> smtpd_sasl_type = dovecot
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/letsencrypt/live/oc.oops.co.at/fullchain.pem
> smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
> smtpd_tls_key_file = /etc/letsencrypt/live/oc.oops.co.at/privkey.pem
> smtpd_tls_loglevel = 2
> smtpd_tls_mandatory_ciphers = medium
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_timeout = 3600s
> tls_medium_cipherlist = 
> ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
> tls_preempt_cipherlist = yes
> tls_random_source = dev:/dev/urandom
> tls_ssl_options = NO_RENEGOTIATION
> transport_maps = proxy:mysql:/etc/postfix/sql/mysql_transport_maps.cf, 
> hash:/etc/postfix/transport
> unknown_local_recipient_reject_code = 550
> virtual_alias_maps = 
> proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, 
> proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, 
> proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
> virtual_gid_maps = static:5000
> virtual_mailbox_base = /home/vmail
> virtual_mailbox_domains = 
> proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
> virtual_mailbox_limit = 512000000
> virtual_mailbox_maps = 
> proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, 
> proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
> virtual_minimum_uid = 5000
> virtual_transport = lmtp:unix:private/dovecot-lmtp
> virtual_uid_maps = static:5000
>
>
> # master.cf
>
> smtp      inet  n       -       n       -       1       postscreen
> smtpd     pass  -       -       n       -       -       smtpd
> dnsblog   unix  -       -       n       -       0       dnsblog
> tlsproxy  unix  -       -       n       -       0       tlsproxy
> #
>
> submission inet n       -       n       -       -       smtpd
>         -o syslog_name=postfix/submission
>         #-o smtpd_tls_security_level=may
>         -o smtpd_sasl_auth_enable=yes
>         -o smtpd_sasl_security_options=noanonymous
>         -o smtpd_sasl_local_domain=$myhostname
>         -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>         #-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
>         -o smtpd_sasl_security_options=noanonymous
>         -o smtpd_sasl_tls_security_options=noanonymous
>         #-o smtpd_sender_restrictions=reject_sender_login_mismatch
>         -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject
>
>
> amavisfeed unix  -       -       n       -       2       lmtp
>         -o lmtp_data_done_timeout=1200
>         -o lmtp_send_xforward_command=yes
>         -o disable_dns_lookups=yes
>
> 127.0.0.1:10025 inet n  -       n       -       -       smtpd
>         -o content_filter=
>         -o local_recipient_maps=
>         -o relay_recipient_maps=
>         -o smtpd_tls_security_level=none
>         -o smtpd_delay_reject=no
>         -o smtpd_restriction_classes=
>         -o smtpd_client_restrictions=
>         -o smtpd_helo_restrictions=
>         -o smtpd_sender_restrictions=
>         -o smtpd_recipient_restrictions=permit_mynetworks,reject
>         -o smtpd_data_restrictions=reject_unauth_pipelining
>         -o smtpd_end_of_data_restrictions=
>         -o mynetworks=127.0.0.0/8
>         -o smtpd_error_sleep_time=0
>         -o smtpd_soft_error_limit=1001
>         -o smtpd_hard_error_limit=1000
>         -o smtpd_client_connection_count_limit=0
>         -o smtpd_client_connection_rate_limit=0
>         -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
>
> smtp-ipv4-only unix  -       -       n        -       -       smtp
>         -o inet_protocols=ipv4
> smtp-ipv6-only unix  -       -       n        -       -       smtp
>         -o inet_protocols=ipv6
>     -o smtp_bind_address6=2a01:7e01:e001:29e::4711
>
> #smtps     inet  n       -       n       -       -       smtpd
> #  -o syslog_name=postfix/smtps
> #  -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_reject_unlisted_recipient=no
> #  -o smtpd_client_restrictions=$mua_client_restrictions
> #  -o smtpd_helo_restrictions=$mua_helo_restrictions
> #  -o smtpd_sender_restrictions=$mua_sender_restrictions
> #  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
> #628       inet  n       -       n       -       -       qmqpd
> pickup    unix  n       -       n       60      1       pickup
> cleanup   unix  n       -       n       -       0       cleanup
> qmgr      unix  n       -       n       300     1       qmgr
> #qmgr     unix  n       -       n       300     1       oqmgr
> tlsmgr    unix  -       -       n       1000?   1       tlsmgr
> rewrite   unix  -       -       n       -       - trivial-rewrite
> bounce    unix  -       -       n       -       0       bounce
> defer     unix  -       -       n       -       0       bounce
> trace     unix  -       -       n       -       0       bounce
> verify    unix  -       -       n       -       1       verify
> flush     unix  n       -       n       1000?   0       flush
> proxymap  unix  -       -       n       -       -       proxymap
> proxywrite unix -       -       n       -       1       proxymap
> smtp      unix  -       -       n       -       -       smtp
> relay     unix  -       -       n       -       -       smtp
> #       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
> showq     unix  n       -       n       -       -       showq
> error     unix  -       -       n       -       -       error
> retry     unix  -       -       n       -       -       error
> discard   unix  -       -       n       -       -       discard
> local     unix  -       n       n       -       -       local
> virtual   unix  -       n       n       -       -       virtual
> lmtp      unix  -       -       n       -       -       lmtp
> anvil     unix  -       -       n       -       1       anvil
> scache    unix  -       -       n       -       1       scache
>
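Added example, not part of the thread and not Postfix code: a small Python checker that reads smtpd/lmtp log lines of the kind quoted above and separates the two questions in the thread. First, which protocol was really negotiated: the "TLS connection established" line is the authoritative record, while the "SSL_accept:SSLv3/TLS ..." lines are OpenSSL handshake-state names that Postfix logs verbatim at smtpd_tls_loglevel 2 and that do not mean SSLv3 was used; the checker counts them but judges the session by the established line. Second, where the time goes: it measures "connect from" to TLS setup, to SASL authentication and to "status=sent", and unpacks the delays=a/b/c/d field (time before the queue manager, in the queue manager, connection setup, transmission, as documented by Postfix). The sample log is a constructed, trimmed copy of the quoted lines with "@" restored in the addresses.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed copy of the kind of lines quoted in the thread.
SAMPLE_LOG = """\
Apr 06 10:39:45 oc.oops.co.at postfix/submission/smtpd[483602]: initializing the server-side TLS engine
Apr 06 10:41:45 oc.oops.co.at postfix/submission/smtpd[483602]: connect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS read client hello
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write server hello
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:TLSv1.3 write encrypted extensions
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: SSL_accept:SSLv3/TLS write finished
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: Anonymous TLS connection established from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: 7678889242: client=unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b], sasl_method=PLAIN, sasl_username=oc@oc.oops.co.at
Apr 06 10:41:46 oc.oops.co.at postfix/qmgr[483576]: 7678889242: from=<office@oops.co.at>, size=688, nrcpt=1 (queue active)
Apr 06 10:41:46 oc.oops.co.at postfix/lmtp[483698]: 7678889242: to=<dmarc@oops.co.at>, relay=oc.oops.co.at[private/dovecot-lmtp], delay=0.19, delays=0.16/0.02/0.01/0.01, dsn=2.0.0, status=sent (250 2.0.0 <dmarc@oops.co.at> tGAcJEpSTWJzYQcAzb/H+g Saved)
Apr 06 10:41:46 oc.oops.co.at postfix/submission/smtpd[483602]: disconnect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w/.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The "TLS connection established" line is the authoritative record of what was negotiated.
ESTABLISHED_RE = re.compile(
    r"TLS connection established from (?P<client>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
CLIENT_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=")
DELAYS_RE = re.compile(
    r"delay=(?P<total>[\d.]+), delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+)"
)
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse(line):
    """Split a syslog-style Postfix line into (timestamp, program, pid, message)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # No year in the timestamp; datetime defaults to 1900, fine for intra-day deltas.
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["prog"], int(m["pid"]), m["msg"]


def analyse_session(log_text):
    """Correlate one submission: smtpd connect -> TLS -> SASL auth -> queue id -> delivery."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    r = {"negotiated_protocol": None, "cipher": None,
         "sslv3_labelled_state_lines": 0, "delays": None}
    t_connect = t_tls = t_auth = t_sent = None
    queue_id = None
    for ts, prog, pid, msg in events:
        if msg.startswith("connect from "):
            t_connect = ts
        elif "SSLv3/TLS" in msg:
            # OpenSSL handshake-state label logged at smtpd_tls_loglevel >= 2;
            # it names a state shared by all protocol versions, not SSLv3 itself.
            r["sslv3_labelled_state_lines"] += 1
        elif (m := ESTABLISHED_RE.search(msg)):
            t_tls = ts
            r["negotiated_protocol"], r["cipher"] = m["proto"], m["cipher"]
        elif (m := CLIENT_RE.match(msg)):
            t_auth, queue_id = ts, m["qid"]
        elif queue_id and msg.startswith(queue_id + ": ") and "status=sent" in msg:
            t_sent = ts
            d = DELAYS_RE.search(msg)
            if d:
                r["delays"] = {
                    "total": float(d["total"]),
                    "before_queue_manager": float(d["a"]),
                    "in_queue_manager": float(d["b"]),
                    "connection_setup": float(d["c"]),
                    "transmission": float(d["d"]),
                }

    def secs(a, b):
        return None if a is None or b is None else (b - a).total_seconds()

    r["connect_to_tls_s"] = secs(t_connect, t_tls)
    r["connect_to_auth_s"] = secs(t_connect, t_auth)
    r["connect_to_sent_s"] = secs(t_connect, t_sent)
    r["legacy_protocol_negotiated"] = r["negotiated_protocol"] in LEGACY
    return r


if __name__ == "__main__":
    for k, v in analyse_session(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run it against a real journal with `journalctl -u postfix -o short | python3 checker.py` adapted to read stdin; for the quoted session it reports TLSv1.3 negotiated, three state lines carrying the SSLv3/TLS label, and one second from connect to delivery. If the delay the user experiences is not visible between "connect from" and "status=sent", it lies outside this window: before the connection is accepted (client-side DNS, IPv6 reachability, postscreen on port 25) or after delivery (the LMTP "Saved" reply is the end of the server's work).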


