STARTTLS SSLv3

fk+postfix at celebrate.de
Tue Sep 24 14:33:41 CEST 2024


On 24.09.2024 at 14:24, Frank Kirschner via Postfixbuch-users wrote:

> On 24.09.2024 at 13:35, Markus Heinze via Postfixbuch-users wrote:
>
>>> dehydrated had created the certificates and keys with KEY_ALGO=secp384r1;
>>> I changed that to KEY_ALGO=rsa and created a new certificate and key with
>>> --force, then reloaded Postfix. Unfortunately the cipher
>>> DHE-RSA-AES256-GCM-SHA384 is still not offered. Postfix is running
>>> version 2.10.1 and openssl 1.0.2.
>>
>>
>> openssl 1.0.2x does not support this cipher; update openssl and the
>> dependent components accordingly, then it will work.
> Thanks, I have just installed openssl 1.1.1k and restarted the server:
>
> # openssl version
> OpenSSL 1.1.1k  25 Mar 2021
>
> Unfortunately the problem persists:
>
> # openssl s_client -connect 192.168.130.191:25 -starttls smtp -cipher DHE-RSA-AES256-GCM-SHA384
> CONNECTED(00000003)
> 140716227073856:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 190 bytes and written 274 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
>
> ---
>
> Do I still have to tell Postfix somehow that a new OpenSSL version has
> been installed?
>
Current configuration:

postconf -n
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = amavisfeed:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_name = Mailserver
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 15000000
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = ******
myhostname = farm11.cbr1.de
mynetworks = 127.0.0.0/8, 192.168.130.0/24, 192.168.178.0/24,
    192.168.140.0/24
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = inet:localhost:8891
policy-spf_time_limit = 3600s
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
recipient_bcc_maps = hash:/etc/postfix/bcc_maps
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sender_bcc_maps = hash:/etc/postfix/bcc_maps
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_tls_exclude_ciphers = aNULL
smtp_tls_mandatory_exclude_ciphers = RC4, aNULL, MD5
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtpd_banner = $myhostname ESMTP
smtpd_client_restrictions = permit_mynetworks, reject_unauth_pipelining,
    reject_unknown_client, reject_unknown_client_hostname,
    reject_unknown_reverse_client_hostname, permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_discard_ehlo_keywords = chunking, silent-discard
smtpd_error_sleep_time = 30s
smtpd_hard_error_limit = 2
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    check_helo_access cidr:/etc/postfix/whitelist/postfix-dnswl-permit,
    reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_client,
    permit_sasl_authenticated, reject_unauth_pipelining,
    reject_non_fqdn_sender, reject_unknown_sender_domain,
    reject_unknown_recipient_domain, reject_unauth_destination,
    check_helo_access pcre:/etc/postfix/helo_checks.pcre,
    check_client_access cidr:/etc/postfix/whitelist/postfix-dnswl-permit,
    check_client_access cidr:/etc/postfix/my_blacklist,
    check_policy_service inet:127.0.0.1:10023,
    check_policy_service unix:private/policy-spf,
    reject_rbl_client ix.dnsbl.manitu.net,
    reject_rbl_client dyna.spamrats.com, permit
smtpd_reject_unlisted_recipient = yes
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    defer_unauth_destination reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unknown_reverse_client_hostname,
    reject_unknown_client_hostname, reject_unknown_sender_domain
smtpd_soft_error_limit = 1
smtpd_tls_CAfile = /opt/dehydrated-master/certs/farm11.cbr1.de/chain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file =
    /opt/dehydrated-master/certs/farm11.cbr1.de/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dhparam
smtpd_tls_eecdh_grade = ultra
smtpd_tls_key_file = /opt/dehydrated-master/certs/farm11.cbr1.de/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_medium_cipherlist =
    ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
unknown_address_reject_code = 554
unknown_client_reject_code = 554
unknown_hostname_reject_code = 554
virtual_alias_maps = hash:/etc/postfix/virtual
virtual_mailbox_domains = ***********
virtual_transport = dovecot
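The exchange above hinges on two separate questions: whether the certificate key type can serve the suites listed in tls_medium_cipherlist at all (an EC key from KEY_ALGO=secp384r1 can never be used for DHE-RSA-* or ECDHE-RSA-* suites, and an RSA key never for ECDHE-ECDSA-*), and whether the OpenSSL library actually loaded knows the suite. The following is an added example of mine, not code from Postfix, dehydrated or the poster: the postconf excerpt is constructed from this post, the KEY_ALGO values are the two the post mentions, and the library check runs against the OpenSSL that the local Python is linked with, which is not necessarily the one the Postfix smtpd binary loads.

```python
"""Cross-check a Postfix cipher list against the certificate key type and
the locally linked OpenSSL.  Added example for this thread, not Postfix code."""
import ssl

# Constructed from the postconf -n output in the post (long value unwrapped).
POSTCONF = """\
smtpd_tls_dh1024_param_file = /etc/postfix/dhparam
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:\
ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
"""

def parse_postconf(text):
    """Turn 'name = value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            conf[name.strip()] = value.strip()
    return conf

def cert_key_type(key_algo):
    """Map a dehydrated KEY_ALGO value to the key type of the resulting cert.
    'rsa' yields an RSA key; the other values (e.g. secp384r1) are EC curves."""
    return "RSA" if key_algo == "rsa" else "EC"

def required_cert_key(suite):
    """Key type a TLS 1.2 suite (OpenSSL name) needs in the server certificate:
    *-ECDSA-* suites sign with an EC key, DHE-RSA-*/ECDHE-RSA-* with RSA."""
    if "-ECDSA-" in suite:
        return "EC"
    if "-RSA-" in suite:
        return "RSA"
    return "other"

def split_suites(cipherlist, key_type):
    """Partition a colon-separated cipher list into suites the certificate can
    serve and suites that can never be negotiated with it.  DHE-RSA-* suites
    additionally depend on the DH parameters Postfix loads (here from
    smtpd_tls_dh1024_param_file)."""
    usable, dead = [], []
    for suite in cipherlist.split(":"):
        (usable if required_cert_key(suite) == key_type else dead).append(suite)
    return usable, dead

def unknown_to_local_openssl(suites):
    """Suites the OpenSSL that Python is linked against does not know at all.
    Anything reported here is a library limitation, not a Postfix setting."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(":".join(suites))
    except ssl.SSLError:            # not a single suite is recognised
        return set(suites)
    return set(suites) - {c["name"] for c in ctx.get_ciphers()}

if __name__ == "__main__":
    conf = parse_postconf(POSTCONF)
    for algo in ("secp384r1", "rsa"):
        usable, dead = split_suites(conf["tls_medium_cipherlist"], cert_key_type(algo))
        print(f"KEY_ALGO={algo}: usable={usable}\n  never offered={dead}")
    print("unknown to local OpenSSL:",
          unknown_to_local_openssl(conf["tls_medium_cipherlist"].split(":")))
```

To check the library Postfix itself uses rather than Python's, inspect the shared libraries of the smtpd binary in daemon_directory (e.g. with ldd); an OpenSSL installed alongside the old one does not change what an existing binary loads.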



More information about the Postfixbuch-users mailing list