From: Lutz Jaenicke (no email)
Date: Wed Sep 01 2004 - 03:24:45 EDT
On Tue, Aug 31, 2004 at 08:27:14PM -0700, David F. Severski wrote:
> I'm having a hard a time tracking down a failure with a test Exchange 2003
> SP1 (W2K3 VM - waits.deadheaven.com) to relay mail to a Postfix TLS
> enabled server (FreeBSD 4.10 - geoff.deadheaven.com). The Exchange box is
> set to send all mail via TLS w/basic authentication to my Postfix server.
> When my smtpd_tls_cipherlist is set to DEFAULT, everything works fine. When
> that parameter is set to HIGH, postfix reports that the connection is lost
> after the TLS secured EHLO from the Exchange box.
>
> The logs from debug_peer show only that the connection is lost after the
> aforementioned second EHLO. Cranking the smtpd_tls_loglevel all the way
> up to 4 shows the line 'Aug 29 15:18:59 geoff postfix/smtpd[429]: SSL3
> alert write:fatal:protocol version'. A packet capture of the traffic
> (available at http://www.deadheaven.com/tls_high_auth.pcap), correlated
> with the debug_peer output (included, along with postfinger output, below)
> seems to show, in the TLS portion, the EHLO, Postfix's 250 response, and
> then what looks to be the Exchange box trying to send an AUTH request, only
> to be dropped by Postfix.
>
> Both the Postfix server and the Exchange instance have local CAs that
> have issued certificates to the local systems. The Exchange box has a
> copy of the Postfix's server certificate installed as well as the
> postfix's issue CA installed. All other TLS communications, include TLS
> protected SASL logins from Outlook clients, are working fine.
>
> I'd be inclined to blame my limited Exchange knowledge, but having traffic
> flow fine as soon as I allow a different cipher, such as RC4-MD5, has me
> stumped. With both TLS patches and SASL being involved, this strays
> pretty far from 'supported' installations, but I'm hoping wiser heads
> than myself may know where to look further in troubleshooting. Any help in
> tracking this down would be most appreciated.
Hmm. I am somewhat out of ideas on this one. Please see below the
"ssldump" output of the session. ssldump indicates a protocol violation.
On the postfix side this is indicated by the "SSL3 alert write:fatal:protocol
version".
I must admit that I do not yet have an idea on what is going on...
Regards,
Lutz
-snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip-
New TCP connection #1: 192.168.0.9(2317) <-> 192.168.0.1(25)
0.0038 (0.0038) S>C
---------------------------------------------------------------
220 geoff.deadheaven.com ESMTP Postfix
---------------------------------------------------------------
0.0288 (0.0250) C>S
---------------------------------------------------------------
EHLO waits.example.tld
---------------------------------------------------------------
0.0304 (0.0016) S>C
---------------------------------------------------------------
250-geoff.deadheaven.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
---------------------------------------------------------------
0.0679 (0.0374) C>S
---------------------------------------------------------------
STARTTLS
---------------------------------------------------------------
0.0684 (0.0005) S>C
---------------------------------------------------------------
220 Ready to start TLS
---------------------------------------------------------------
1 1 0.0692 (0.0007) C>S Handshake
ClientHello
Version 3.1
resume [32]=
04 c0 b3 4a 94 e7 d3 01 f6 b8 ec 20 a9 d6 69 7c
e7 7e d3 37 0f 1a 95 46 8a 7b e6 4b 18 0e 81 7e
cipher suites
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
compression methods
NULL
1 2 0.0707 (0.0014) S>C Handshake
ServerHello
Version 3.1
session_id[32]=
cc bb 53 d6 9f 85 a3 c1 37 4a 3b d6 bd be 21 dd
dd 19 45 94 ca 92 40 6f 4f c9 f9 a4 f1 1a d7 fb
cipherSuite TLS_RSA_WITH_3DES_EDE_CBC_SHA
compressionMethod NULL
1 3 0.0707 (0.0000) S>C Handshake
Certificate
1 4 0.0707 (0.0000) S>C Handshake
CertificateRequest
certificate_types rsa_sign
certificate_types dss_sign
certificate_authority
30 72 31 0b 30 09 06 03 55 04 06 13 02 55 53 31
13 30 11 06 03 55 04 08 13 0a 57 61 73 68 69 6e
67 74 6f 6e 31 10 30 0e 06 03 55 04 07 13 07 53
65 61 74 74 6c 65 31 14 30 12 06 03 55 04 0a 13
0b 44 65 61 64 20 48 65 61 76 65 6e 31 26 30 24
06 09 2a 86 48 86 f7 0d 01 09 01 16 17 64 61 76
69 64 73 6b 69 40 64 65 61 64 68 65 61 76 65 6e
2e 63 6f 6d
ServerHelloDone
1 5 0.0765 (0.0058) C>S Handshake
Certificate
ClientKeyExchange
1 6 0.0765 (0.0000) C>S ChangeCipherSpec
1 7 0.0765 (0.0000) C>S Handshake
1 8 0.1007 (0.0242) S>C ChangeCipherSpec
1 9 0.1007 (0.0000) S>C Handshake
1 10 0.1018 (0.0010) C>S application_data
1 11 0.1036 (0.0018) S>C application_data
Unknown SSL content type 2
1 0.1057 (0.0020) S>C TCP FIN
1 12 0.1058 (0.0001) C>SShort record
1 0.1060 (0.0001) C>S TCP FIN
-snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip--snip-
ssldump also cannot understand
>
> Thanks!
>
> David
>
> - -begin maillog section-
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: connect from waits.deadheaven.com[192.168.0.9]
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 220 geoff.deadheaven.com ESMTP Postfix
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: watchdog_pat: 0x80ac208
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: < waits.deadheaven.com[192.168.0.9]: EHLO waits.example.tld
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-geoff.deadheaven.com
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-PIPELINING
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-SIZE 10240000
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-VRFY
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-ETRN
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-STARTTLS
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: match_list_match: waits.deadheaven.com: no match
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: match_list_match: 192.168.0.9: no match
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250 8BITMIME
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: watchdog_pat: 0x80ac208
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: < waits.deadheaven.com[192.168.0.9]: STARTTLS
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 220 Ready to start TLS
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: setting up TLS connection from waits.deadheaven.com[192.168.0.9]
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: TLS connection established from waits.deadheaven.com[192.168.0.9]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: name_mask: noanonymous
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: watchdog_pat: 0x80ac208
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: < waits.deadheaven.com[192.168.0.9]: EHLO waits.example.tld
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-geoff.deadheaven.com
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-PIPELINING
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-SIZE 10240000
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-VRFY
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-ETRN
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250-AUTH LOGIN PLAIN
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: match_list_match: waits.deadheaven.com: no match
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: match_list_match: 192.168.0.9: no match
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: > waits.deadheaven.com[192.168.0.9]: 250 8BITMIME
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: watchdog_pat: 0x80ac208
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: smtp_get: EOF
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: lost connection after EHLO from waits.deadheaven.com[192.168.0.9]
> Aug 29 10:26:05 geoff postfix/smtpd[68347]: disconnect from waits.deadheaven.com[192.168.0.9]
> - -end maillog section-
>
> postfinger - postfix configuration on Sun Aug 29 16:04:16 PDT 2004
> version: 1.29
>
> - --System Parameters--
> mail_version = 2.1.4
> hostname = geoff.deadheaven.com
> uname = FreeBSD geoff.deadheaven.com 4.10-STABLE FreeBSD 4.10-STABLE #26: Fri Aug 20 06:37:32 PDT 2004
>
> - --Packaging information--
> looks like this postfix comes from BSD package: postfix-2.1.4,1
>
> - --main.cf non-default parameters--
> alias_database = hash:/etc/mail/aliases
> alias_maps = hash:/etc/mail/aliases, hash:/usr/local/mailman/data/aliases
> command_directory = /usr/local/sbin
> daemon_directory = /usr/local/libexec/postfix
> debug_peer_list = waits.deadheaven.com
> home_mailbox = Maildir/
> lmtp_send_xforward_command = yes
> mailq_path = /usr/local/bin/mailq
> mydestination = $myhostname, localhost.$mydomain, lists.$mydomain
> mynetworks = 127.0.0.1/32
> myorigin = $mydomain
> newaliases_path = /usr/local/bin/newaliases
> notify_classes = 2bounce,resource,software
> recipient_delimiter = -
> sendmail_path = /usr/local/sbin/sendmail
> smtp_tls_cert_file = /etc/ssl/deadheavenCA/cacert.pem
> smtp_tls_cipherlist = HIGH
> smtp_tls_key_file = /etc/ssl/deadheavenCA/private/cakey.pem
> smtp_tls_loglevel = 3
> smtp_tls_note_starttls_offer = yes
> smtp_use_tls = yes
> smtpd_hard_error_limit = 5
> smtpd_helo_required = yes
> smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, check_recipient_access hash:/usr/local/etc/postfix/recipient_filter, reject_unauth_destination, check_client_access hash:/usr/local/etc/postfix/client_blacklist, check_helo_access regexp:/usr/local/etc/postfix/helo_blacklist, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_rbl_client dnsbl.njabl.org, reject_rbl_client korea.services.net, reject_rbl_client list.dsbl.org, reject_rbl_client relays.ordb.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client opm.blitzed.org, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rbl_client dul.dnsbl.sorbs.net, check_client_access hash:/usr/local/etc/postfix/bypass_rdns_checks, reject_unknown_client
> smtpd_sasl_auth_enable = yes
> smtpd_sender_login_maps = hash:/usr/local/etc/postfix/sender_login
> smtpd_tls_CAfile = /etc/ssl/deadheavenCA/cacert.pem
> smtpd_tls_ask_ccert = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/ssl/newcert.pem
> smtpd_tls_cipherlist = HIGH
> smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/dh_1024.pem
> smtpd_tls_dh512_param_file = /usr/local/etc/postfix/dh_512.pem
> smtpd_tls_key_file = /etc/ssl/nopass.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_use_tls = yes
> tls_daemon_random_source = dev:/dev/urandom
> tls_random_source = dev:/dev/urandom
> unknown_local_recipient_reject_code = 450
> virtual_gid_maps = static:1008
> virtual_mailbox_base = /
> virtual_mailbox_domains = piranesia.net, deadheaven.com, fuzzypoodles.com
> virtual_mailbox_maps = ldap:ldapvirtual
> virtual_transport = maildrop
> virtual_uid_maps = static:1008
>
> - --master.cf--
> smtp-amavis unix - - n - 2 lmtp
> -o lmtp_data_done_timeout=1200
> -o max_use=10
> 127.0.0.1:10025 inet n - n - - smtpd
> -o content_filter=
> -o local_recipient_maps=
> -o relay_recipient_maps=
> -o smtpd_restriction_classes=
> -o smtpd_client_restrictions=
> -o smtpd_helo_restrictions=
> -o smtpd_sender_restrictions=
> -o smtpd_recipient_restrictions=permit_mynetworks,reject
> -o mynetworks=127.0.0.0/8
> -o strict_rfc821_envelopes=yes
> smtp inet n - n - - smtpd
> pickup fifo n - n 60 1 pickup
> pre-cleanup unix n - n - 0 cleanup
> -o virtual_alias_maps=
> -o canonical_maps=
> -o sender_canonical_maps=
> -o recipient_canonical_maps=
> -o masquerade_domains=
> cleanup unix n - n - 0 cleanup
> -o mime_header_checks=
> -o nested_header_checks=
> -o body_checks=
> -o header_checks=
> qmgr fifo n - n 300 1 qmgr
> tlsmgr fifo - - n 300 1 tlsmgr
> rewrite unix - - n - - trivial-rewrite
> bounce unix - - n - 0 bounce
> defer unix - - n - 0 bounce
> flush unix n - n 1000? 0 flush
> smtp unix - - n - - smtp
> showq unix n - n - - showq
> error unix - - n - - error
> local unix - n n - - local
> virtual unix - n n - - virtual
> lmtp unix - - n - - lmtp
> cyrus unix - n n - - pipe
> flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
> uucp unix - n n - - pipe
> flags=F user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
> ifmail unix - n n - - pipe
> flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
> bsmtp unix - n n - - pipe
> flags=F. user=foo argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
> relay unix - - n - - smtp
> proxymap unix - - n - - proxymap
> maildrop unix - n n - - pipe
> flags=DRhu user=vmail argv=/usr/local/bin/maildrop
> -d ${user}@${nexthop} ${extension} ${recipient} ${user} ${nexthop}
> trace unix - - n - 0 bounce
> verify unix - - n - 1 verify
>
> - -- end of postfinger output --
--
Lutz Jaenicke http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
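An added illustration, not code from the thread or from ssldump: the record-layer walk below names TLS records the way ssldump's trace above does (including "Unknown SSL content type N" and "Short record") and renders a plaintext alert in the form Postfix logged, "fatal:protocol version". The byte stream it parses is constructed here, not taken from the pcap, and the record bodies are plaintext rather than encrypted.

```python
import struct

# TLS record-layer content types (RFC 2246, section 6.2.1)
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 70: "protocol_version"}

def parse_records(data):
    """Split a raw TLS byte stream into a list of (name, version, body) records.

    Each record carries a 5-byte header: content type, version major/minor, body length.
    Unknown content types are named like ssldump's 'Unknown SSL content type N';
    a fragment with a truncated header or body is reported as 'Short record'."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            records.append(("Short record", None, data[off:]))
            break
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            records.append(("Short record", (major, minor), body))
            break
        records.append((CONTENT_TYPES.get(ctype, f"Unknown SSL content type {ctype}"),
                        (major, minor), body))
        off += 5 + length
    return records

def describe_alert(body):
    """Render an alert body (level, description) as 'level:description'."""
    level, desc = body[0], body[1]
    return f"{ALERT_LEVELS.get(level, str(level))}:{ALERT_DESCRIPTIONS.get(desc, str(desc))}"

def record(ctype, body, version=(3, 1)):
    """Wrap body in one TLS 1.0 (version 3.1) record header; used for the constructed sample."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body

# Constructed sample stream (not captured from the thread): ChangeCipherSpec, an
# application_data record, a record with bogus content type 2, a fatal
# protocol_version alert, and a 3-byte tail that cannot be a complete record.
SAMPLE = (record(20, b"\x01") + record(23, b"EHLO waits.example.tld\r\n")
          + record(2, b"\x00\x00") + record(21, b"\x02\x46") + b"\x17\x03\x01")

def summarize(data=SAMPLE):
    """Return the record names in stream order and the decoded text of every Alert record."""
    parsed = parse_records(data)
    names = [name for name, _, _ in parsed]
    alerts = [describe_alert(body) for name, _, body in parsed if name == "Alert"]
    return names, alerts
```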