Questions concerning TLS

From: Darrell A. Sullivan, II (no email)
Date: Fri Aug 22 2008 - 09:54:07 EDT

    I am trying to implement TLS on our server for a client requirement. I
    believe I have the TLS settings correct, but I am not certain about what I
    am seeing in the logs and I am uncertain as to how to know if a message was
    delivered using TLS.

    Is there anything in the message headers that would indicate that it was
    delivered using TLS?

    I have the log entries below for some outgoing messages. I am certain that
    the first one is a failure, since the group's server is set up with the entry
    "somecomp.com MUST_NOPEERMATCH" specified in tls_per_site, and consequently
    the message is not delivered when TLS fails. Is this because they have a
    self-signed certificate and we do not have the CA certificate for their root?

    In the second set of log entries, I am not certain if the message is
    delivered over the TLS connection or not. Is there some entry I can search
    my logs for to find out if any messages are being successfully transmitted
    over TLS?

    ----------------------
    Known Failure
    ----------------------
    Aug 22 13:11:43 mail postfix/smtp[7593]: starting TLS engine
    Aug 22 13:11:44 mail postfix/smtp[7593]: setting up TLS connection to mail.somecomp.com
    Aug 22 13:11:44 mail postfix/smtp[7593]: SSL_connect:before/connect initialization
    Aug 22 13:11:44 mail postfix/smtp[7593]: SSL_connect:SSLv2/v3 write client hello A
    Aug 22 13:11:44 mail postfix/smtp[7593]: SSL_connect:error in SSLv2/v3 read server hello A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server hello A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server hello A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server hello A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate A
    Aug 22 13:11:45 mail postfix/smtp[7593]: Peer cert verify depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=thistle.somecomp.com/emailAddress=
    Aug 22 13:11:45 mail postfix/smtp[7593]: verify error:num=18:self signed certificate
    Aug 22 13:11:45 mail postfix/smtp[7593]: verify return:0
    Aug 22 13:11:45 mail postfix/smtp[7593]: Peer cert verify depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=thistle.somecomp.com/emailAddress=
    Aug 22 13:11:45 mail postfix/smtp[7593]: Peer verification: CommonName in certificate does not match: thistle.somecomp.com != mail.somecomp.com
    Aug 22 13:11:45 mail postfix/smtp[7593]: verify return:1
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server certificate A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server key exchange A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server key exchange A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server key exchange A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate request A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read server certificate request A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read server done A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 write client key exchange A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 write change cipher spec A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 write finished A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 flush data
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:error in SSLv3 read finished A
    Aug 22 13:11:45 mail postfix/smtp[7593]: SSL_connect:SSLv3 read finished A
    Aug 22 13:11:45 mail postfix/smtp[7593]: Unverified: subject_CN=thistle.somecomp.com, issuer=thistle.somecomp.com
    Aug 22 13:11:45 mail postfix/smtp[7593]: TLS connection established to mail.somecomp.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Aug 22 13:11:45 mail postfix/smtp[7593]: Peer certficate could not be verified
    Aug 22 13:11:45 mail postfix/smtp[7593]: 85F4F504254: to=<>, relay=mail.somecomp.com[xxx.yyy.zzz.aaa], delay=2, status=deferred (TLS-failure: Could not verify certificate)

    ----------------------
    Did this work or not?
    ----------------------
    Aug 21 22:16:22 mail postfix/smtp[28731]: starting TLS engine
    Aug 21 22:16:28 mail postfix/smtp[28731]: setting up TLS connection to mail.somecomp2.com
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:before/connect initialization
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv2/v3 write client hello A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv2/v3 read server hello A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server hello A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server hello A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server hello A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server certificate A
    Aug 21 22:16:28 mail postfix/smtp[28731]: Peer cert verify depth=1 /C=US/ST=SC/L=NCHARLESTON/O=somecomp2/CN=Certificate Manager
    Aug 21 22:16:28 mail postfix/smtp[28731]: verify error:num=19:self signed certificate in certificate chain
    Aug 21 22:16:28 mail postfix/smtp[28731]: verify return:0
    Aug 21 22:16:28 mail postfix/smtp[28731]: Peer cert verify depth=1 /C=US/ST=SC/L=NCHARLESTON/O=somecomp2/CN=Certificate Manager
    Aug 21 22:16:28 mail postfix/smtp[28731]: verify return:1
    Aug 21 22:16:28 mail postfix/smtp[28731]: Peer cert verify depth=0 /C=US/ST=South Carolina/L=Charleston/O=somecomp2 Communications, Inc./CN=mail.somecomp2.com/emailAddress=
    Aug 21 22:16:28 mail postfix/smtp[28731]: verify return:1
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server certificate A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server key exchange A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server key exchange A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server key exchange A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server certificate request A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read server certificate request A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server certificate request A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read server done A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write client certificate A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write client key exchange A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write certificate verify A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write change cipher spec A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 write finished A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 flush data
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:error in SSLv3 read finished A
    Aug 21 22:16:28 mail postfix/smtp[28731]: SSL_connect:SSLv3 read finished A
    Aug 21 22:16:28 mail postfix/smtp[28731]: Unverified: subject_CN=mail.somecomp2.com, issuer=Certificate Manager
    Aug 21 22:16:28 mail postfix/smtp[28731]: TLS connection established to mail.somecomp2.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Aug 21 22:16:28 mail postfix/smtp[28731]: Peer certficate could not be verified
    Aug 21 22:18:10 mail postfix/smtp[28731]: 8D05D501C3C: to=<>, relay=mail.somecomp2.com[xxx.yyy.zzz.aaa], delay=8898, status=sent (250 2.0.0 m7LMVud8002947 Message accepted for delivery)
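As an added example (not part of the original post), a small Python script that answers the log question for outbound mail: it walks postfix/smtp lines in the format quoted above, pairs each "TLS connection established to ..." line with the later delivery line from the same smtp process, and reports whether each message went out over TLS and whether the peer certificate was verified. The sample log is constructed (condensed from the two sessions above, plus one constructed plaintext delivery by the second process); the "Verified:"/"Unverified:" line format is assumed from the entries shown.

```python
import re

# Constructed sample: the two outbound sessions quoted in the post, condensed to the
# lines that matter, plus one constructed plaintext delivery by the second smtp process.
SAMPLE_LOG = """\
Aug 22 13:11:44 mail postfix/smtp[7593]: setting up TLS connection to mail.somecomp.com
Aug 22 13:11:45 mail postfix/smtp[7593]: verify error:num=18:self signed certificate
Aug 22 13:11:45 mail postfix/smtp[7593]: Unverified: subject_CN=thistle.somecomp.com, issuer=thistle.somecomp.com
Aug 22 13:11:45 mail postfix/smtp[7593]: TLS connection established to mail.somecomp.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 22 13:11:45 mail postfix/smtp[7593]: 85F4F504254: to=<>, relay=mail.somecomp.com[xxx.yyy.zzz.aaa], delay=2, status=deferred (TLS-failure: Could not verify certificate)
Aug 21 22:16:28 mail postfix/smtp[28731]: setting up TLS connection to mail.somecomp2.com
Aug 21 22:16:28 mail postfix/smtp[28731]: Unverified: subject_CN=mail.somecomp2.com, issuer=Certificate Manager
Aug 21 22:16:28 mail postfix/smtp[28731]: TLS connection established to mail.somecomp2.com: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 21 22:18:10 mail postfix/smtp[28731]: 8D05D501C3C: to=<>, relay=mail.somecomp2.com[xxx.yyy.zzz.aaa], delay=8898, status=sent (250 2.0.0 m7LMVud8002947 Message accepted for delivery)
Aug 21 22:20:00 mail postfix/smtp[28731]: 1A2B3C4D5E6: to=<>, relay=mail.example.net[xxx.yyy.zzz.bbb], delay=1, status=sent (250 OK)
"""

SETUP_RE = re.compile(r'postfix/smtp\[(\d+)\]: setting up TLS connection to (\S+)')
VERIFY_RE = re.compile(r'postfix/smtp\[(\d+)\]: (Verified|Unverified): subject_CN=')
ESTAB_RE = re.compile(r'postfix/smtp\[(\d+)\]: TLS connection established to (\S+): (\S+) with cipher (\S+)')
DELIVERY_RE = re.compile(r'postfix/smtp\[(\d+)\]: ([0-9A-F]+): to=<[^>]*>, relay=([^\[,]+)\S*, .*status=(\w+)')

def audit_tls(log_text):
    """One record per delivery attempt: queue id, relay, status, and the TLS session
    (protocol/cipher, peer verified?) the same smtp process had set up to that relay."""
    sessions = {}  # pid -> most recent TLS handshake state for that smtp process
    records = []
    for line in log_text.splitlines():
        if m := SETUP_RE.search(line):
            sessions[m[1]] = {"host": m[2], "established": False, "verified": None}
        elif m := VERIFY_RE.search(line):
            sessions.setdefault(m[1], {"host": None, "established": False})["verified"] = m[2] == "Verified"
        elif m := ESTAB_RE.search(line):
            s = sessions.setdefault(m[1], {"verified": None})
            s.update(host=m[2], established=True, protocol=m[3], cipher=m[4])
        elif m := DELIVERY_RE.search(line):
            pid, queue_id, relay, status = m.groups()
            s = sessions.get(pid)
            # Count TLS only if the handshake completed to this very relay; a cached
            # session to another host, or a handshake that never finished, does not count.
            used_tls = bool(s and s["established"] and s["host"] == relay)
            records.append({"queue_id": queue_id, "relay": relay, "status": status,
                            "tls": f'{s["protocol"]} {s["cipher"]}' if used_tls else None,
                            "peer_verified": s["verified"] if used_tls else None})
    return records

if __name__ == "__main__":
    for rec in audit_tls(SAMPLE_LOG):
        print(rec)
```

On the sending side, "TLS connection established to <host>" followed by a status=sent line from the same process is the search key for a successful TLS delivery; on the receiving side, Postfix records TLS details in the Received: header only when smtpd_tls_received_header is enabled.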
