Vieri l33t
Joined: 18 Dec 2005 Posts: 901
Posted: Mon Jan 20, 2020 12:55 pm Post subject: Postfix: TLS, older ciphers and recipient verification
Hi,
I think I have two different and unrelated (maybe) issues on my Postfix server.
Issue 1:
My postfix server cannot establish a TLS connection with an old MS Exchange server (unfortunately, I can't get rid of it just yet).
With previous versions of postfix and openssl, I had no issues when I used this config:
Code:
# cat /etc/postfix/tls_policy
[myexchangeserver.mydomain.org] encrypt protocols=!SSLv2:!TLSv1.2 ciphers=medium
Code:
# grep tls_policy /etc/postfix/main.cf
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
With an updated Postfix/openssl system I am now getting this error in the log:
Code:
postfix/smtp[23964]: setting up TLS connection to myexchangeserver.mydomain.org[10.0.1.100]:25
postfix/smtp[23964]: myexchangeserver.mydomain.org[10.0.1.100]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!eNULL"
postfix/smtp[23964]: SSL_connect:before SSL initialization
postfix/smtp[23964]: SSL_connect:SSLv3/TLS write client hello
postfix/smtp[23964]: SSL_connect:error in SSLv3/TLS write client hello
postfix/smtp[23964]: SSL_connect error to myexchangeserver.mydomain.org[10.0.1.100]:25: lost connection
postfix/smtp[23964]: 1500A829CC0: to=<myuser@mydomain.org>, relay=myexchangeserver.mydomain.org[10.0.1.100]:25, delay=0.03, delays=0.03/0/0/0, dsn=4.7.5, status=undeliverable (Cannot start TLS: handshake failure)
postfix/qmgr[23819]: 1500A829CC0: removed
Changing "encrypt" to "may" in /etc/postfix/tls_policy does not solve the issue.
The following /etc/postfix/tls_policy setting allows delivery to my Exchange server, but it is not encrypted:
Code:
[myexchangeserver.mydomain.org] none
Any ideas?
Issue 2 (could be related to issue 1):
On my older postfix servers I used to verify the recipient with "reject_unverified_recipient" in "smtpd_recipient_restrictions".
This is the full config setting:
Code:
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/to_access, permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain, check_policy_service unix:private/policyd-spf, reject_unverified_recipient
Now, on my new postfix system I'm getting this error in the log:
Code:
postfix/smtpd[27577]: NOQUEUE: reject: RCPT from sonic309-20.consmr.mail.gq1.yahoo.com[98.137.65.146]: 450 4.1.1 <myuser@mydomain.org>: Recipient address rejected: unverified address: Cannot start TLS: handshake failure; from=<otheruser@yahoo.com> to=<myuser@mydomain.org> proto=ESMTP helo=<sonic309-20.consmr.mail.gq1.yahoo.com>
Removing "reject_unverified_recipient" solves this issue.
Code:
# cat /etc/postfix/transport
mydomain.org smtp:[myexchangeserver.mydomain.org]
Manually connecting to my exchange server on port 25 and issuing the following commands shows that verification is on:
Code:
RCPT TO:<madeupuser@mydomain.org>
550 5.1.1 User unknown
The message "Cannot start TLS: handshake failure" makes me think that it's related to issue 1.
However, why is it showing up if I set "[myexchangeserver.mydomain.org] none" in /etc/postfix/tls_policy (ran postmap on that and restarted postfix)?
Vieri
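An added example, not from Vieri's post or from Postfix itself: a small Python checker that parses smtp_tls_policy_maps entries like the one quoted above and reports settings that weaken the negotiation or make it depend on the OpenSSL build (an exclusion list such as `!SSLv2:!TLSv1.2` leaves SSLv3 enabled and silently gains TLSv1.3 after a library upgrade). The `>=TLSv1.x` protocol syntax is the Postfix 3.6+ form; the sample table is constructed, with only its first line taken from the post.

```python
"""Audit a Postfix smtp_tls_policy_maps table (hypothetical checker, not Postfix code)."""
import re

ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEVEL_RANK = {"none": 0, "may": 1, "encrypt": 2, "dane": 3, "dane-only": 3,
              "fingerprint": 3, "verify": 3, "secure": 4}
WEAK_GRADES = {"null", "export", "low"}  # Postfix cipher grades below "medium"

# Constructed sample table; the first line is the entry from the post.
SAMPLE_POLICY = """\
[myexchangeserver.mydomain.org] encrypt protocols=!SSLv2:!TLSv1.2 ciphers=medium
[legacyrelay.example] may ciphers=low
mail.example.com secure protocols=>=TLSv1.2 ciphers=high
"""

def effective_protocols(spec):
    """Protocol set a protocols= attribute permits. '>=TLSv1.x' is the Postfix
    3.6+ form; a '!NAME' list excludes from everything the linked OpenSSL offers,
    so what remains changes when the library is upgraded (e.g. TLSv1.3 appears)."""
    if spec.startswith(">="):
        return set(ORDER[ORDER.index(spec[2:]):])
    parts = [p for p in re.split(r"[:,\s]+", spec) if p]
    included = {p for p in parts if not p.startswith("!")} or set(ORDER)
    return included - {p[1:] for p in parts if p.startswith("!")}

def audit_policy(text):
    """Return (destination, finding) tuples for each risky setting in the table."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        dest, level, *attrs = line.split()
        level = level.lower()
        if level not in LEVEL_RANK:
            findings.append((dest, f"unknown policy level {level!r}"))
            continue
        if LEVEL_RANK[level] < 2:  # "none" and "may" fall back to cleartext
            findings.append((dest, f"level {level!r} allows plaintext delivery"))
        kv = dict(a.split("=", 1) for a in attrs if "=" in a)
        if "protocols" in kv:
            allowed = effective_protocols(kv["protocols"])
            if "!" in kv["protocols"]:
                findings.append((dest, "exclusion-style protocols=; effective set is "
                                 + ",".join(p for p in ORDER if p in allowed)))
            if allowed & {"SSLv2", "SSLv3"}:
                findings.append((dest, "SSLv2/SSLv3 still permitted"))
        if kv.get("ciphers", "").lower() in WEAK_GRADES:
            findings.append((dest, f"ciphers={kv['ciphers']} is below the medium grade"))
    return findings
```

Running `audit_policy(SAMPLE_POLICY)` flags the Exchange entry twice (build-dependent exclusion list, SSLv3 still allowed) and the `may`/`low` relay twice, while the `secure`/`>=TLSv1.2` line passes clean.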