TLS 1.0 1.1 not working on postfix
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
TLS 1.0 1.1 not working on postfix
Latest EFA
I have a problem in communications with servers that have TLS 1.1; it seems that now Postfix doesn't allow it, and lots of mail servers give something like this:
warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c
This is EFA v4
[root@EFA42 log]# grep TLSv1.0 maillog | wc -l
0
[root@EFA42 log]# grep TLSv1.1 maillog | wc -l
0
[root@EFA42 log]# grep TLSv1.2 maillog | wc -l
23918
[root@EFA42 log]# grep TLSv1.3 maillog | wc -l
5810
This is EFA v3
[root@EFA41 log]# grep TLSv1.0 maillog-20201227 | wc -l
0
[root@EFA41 log]# grep TLSv1.1 maillog-20201227 | wc -l
260
[root@EFA41 log]# grep TLSv1.2 maillog-20201227 | wc -l
201317
[root@EFA41 log]# grep TLSv1.3 maillog-20201227 | wc -l
0
Last edited by nicola.piazzi on 21 Jan 2021 10:46, edited 1 time in total.
Re: TLS 1.0 1.1 not working
Should be configurable in main.cf. I just checked my config; it is not blocked in my config, but I have no TLS 1.1 connections either.
Last edited by smyers119 on 19 Jan 2021 20:25, edited 1 time in total.
Re: TLS 1.0 1.1 not working
[uname@mx01 log]$ sudo grep "TLS connection established" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn
2773 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
254 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
117 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
13 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
8 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
8 TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
8 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
3 TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)
[smyers@mx01 log]$ sudo grep "TLS library problem" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn
28 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working
Older EFA with CentOS 6
9586 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
7284 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
175 TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)
88 TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
74 TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
64 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
41 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
20 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
2 TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
1 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Newer EFA with CentOS 8
15431 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
7717 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
5382 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
511 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
289 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
263 TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)
142 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
101 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
68 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits)
44 TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
39 TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
6 TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)
4 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
1 TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working
I installed the testssl script:
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
I execute it on the mail server:
cd /etc/testssl/testssl.sh
./testssl.sh -t smtp efa42.gruppocomet.it:25
Testing protocols via sockets
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
The strange thing is that I am not able to instruct Postfix to accept TLS 1.
Also Apache doesn't accept TLS 1 by default, but by modifying ssl.conf I was able to make it accept it!
I don't know why Postfix does a STARTTLS and then rejects TLS when it is version 1.
It could also be an option to not accept STARTTLS when it is not at least 1.2, but I don't know how.
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working
On the same machine, CentOS 8, I tried to re-enable TLS 1.1 in Apache and it works, but I am unable to in Postfix!!!
**** By default Apache doesn't offer TLS v1 & v1.1
./testssl.sh localhost:443
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
**** If I uncomment the SSLProtocol line, I negate only SSLv3 and below
vi /etc/httpd/conf.d/ssl.conf
UNCOMMENT THIS LINE > SSLProtocol all -SSLv3
systemctl restart httpd
**** And now we have TLS v1 & v1.1!
./testssl.sh localhost:443
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
**** It seems impossible to do this with Postfix
./testssl.sh -t smtp localhost:25
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
**** Changed in main.cf but same results
vi /etc/postfix/main.cf
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols =
smtp_tls_mandatory_protocols =
smtpd_tls_protocols = TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
smtp_tls_protocols = TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
./testssl.sh -t smtp localhost:25
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
There is a workaround. When we get this problem in the log:
warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c
Jan 21 17:58:59 EFA42 postfix/smtpd[165708]: lost connection after STARTTLS from srv.marecoluce.it[62.94.229.117]
We can do this in main.cf:
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_policy_maps = hash:/etc/postfix/tls_policy
So we look into the tls_policy file, and we add the errors as they come, instructing older TLS servers not to use TLS:
echo "marecoluce.it none" >> tls_policy;sleep 2;postmap /etc/postfix/tls_policy;sleep 1;systemctl restart postfix
But obviously I don't like it.
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: TLS 1.0 1.1 not working on postfix
Looks like this setting:
smtpd_tls_ciphers = medium
Try changing this to:
smtpd_tls_ciphers = low
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
Same thing with low, TLS less than 1.2 not offered.
So a lot of servers, about 10% of our conversations, start TLS and offer 1.1, and fail:
Testing protocols via sockets
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
Usually servers retry after a TLS problem, but not all:
Jan 25 11:12:25 EFA42 postfix/smtpd[104208]: connect from smtpauthbis.interhost.it[89.31.73.185]
Jan 25 11:12:26 EFA42 postfix/smtpd[104208]: SSL_accept error from smtpauthbis.interhost.it[89.31.73.185]: -1
Jan 25 11:12:26 EFA42 postfix/smtpd[104208]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c
Jan 25 11:12:26 EFA42 postfix/smtpd[104208]: lost connection after STARTTLS from smtpauthbis.interhost.it[89.31.73.185]
Jan 25 11:12:26 EFA42 postfix/smtpd[104208]: disconnect from smtpauthbis.interhost.it[89.31.73.185] ehlo=1 starttls=0/1 commands=1/2
Jan 25 11:12:26 EFA42 postfix/smtpd[107115]: connect from smtpauthbis.interhost.it[89.31.73.185]
Jan 25 11:12:26 EFA42 postfix/smtpd[107115]: 4DPQf22jVfz1LQS0f: client=smtpauthbis.interhost.it[89.31.73.185]
Jan 25 11:12:27 EFA42 postfix/cleanup[107851]: 4DPQf22jVfz1LQS0f: milter-discard: END-OF-MESSAGE from smtpauthbis.interhost.it[89.31.73.185]: milter triggers DISCARD action; from=<HIDDEN> to=<HIDDEN> proto=ESMTP helo=<smtpauthbis.interhost.it>
Jan 25 11:12:27 EFA42 postfix/smtpd[107115]: disconnect from smtpauthbis.interhost.it[89.31.73.185] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
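Added example, not code from the thread or from the EFA project: a small Python log correlator for the smtpd pattern shown above. It rebuilds each smtpd session from constructed sample lines (placeholder hosts and IPs), flags the SSL_accept / unsupported-protocol failures, and reports which peers later got mail through in clear and which were stranded, so a per-peer decision can be made instead of a blind TLS exclusion.

```python
import re
from collections import defaultdict

# Constructed sample maillog (not from the thread), shaped like the smtpd
# pattern in the post above: old.example.net fails STARTTLS with "unsupported
# protocol" and retries in clear, legacy.example.org fails and never returns,
# modern.example.com negotiates TLS 1.3 normally. Hosts and IPs are placeholders.
SAMPLE_LOG = """\
Jan 25 11:12:25 mx postfix/smtpd[1001]: connect from old.example.net[198.51.100.10]
Jan 25 11:12:26 mx postfix/smtpd[1001]: SSL_accept error from old.example.net[198.51.100.10]: -1
Jan 25 11:12:26 mx postfix/smtpd[1001]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c
Jan 25 11:12:26 mx postfix/smtpd[1001]: lost connection after STARTTLS from old.example.net[198.51.100.10]
Jan 25 11:12:26 mx postfix/smtpd[1001]: disconnect from old.example.net[198.51.100.10] ehlo=1 starttls=0/1 commands=1/2
Jan 25 11:12:27 mx postfix/smtpd[1002]: connect from old.example.net[198.51.100.10]
Jan 25 11:12:27 mx postfix/smtpd[1002]: ABCDEF123456: client=old.example.net[198.51.100.10]
Jan 25 11:12:28 mx postfix/smtpd[1002]: disconnect from old.example.net[198.51.100.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 25 11:20:00 mx postfix/smtpd[1003]: connect from legacy.example.org[203.0.113.7]
Jan 25 11:20:01 mx postfix/smtpd[1003]: SSL_accept error from legacy.example.org[203.0.113.7]: -1
Jan 25 11:20:01 mx postfix/smtpd[1003]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c
Jan 25 11:20:01 mx postfix/smtpd[1003]: lost connection after STARTTLS from legacy.example.org[203.0.113.7]
Jan 25 11:20:01 mx postfix/smtpd[1003]: disconnect from legacy.example.org[203.0.113.7] ehlo=1 starttls=0/1 commands=1/2
Jan 25 11:30:00 mx postfix/smtpd[1004]: connect from modern.example.com[192.0.2.5]
Jan 25 11:30:00 mx postfix/smtpd[1004]: Anonymous TLS connection established from modern.example.com[192.0.2.5]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Jan 25 11:30:01 mx postfix/smtpd[1004]: 0123456789AB: client=modern.example.com[192.0.2.5]
"""

LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER_RE = re.compile(r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]")
QUEUED_RE = re.compile(r"^[0-9A-Za-z]+: client=")   # queue id assigned: mail was accepted


def parse_sessions(log_text):
    """Rebuild one record per smtpd session (connect ... disconnect), keyed by smtpd pid."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # cleanup/qmgr/etc. lines are not smtpd sessions
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            peer = PEER_RE.search(msg)
            open_sessions[pid] = {"host": peer.group("host"), "ip": peer.group("ip"),
                                  "tls_failed": False, "unsupported_protocol": False,
                                  "tls_established": False, "accepted": False}
            continue
        s = open_sessions.get(pid)
        if s is None:
            continue                      # event for a session whose connect we never saw
        if msg.startswith("SSL_accept error from "):
            s["tls_failed"] = True
        elif msg.startswith("warning: TLS library problem:") and "unsupported protocol" in msg:
            s["unsupported_protocol"] = True   # the error:14209102 case from the thread
        elif "TLS connection established from" in msg:
            s["tls_established"] = True
        elif QUEUED_RE.match(msg):
            s["accepted"] = True
        elif msg.startswith("disconnect from "):
            sessions.append(open_sessions.pop(pid))
    sessions.extend(open_sessions.values())   # sessions still open at end of log
    return sessions


def summarize(sessions):
    """Per peer hostname: handshake failures versus sessions that delivered mail."""
    summary = defaultdict(lambda: {"failed": 0, "unsupported_protocol": 0,
                                   "clear_ok": 0, "tls_ok": 0})
    for s in sessions:
        e = summary[s["host"]]
        e["failed"] += s["tls_failed"]
        e["unsupported_protocol"] += s["unsupported_protocol"]
        if s["tls_established"]:
            e["tls_ok"] += 1
        elif s["accepted"]:
            e["clear_ok"] += 1            # delivered without TLS: the retry-in-clear case
    return dict(summary)


def stranded_peers(summary):
    """Peers that failed the handshake and never got a message through afterwards."""
    return sorted(h for h, e in summary.items()
                  if e["failed"] and not (e["clear_ok"] or e["tls_ok"]))
```

On a real system feed the contents of /var/log/maillog to parse_sessions(); the hosts returned by stranded_peers() are the ones worth a manual decision before any per-domain TLS exclusion.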
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: TLS 1.0 1.1 not working on postfix
Try commenting out all these lines to let Postfix go back to its defaults, and report back:
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
tls_preempt_cipherlist = yes
tls_medium_cipherlist = ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
smtpd_tls_ciphers = medium
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
Same thing, Shawn; it seems to be a Postfix-related problem.
Consider that I can restore TLS 1.1 in Apache but not in Postfix, on the same machine:
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Workaround: Re: TLS 1.0 1.1 not working on postfix
Solved (workaround solved)
It seems that the Postfix version used in EFA, and other recent Postfix versions, don't offer TLS lower than 1.2.
Now EFA offers only 1.2 and the newest, 1.3.
You can see the TLS versions offered by a server by installing this simple and useful software under your /etc:
cd /etc
git clone --depth 1 https://github.com/drwetter/testssl.sh.git
Now you can test this server with this command (but you can use it to test other servers on the internet):
/etc/testssl.sh/testssl.sh -t smtp localhost:25
or
/etc/testssl.sh/testssl.sh -t smtp <yourfqdn>:25
With the Postfix version installed in EFA4 you can see this:
Testing protocols via sockets
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
As you can see, TLS 1 & 1.1 are unsupported. Postfix can retry in clear after a TLS failure because it uses this directive in main.cf:
smtp_tls_security_level = may
but sometimes some other servers that fail TLS because they don't have 1.2 or 1.3 installed have problems retrying, and this results in blocked traffic.
The goal is to exclude problematic servers from TLS and use clear for them.
This script can be put in cron every 15 minutes; it scans your maillog (very fast) and adds the domains of problematic remote mail servers to a Postfix exclusion file, keeping them for some days, so the next retry will be in clear text and have no problem.
Inside the script there are instructions to put it in cron and the directive to add in main.cf.
(Only a note: Postfix TLS exclusion can be done based only on domain names, so it is possible that an error received from a server that spoofs a domain causes an insert for that domain into the TLS exclusion table, but it should not be a big problem.)
- Attachments: tls.may.sh.rar (1.27 KiB)
Last edited by nicola.piazzi on 26 Jan 2021 13:19, edited 1 time in total.
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
TLS tests can be done on
https://www.immuniweb.com/ssl/
You can specify server name:25
EFA 3 has Postfix version 3.1.3 and gives these results:
TLSv1.0 Non-compliant with PCI DSS requirements
TLSv1.1 Good configuration
TLSv1.2 Good configuration
EFA 4 has Postfix version 3.4.8 and gives these results:
TLSv1.2 Good configuration
TLSv1.3 Information
Obviously by now all mail servers support TLSv1.2, so Postfix 3.1.3 is able to talk with all of them because it also has TLSv1.0 and TLSv1.1 enabled, which a lot of people have without having TLSv1.2.
main.cf seems identical, so I don't know why 3.4.8 disables older TLS if not specified explicitly.
On the same machine with 3.4.8 I was able to re-enable older TLS for Apache, so it doesn't seem to be a machine OpenSSL limit;
it seems a Postfix problem.
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: TLS 1.0 1.1 not working on postfix
Try this
http://www.postfix.org/postconf.5.html# ... _protocols
smtpd_tls_mandatory_protocols = >=TLSv1.0, <=TLSv1.3
smtp_tls_mandatory_protocols = >=TLSv1.0, <=TLSv1.3
smtpd_tls_protocols = >=TLSv1.0, <=TLSv1.3
smtp_tls_protocols = >=TLSv1.0, <=TLSv1.3
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
It says: "Preferred syntax with Postfix ≥ 3.6:" and we have an older one,
but the results are the same:
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: TLS 1.0 1.1 not working on postfix
Would upgrading postfix to 3.6 solve this problem?
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
I don't know; are you able to produce a newer Postfix version, compiled, to update my machine,
so I can test it?
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: TLS 1.0 1.1 not working on postfix
Yeah I can do that.
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
OK, I will wait for it to test.
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
I installed a fresh CentOS 8 system with Postfix from yum:
[root@EFA49 ~]# yum list installed | grep postfix
postfix.x86_64 2:3.3.1-12.el8 @baseos
There is no way to disable 1.3; the system offers only 1.2 and 1.3, and you can only disable 1.2:
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
I installed a fresh copy of CentOS 8 (Stream), which gives Postfix 3.5.8-1 by default,
and with the default configuration it has all protocols enabled:
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
In the default config there is only
smtp_tls_security_level = may
smtpd_tls_security_level = may
with no other parameters configured, and in this way it offers all TLS versions available.
# TEST REMOVING 1.0 OK
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
# ALSO ABLE TO REMOVE MIDDLE PROTOCOLS
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.2
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.2
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 offered (deprecated)
TLS 1.2 not offered and downgraded to a weaker protocol
TLS 1.3 offered (OK): final
As a solution we request a 3.5 version for EFA.
- shawniverson
- Posts: 3649
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
-
- Posts: 389
- Joined: 23 Apr 2015 09:45
Re: TLS 1.0 1.1 not working on postfix
mail_version = 3.5.9
OK, with the same main.cf now we have all TLS versions:
Testing protocols via sockets
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
Now I will test it in production for some hours.