
TLS 1.0 1.1 not working on postfix

Posted: 19 Jan 2021 17:25
by nicola.piazzi
Latest EFA
I have a problem in communications with servers that have TLS 1.1; it seems that now Postfix doesn't allow it, and lots of mail servers give something like this:
warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:

This is EFA v4
[root@EFA42 log]# grep TLSv1.0 maillog | wc -l
0
[root@EFA42 log]# grep TLSv1.1 maillog | wc -l
0
[root@EFA42 log]# grep TLSv1.2 maillog | wc -l
23918
[root@EFA42 log]# grep TLSv1.3 maillog | wc -l
5810

This is EFA v3
[root@EFA41 log]# grep TLSv1.0 maillog-20201227 | wc -l
0
[root@EFA41 log]# grep TLSv1.1 maillog-20201227 | wc -l
260
[root@EFA41 log]# grep TLSv1.2 maillog-20201227 | wc -l
201317
[root@EFA41 log]# grep TLSv1.3 maillog-20201227 | wc -l
0

Re: TLS 1.0 1.1 not working

Posted: 19 Jan 2021 20:10
by smyers119
Should be configurable in main.cf. I just checked my config, it is not blocked in my config but I have no TLS 1.1 connections either.

Re: TLS 1.0 1.1 not working

Posted: 19 Jan 2021 20:23
by smyers119

[uname@mx01 log]$ sudo grep "TLS connection established" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn
   2773 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    254 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    117 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
     13 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
      8 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
      8 TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
      8 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
      3 TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)

[smyers@mx01 log]$ sudo grep "TLS library problem" maillog | sed 's/.*: //g' | sort | uniq -c | sort -rn
     28 error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1661:
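
The grep/sed/sort/uniq pipeline above is the quickest way to see which protocol versions peers actually negotiate. As an added example (not code from the thread, EFA or Postfix), here is the same summary in Python, split into inbound (smtpd, "from") and outbound (smtp, "to") handshakes, with the OpenSSL reason text of "TLS library problem" warnings counted separately and a list of the peers still negotiating below TLS 1.2, which is what you want to know before raising the floor. The log lines are constructed to match the shapes seen in this thread, using example.* names and RFC 5737 addresses.

```python
import re
import sys
from collections import Counter

# Constructed sample maillog excerpt (not taken from the thread); the line shapes follow
# Postfix smtpd/smtp TLS logging, with example.* hosts and RFC 5737 documentation addresses.
SAMPLE_MAILLOG = """\
Jan 19 17:01:02 mx postfix/smtpd[1001]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 19 17:01:05 mx postfix/smtpd[1002]: Anonymous TLS connection established from mail.example.org[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Jan 19 17:01:09 mx postfix/smtpd[1003]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 19 17:01:40 mx postfix/smtpd[1004]: Anonymous TLS connection established from legacy.example.net[192.0.2.77]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 19 17:02:11 mx postfix/smtpd[1005]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
Jan 19 17:02:30 mx postfix/smtp[1006]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

# Handshake summary lines; "from" is an inbound smtpd session, "to" an outbound smtp one.
# The peer token always ends with "]" (name[address]); outbound lines append ":port".
ESTABLISHED = re.compile(
    r"postfix/smtpd?\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<direction>from|to) (?P<peer>\S+\])(?::\d+)?: (?P<protocol>\S+) with cipher (?P<cipher>\S+)"
)
# OpenSSL error strings are colon-separated: error:<code>:<library>:<function>:<reason>:<file>:<line>:
LIBRARY_PROBLEM = re.compile(
    r"warning: TLS library problem: error:\w+:[^:]+:[^:]+:(?P<reason>[^:]+):"
)
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_established(line):
    """Return (direction, peer, protocol, cipher) for a completed-handshake line, else None."""
    m = ESTABLISHED.search(line)
    if not m:
        return None
    return m.group("direction"), m.group("peer"), m.group("protocol"), m.group("cipher")


def summarize(log_text):
    """Count negotiated protocol versions and ciphers per direction, plus handshake errors by reason."""
    summary = {
        "inbound": {"protocols": Counter(), "ciphers": Counter()},
        "outbound": {"protocols": Counter(), "ciphers": Counter()},
        "library_problems": Counter(),
    }
    for line in log_text.splitlines():
        hit = parse_established(line)
        if hit:
            direction, _peer, protocol, cipher = hit
            bucket = summary["inbound" if direction == "from" else "outbound"]
            bucket["protocols"][protocol] += 1
            bucket["ciphers"][cipher] += 1
            continue
        err = LIBRARY_PROBLEM.search(line)
        if err:
            summary["library_problems"][err.group("reason")] += 1
    return summary


def legacy_peers(log_text):
    """Peers that completed a handshake below TLS 1.2, as ((peer, protocol), count) pairs."""
    seen = Counter()
    for line in log_text.splitlines():
        hit = parse_established(line)
        if hit and hit[2] in LEGACY:
            seen[(hit[1], hit[2])] += 1
    return sorted(seen.items())


if __name__ == "__main__":
    # Pass a maillog path to scan a real file; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    result = summarize(text)
    for direction in ("inbound", "outbound"):
        for proto, n in result[direction]["protocols"].most_common():
            print(f"{direction:8} {n:6} {proto}")
    for reason, n in result["library_problems"].most_common():
        print(f"error    {n:6} {reason}")
    for (peer, proto), n in legacy_peers(text):
        print(f"legacy   {n:6} {proto} {peer}")
```

Run it as `python3 tls_summary.py /var/log/maillog`. The "legacy" lines are the peers that would start failing if TLS 1.0/1.1 were disabled, so they are the ones to review (or contact) before changing the protocol floor.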


Re: TLS 1.0 1.1 not working

Posted: 20 Jan 2021 07:33
by nicola.piazzi
Older EFA with CentOS 6

9586 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
7284 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
175 TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)
88 TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
74 TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
64 TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
41 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
20 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
2 TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
1 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)

Newer EFA with CentOS 8
15431 TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
7717 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
5382 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
511 TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
289 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256
263 TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)
142 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
101 TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
68 TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits)
44 TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
39 TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)
6 TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)
4 TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
1 TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)

Re: TLS 1.0 1.1 not working

Posted: 20 Jan 2021 09:20
by nicola.piazzi
I installed the testssl script:
git clone --depth 1 https://github.com/drwetter/testssl.sh.git

I execute this on the mail server:
cd /etc/testssl/testssl.sh
./testssl.sh -t smtp efa42.gruppocomet.it:25
Testing protocols via sockets

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

The strange thing is that I am not able to instruct Postfix to accept TLS 1.
Also Apache doesn't accept TLS 1 by default, but by modifying ssl.conf I was able to make it accept it!

I don't know why Postfix does a STARTTLS and then rejects TLS when it is version 1.
It could also be an option to not accept STARTTLS when it is not at least 1.2, but I don't know how.

Re: TLS 1.0 1.1 not working

Posted: 21 Jan 2021 09:37
by nicola.piazzi
On the same machine, CentOS 8, I tried to re-enable TLS 1.1 in Apache and it works, but I am unable to in Postfix!!!

**** By default Apache doesn't offer TLS v1 & v1.1
./testssl.sh localhost:443
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

**** If I uncomment the SSLProtocol line I negate only SSLv3 and below
vi /etc/httpd/conf.d/ssl.conf
UNCOMMENT THIS LINE > SSLProtocol all -SSLv3

systemctl restart httpd

**** And now we have TLS v1 & v1.1!
./testssl.sh localhost:443
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)

TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

**** It seems impossible to do this with Postfix
./testssl.sh -t smtp localhost:25
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

**** Changed in main.cf but same results
vi /etc/postfix/main.cf
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols =
smtp_tls_mandatory_protocols =
smtpd_tls_protocols = TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
smtp_tls_protocols = TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
./testssl.sh -t smtp localhost:25
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

Re: TLS 1.0 1.1 not working on postfix

Posted: 21 Jan 2021 17:01
by nicola.piazzi
There is a workaround. When we get this problem in the log:

warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
Jan 21 17:58:59 EFA42 postfix/smtpd[165708]: lost connection after STARTTLS from srv.marecoluce.it[62.94.229.117]

We can do this in main.cf:
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_policy_maps = hash:/etc/postfix/tls_policy

So we look into the tls_policy file and add errors as they come, instructing older TLS servers not to use TLS:
echo "marecoluce.it none" >> tls_policy;sleep 2;postmap /etc/postfix/tls_policy;sleep 1;systemctl restart postfix

but obviously I don't like it

Re: TLS 1.0 1.1 not working on postfix

Posted: 23 Jan 2021 12:23
by shawniverson
Looks like this setting:

smtpd_tls_ciphers = medium
Try changing this to:

smtpd_tls_ciphers = low

Re: TLS 1.0 1.1 not working on postfix

Posted: 25 Jan 2021 07:37
by nicola.piazzi
Same thing with low: TLS less than 1.2 is not offered,
so a lot of servers, about 10% of our conversations, start TLS, offer 1.1, and fail.

Testing protocols via sockets

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

Re: TLS 1.0 1.1 not working on postfix

Posted: 25 Jan 2021 10:45
by nicola.piazzi
Usually servers retry after a TLS problem, but not all.

Jan 25 11:12:25 EFA42 postfix/smtpd[104208]: connect from smtpauthbis.interhost.it[89.31.73.185]
Jan 25 11:12:26 EFA42 postfix/smtpd[104208]: SSL_accept error from smtpauthbis.interhost.it[89.31.73.185]: -1
Jan 25 11:12:26 EFA42 postfix/smtpd[104208]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
Jan 25 11:12:26 EFA42 postfix/smtpd[104208]: lost connection after STARTTLS from smtpauthbis.interhost.it[89.31.73.185]
Jan 25 11:12:26 EFA42 postfix/smtpd[104208]: disconnect from smtpauthbis.interhost.it[89.31.73.185] ehlo=1 starttls=0/1 commands=1/2

Jan 25 11:12:26 EFA42 postfix/smtpd[107115]: connect from smtpauthbis.interhost.it[89.31.73.185]
Jan 25 11:12:26 EFA42 postfix/smtpd[107115]: 4DPQf22jVfz1LQS0f: client=smtpauthbis.interhost.it[89.31.73.185]
Jan 25 11:12:27 EFA42 postfix/cleanup[107851]: 4DPQf22jVfz1LQS0f: milter-discard: END-OF-MESSAGE from smtpauthbis.interhost.it[89.31.73.185]: milter triggers DISCARD action; from=<HIDDEN> to=<HIDDEN> proto=ESMTP helo=<smtpauthbis.interhost.it>
Jan 25 11:12:27 EFA42 postfix/smtpd[107115]: disconnect from smtpauthbis.interhost.it[89.31.73.185] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5


Re: TLS 1.0 1.1 not working on postfix

Posted: 25 Jan 2021 11:06
by shawniverson
Try commenting out all these lines to put Postfix back to the default and report back:

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
tls_preempt_cipherlist = yes
tls_medium_cipherlist = ECDSA+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDSA+AES:ECDH+AES:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
smtpd_tls_ciphers = medium

Re: TLS 1.0 1.1 not working on postfix

Posted: 25 Jan 2021 16:31
by nicola.piazzi
Same thing, Shawn; it seems to be a Postfix-related problem.

Consider that I can restore TLS 1.1 in Apache but not in Postfix, on the same machine.

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

Workaround Re: TLS 1.0 1.1 not working on postfix

Posted: 26 Jan 2021 09:19
by nicola.piazzi
Solved (workaround solved)
It seems that the Postfix version used in EFA, and other recent Postfix versions, don't offer TLS less than 1.2.
Now EFA offers only 1.2 and the newest 1.3.

You can see the TLS versions offered by a server by installing this simple and useful software under your /etc:
cd /etc
git clone --depth 1 https://github.com/drwetter/testssl.sh.git


Now you can test this server with this command (but you can use it to test other servers on the internet):
/etc/testssl.sh/testssl.sh -t smtp localhost:25
or
/etc/testssl.sh/testssl.sh -t smtp <yourfqdn>:25

With the Postfix version installed in EFA4 you can see this:
Testing protocols via sockets
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final


As you can see, TLS 1 & 1.1 are unsupported. Postfix can retry in clear after a TLS failure because it uses this directive in main.cf:
smtp_tls_security_level = may
but sometimes other servers that fail TLS, because they don't have 1.2 or 1.3 installed, have problems retrying, and this results in blocked traffic.

The goal is to exclude problematic servers from TLS and use clear text for them.
This script can be put in cron every 15 minutes; it scans your maillog (very fast) and adds the domains of problematic remote mail servers to a Postfix exclusion file, keeping them for some days, so the next retry will be in clear text and have no problem.

Inside the script there are instructions to put it in cron and the directive to add in main.cf.


(Only a note: Postfix TLS exclusion can be done based only on domain names, so it is possible that an error received from a server that spoofs a domain causes an insert of that domain into the TLS exclusion table, but it should not be a big problem.)
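
The script attached to this post is not reproduced in the thread, so as an added example (my code, not the author's script, EFA's or Postfix's) here is the log-scanning half of what it describes: correlate the "TLS library problem ... unsupported protocol" warning with the "lost connection after STARTTLS" line of the same smtpd process, then check whether the same peer came back and got a message through, which is exactly the retry pattern shown in the 25 Jan log excerpt above (peer reconnects on a new smtpd pid, session ends with `data=1`). The output is the list of peers that were rejected and never retried successfully, i.e. the ones whose mail is actually being lost. The sample log is constructed with example.* names, RFC 5737 addresses and a placeholder queue id.

```python
import re

# Constructed sample maillog excerpt (not from the thread); line shapes follow the inbound
# smtpd sessions shown in the thread. First peer fails TLS then retries and delivers;
# second peer fails and never comes back; third peer completes TLS 1.2 normally.
SAMPLE_MAILLOG = """\
Jan 25 11:12:25 mx postfix/smtpd[104208]: connect from mta.example.net[192.0.2.10]
Jan 25 11:12:26 mx postfix/smtpd[104208]: SSL_accept error from mta.example.net[192.0.2.10]: -1
Jan 25 11:12:26 mx postfix/smtpd[104208]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
Jan 25 11:12:26 mx postfix/smtpd[104208]: lost connection after STARTTLS from mta.example.net[192.0.2.10]
Jan 25 11:12:26 mx postfix/smtpd[104208]: disconnect from mta.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
Jan 25 11:12:26 mx postfix/smtpd[107115]: connect from mta.example.net[192.0.2.10]
Jan 25 11:12:26 mx postfix/smtpd[107115]: EXAMPLEQID01: client=mta.example.net[192.0.2.10]
Jan 25 11:12:27 mx postfix/smtpd[107115]: disconnect from mta.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 25 11:20:01 mx postfix/smtpd[108001]: connect from legacy.example.org[198.51.100.7]
Jan 25 11:20:02 mx postfix/smtpd[108001]: SSL_accept error from legacy.example.org[198.51.100.7]: -1
Jan 25 11:20:02 mx postfix/smtpd[108001]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
Jan 25 11:20:02 mx postfix/smtpd[108001]: lost connection after STARTTLS from legacy.example.org[198.51.100.7]
Jan 25 11:20:02 mx postfix/smtpd[108001]: disconnect from legacy.example.org[198.51.100.7] ehlo=1 starttls=0/1 commands=1/2
Jan 25 11:25:00 mx postfix/smtpd[108900]: connect from mx.example.com[203.0.113.5]
Jan 25 11:25:00 mx postfix/smtpd[108900]: Anonymous TLS connection established from mx.example.com[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 25 11:25:01 mx postfix/smtpd[108900]: disconnect from mx.example.com[203.0.113.5] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# syslog prefix of an smtpd line: "Mon DD HH:MM:SS host postfix/smtpd[pid]: message"
SMTPD = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = r"(?P<peer>\S+\[[^\]]+\])"          # name[address] as Postfix logs it
CONNECT = re.compile(r"^connect from " + PEER + r"$")
UNSUPPORTED = re.compile(r"^warning: TLS library problem: .*:unsupported protocol:")
LOST = re.compile(r"^lost connection after STARTTLS from " + PEER + r"$")
DISCONNECT = re.compile(r"^disconnect from " + PEER + r" (?P<counters>.*)$")


def _new_entry():
    return {"unsupported_protocol": 0, "lost_after_starttls": 0, "delivered_after": False}


def _accepted(counters, name):
    """Postfix disconnect counters read 'cmd=accepted' or 'cmd=accepted/total'; return accepted."""
    for tok in counters.split():
        key, _, value = tok.partition("=")
        if key == name:
            return int(value.split("/")[0])
    return 0


def analyze(log_text):
    """Per peer: rejected handshakes, sessions lost after STARTTLS, and whether a later
    session from the same peer delivered a message (data accepted) after the failure."""
    session_peer = {}   # smtpd pid -> peer of the session that pid is currently serving
    peers = {}
    for line in log_text.splitlines():
        m = SMTPD.match(line)
        if not m:
            continue    # cleanup/qmgr/smtp lines are not inbound sessions
        pid, msg = m.group("pid"), m.group("msg")
        c = CONNECT.match(msg)
        if c:
            session_peer[pid] = c.group("peer")
            continue
        if UNSUPPORTED.match(msg):
            # The warning names no peer; attribute it to the session open on that pid.
            peer = session_peer.get(pid)
            if peer:
                peers.setdefault(peer, _new_entry())["unsupported_protocol"] += 1
            continue
        lost = LOST.match(msg)
        if lost:
            peers.setdefault(lost.group("peer"), _new_entry())["lost_after_starttls"] += 1
            continue
        d = DISCONNECT.match(msg)
        if d:
            session_peer.pop(pid, None)
            peer = d.group("peer")
            # Only sessions after a recorded failure count as a successful retry.
            if peer in peers and _accepted(d.group("counters"), "data") > 0:
                peers[peer]["delivered_after"] = True
    return peers


def stuck_peers(log_text):
    """Peers rejected at STARTTLS that never got a message through afterwards."""
    return sorted(p for p, s in analyze(log_text).items()
                  if s["lost_after_starttls"] and not s["delivered_after"])


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAILLOG
    for peer, s in analyze(text).items():
        print(f"{peer}: rejected={s['unsupported_protocol']} lost={s['lost_after_starttls']} "
              f"delivered_later={s['delivered_after']}")
    print("no successful retry seen:", ", ".join(stuck_peers(text)) or "none")
```

Two caveats worth keeping in mind when acting on the output. The `name[address]` Postfix logs is the peer's reverse-DNS name, which is why the post above warns that keying an exclusion on the domain alone can be fooled; the script keeps the address next to the name so the entry can be checked. And smtp_tls_policy_maps configures Postfix's own outbound SMTP client (keyed by next-hop destination), while the sessions in these excerpts are inbound smtpd ones where the remote client decides whether to retry in clear, so for inbound failures this list tells you which senders to contact rather than what to change locally.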

Re: TLS 1.0 1.1 not working on postfix

Posted: 27 Jan 2021 09:30
by nicola.piazzi
TLS tests can be done on
https://www.immuniweb.com/ssl/

You can specify server name:25

EFA 3 has Postfix version 3.1.3 and gives these results:
TLSv1.0 Non-compliant with PCI DSS requirements
TLSv1.1 Good configuration
TLSv1.2 Good configuration

EFA 4 has Postfix version 3.4.8 and gives these results:
TLSv1.2 Good configuration
TLSv1.3 Information


Obviously by now all mail servers support TLSv1.2, so Postfix 3.1.3 is able to talk with all because it also has TLSv1.0 and TLSv1.1 enabled, which a lot of people have without having TLSv1.2.
main.cf seems identical, so I don't know why 3.4.8 disables older TLS if not specified explicitly.

On the same machine with 3.4.8 I was able to re-enable older TLS for Apache, so it doesn't seem to be a machine OpenSSL limit.

It seems a Postfix problem.

Re: TLS 1.0 1.1 not working on postfix

Posted: 27 Jan 2021 10:21
by shawniverson
Try this

smtpd_tls_mandatory_protocols = >=TLSv1.0, <=TLSv1.3
smtp_tls_mandatory_protocols = >=TLSv1.0, <=TLSv1.3
smtpd_tls_protocols = >=TLSv1.0, <=TLSv1.3
smtp_tls_protocols = >=TLSv1.0, <=TLSv1.3
http://www.postfix.org/postconf.5.html# ... _protocols

Re: TLS 1.0 1.1 not working on postfix

Posted: 27 Jan 2021 10:38
by nicola.piazzi
It says: "Preferred syntax with Postfix ≥ 3.6:" and we have an older one,

but it gives the same results:

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

Re: TLS 1.0 1.1 not working on postfix

Posted: 27 Jan 2021 10:58
by shawniverson
Would upgrading postfix to 3.6 solve this problem?

Re: TLS 1.0 1.1 not working on postfix

Posted: 27 Jan 2021 11:05
by nicola.piazzi
I don't know. Are you able to produce a newer Postfix version, compiled, to update my machine?
So I can test it.

Re: TLS 1.0 1.1 not working on postfix

Posted: 27 Jan 2021 11:36
by shawniverson
Yeah I can do that.

Re: TLS 1.0 1.1 not working on postfix

Posted: 27 Jan 2021 13:25
by nicola.piazzi
OK, I'll wait for it to test.

Re: TLS 1.0 1.1 not working on postfix

Posted: 28 Jan 2021 15:56
by nicola.piazzi
I installed a fresh CentOS 8 system with Postfix from yum:
[root@EFA49 ~]# yum list installed | grep postfix
postfix.x86_64 2:3.3.1-12.el8 @baseos

There is no way to disable 1.3; the system offers only 1.2 and 1.3, and you can only disable 1.2:
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

Re: TLS 1.0 1.1 not working on postfix

Posted: 28 Jan 2021 17:19
by nicola.piazzi
I installed a fresh copy of CentOS 8 (Stream), which gives Postfix 3.5.8-1 by default,
and with the default configuration it gives all protocols enabled:
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

In the default config there is only
smtp_tls_security_level = may
smtpd_tls_security_level = may
with no other parameters configured, and in this way it offers all the TLS versions available.


# TEST REMOVING 1.0 OK
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

# ALSO ABLE TO REMOVE MIDDLE PROTOCOLS :-)
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.2
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.2
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.2
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 offered (deprecated)
TLS 1.2 not offered and downgraded to a weaker protocol
TLS 1.3 offered (OK): final

As a solution we request a 3.5 version for EFA
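
Three spellings of the Postfix protocol lists appear in this thread: the exclusion form (`!SSLv2,!SSLv3,!TLSv1`), the inclusion form (`TLSv1, TLSv1.1, TLSv1.2, TLSv1.3`) and the range form shawniverson quoted (`>=TLSv1.0, <=TLSv1.3`, documented for Postfix 3.6). As an added example (my code, not from Postfix, EFA or the thread), here is a small evaluator for all three plus a minimal main.cf reader that reports, for each of the four `*_tls_protocols` parameters, which versions the configuration asks for and which of them are below TLS 1.2. It evaluates the request only: as the tests above show, what the server actually offers also depends on the Postfix and OpenSSL builds, so the result still has to be confirmed with testssl.sh. Assumptions of this script, not Postfix behaviour I am asserting: `TLSv1.0` is accepted as a spelling of `TLSv1`, a list mixing inclusions and exclusions is modelled as include-minus-exclude, and the two main.cf fragments are constructed.

```python
import re

# Version names in the order Postfix ranks them (SSLv2 lowest, TLSv1.3 highest).
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # anything below TLS 1.2
PROTOCOL_PARAMS = ("smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
                   "smtp_tls_protocols", "smtp_tls_mandatory_protocols")

# Constructed main.cf fragments (not from the thread's attachments). The first still
# permits TLS 1.0/1.1, as the thread's author wanted for compatibility; the second pins
# the floor at TLS 1.2 using the range syntax.
PERMISSIVE_CF = """\
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
"""
STRICT_CF = """\
smtpd_tls_security_level = may
# Postfix 3.6 range syntax
smtpd_tls_protocols = >=TLSv1.2, <=TLSv1.3
smtp_tls_protocols = >=TLSv1.2
"""


def _canon(name):
    # Assumption of this script: treat "TLSv1.0" (as written in the thread) the same as "TLSv1".
    name = name.strip()
    if name == "TLSv1.0":
        name = "TLSv1"
    if name not in VERSIONS:
        raise ValueError(f"unknown protocol name {name!r}")
    return name


def enabled_protocols(spec):
    """Evaluate a Postfix protocol list to the versions the configuration asks for.
    Exclusion form (!SSLv2,!SSLv3): everything except the listed ones.
    Inclusion form (TLSv1.2, TLSv1.3): only the listed ones.
    Range form (>=TLSv1.2, <=TLSv1.3): the listed bounds, inclusive.
    Empty list: no restriction. Mixed include/exclude is modelled as include minus exclude."""
    include, exclude = set(), set()
    low, high, ranged = 0, len(VERSIONS) - 1, False
    for tok in re.split(r"[\s,]+", spec.strip()):
        if not tok:
            continue
        if tok.startswith("!"):
            exclude.add(_canon(tok[1:]))
        elif tok.startswith(">="):
            low, ranged = max(low, VERSIONS.index(_canon(tok[2:]))), True
        elif tok.startswith("<="):
            high, ranged = min(high, VERSIONS.index(_canon(tok[2:]))), True
        else:
            include.add(_canon(tok))
    if ranged:
        enabled = set(VERSIONS[low:high + 1])
    elif include:
        enabled = include
    else:
        enabled = set(VERSIONS)
    enabled -= exclude
    return [v for v in VERSIONS if v in enabled]


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value', '#' comment lines, indented continuation lines."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def check_main_cf(text):
    """For each protocol parameter present, the versions it enables and the legacy ones among them."""
    report = {}
    for name, value in parse_main_cf(text).items():
        if name in PROTOCOL_PARAMS:
            enabled = enabled_protocols(value)
            report[name] = {"enabled": enabled, "legacy": [v for v in enabled if v in LEGACY]}
    return report


if __name__ == "__main__":
    for label, cf in (("permissive", PERMISSIVE_CF), ("strict", STRICT_CF)):
        for name, r in check_main_cf(cf).items():
            flag = f"   <- permits {' '.join(r['legacy'])}" if r["legacy"] else ""
            print(f"{label:10} {name:30} {' '.join(r['enabled'])}{flag}")
```

Point it at a real file with `check_main_cf(open('/etc/postfix/main.cf').read())`; a parameter that is absent from the report simply is not set in that main.cf and falls back to the Postfix default. The "TEST REMOVING 1.0" and "REMOVE MIDDLE PROTOCOLS" lists from the post above evaluate to `TLSv1.1 TLSv1.2 TLSv1.3` and `TLSv1.1 TLSv1.3`, matching what testssl.sh reported on the 3.5.8 box.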

Re: TLS 1.0 1.1 not working on postfix

Posted: 28 Jan 2021 17:26
by shawniverson

Re: TLS 1.0 1.1 not working on postfix

Posted: 31 Jan 2021 14:46
by shawniverson

Re: TLS 1.0 1.1 not working on postfix

Posted: 01 Feb 2021 08:18
by nicola.piazzi
mail_version = 3.5.9

OK, with the same main.cf now we have all TLS versions:

Testing protocols via sockets

SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered (deprecated)
TLS 1.1 offered (deprecated)
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final

Now I'll test it in production for some hours.