SSL_accept error with postfix opportunistic STARTTLS

2

I configured postfix 2.6.6 on CentOS 6 as a mail relay in front of an Exchange 2010 server. Things work. Now I would like to add opportunistic encryption to incoming and outgoing mail.

At least for receiving messages, this seems to work for most clients. However, there are some exceptions. Some hosts will fail with an "SSL accept error" and then retry without STARTTLS. So far so good. But there are some hosts that won't come back, most notably my Exchange server (as well as some servers outside my organization).

Am I right to assume that this is basically a client problem? If so, I could disable advertising STARTTLS to certain hosts, according to link

However, that would mean that from time to time I would need to add hosts to that list so that misconfigured clients outside my organization can also send messages. Is there a better solution for this?

Here is some information about my setup.

My main.cf

# Directory specification
alternate_config_directories = /etc/postfix
queue_directory = /opt/postfix/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
html_directory = no
manpage_directory = /usr/share/man
sample_directory = /usr/share/doc/postfix-2.6.6/examples
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES

# Basic Mail Relay Setup
myhostname = mymailserver.acme.com
smtp_helo_name=mail.acme.com
mail_owner = postfix
setgid_group = postdrop
inet_interfaces = all
mynetworks = /etc/postfix/mynetworks
mydestination = $myhostname, localhost.$mydomain
unknown_local_recipient_reject_code = 550
soft_bounce = no
disable_vrfy_command = yes
message_size_limit = 32768000
bounce_size_limit = 65536
header_size_limit = 32768

# Mail Timing Settings and alerting thereof
maximal_queue_lifetime = 3d
bounce_queue_lifetime = 3d
delay_warning_time = 3h
bounce_template_file = /etc/postfix/bounce.cf
# Domain specification
mydomain = acme.com
myorigin = $mydomain
relay_domains = foo.acme.com, bar.acme.com
virtual_alias_domains = acme.com, openacme.org

# Debug options
debug_peer_level = 2
debugger_command =
     PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
     ddd $daemon_directory/$process_name $process_id & sleep 5

# Command Path definition
sendmail_path = /usr/sbin/sendmail
newaliases_path = /usr/bin/newaliases
mailq_path = /usr/bin/mailq

# Map definition
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
transport_maps = hash:/etc/postfix/transport
virtual_alias_maps = regexp:/etc/postfix/virtual_domains hash:/etc/postfix/virtual

# Encryption
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file=/etc/postfix/ssl/cert.pem
smtpd_tls_key_file=/etc/postfix/ssl/clearkey.pem
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dhparams.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1
smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
smtpd_tls_eecdh_grade = strong
# also encrypt outgoing mail
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
# enable logging for debugging
smtpd_tls_loglevel = 2
smtp_tls_loglevel = 2

# SMTP Settings
smtpd_banner = $myhostname ESMTP

smtpd_data_restrictions =
    permit_mynetworks,
    reject_unauth_pipelining,
    permit

smtpd_client_restrictions =
    permit_mynetworks,
    reject_invalid_hostname,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
    permit

smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unauth_pipelining,
    reject_invalid_hostname,
    permit

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    check_sender_access hash:/etc/postfix/access_domains,
    check_sender_access pcre:/etc/postfix/access_domains_pcre,
    reject_unknown_sender_domain,
    permit

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_multi_recipient_bounce,
    reject_non_fqdn_recipient,
    reject_unknown_recipient_domain,
    reject_unlisted_recipient,
    check_recipient_access hash:/etc/postfix/internal_recipient,
    check_sender_access hash:/etc/postfix/access_domains,
    check_sender_access pcre:/etc/postfix/access_domains_pcre

STARTTLS seems to be advertised correctly:

[hansolo@desk ~]$ telnet 1.2.3.4 25
Trying 1.2.3.4...
Connected to 1.2.3.4.
Escape character is '^]'.
220 **************************

EHLO test
250-mx.acme.com
250-PIPELINING
250-SIZE 32768000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

And the SSL configuration also looks fine to me (please correct me):

[hansolo@desk ~]$ openssl s_client -starttls smtp -connect mail.acme.com:25
CONNECTED(00000003)
depth=2 C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2
verify return:1
depth=1 C = CH, O = SwissSign AG, CN = SwissSign Server Silver CA 2014 - G22
verify return:1
depth=0 OU = Domain Validated Only, CN = mail.acme.com
verify return:1
---
Certificate chain
 0 s:/OU=Domain Validated Only/CN=mail.acme.com
   i:/C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
 1 s:/C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
   i:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
 2 s:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
   i:/C=CH/O=SwissSign AG/CN=SwissSign Silver CA - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
<server certificate removed for posting>
-----END CERTIFICATE-----
subject=/OU=Domain Validated Only/CN=mail.acme.com
issuer=/C=CH/O=SwissSign AG/CN=SwissSign Server Silver CA 2014 - G22
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5583 bytes and written 362 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0CE08FBFFEE1F856B84FF5D042E6FDB2D9A0A415565FCB04A04C565CA7EBC12C
    Session-ID-ctx:
    Master-Key: 4B215AFF8DEB9043F19346361EA98A617C1155E984C77C0B6FB74083897EAE6A502DB717CE249F81F2A19A1D31B38DEC
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - 43 a8 9a 29 4e 52 05 78-60 eb 46 15 09 e8 21 f4   C..)NR.x'.F...!.
    0010 - 37 65 55 f8 8c 51 12 a7-37 14 29 41 1d 7b a0 fb   7eU..Q..7.)A.{..
    0020 - fb 6a d4 6e 49 c9 41 cd-1d cc ec a8 23 90 4f a3   .j.nI.A.....#.O.
    0030 - 5d 8d 73 6a 0e fc 69 df-58 63 1f c7 6b 43 13 39   ].sj..i.Xc..kC.9
    0040 - 5e ee 73 df 3a 80 8a d5-e3 bf 80 f5 47 c2 33 e1   ^.s.:.......G.3.
    0050 - f5 dc 2f 9e 12 15 7d 3a-ac 3c 27 e8 73 24 05 65   ../...}:.<'.s$.e
    0060 - 0c 5a da 9f 79 a2 a3 80-31 24 ea 22 1f 12 4e ea   .Z..y...1$."..N.
    0070 - e7 d5 0b a6 d9 0b 7f 55-fd a0 bb 2e aa 93 3e b8   .......U......>.
    0080 - c5 ff 46 6b 55 3e ff ee-00 e0 20 d1 2e fc d5 62   ..FkU>.... ....b
    0090 - 40 fe 9b 4e 38 ab 63 92-c3 41 48 28 71 48 06 91   @..N8.c..AH(qH..

    Start Time: 1458037878
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN

And here are the logs:

Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: initializing the server-side TLS engine
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: connect from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: setting up TLS connection from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: unknown[192.168.0.235]: TLS cipher list "ALL:+RC4:@STRENGTH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CDB3-SHA:!KRB5-DES:!CBC3-SHA"
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept:before/accept initialization
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept:error in SSLv2/v3 read client hello A
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept error from unknown[192.168.0.235]: -1
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: warning: TLS library problem: 24499:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:644:
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: lost connection after STARTTLS from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: disconnect from unknown[192.168.0.235]

Furthermore, at least Gmail tells me that my mail is not encrypted.

Any help or hints appreciated.

Edit
Turns out our firewall (Cisco ASA) messes with the ESMTP protocol through its protocol inspection. See this blog post for details and a resolution. At least Gmail no longer complains about the lack of encryption. I still need to check whether this is the complete solution.

by Isaac 15.03.2016 / 15:44

0 answers
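As an added example (not part of the question, and not Postfix's own code), here is a small Python triage script that checks the two symptoms visible in the question before anyone starts tuning ciphers: a 220 greeting that consists of asterisks, which is how Cisco ASA ESMTP inspection presents itself to clients, and an smtpd "SSL_accept ... unknown protocol" error right after "setting up TLS connection", which means that what arrived after the server's "220 Ready to start TLS" was not a TLS ClientHello at all. The sample dialog and log lines are the ones from the question; the classification labels and the function names are my own.

```python
"""Triage helpers for opportunistic STARTTLS failures on a Postfix relay.

Two checks that point at a middlebox rather than at the TLS configuration:
  1. An SMTP greeting of the form "220 ********" is the banner obfuscation
     done by Cisco ASA ESMTP inspection, which also interferes with STARTTLS.
  2. smtpd logging "SSL_accept ... unknown protocol" right after "setting up
     TLS connection" means that what arrived after the server's "220 Ready
     to start TLS" was not a TLS ClientHello, i.e. plaintext SMTP continued.
"""
import re
from collections import defaultdict

# SMTP greeting and EHLO reply as shown in the question.
SAMPLE_DIALOG = """220 **************************
250-mx.acme.com
250-PIPELINING
250-SIZE 32768000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""

# smtpd log excerpt from the question (one session, PID 24499).
SAMPLE_LOG = """\
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: initializing the server-side TLS engine
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: connect from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: setting up TLS connection from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept:before/accept initialization
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept:error in SSLv2/v3 read client hello A
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: SSL_accept error from unknown[192.168.0.235]: -1
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: warning: TLS library problem: 24499:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:644:
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: lost connection after STARTTLS from unknown[192.168.0.235]
Mar 15 15:15:25 mymailserver postfix/smtpd[24499]: disconnect from unknown[192.168.0.235]
"""

_BANNER_RE = re.compile(r"^220[ -]\*{8,}\s*$")
_EHLO_RE = re.compile(r"^250[ -](\S+)")
_LOG_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
_CLIENT_RE = re.compile(r"^connect from (\S+)")


def banner_is_masked(dialog: str) -> bool:
    """True when the 220 greeting is a run of asterisks (ESMTP inspection at work)."""
    lines = dialog.splitlines()
    return bool(lines) and bool(_BANNER_RE.match(lines[0]))


def ehlo_extensions(dialog: str) -> set:
    """Extension keywords from the 250 lines; the first 250 line is the server name."""
    keywords = [m.group(1).upper() for m in map(_EHLO_RE.match, dialog.splitlines()) if m]
    return set(keywords[1:])


def triage_tls_sessions(log_text: str) -> list:
    """Group smtpd lines by process id and classify each STARTTLS attempt."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = _LOG_RE.search(line)
        if m:
            sessions[m.group(1)].append(m.group(2))
    results = []
    for pid, msgs in sessions.items():
        client = next((m.group(1) for m in map(_CLIENT_RE.match, msgs) if m), "?")
        started = any(x.startswith("setting up TLS connection") for x in msgs)
        accept_err = any(x.startswith("SSL_accept error") for x in msgs)
        unknown_proto = any("unknown protocol" in x for x in msgs)
        established = any("TLS connection established" in x for x in msgs)
        if started and accept_err and unknown_proto:
            reason = "non-TLS bytes after STARTTLS (middlebox interference or broken client)"
        elif started and accept_err:
            reason = "TLS handshake failed (protocol or cipher mismatch)"
        elif started and established:
            reason = "TLS session established"
        elif started:
            reason = "STARTTLS begun, outcome not logged"
        else:
            reason = "no STARTTLS attempted"
        results.append({"pid": pid, "client": client, "reason": reason})
    return results


def diagnose(dialog: str, log_text: str) -> list:
    """Combine the banner, EHLO and log evidence into a list of findings."""
    findings = []
    if banner_is_masked(dialog):
        findings.append("greeting banner masked: ESMTP inspection (e.g. Cisco ASA) sits on the path")
    if "STARTTLS" not in ehlo_extensions(dialog):
        findings.append("STARTTLS not advertised in EHLO reply")
    for s in triage_tls_sessions(log_text):
        if "non-TLS" in s["reason"] or "failed" in s["reason"]:
            findings.append(f"{s['client']} (pid {s['pid']}): {s['reason']}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DIALOG, SAMPLE_LOG):
        print("-", finding)
```

Run against the question's data it reports both the masked banner and the "non-TLS bytes after STARTTLS" session for 192.168.0.235, which is exactly the combination that points at the firewall's ESMTP inspection rather than at the Exchange server's TLS settings. A real protocol or cipher mismatch would instead show up in the smtpd log as an SSL_accept error without the "unknown protocol" library message, and the script separates the two cases.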