Habilitando o STARTTLS para todos no Postfix com o Zarafa

1

Encontrei um problema que simplesmente não consigo resolver apenas pesquisando nele - preciso de ajuda especializada. Minha empresa executa seu próprio servidor de email (postfix com zarafa groupware). Somos uma companhia de seguros, por isso, muitas vezes recebemos e-mails com informações pessoais que não devem ser lidas por outras pessoas. Então, um dos nossos parceiros só quer enviá-los criptografados, o que é totalmente razoável. Mas parece que não funciona para usuários externos. Eu realmente não sei como explicar isso, mas vou tentar:

Eles verificaram nosso servidor de e-mail via:

openssl s_client -host mx01.cevo.de -port 25 -starttls smtp -debug

Qual falha com esta saída:

CONNECTED(00000003)
read from 0xec56b0 [0xec57e0] (4096 bytes => 38 (0x26))
0000 - 32 32 30 20 6d 78 30 31-2e 63 65 76 6f 2e 64 65   220 mx01.cevo.de
0010 - 20 45 53 4d 54 50 20 53-65 72 76 69 63 65 20 72    ESMTP Service r
0020 - 65 61 64 79 0d 0a                                 eady..
write to 0xec56b0 [0xec67f0] (25 bytes => 25 (0x19))
0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69   EHLO openssl.cli
0010 - 65 6e 74 2e 6e 65 74 0d-0a                        ent.net..
read from 0xec56b0 [0xec57e0] (4096 bytes => 94 (0x5E))
0000 - 32 35 30 2d 52 65 71 75-65 73 74 65 64 20 6d 61   250-Requested ma
0010 - 69 6c 20 61 63 74 69 6f-6e 20 6f 6b 61 79 2c 20   il action okay, 
0020 - 63 6f 6d 70 6c 65 74 65-64 0d 0a 32 35 30 2d 53   completed..250-S
0030 - 49 5a 45 20 32 30 34 38-30 30 30 30 0d 0a 32 35   IZE 20480000..25
0040 - 30 2d 45 54 52 4e 0d 0a-32 35 30 2d 38 42 49 54   0-ETRN..250-8BIT
0050 - 4d 49 4d 45 0d 0a 32 35-30 20 4f 4b 0d 0a         MIME..250 OK..
didn't found starttls in server response, try anyway...
write to 0xec56b0 [0x7fffd07d4ae0] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                     STARTTLS..
read from 0xec56b0 [0xeb79b0] (8192 bytes => 30 (0x1E))
0000 - 35 30 33 20 42 61 64 20-73 65 71 75 65 6e 63 65   503 Bad sequence
0010 - 20 6f 66 20 63 6f 6d 6d-61 6e 64 73 0d 0a          of commands..
write to 0xec56b0 [0xec5730] (317 bytes => 317 (0x13D))
0000 - 16 03 01 01 38 01 00 01-34 03 03 94 e2 69 f3 8f   ....8...4....i..
0010 - cb a4 fd 61 49 3f 15 c4-5d a2 3f ca 4e f0 a9 eb   ...aI?..].?.N...
0020 - 71 72 6b ce 65 00 b9 0c-e1 ee 9f 00 00 9e c0 30   qrk.e..........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a c0 22 c0 21 00 a3   .,.(.$.....".!..
0040 - 00 9f 00 6b 00 6a 00 39-00 38 00 88 00 87 c0 32   ...k.j.9.8.....2
0050 - c0 2e c0 2a c0 26 c0 0f-c0 05 00 9d 00 3d 00 35   ...*.&.......=.5
0060 - 00 84 c0 12 c0 08 c0 1c-c0 1b 00 16 00 13 c0 0d   ................
0070 - c0 03 00 0a c0 2f c0 2b-c0 27 c0 23 c0 13 c0 09   ...../.+.'.#....
0080 - c0 1f c0 1e 00 a2 00 9e-00 67 00 40 00 33 00 32   [email protected]
0090 - 00 9a 00 99 00 45 00 44-c0 31 c0 2d c0 29 c0 25   .....E.D.1.-.).%
00a0 - c0 0e c0 04 00 9c 00 3c-00 2f 00 96 00 41 c0 11   .......<./...A..
00b0 - c0 07 c0 0c c0 02 00 05-00 04 00 15 00 12 00 09   ................
00c0 - 00 14 00 11 00 08 00 06-00 03 00 ff 01 00 00 6d   ...............m
00d0 - 00 0b 00 04 03 00 01 02-00 0a 00 34 00 32 00 0e   ...........4.2..
00e0 - 00 0d 00 19 00 0b 00 0c-00 18 00 09 00 0a 00 16   ................
00f0 - 00 17 00 08 00 06 00 07-00 14 00 15 00 04 00 05   ................
0100 - 00 12 00 13 00 01 00 02-00 03 00 0f 00 10 00 11   ................
0110 - 00 23 00 00 00 0d 00 20-00 1e 06 01 06 02 06 03   .#..... ........
0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02   ................
0130 - 03 03 02 01 02 02 02 03-00 0f 00 01 01            .............
^Tread from 0xec56b0 [0xecac90] (7 bytes => 7 (0x7))
0000 - 34 32 31 20 53 4d 54                              421 SMT
139855938602656:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 169 bytes and written 352 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Aqui está a entrada de log de mail.log para essa solicitação:

Jan 21 15:09:58 mx01 postfix/smtpd[1401]: connect from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
Jan 21 15:10:10 mx01 postfix/smtpd[1401]: lost connection after EHLO from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]
Jan 21 15:10:10 mx01 postfix/smtpd[1401]: disconnect from ec2-52-31-143-162.eu-west-1.compute.amazonaws.com[52.31.143.162]

Então eu tentei do meu laptop no trabalho com o mesmo comando e funcionou sem nenhum problema:

CONNECTED(00000003)
read from 0xbdef20 [0xbdf020] (4096 bytes => 32 (0x20))
0000 - 32 32 30 20 6d 78 30 31-2e 63 65 76 6f 2e 64 65   220 mx01.cevo.de
0010 - 20 45 53 4d 54 50 20 50-6f 73 74 66 69 78 0d 0a    ESMTP Postfix..
write to 0xbdef20 [0xbe0030] (25 bytes => 25 (0x19))
0000 - 45 48 4c 4f 20 6f 70 65-6e 73 73 6c 2e 63 6c 69   EHLO openssl.cli
0010 - 65 6e 74 2e 6e 65 74 0d-0a                        ent.net..
read from 0xbdef20 [0xbdf020] (4096 bytes => 138 (0x8A))
0000 - 32 35 30 2d 6d 78 30 31-2e 63 65 76 6f 2e 6c 6f   250-mx01.cevo.lo
0010 - 63 61 6c 0d 0a 32 35 30-2d 50 49 50 45 4c 49 4e   cal..250-PIPELIN
0020 - 49 4e 47 0d 0a 32 35 30-2d 53 49 5a 45 20 32 30   ING..250-SIZE 20
0030 - 39 37 31 35 32 30 0d 0a-32 35 30 2d 56 52 46 59   971520..250-VRFY
0040 - 0d 0a 32 35 30 2d 45 54-52 4e 0d 0a 32 35 30 2d   ..250-ETRN..250-
0050 - 53 54 41 52 54 54 4c 53-0d 0a 32 35 30 2d 45 4e   STARTTLS..250-EN
0060 - 48 41 4e 43 45 44 53 54-41 54 55 53 43 4f 44 45   HANCEDSTATUSCODE
0070 - 53 0d 0a 32 35 30 2d 38-42 49 54 4d 49 4d 45 0d   S..250-8BITMIME.
0080 - 0a 32 35 30 20 44 53 4e-0d 0a                     .250 DSN..
write to 0xbdef20 [0x7ffdc4723d90] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a                     STARTTLS..
read from 0xbdef20 [0xad1c10] (8192 bytes => 30 (0x1E))
0000 - 32 32 30 20 32 2e 30 2e-30 20 52 65 61 64 79 20   220 2.0.0 Ready 
0010 - 74 6f 20 73 74 61 72 74-20 54 4c 53 0d 0a         to start TLS..
write to 0xbdef20 [0xbdefa0] (318 bytes => 318 (0x13E))
...
subject=/OU=Domain Control Validated/OU=PositiveSSL Wildcard/CN=*.cevo.de
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 5189 bytes and written 488 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 244534A357837835FF9B28366E16DAA71E7D71C53AA9C0C5BBA8A2CFE065AA5A
    Session-ID-ctx: 
    Master-Key: 9E8041FD2EC1DD4D3F9FDCEC2D920FA35EA403356DC7498767A43CC650314B0378D73BC7E786C29881BAB7EEE123DF6B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - 12 89 a5 2e e9 2a 80 e0-29 9a e8 71 41 96 27 ef   .....*..)..qA.'.
    0010 - 58 29 f0 f7 c1 56 66 9a-9e 9e 7b 0f 47 8f 97 06   X)...Vf...{.G...
    0020 - 47 bd 53 50 75 dd 8e 41-4f ea 52 f9 21 fc 30 1a   G.SPu..AO.R.!.0.
    0030 - 68 55 29 29 3c 33 80 f7-b4 af d6 32 21 80 78 24   hU))<3.....2!.x$
    0040 - e7 37 e9 24 77 71 72 58-0e c9 fb 23 2f b8 3c 4d   .7.$wqrX...#/.<M
    0050 - 31 1b bb 8d bf ca b5 cd-ec 24 81 be e4 4f 00 d4   1........$...O..
    0060 - 14 3f e5 68 5b 58 6c 19-b4 a2 03 a7 71 9e f7 58   .?.h[Xl.....q..X
    0070 - 7a 0d b8 dc a6 0e 2c b5-24 5f 8e 33 2c 64 c2 82   z.....,.$_.3,d..
    0080 - d2 25 ed bd e0 17 90 4a-29 a6 b1 4e f7 19 be d6   .%.....J)..N....
    0090 - b0 4d 3f c3 83 29 ec c4-24 e9 5e e0 48 b2 b7 12   .M?..)..$.^.H...
    00a0 - 8a 64 02 71 fe c3 42 e0-2b d7 99 da d3 04 7e 60   .d.q..B.+.....~'

    Compression: 1 (zlib compression)
    Start Time: 1453385327
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 DSN

E a entrada de registro da solicitação:

Jan 21 15:11:49 mx01 postfix/smtpd[1401]: connect from unknown[172.19.5.135]
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: setting up TLS connection from unknown[172.19.5.135]
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: unknown[172.19.5.135]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:before/accept initialization
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read client hello A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write server hello A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write certificate A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write key exchange A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write server done A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 flush data
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read client key exchange A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 read finished A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write session ticket A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write change cipher spec A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 write finished A
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: SSL_accept:SSLv3 flush data
Jan 21 15:11:49 mx01 postfix/smtpd[1401]: Anonymous TLS connection established from unknown[172.19.5.135]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Aqui está o main.cfg (removi todos os comentários e linhas em branco desnecessárias):

message_size_limit = 20971520
# mailbox_size_limit = 51200000
command_directory = /usr/sbin
daemon_directory = /usr/lib/postfix
myhostname = mx01.cevo.local
myorigin = mx01.cevo.local
smtp_helo_name = mx01.cevo.de
append_dot_mydomain = no
inet_interfaces = all
inet_protocols = ipv4
mydestination = $myhostname, localhost.$mydomain, localhost
mynetworks = 127.0.0.0/8 172.19.3.29 172.19.3.36 172.19.3.41 172.19.3.50 172.19.3.123 192.168.100.28 172.19.3.18
masquerade_domains = $mydomain
masquerade_exceptions = root 
transport_maps = hash:/etc/postfix/transport
disable_vrfy_command = no
smtpd_banner = mx01.cevo.de ESMTP $mail_name
local_header_rewrite_clients =
virtual_alias_domains = 
virtual_alias_maps = hash:/etc/postfix/virtual,
        ldap:/etc/postfix/ldap.groups,
        ldap:/etc/postfix/ldap.distlist,
        ldap:/etc/postfix/ldap.sharedfolderremote,
        ldap:/etc/postfix/ldap.sharedfolderlocal,
        ldap:/etc/postfix/ldap.virtual    
virtual_mailbox_domains = ldap:/etc/postfix/ldap.virtualdomains    
virtual_mailbox_maps = hash:/etc/postfix/virtual,
        ldap:/etc/postfix/ldap.groups,
        ldap:/etc/postfix/ldap.distlist,
        ldap:/etc/postfix/ldap.sharedfolderremote,
        ldap:/etc/postfix/ldap.sharedfolderlocal,
        ldap:/etc/postfix/ldap.virtual
virtual_transport = lmtp:127.0.0.1:2003
canonical_maps = hash:/etc/postfix/canonical
relocated_maps = hash:/etc/postfix/relocated
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
smtpd_recipient_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        reject_unauth_destination,
        reject_unlisted_recipient
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
smtpd_tls_cert_file = /etc/ssl/certs/star_cevo_de.pem
smtpd_tls_key_file = /etc/ssl/private/star_cevo_de.key
smtpd_tls_CAfile = /etc/ssl/certs/star_cevo_de.cabundle   
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s 
tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes   
smtpd_sasl_local_domain =    
smtpd_sasl_security_options = noanonymous    
smtp_tls_security_level = may
broken_sasl_auth_clients = yes
smtp_tls_loglevel = 2
smtpd_tls_loglevel = 2
smtpd_tls_dh1024_param_file = /etc/postfix/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
tls_preempt_cipherlist = yes
smtpd_tls_eecdh_grade = strong

master.cfg:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (50)
# ==========================================================================
25      inet  n       -       n       -       -       smtpd
465       inet  n       -       n       -       -       smtpd  -o smtpd_sasl_auth_enable=yes -o smtpd_tls_wrappermode=yes

#628      inet  n       -       n       -       -       qmqpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
#qmgr     fifo  n       -       n       300     1       nqmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
smtp      unix  -       -       n       -       -       smtp
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
local     unix  -       n       n       -       -       local
#virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
#587      inet  n       -       n       -       -       smtpd -v -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
relay    unix  -       -       n       -       -       smtp
trace    unix  -       -       n       -       0       bounce
proxymap  unix -       -       n       -       -       proxymap
anvil    unix  -       -       n       -       1       anvil
scache   unix  -       -       -       -       1       scache
discard          unix  -       -       n       -       -       discard
tlsmgr    unix  -       -       n       1000?   1       tlsmgr

Então, como você pode ver, eu posso usar o SSL da minha máquina (como do "dentro"), mas de fora não funciona. Estou no final do meu conhecimento, que é bastante baixo quando se trata de postfix e mail tbh. Eu já pesquisei como o inferno, mas não encontrei uma solução que resolvesse meu problema.

    
por Mortorq 21.01.2016 / 15:21

1 resposta

1

Você não está oferecendo o TLS, pelo menos não quando visto de fora:

[me@risby ~]$ telnet mx01.cevo.de 25
Trying 195.244.228.205...
Connected to mx01.cevo.de.
Escape character is '^]'.
220 mx01.cevo.de ESMTP Service ready
ehlo me
250-Requested mail action okay, completed
250-SIZE 20480000
250-ETRN
250-8BITMIME
250 OK

Meu palpite é que você tem um firewall adaptável (como, mas não limitado a, o CISCO PIX) no caminho, que é famoso por "ajudar" a correção do fluxo SMTP para remover o banner TLS.

Diga ao firewall para parar de mexer nos dados SMTP ou, melhor ainda, jogá-lo pela janela e usar iptables , e os clientes externos também devem poder se beneficiar do TLS.

    
por 21.01.2016 / 15:26