
email notifications broke with Postfix TLS



Posted

I run a mail server as part of my day job. It was working for sending notifications for my ISY back in summer. I noticed today (I don't send a lot of notifications) that I can no longer send notifications. I found that the ISY has problems exchanging certificates.

 

Below is the TLS log for SMTPD for the ISY connection and one using openssl s_client.  This mail server handles many clients and we have never had an issue like this.

Broken ISY connection

Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: initializing the server-side TLS engine
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: connect from <redact>[<client IP>]
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: setting up TLS connection from <redact>[<client IP>]
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: <redact>[<client IP>]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:before/accept initialization
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 read client hello A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 write server hello A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 write certificate A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 write server done A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 flush data
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 read client certificate A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:failed in SSLv3 read client key exchange A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept error from <redact>[<client IP>]: lost connection
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: lost connection after STARTTLS from <redact>[<client IP>]
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: disconnect from <redact>[<client IP>] ehlo=1 starttls=0/1 commands=1/2

Now the working openssl option

openssl s_client -connect <FQHD Server>:587 -starttls smtp -tls1_2
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: connect from <redact>[<client IP>]
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: setting up TLS connection from <redact>[<client IP>]
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: <redact>[<client IP>]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:before/accept initialization
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 read client hello A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write server hello A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write certificate A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write key exchange A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write server done A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 flush data
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 read client certificate A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 read client key exchange A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 read certificate verify A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 read finished A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: <redact>[<client IP>]: Issuing session ticket, key expiration: 1487209809
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write session ticket A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write change cipher spec A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write finished A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 flush data
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: Anonymous TLS connection established from <redact>[<client IP>]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Any help would be great or if this is a bug in the ISY happy to run other tests and report back.
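As an added example (not code from the post, from Universal Devices, or from Postfix), here is a small Python triage script for exactly the comparison made above: it parses Postfix smtpd TLS debug lines, groups the SSL_accept state transitions per smtpd process, and reports whether each handshake completed and, if not, the state OpenSSL was in when it failed. It also flags whether the server ever wrote a key exchange message, which only happens for ephemeral (DHE/ECDHE) suites; that distinguishes the two excerpts above. The embedded sample log is an abbreviated copy of the two excerpts from the post; the host and `<redact>[<client IP>]` fields are the page's own placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Abbreviated copy of the two smtpd excerpts from the post (pid 30347 failed, pid 30312 worked).
SAMPLE_LOG = """\
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: connect from <redact>[<client IP>]
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:before/accept initialization
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 read client hello A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 write server hello A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 write certificate A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 write server done A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 flush data
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:SSLv3 read client certificate A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept:failed in SSLv3 read client key exchange A
Feb 15 20:27:42 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30347]: SSL_accept error from <redact>[<client IP>]: lost connection
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: connect from <redact>[<client IP>]
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:before/accept initialization
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 read client hello A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write server hello A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write certificate A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write key exchange A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write server done A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 read client key exchange A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 read certificate verify A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 read finished A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: SSL_accept:SSLv3 write finished A
Feb 15 20:27:24 ip-10-251-26-185 postfix/smtpd-submission/smtpd[30312]: Anonymous TLS connection established from <redact>[<client IP>]: TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# syslog prefix: timestamp, host, "postfix/.../smtpd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STATE_RE = re.compile(r"^SSL_accept:(?P<state>.+)$")
ESTABLISHED_RE = re.compile(r"TLS connection established from (?P<peer>.+?): (?P<proto>\S+) with cipher (?P<cipher>\S+)")


@dataclass
class Handshake:
    pid: str
    states: List[str] = field(default_factory=list)   # SSL_accept states reached, in order
    failed_state: Optional[str] = None                # state named in "SSL_accept:failed in ..."
    error: Optional[str] = None                       # text after "SSL_accept error from ...:"
    protocol: Optional[str] = None
    cipher: Optional[str] = None

    @property
    def completed(self) -> bool:
        return self.protocol is not None

    @property
    def server_sent_key_exchange(self) -> bool:
        # A ServerKeyExchange is written only for ephemeral (DHE/ECDHE) cipher suites.
        return any("write key exchange" in s for s in self.states)


def parse_handshakes(log_text: str) -> Dict[str, Handshake]:
    """Group SSL_accept progress and outcome lines by smtpd process id."""
    handshakes: Dict[str, Handshake] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        hs = handshakes.setdefault(pid, Handshake(pid=pid))
        sm = STATE_RE.match(msg)
        if sm:
            state = sm.group("state")
            if state.startswith("failed in "):
                hs.failed_state = state[len("failed in "):]
            else:
                hs.states.append(state)
            continue
        if msg.startswith("SSL_accept error"):
            hs.error = msg.split(": ", 1)[-1]
            continue
        em = ESTABLISHED_RE.search(msg)
        if em:
            hs.protocol, hs.cipher = em.group("proto"), em.group("cipher")
    return handshakes


def summarize(hs: Handshake) -> str:
    """One-line verdict per connection for a human reading the triage output."""
    kx = "ephemeral key exchange" if hs.server_sent_key_exchange else "no ServerKeyExchange (static RSA)"
    if hs.completed:
        return f"pid {hs.pid}: handshake OK, {hs.protocol} {hs.cipher}, {kx}"
    last = hs.states[-1] if hs.states else "none"
    return (f"pid {hs.pid}: handshake FAILED in state '{hs.failed_state}' "
            f"after '{last}', error: {hs.error}, {kx}")


if __name__ == "__main__":
    for hs in parse_handshakes(SAMPLE_LOG).values():
        print(summarize(hs))
```

Run it against a real log (`journalctl -u postfix` or `/var/log/mail.log` with `smtpd_tls_loglevel` raised) by replacing `SAMPLE_LOG`; the per-pid grouping is what keeps interleaved connections from different clients apart.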

Posted

What version of ISY firmware are you using?

 

Modern versions removed SSL3. Older versions may only support SSL3.

Your Postfix may have had a patch to remove less secure ciphers.

 

Finally, what is the setting of the 'HTTPS Client' settings in the 'Dashboard'? (These settings apply to the SMTP client as well).

Posted

Yeah I had modified those settings following the guide:

http://www.universal-devices.com/docs/ISY994%20Series%20Network%20Security%20Guide.pdf

 

Turning off client Verify fixed the mail sending.

BTW even though the log says SSL3, that's only the cipher setting; my server is actually set up to reject SSLv3 connections. If you do s_client with -sslv3 the connection is rejected.

 

Strangely, I was setting up Pushover as a workaround. That also was not working; it was fixed when I disabled verify on the client setting in the dashboard. Go figure.
