With version 1.0.e-2, EHLO handshake fails and connections are deferred:

Apr 29 22:41:56 mx3210 postfix/smtp[29733]: Trusted TLS connection established to smtphm.sympatico.ca[65.55.172.251]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Apr 29 22:41:56 mx3210 postfix/smtp[29733]: warning: TLS library problem: 29733:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
Apr 29 22:41:56 mx3210 postfix/smtp[29733]: 0003A5F7F6: to=<dave.anglin@bell.net>, orig_to=<root>, relay=smtphm.sympatico.ca[65.55.172.251]:25, delay=13914, del
ays=13898/0.38/15/0, dsn=4.4.2, status=deferred (lost connection with smtphm.sympatico.ca[65.55.172.251] while performing the EHLO handshake)

Version 1.0.0g-1 works:
Apr 29 23:26:55 mx3210 postfix/smtp[11360]: Trusted TLS connection established to smtphm.sympatico.ca[65.55.172.251]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
Apr 29 23:26:58 mx3210 postfix/smtp[11360]: 5B1EF5F806: to=<dave.anglin@bell.net>, relay=smtphm.sympatico.ca[65.55.172.251]:25, delay=623, delays=605/0.26/16/1.4, dsn=2.6.0, status=sent (250 2.6.0  <20130430031634.GA4582@mx3210.hia.nrc.ca> Queued mail for delivery)

Can you reproduce this with:
openssl s_client -starttls smtp -connect smtphm.sympatico.ca:25

I notice that it's running a rather old version of exchange, and
I've seen various problems with old microsoft products and
announcing that you support a newer version of the TLS protocol
then they support.

If that is the problem, the only way to work around this is to
force an older version of the TLS protocol.

postfix seems to have this by default:
smtp_tls_protocols = !SSLv2

Try setting:
smtp_tls_protocols = TLS1

(The documentation isn't really clear on what the valid options
are.)


Kurt

smtp_tls_protocols = TLSv1

works.

Thanks,
Dave
--
John David Anglin	dave.anglin@bell.net

Hi,

I think this problem is a little more serious. It basically means that:

1. We have to disable TLSv1.1/1.2 if we want to be interoperable with
certain systems that are (sadly) still widely used. TLSv1.2 is a major
new feature, disabling it is not what we want.
2. Since you can't always disable TLSv1.1/1.2 in every application, it
means we sometimes have to disable TLS altogether, or where TLS is
required, you just won't be able to connect. This means openssl in
wheezy is sometimes unusable.

The discussion here[1] seems to be misguided. Of course it's nice for
every app to expose openssl options in its config, but openssl is what
is broken here.

As for blaming the remote side - GnuTLS apps in wheezy are able to talk
to MS Exchange (same exact servers having this error with postfix) with
no specific configuration changes, having TLSv1.2 still enabled (e.g. exim).

[1] http://web.archiveorange.com/archive/v/ATzXXOjuq9y3yWEltUyY

Thanks,

Gedalya

I'm pretty sure that the other side is broken, it's just that
openssl is exposing the problems on the other side.  Maybe
we can work around it, but in that case I need more info.

This is new for me.  In all recent cases I've seen gnutls had
the same problem talking to servers as openssl has.  So if this
is a server I can access over the internet, can you give more
details?


Kurt

Jun  9 07:03:27 mailout1 postfix/smtp[4748]: Untrusted TLS connection
established to mail.megacontractinginc.com[64.61.170.194]:25: TLSv1 with
cipher DES-CBC3-SHA (168/168 bits)
Jun  9 07:03:27 mailout1 postfix/smtp[4748]: warning: TLS library
problem: 4748:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:
Jun  9 07:03:27 mailout1 postfix/smtp[4748]: 727D91FED2: lost connection
with mail.megacontractinginc.com[64.61.170.194] while sending MAIL FROM
Jun  9 07:03:27 mailout1 postfix/smtp[4748]: Untrusted TLS connection
established to mail.megacontractinginc.com[50.74.229.90]:25: TLSv1 with
cipher DES-CBC3-SHA (168/168 bits)
Jun  9 07:03:27 mailout1 postfix/smtp[4748]: warning: TLS library
problem: 4748:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:

You can try to send to aaaaaaaaaaaaaa at megacontractinginc.com,
reproducing the problem would mean you get cut off after MAIL FROM, a
550 user unknown is success.
in my trials, postfix+openssl has the problem, exim+GnuTLS does not.
But I believe this should be the same with IIS6, etc, I don't think it
has anything to do with Exchange, or with any particular server. I'll
try to dig around more and bring more examples.

Thanks

openssl s_client -connect mail.megacontractinginc.com:25 -starttls smtp -crlf

But I can reproduce some weird behaviour with it that goes away
when I use -no_tls1_2.


Kurt

Right. I don't know how to do -crlf with gnutls-cli that's why I just
piped something to exim.. but it worked, without disabling TLS 1.2. I
don't doubt there's something wrong on the remote side but the remote
side is all over, and I believe we can and must find a way to work
around it.

Ooops.. silly me. --crlf, right there on the gnutls-cli man page :D

GnuTLS negotiates the same cipher as openssl would with only TLSv1 enabled.


$ swaks -f something@something.net -t dfgdgfg@example.com -s
mail.acsgs.com -tls
=== Trying mail.acsgs.com:25...
=== Connected to mail.acsgs.com.
<-  220 acsgsemail1.acsgs.com Microsoft ESMTP MAIL Service, Version:
6.0.3790.4675 ready at  Wed, 12 Jun 2013 15:18:43 -0600
  -> EHLO nws.gedalya.net
<-  250-acsgsemail1.acsgs.com Hello [xx.xx.xx.xx]
<-  250-TURN
<-  250-SIZE
<-  250-ETRN
<-  250-PIPELINING
<-  250-DSN
<-  250-ENHANCEDSTATUSCODES
<-  250-8bitmime
<-  250-BINARYMIME
<-  250-CHUNKING
<-  250-VRFY
<-  250-TLS
<-  250-STARTTLS
<-  250-X-EXPS GSSAPI NTLM
<-  250-AUTH GSSAPI NTLM
<-  250-X-LINK2STATE
<-  250-XEXCH50
<-  250 OK
  -> STARTTLS
<-  220 2.0.0 SMTP server ready
=== TLS started w/ cipher DES-CBC3-SHA
=== TLS peer subject DN="/C=US/ST=Utah/L=Sandy/O=Affiliated Computer
Services/OU=Global Services/CN=mail.acsgs.com"
  ~> EHLO nws.gedalya.net
<~  250-acsgsemail1.acsgs.com Hello [xx.xx.xx.xx]
<~  250-TURN
<~  250-SIZE
<~  250-ETRN
<~  250-PIPELINING
<~  250-DSN
<~  250-ENHANCEDSTATUSCODES
<~  250-8bitmime
<~  250-BINARYMIME
<~  250-CHUNKING
<~  250-VRFY
<~  250-X-EXPS GSSAPI NTLM LOGIN
<~  250-X-EXPS=LOGIN
<~  250-AUTH GSSAPI NTLM LOGIN
<~  250-AUTH=LOGIN
<~  250-X-LINK2STATE
<~  250-XEXCH50
<~  250 OK
  ~> MAIL FROM:<something@something.net>
*** Remote host closed connection unexpectedly.


$ openssl s_client -connect mail.acsgs.com:25 -starttls smtp -crlf
CONNECTED(00000003)
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU =
Terms of use at https://www.verisign.com/rpa (c)05, CN = VeriSign Class
3 Secure Server CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
  0 s:/C=US/ST=Utah/L=Sandy/O=Affiliated Computer Services/OU=Global
Services/CN=mail.acsgs.com
    i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
  1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
    i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification
Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFEzCCA/ugAwIBAgIQc/v1FFQpqdbVOIy00Zd9vDANBgkqhkiG9w0BAQUFADCB
......
EXVDfqHCvw==
-----END CERTIFICATE-----
subject=/C=US/ST=Utah/L=Sandy/O=Affiliated Computer Services/OU=Global
Services/CN=mail.acsgs.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use
at https://www.verisign.com/rpa (c)05/CN=VeriSign Class 3 Secure Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3076 bytes and written 545 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DES-CBC3-SHA
     Session-ID:
7505000001B9853811768E688C104416E731661E9846180362564B8460685E82
     Session-ID-ctx:
     Master-Key:
DA18807E33A53A66DB57339E5D68F1F0FAB1675980AEC6ADF4472D4DB987D993ED18EF1BDF39B0369F2535E2D691B492
     Key-Arg   : None
     PSK identity: None
     PSK identity hint: None
     SRP username: None
     Start Time: 1371072152
     Timeout   : 300 (sec)
     Verify return code: 20 (unable to get local issuer certificate)
---
250 OK
EHLO nws.gedalya.net
250-acsgsemail1.acsgs.com Hello [xx.xx.xx.xx]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
139789032576680:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:337:


$ gnutls-cli --crlf -s -p 25 mail.acsgs.com
WARNING: gnome-keyring:: couldn't connect to:
/home/jedi/.cache/keyring-V3kT53/pkcs11: No such file or directory
Resolving 'mail.acsgs.com'...
Connecting to '216.115.162.156:25'...

- Simple Client Mode:

220 acsgsemail1.acsgs.com Microsoft ESMTP MAIL Service, Version:
6.0.3790.4675 ready at  Wed, 12 Jun 2013 15:23:10 -0600
EHLO nws.gedalya.net
250-acsgsemail1.acsgs.com Hello [xx.xx.xx.xx]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-TLS
250-STARTTLS
250-X-EXPS GSSAPI NTLM
250-AUTH GSSAPI NTLM
250-X-LINK2STATE
250-XEXCH50
250 OK
STARTTLS
220 2.0.0 SMTP server ready
*** Starting TLS handshake
- Certificate type: X.509
  - Got a certificate list of 2 certificates.
  - Certificate[0] info:
   - subject `C=US,ST=Utah,L=Sandy,O=Affiliated Computer
Services,OU=Global Services,CN=mail.acsgs.com', issuer
`C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at
https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure Server
CA', RSA key 1024 bits, signed using RSA-SHA1, activated `2008-07-30
00:00:00 UTC', expires `2010-07-30 23:59:59 UTC', SHA-1 fingerprint
`766cb36ca76254171dab4ff747b413f974b8d2c6'
  - Certificate[1] info:
   - subject `C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms
of use at https://www.verisign.com/rpa (c)05,CN=VeriSign Class 3 Secure
Server CA', issuer `C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary
Certification Authority', RSA key 2048 bits, signed using RSA-SHA1,
activated `2005-01-19 00:00:00 UTC', expires `2015-01-18 23:59:59 UTC',
SHA-1 fingerprint `188590e94878478e33b6194e59fbbb28ff0888d5'
- The hostname in the certificate matches 'mail.acsgs.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: MD5
- Compression: NULL
EHLO nws.gedalya.net
250-acsgsemail1.acsgs.com Hello [xx.xx.xx.xx]
250-TURN
250-SIZE
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-X-EXPS GSSAPI NTLM LOGIN
250-X-EXPS=LOGIN
250-AUTH GSSAPI NTLM LOGIN
250-AUTH=LOGIN
250-X-LINK2STATE
250-XEXCH50
250 OK
MAIL FROM:<something@something.net>
250 2.1.0 something@something.net....Sender OK
RCPT TO:<sggsdfgsd@example.com>
550 5.7.1 Unable to relay for sggsdfgsd@example.com
QUIT
221 2.0.0 acsgsemail1.acsgs.com Service closing transmission channel
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.

I didn't notice before that -no_tsl1_2 also resulted in a
different cipher being selected.  Without -no_tsl1_2 I get
DES-CBC3-SHA, with I get RC4-MD5.

gnutls-cli goes for:
- Key Exchange: RSA
- Cipher: ARCFOUR-128
- MAC: MD5


Kurt

forwarded 706423 http://rt.openssl.org/Ticket/Display.html?id=3072&user=guest&pass=guest
thanks

I forwarded it to upstream.


Kurt

OK, it's no longer "just some old Exchange 2003 servers".... this is major.

$ openssl s_client -connect smtp.live.com:587 -starttls smtp -crlf -quiet
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
Validation CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
250 OK
AUTH LOGIN
334 VXNlcm5hbWU6
140689921832616:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:337:


Found out about this at https://github.com/andris9/Nodemailer/issues/140

Gedalya

I'd like to confirm this bug as well and try and get it prioritised.
It's a major PITA that connections to live.com (and also many exchange
servers) are failing unless you provide specific SSL override options.


$ openssl s_client -connect smtp.live.com:587 -starttls smtp -tls1_2
-crlf
CONNECTED(00000003)
46912496296712:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:
...

$ openssl s_client -connect smtp.live.com:587 -starttls smtp -tls1_1
-crlf
CONNECTED(00000003)
46912496296712:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:
...

$ openssl s_client -connect smtp.live.com:587 -starttls smtp -tls1 -crlf
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
Validation CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft
 Corporation/CN=smtp.live.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
   G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
 G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
...
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID:
    FD0100005E745018FFA58423A154B06801F16835D6A266306ACFB7D79DBB2E58
    Session-ID-ctx:
    Master-Key:
    C8851558B2E2D6B0165CEDD67F2FA2D02CD8DF49C206A1C1B14EAA3FE538A3FA101ACB7B71EFDB8A8CBB7F09CFD6C8B4
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1375150491
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK

Hmmm, and some additional details as well.

If you don't explicitly specify the protocol, it *appears* to initially
work.


$ openssl s_client -connect smtp.live.com:587 -starttls smtp -crlf
CONNECTED(00000003)
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization
Validation CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Redmond/O=Microsoft
 Corporation/CN=smtp.live.com
   i:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
   G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Organization Validation CA -
 G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
...
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID:
    03120000A01E273F7BF3F54958B1D2ECD7F623A4C7BE42388C94A825513167DA
    Session-ID-ctx:
    Master-Key:
    F8AD960F07FD339AFF0467E54BCC684FC26C735AA58CBA6E6856967D726F9FCDE0D3CAB2A566E43163D574174442C6FD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1375155252
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK



HOWEVER, if you send any command over the channel, it then causes an SSL
disconnect error.

$ echo -n -e 'ehlo messagingengine.com\nquit\n' | openssl s_client
-connect smtp.live.com:587 -starttls smtp -crlf -ign_eof
CONNECTED(00000003)
...
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID:
    03120000A01E273F7BF3F54958B1D2ECD7F623A4C7BE42388C94A825513167DA
    Session-ID-ctx:
    Master-Key:
    F8AD960F07FD339AFF0467E54BCC684FC26C735AA58CBA6E6856967D726F9FCDE0D3CAB2A566E43163D574174442C6FD
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1375155252
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK
250-BLU0-SMTP151.phx.gbl Hello [66.111.4.10]
250-TURN
250-SIZE 41943040
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-AUTH LOGIN PLAIN
250 OK
46912496296712:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:



If you make it use RC4 instead, it appears to work again.

[robm@betaweb1 postfix]$ echo -n -e 'ehlo messagingengine.com\nquit\n' |
openssl s_client -connect smtp.live.com:587 -starttls smtp -crlf
-ign_eof -cipher 'RC4'
CONNECTED(00000003)
...
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
    Session-ID:
    0B190000A64170B904A7991A84EE9DB8E85FF96F23D8BEAF6F8085E9B4869DB4
    Session-ID-ctx:
    Master-Key:
    4D8540CCBE1F647D80A0407A82143564398CC38B447DB1583D4BF0CEDA329DB09C5403311D6D7D6AD2A0AAD05738A658
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1375155540
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
250 OK
250-BLU0-SMTP163.phx.gbl Hello [66.111.4.10]
250-TURN
250-SIZE 41943040
250-ETRN
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-8bitmime
250-BINARYMIME
250-CHUNKING
250-VRFY
250-AUTH LOGIN PLAIN
250 OK
221 2.0.0 BLU0-SMTP163.phx.gbl Service closing transmission channel
read:errno=0



So something is confused when using the DES-CBC3-SHA cipher it appears,
but weirdly it appears only on the first write from openssl ->
smtp.live.com, reads from smtp.live.com -> openssl appear ok???

Anyway, the failure mode is really annoying. STARTTLS appears to work at
first, but then mysteriously fails at the first command you try and send
to the server.

Other problem reports:

http://postfix.1071664.n5.nabble.com/TLS-library-problem-after-updating-quot-openssl-quot-td16242.html
http://stackoverflow.com/questions/17011816/python-smtp-ssl-wrong-version-on-linux

I'm in contact with microsoft about this.  Today I got a reply
saying they couldn't reproduce this, and I've send them a debug
log and packet capture.


Kurt

Are we waiting for Microsoft?

This needs to be fixed by one side or the other in the interest of
interoperability, and somehow I find the scenario of it being fixed on
the open source side likely to materialize sooner.

Gedalya

http://www.ietf.org/mail-archive/web/tls/current/msg10471.html


Kurt

postfix sends to the server?

I currently see this in postfix's config:
tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL

smtpd_tls_ciphers = export
smtp_tls_mandatory_ciphers = medium

The first thing I have to wonder about is why it says:
"aNULL:-aNULL:ALL".  That doesn't seem to make sense to
me.  You start with the anonymous ciphers, you remove
them, but non permanent, and then you add ALL, which
which add them again, and you just end up with "ALL".
(But the order seems to be different, I don't really
understand.)

The "+RC4" shouldn't change much either, since that just
reorders things (and doesn't add anything), and then you
reorder the whole thing with @STRENGTH.

Please not that openssl's default (DEFAULT) is ALL:!aNULL:!eNULL
where the ! permanently deletes those from the list and can't be
added later again.

I really see no good reason to have anonymous ciphers in the list
since they are vulnerable to a MITM attack.  And the list as it
is now has actually has anonymous ciphers at the start.  It starts
with:
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=None Enc=AES(256)  Mac=SHA1
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-CAMELLIA256-SHA     SSLv3 Kx=DH       Au=None Enc=Camellia(256) Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD

This specially doesn't make sense for the mandatory list, but
I would say that this doesn't make sense for the opportunistic
list either.

The non-mandatory list (smtpd_tls_ciphers, tls_export_cipherlist)
currently has 103 ciphers.

When changing it from:
aNULL:-aNULL:ALL:+RC4:@STRENGTH
to:
ALL:-aNULL:+RC4:@STRENGTH

This will already reduce the list to 84 ciphers.

And when using:
ALL:!aNULL:+RC4:@STRENGTH
it's reduced to 82.

There are probably a number of other types you might
want to remove.  I don't think PSK and SRP are going
to be used much, so you could do this:
ALL:!aNULL:!eNULL:!SRP:!PSK:@STRENGTH

You might also want to consider changing the order, for
instance placing DES near the end, but the worst still
at the end:
ALL:!aNULL:!eNULL:!SRP:!PSK:@STRENGTH:+3DES:+LOW:+EXPORT


Kurt

smtp_tls_exclude_ciphers =
smtp_tls_mandatory_exclude_ciphers =

And from the manpage:
       The underlying cipherlists for grades other than "null"
       include anonymous ciphers, but these are automatically
       filtered out if the Postfix SMTP client is configured to
       verify server certificates.  You are very unlikely to need
       to take any steps to exclude anonymous ciphers, they are
       excluded automatically as necessary.  If you must exclude
       anonymous ciphers at the "may" or "encrypt" security
       levels, when the Postfix SMTP client does not need or use
       peer certificates, set "smtp_tls_exclude_ciphers = aNULL".
       To exclude anonymous ciphers only when TLS is enforced, set
       "smtp_tls_mandatory_exclude_ciphers = aNULL".

I'm a little confused by this.  I can understand that for
smtp_tls_security_level=may that you might want to allow
anonymous ciphers, since you're happy to send it to anybody or not
encrypted at all.  But I'm not sure what the encrypt level really
means.  It uses the mandatory values, but does that just accept any
certificate it sees?  Does it check the CA-path?  The hostname?  I
have a feeling it only does some of those things at the verify
level.  So I have to wonder what that level gets you more than the
may level other than a different list of acceptable ciphers.

I'm going to assume that if you set the level to fingerprint,
verify or secure that it excludes aNULL itself, even if that's
nowhere in the config file.

The manpage actually says this about it:

    With OpenSSL 1.0.0 and later the cipherlist may start with an
    "aNULL:" prefix, which restores the 0.9.8-compatible ordering
    of the aNULL ciphers to the top of the list when they are
    enabled. This prefix is not needed with previous OpenSSL
    releases.
aNULL:-aNULL:ALL:+RC4:!SRP:!PSK:!SEED:!MD5:!CAMELLIA:@STRENGTH:+3DES:+LOW:+EXPORT

I had to exclude CAMELLIA to get a reasanable list again with all
those anonymous ciphers.

I also wonder why so many people have complained about this.  I
assume that they run at the may level in which case it should just
retry without encryption, and they shouldn't see any problems?


Kurt

For what it's worth, this is now a bit different (3.1.3):

tls_export_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH
tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH
tls_low_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH
tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL

smtpd_tls_ciphers = medium
smtp_tls_mandatory_ciphers = medium

Are people still having this problem?

Scott K

Dear Customer,
 We attempted to deliver your item at 3:30pm on 9th March, 2020. (Read enclosed file details)
The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically sent.

If the parcel is not scheduled for re-delivery or picked up within 72 hours, it will be returned to the sender.

Label Number: (Read enclosed file details)
Class: Package Services
Service(s): (Read enclosed file details)
Status: e-Notification sent

Read the enclosed file for details.
 UPS Customer Service.

Good Day,


My name is Dr Nelson Rodriguez. I have a very good business
opportunity that will benefit both of us.Kindly get back to me
for more details.


Regards,

Dr Nelson Rodriguez
(Dir., Research & Development)