[Postfixbuch-users] TLS and SMTP Auth problem
Andreas Krummrich
brutus at iunius.org
Mon May 7 21:19:54 CEST 2007
Patrick Ben Koetter wrote:
> * Andreas Krummrich <brutus at iunius.org>:
>
>> Here is the output:
>>
>> brutus at itchy:~$ openssl s_client -starttls smtp -CAfile ca.crt -connect rom.iunius.org:25
>>
>
> Is the ca.crt also configured in Postfix? I didn't see it in your
> config.
>
>
>
>> CONNECTED(00000003)
>> depth=1 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/OU=Berlin/CN=rom/emailAddress=brutus at iunius.org
>> verify return:1
>> depth=0 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/CN=rom.iunius.org
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:/C=DE/ST=NRW/L=Troisdorf/O=iunius.org/CN=rom.iunius.org
>>   i:/C=DE/ST=NRW/L=Troisdorf/O=iunius.org/OU=Berlin/CN=rom/emailAddress=brutus at iunius.org
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>>
>
> <snip>
>
>
>> -----END CERTIFICATE-----
>> subject=/C=DE/ST=NRW/L=Troisdorf/O=iunius.org/CN=rom.iunius.org
>> issuer=/C=DE/ST=NRW/L=Troisdorf/O=iunius.org/OU=Berlin/CN=rom/emailAddress=brutus at iunius.org
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1501 bytes and written 351 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : DHE-RSA-AES256-SHA
>> Session-ID:
>> A366319E8BF413D080B983BBD8C4BE3DC1DFB990A663603657AC3AEB3E7B3BB4
>> Session-ID-ctx:
>> Master-Key:
>> B18F8A5FE8851866C76E19DE7FDD5449CE4A8E7E4AB5F15970F5E8B8F35395FE56A38669C780D888BA0A64FD65ACEE50
>> Key-Arg : None
>> Start Time: 1178461320
>> Timeout : 300 (sec)
>> Verify return code: 0 (ok)
>> ---
>> 250 8BITMIME
>> EHLO iunius.org
>> 250-rom.iunius.org
>> 250-AUTH LOGIN CRAM-MD5 PLAIN
>> 250-AUTH=LOGIN CRAM-MD5 PLAIN
>>
>
> So qmail offers LOGIN, PLAIN and CRAM-MD5. That's a good start.
>
>
>> 250-PIPELINING
>> 250 8BITMIME
>> AUTH LOGIN
>> 334 VXNlcm5hbWU6
>> dGVzdA==
>> 334 UGFzc3dvcmQ6
>> dGVzdA==
>> 235 ok, go ahead (#2.0.0)
>>
>
> LOGIN works. Also good. But you will want to change the user "test" and the
> password "test" right away, so that nobody uses the encoded, but not
> encrypted, strings against you.
>
> Since LOGIN seems to work, a suggestion for a workaround:
> Does your Postfix support the $smtp_sasl_mechanism_filter parameter (Postfix
> 2.3 and later)?
>
> If so, set it to the following:
>
> smtp_sasl_mechanism_filter = !cram-md5, static:rest
>
>
No, it doesn't support that. It is still an ancient Postfix on Debian
Woody.
> That way Postfix ignores CRAM-MD5 and uses login or plain. That's okay
> as long as you use TLS.
>
> For plaintext mechanisms during TLS you then additionally need to set
> the following:
>
> smtp_sasl_tls_security_options = noanonymous
>
That didn't help either.
I just raised the log level for TLS, and this is what came out.
Maybe it helps a bit:
May 7 21:12:01 santa postfix/smtpd[28035]: connect from bart.springfield.home[10.10.42.10]
May 7 21:12:01 santa postfix/smtpd[28035]: setting up TLS connection from bart.springfield.home[10.10.42.10]
May 7 21:12:01 santa postfix/smtpd[28035]: TLS connection established from bart.springfield.home[10.10.42.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May 7 21:12:01 santa postfix/smtpd[28035]: 41CC2CD57D: client=bart.springfield.home[10.10.42.10], sasl_method=CRAM-MD5, sasl_username=brutus
May 7 21:12:01 santa postfix/cleanup[28037]: 41CC2CD57D: message-id=<463F79BA.1070303 at iunius.org>
May 7 21:12:01 santa postfix/qmgr[28034]: 41CC2CD57D: from=<brutus at iunius.org>, size=627, nrcpt=1 (queue active)
May 7 21:12:01 santa postfix/smtpd[28035]: disconnect from bart.springfield.home[10.10.42.10]
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:before/connect initialization
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv2/v3 write client hello A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv2/v3 read server hello A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server hello A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server hello A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 read server hello A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server certificate A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server certificate A
May 7 21:12:01 santa postfix/smtp[28038]: Peer cert verify depth=1 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/OU=Berlin/CN=rom/Email=brutus at iunius.org
May 7 21:12:01 santa postfix/smtp[28038]: verify return:1
May 7 21:12:01 santa postfix/smtp[28038]: Peer cert verify depth=0 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/CN=rom.iunius.org
May 7 21:12:01 santa postfix/smtp[28038]: verify return:1
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 read server certificate A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server key exchange A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server key exchange A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 read server key exchange A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server certificate request A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server certificate request A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 read server done A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 write client key exchange A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 write change cipher spec A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 write finished A
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 flush data
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read finished A
May 7 21:12:01 santa last message repeated 3 times
May 7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 read finished A
May 7 21:12:01 santa postfix/smtp[28038]: Verified: subject_CN=rom.iunius.org, issuer=rom
May 7 21:12:01 santa postfix/smtp[28038]: TLS connection established to rom.iunius.org: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
May 7 21:12:01 santa postfix/smtp[28038]: 41CC2CD57D: to=<krummrich at msim.de>, relay=rom.iunius.org[81.169.142.6], delay=0, status=bounced (host rom.iunius.org[81.169.142.6] said: 553 sorry, that domain isn't in my list of allowed rcpthosts; no valid cert for gatewaying (#5.7.1))
May 7 21:12:02 santa postfix/cleanup[28037]: 09A0DCD57E: message-id=<20070507191202.09A0DCD57E at santa.springfield.home>
May 7 21:12:02 santa postfix/qmgr[28034]: 09A0DCD57E: from=<>, size=2484, nrcpt=1 (queue active)
May 7 21:12:02 santa postfix/smtp[28183]: starting TLS engine
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:before/connect initialization
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv2/v3 write client hello A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv2/v3 read server hello A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server hello A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server hello A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 read server hello A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server certificate A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server certificate A
May 7 21:12:02 santa postfix/smtp[28183]: Peer cert verify depth=1 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/OU=Berlin/CN=rom/Email=brutus at iunius.org
May 7 21:12:02 santa postfix/smtp[28183]: verify return:1
May 7 21:12:02 santa postfix/smtp[28183]: Peer cert verify depth=0 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/CN=rom.iunius.org
May 7 21:12:02 santa postfix/smtp[28183]: verify return:1
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 read server certificate A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server key exchange A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server key exchange A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 read server key exchange A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server certificate request A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server certificate request A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 read server done A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 write client key exchange A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 write change cipher spec A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 write finished A
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 flush data
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read finished A
May 7 21:12:02 santa last message repeated 3 times
May 7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 read finished A
May 7 21:12:02 santa postfix/smtp[28183]: Verified: subject_CN=rom.iunius.org, issuer=rom
May 7 21:12:02 santa postfix/smtp[28183]: TLS connection established to rom.iunius.org: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
May 7 21:12:02 santa postfix/smtp[28183]: 09A0DCD57E: to=<brutus at iunius.org>, relay=rom.iunius.org[81.169.142.6], delay=0, status=sent (250 ok 1178565071 qp 30441)
Regards,
Andreas
More information about the Postfixbuch-users mailing list
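Added example, not part of the thread: both sides of the three SASL mechanisms that qmail advertises above (LOGIN, PLAIN, CRAM-MD5), to make Patrick's point concrete. The AUTH LOGIN lines are taken from the openssl s_client transcript quoted above; everything a passive observer of an unencrypted session needs to recover "test"/"test" is a base64 decode. The CRAM-MD5 functions follow RFC 2195 (HMAC-MD5 over the server challenge, keyed with the password) and are checked against the RFC's own test vector (user "tim", secret "tanstaaftanstaaf"); the password lookup table is a constructed stand-in for whatever the server actually consults.

```python
"""SASL LOGIN, PLAIN and CRAM-MD5 exchanges as seen in the thread.

Added example; not code from the mailing list post or from Postfix/qmail.
"""
import base64
import hashlib
import hmac

# AUTH LOGIN exchange from the openssl s_client session quoted above.
LOGIN_TRANSCRIPT = [
    "334 VXNlcm5hbWU6",
    "dGVzdA==",
    "334 UGFzc3dvcmQ6",
    "dGVzdA==",
    "235 ok, go ahead (#2.0.0)",
]

# RFC 2195 test vector: challenge, user "tim", secret "tanstaaftanstaaf".
RFC2195_CHALLENGE = "PDE4OTYuNjk3MTcwOTUyQHBvc3RvZmZpY2UucmVzdG9uLm1jaS5uZXQ+"
RFC2195_RESPONSE = "dGltIGI5MTNhNjAyYzdlZGE3YTQ5NWI0ZTZlNzMzNGQzODkw"


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def unb64(text: str) -> bytes:
    return base64.b64decode(text)


def decode_login_transcript(lines):
    """What an eavesdropper on a non-TLS AUTH LOGIN sees: every '334' prompt
    and every client reply is plain base64, i.e. encoded, not encrypted."""
    decoded = []
    for line in lines:
        if line.startswith("334 "):
            decoded.append(("S", unb64(line[4:]).decode()))
        elif line[:3].isdigit():            # any other server reply code
            decoded.append(("S", line))
        else:                                # client reply: base64 credential
            decoded.append(("C", unb64(line).decode()))
    return decoded


def auth_plain_initial(user, password, authzid=""):
    """RFC 4616 AUTH PLAIN: authzid NUL authcid NUL passwd, base64 encoded."""
    return b64(f"{authzid}\0{user}\0{password}".encode())


def parse_auth_plain(token):
    """Server side of AUTH PLAIN; just as reversible as LOGIN."""
    parts = unb64(token).split(b"\0")
    if len(parts) != 3:
        raise ValueError("malformed AUTH PLAIN token")
    authzid, authcid, passwd = (p.decode() for p in parts)
    return authzid, authcid, passwd


def cram_md5_response(user, password, challenge_b64):
    """RFC 2195 client side: HMAC-MD5(password, challenge) as lowercase hex,
    prefixed with the user name and a space, then base64 encoded. The
    password itself never crosses the wire."""
    challenge = unb64(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return b64(f"{user} {digest}".encode())


def cram_md5_verify(response_b64, challenge_b64, lookup_password):
    """RFC 2195 server side. The server must recompute the HMAC, so it needs
    the cleartext (or equivalent) secret: CRAM-MD5 cannot be verified against
    a one-way password hash, which is the trade-off against LOGIN/PLAIN."""
    try:
        user, digest = unb64(response_b64).decode().split(" ", 1)
    except ValueError:
        return False
    secret = lookup_password(user)
    if secret is None:
        return False
    expected = hmac.new(secret.encode(), unb64(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    for side, text in decode_login_transcript(LOGIN_TRANSCRIPT):
        print(f"{side}: {text!r}")
    print("PLAIN token for test/test:", auth_plain_initial("test", "test"))
    # Constructed stand-in for the server's credential store.
    passwords = {"tim": "tanstaaftanstaaf"}
    resp = cram_md5_response("tim", "tanstaaftanstaaf", RFC2195_CHALLENGE)
    print("CRAM-MD5 matches RFC 2195 vector:", resp == RFC2195_RESPONSE)
    print("server accepts:", cram_md5_verify(resp, RFC2195_CHALLENGE, passwords.get))
```

Running the block prints the recovered "Username:"/"test"/"Password:"/"test" exchange, the equivalent one-shot PLAIN token, and confirms the CRAM-MD5 computation against the RFC vector.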
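A second added example (again not from the thread, and not the poster's actual main.cf, which is not on this page): the SMTP client side of a Postfix main.cf, linted for the settings Patrick asks about. It relies only on defaults documented in postconf(5): smtp_sasl_security_options defaults to "noplaintext, noanonymous", and smtp_sasl_tls_security_options defaults to "$smtp_sasl_security_options", so a client that leaves both alone refuses LOGIN and PLAIN even inside TLS and can only use CRAM-MD5 or DIGEST-MD5. The two configurations below are constructed: the first mirrors that default trap and omits the CA file, the second is the corrected form with Patrick's two settings and smtp_tls_CAfile (the path /etc/postfix/ca.crt and the password map name are assumptions). The smtp_sasl_mechanism_filter line only applies to Postfix 2.3 and later, as the thread says.

```python
"""Lint the SMTP client SASL/TLS settings of a Postfix main.cf.

Added example; not code from the mailing list post or from Postfix.
"""
import re

# Defaults from postconf(5) for the parameters this check cares about.
DEFAULTS = {
    "smtp_sasl_auth_enable": "no",
    "smtp_sasl_password_maps": "",
    "smtp_sasl_security_options": "noplaintext, noanonymous",
    "smtp_sasl_tls_security_options": "$smtp_sasl_security_options",
    "smtp_tls_CAfile": "",
    "smtp_tls_CApath": "",
}

# Constructed: relays through rom.iunius.org over TLS with SASL on, but the
# security options left at their defaults and no CA file configured.
WEAK_MAIN_CF = """
relayhost = [rom.iunius.org]
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""

# Constructed: the corrected form. CA file path and map name are assumptions;
# smtp_sasl_mechanism_filter needs Postfix 2.3 or later.
FIXED_MAIN_CF = """
relayhost = [rom.iunius.org]
smtp_use_tls = yes
smtp_tls_CAfile = /etc/postfix/ca.crt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext,
    noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_sasl_mechanism_filter = !cram-md5, static:rest
"""


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value', '#' comments, and
    continuation lines that begin with whitespace."""
    conf, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            conf[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        last = name.strip()
        conf[last] = value.strip()
    return conf


def resolve(conf, name, depth=0):
    """Effective value of a parameter with $other_parameter references
    expanded, falling back to the postconf(5) default."""
    value = conf.get(name, DEFAULTS.get(name, ""))
    if depth > 10:                       # guard against self-references
        return value
    return re.sub(r"\$\{?(\w+)\}?",
                  lambda m: resolve(conf, m.group(1), depth + 1), value)


def options(value):
    return {o.strip().lower() for o in value.split(",") if o.strip()}


def lint_client_sasl(text):
    """Return a list of findings; empty means the client can authenticate
    with LOGIN/PLAIN inside TLS, never without TLS, against a verified relay."""
    conf = parse_main_cf(text)
    findings = []
    if resolve(conf, "smtp_sasl_auth_enable").lower() != "yes":
        findings.append("smtp_sasl_auth_enable is not yes: the client never sends AUTH")
    if not resolve(conf, "smtp_sasl_password_maps"):
        findings.append("smtp_sasl_password_maps is unset: no credentials for the relay")
    tls_opts = options(resolve(conf, "smtp_sasl_tls_security_options"))
    if "noplaintext" in tls_opts:
        findings.append("noplaintext is in effect inside TLS: LOGIN/PLAIN are refused, "
                        "leaving only CRAM-MD5/DIGEST-MD5")
    if "noanonymous" not in tls_opts:
        findings.append("noanonymous is missing from smtp_sasl_tls_security_options")
    if "noplaintext" not in options(resolve(conf, "smtp_sasl_security_options")):
        findings.append("noplaintext is missing from smtp_sasl_security_options: "
                        "LOGIN/PLAIN would also be offered without TLS")
    if not resolve(conf, "smtp_tls_CAfile") and not resolve(conf, "smtp_tls_CApath"):
        findings.append("neither smtp_tls_CAfile nor smtp_tls_CApath is set: "
                        "the relay certificate cannot be verified")
    return findings


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MAIN_CF), ("fixed", FIXED_MAIN_CF)):
        print(f"{label}: {lint_client_sasl(cf) or ['no findings']}")
```

The interesting line for this thread is the inherited "noplaintext": nothing in the weak configuration mentions it, yet it governs the TLS session through the default of smtp_sasl_tls_security_options, which is exactly why Patrick's second setting has to be spelled out.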