[Postfixbuch-users] TLS and SMTP Auth problem

Andreas Krummrich brutus at iunius.org
Mon May 7 21:13:37 CEST 2007


Patrick Ben Koetter wrote:
> * Andreas Krummrich <brutus at iunius.org>:
>   
>> Here is the output:
>>
>> brutus at itchy:~$ openssl s_client -starttls smtp -CAfile ca.crt -connect rom.iunius.org:25
>>     
>
> Is the ca.crt also configured in Postfix? I didn't see it in your
> config.
>
>
>   
>> CONNECTED(00000003)
>> depth=1 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/OU=Berlin/CN=rom/emailAddress=brutus at iunius.org
>> verify return:1
>> depth=0 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/CN=rom.iunius.org
>> verify return:1
>> ---
>> Certificate chain
>>  0 s:/C=DE/ST=NRW/L=Troisdorf/O=iunius.org/CN=rom.iunius.org
>>    i:/C=DE/ST=NRW/L=Troisdorf/O=iunius.org/OU=Berlin/CN=rom/emailAddress=brutus at iunius.org
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>>     
>
> <snip>
>
>   
>> -----END CERTIFICATE-----
>> subject=/C=DE/ST=NRW/L=Troisdorf/O=iunius.org/CN=rom.iunius.org
>> issuer=/C=DE/ST=NRW/L=Troisdorf/O=iunius.org/OU=Berlin/CN=rom/emailAddress=brutus at iunius.org
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 1501 bytes and written 351 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 1024 bit
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1
>>     Cipher    : DHE-RSA-AES256-SHA
>>     Session-ID: A366319E8BF413D080B983BBD8C4BE3DC1DFB990A663603657AC3AEB3E7B3BB4
>>     Session-ID-ctx:
>>     Master-Key: B18F8A5FE8851866C76E19DE7FDD5449CE4A8E7E4AB5F15970F5E8B8F35395FE56A38669C780D888BA0A64FD65ACEE50
>>     Key-Arg   : None
>>     Start Time: 1178461320
>>     Timeout   : 300 (sec)
>>     Verify return code: 0 (ok)
>> ---
>> 250 8BITMIME
>> EHLO iunius.org
>> 250-rom.iunius.org
>> 250-AUTH LOGIN CRAM-MD5 PLAIN
>> 250-AUTH=LOGIN CRAM-MD5 PLAIN
>>     
>
> So qmail offers LOGIN, PLAIN and CRAM-MD5. That's a good start.
>
>   
>> 250-PIPELINING
>> 250 8BITMIME
>> AUTH LOGIN
>> 334 VXNlcm5hbWU6
>> dGVzdA==
>> 334 UGFzc3dvcmQ6
>> dGVzdA==
>> 235 ok, go ahead (#2.0.0)
>>     
>
> LOGIN works. Also good. But you'll want to change the user "test" and the
> password "test" right away, so that nobody uses the encoded but not
> encrypted strings against you.
>
> Since LOGIN seems to work, a suggestion for a workaround:
> Does your Postfix support the $smtp_sasl_mechanism_filter parameter (Postfix
> 2.3 and later)?
>
> If so, set it to the following:
>
> smtp_sasl_mechanism_filter = !cram-md5, static:rest
>
>   
No, it doesn't support that. It's still an ancient Postfix on Debian
Woody.
> That way Postfix will ignore CRAM-MD5 and use login or plain. That's okay
> as long as you're using TLS.
>
> For plaintext mechanisms during TLS you then additionally need to set
> the following:
>
> smtp_sasl_tls_security_options = noanonymous
>   
That didn't help either.
I just raised the log level for TLS and the following came out.
Maybe this helps a bit:

May  7 21:12:01 santa postfix/smtpd[28035]: connect from bart.springfield.home[10.10.42.10]
May  7 21:12:01 santa postfix/smtpd[28035]: setting up TLS connection from bart.springfield.home[10.10.42.10]
May  7 21:12:01 santa postfix/smtpd[28035]: TLS connection established from bart.springfield.home[10.10.42.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May  7 21:12:01 santa postfix/smtpd[28035]: 41CC2CD57D: client=bart.springfield.home[10.10.42.10], sasl_method=CRAM-MD5, sasl_username=brutus
May  7 21:12:01 santa postfix/cleanup[28037]: 41CC2CD57D: message-id=<463F79BA.1070303 at iunius.org>
May  7 21:12:01 santa postfix/qmgr[28034]: 41CC2CD57D: from=<brutus at iunius.org>, size=627, nrcpt=1 (queue active)
May  7 21:12:01 santa postfix/smtpd[28035]: disconnect from bart.springfield.home[10.10.42.10]
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:before/connect initialization
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv2/v3 write client hello A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv2/v3 read server hello A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server hello A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server hello A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 read server hello A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server certificate A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server certificate A
May  7 21:12:01 santa postfix/smtp[28038]: Peer cert verify depth=1 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/OU=Berlin/CN=rom/Email=brutus at iunius.org
May  7 21:12:01 santa postfix/smtp[28038]: verify return:1
May  7 21:12:01 santa postfix/smtp[28038]: Peer cert verify depth=0 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/CN=rom.iunius.org
May  7 21:12:01 santa postfix/smtp[28038]: verify return:1
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 read server certificate A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server key exchange A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server key exchange A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 read server key exchange A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server certificate request A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read server certificate request A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 read server done A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 write client key exchange A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 write change cipher spec A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 write finished A
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 flush data
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:error in SSLv3 read finished A
May  7 21:12:01 santa last message repeated 3 times
May  7 21:12:01 santa postfix/smtp[28038]: SSL_connect:SSLv3 read finished A
May  7 21:12:01 santa postfix/smtp[28038]: Verified: subject_CN=rom.iunius.org, issuer=rom
May  7 21:12:01 santa postfix/smtp[28038]: TLS connection established to rom.iunius.org: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
May  7 21:12:01 santa postfix/smtp[28038]: 41CC2CD57D: to=<krummrich at msim.de>, relay=rom.iunius.org[81.169.142.6], delay=0, status=bounced (host rom.iunius.org[81.169.142.6] said: 553 sorry, that domain isn't in my list of allowed rcpthosts; no valid cert for gatewaying (#5.7.1))
May  7 21:12:02 santa postfix/cleanup[28037]: 09A0DCD57E: message-id=<20070507191202.09A0DCD57E at santa.springfield.home>
May  7 21:12:02 santa postfix/qmgr[28034]: 09A0DCD57E: from=<>, size=2484, nrcpt=1 (queue active)
May  7 21:12:02 santa postfix/smtp[28183]: starting TLS engine
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:before/connect initialization
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv2/v3 write client hello A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv2/v3 read server hello A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server hello A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server hello A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 read server hello A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server certificate A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server certificate A
May  7 21:12:02 santa postfix/smtp[28183]: Peer cert verify depth=1 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/OU=Berlin/CN=rom/Email=brutus at iunius.org
May  7 21:12:02 santa postfix/smtp[28183]: verify return:1
May  7 21:12:02 santa postfix/smtp[28183]: Peer cert verify depth=0 /C=DE/ST=NRW/L=Troisdorf/O=iunius.org/CN=rom.iunius.org
May  7 21:12:02 santa postfix/smtp[28183]: verify return:1
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 read server certificate A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server key exchange A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server key exchange A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 read server key exchange A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server certificate request A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read server certificate request A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 read server done A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 write client key exchange A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 write change cipher spec A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 write finished A
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 flush data
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:error in SSLv3 read finished A
May  7 21:12:02 santa last message repeated 3 times
May  7 21:12:02 santa postfix/smtp[28183]: SSL_connect:SSLv3 read finished A
May  7 21:12:02 santa postfix/smtp[28183]: Verified: subject_CN=rom.iunius.org, issuer=rom
May  7 21:12:02 santa postfix/smtp[28183]: TLS connection established to rom.iunius.org: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
May  7 21:12:02 santa postfix/smtp[28183]: 09A0DCD57E: to=<brutus at iunius.org>, relay=rom.iunius.org[81.169.142.6], delay=0, status=sent (250 ok 1178565071 qp 30441)

Regards,
    Andreas
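Added example, not code from this thread, from Postfix or from qmail: it models what the mechanism filter and security options discussed above do to the mechanism list qmail advertises in the posted EHLO response, and builds or decodes the client side of LOGIN, PLAIN and CRAM-MD5 so the difference between "encoded" and "encrypted" is visible. The filter is a simplified re-creation of the documented Postfix semantics (first matching pattern wins, "!" negates, "static:..." matches anything), and the preference order CRAM-MD5 > PLAIN > LOGIN is this script's own assumption.

```python
# Added example; not code from the thread, Postfix or qmail. Filter semantics
# are a simplified re-creation of the documented smtp_sasl_mechanism_filter
# behaviour; PREFERENCE is an assumption of this script.
import base64
import hashlib
import hmac
import re

# EHLO response as posted in the thread (qmail on rom.iunius.org).
EHLO_RESPONSE = """250-rom.iunius.org
250-AUTH LOGIN CRAM-MD5 PLAIN
250-AUTH=LOGIN CRAM-MD5 PLAIN
250-PIPELINING
250 8BITMIME"""

# AUTH LOGIN exchange as posted (user "test", password "test").
POSTED_LOGIN_EXCHANGE = ["334 VXNlcm5hbWU6", "dGVzdA==", "334 UGFzc3dvcmQ6", "dGVzdA=="]

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
PREFERENCE = ["CRAM-MD5", "PLAIN", "LOGIN"]  # assumed client preference, strongest first


def advertised_mechanisms(ehlo_response):
    """Mechanism names from the 'AUTH' line and the legacy 'AUTH=' line, deduplicated."""
    mechs = []
    for line in ehlo_response.splitlines():
        m = re.match(r"250[- ]AUTH=?\s+(.+)$", line)
        if m:
            for name in m.group(1).split():
                if name.upper() not in mechs:
                    mechs.append(name.upper())
    return mechs


def apply_mechanism_filter(mechs, filter_spec):
    """Comma/space separated patterns; empty filter keeps everything. Per mechanism
    the first matching pattern decides: '!name' rejects, 'name' or 'static:rest'
    accepts. A mechanism no pattern matches is dropped."""
    patterns = [p for p in re.split(r"[,\s]+", filter_spec.strip()) if p]
    if not patterns:
        return list(mechs)
    kept = []
    for mech in mechs:
        for pat in patterns:
            negate = pat.startswith("!")
            name = pat[1:] if negate else pat
            if name.lower().startswith("static:") or name.upper() == mech:
                if not negate:
                    kept.append(mech)
                break
    return kept


def apply_security_options(mechs, options):
    """noplaintext removes PLAIN and LOGIN; noanonymous removes ANONYMOUS."""
    opts = {o.lower() for o in re.split(r"[,\s]+", options.strip()) if o}
    kept = list(mechs)
    if "noplaintext" in opts:
        kept = [m for m in kept if m not in PLAINTEXT_MECHS]
    if "noanonymous" in opts:
        kept = [m for m in kept if m != "ANONYMOUS"]
    return kept


def choose_mechanism(mechs):
    return next((m for m in PREFERENCE if m in mechs), None)


def negotiate(ehlo_response, filter_spec, tls_active, plain_opts, tls_opts):
    """Advertised -> filtered -> options for the current transport -> choice.
    Like Postfix, the *_tls_security_options apply only once TLS is up."""
    mechs = apply_mechanism_filter(advertised_mechanisms(ehlo_response), filter_spec)
    mechs = apply_security_options(mechs, tls_opts if tls_active else plain_opts)
    return choose_mechanism(mechs)


def b64(data):
    return base64.b64encode(data).decode("ascii")


def plain_response(user, password, authzid=""):
    """SASL PLAIN: base64(authzid NUL authcid NUL password), credentials in clear."""
    return b64(f"{authzid}\0{user}\0{password}".encode())


def decode_plain(response):
    authzid, user, password = base64.b64decode(response).split(b"\0")
    return authzid.decode(), user.decode(), password.decode()


def decode_login_exchange(lines):
    """Recover prompts and credentials from an AUTH LOGIN transcript: base64 is
    encoding, not encryption, so without TLS anyone on the path reads them."""
    out, prompt = {}, None
    for line in lines:
        if line.startswith("334 "):
            prompt = base64.b64decode(line[4:]).decode()
        else:
            out[prompt] = base64.b64decode(line).decode()
    return out


def cram_md5_response(user, password, challenge_b64):
    """RFC 2195 client side: base64(user + ' ' + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return b64(f"{user} {digest}".encode())


def cram_md5_verify(response_b64, password, challenge_b64):
    """Server side, returns (user, ok). Only the HMAC crosses the wire, not the password."""
    user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
    expected = hmac.new(password.encode(), base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return user, hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    print(decode_login_exchange(POSTED_LOGIN_EXCHANGE))
    for tls in (True, False):
        print(tls, negotiate(EHLO_RESPONSE, "!cram-md5, static:rest", tls, "noplaintext, noanonymous", "noanonymous"))
```

With the filter from the thread and `noplaintext` on the non-TLS side, `negotiate()` returns PLAIN once TLS is up and nothing at all on a cleartext connection, which is the intended failure mode: rather than leak a LOGIN or PLAIN password, the client has no mechanism left and must not authenticate.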
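A second added example, again not code from the thread or from Postfix: it reads the kind of log posted above and correlates lines per process and queue ID, so that for each SMTP session you can see whether TLS came up, with which cipher, which SASL mechanism authenticated, whether the client verified the peer certificate, and how delivery ended. The first seven sample lines are copied from the posted log (unwrapped); the last three are constructed to show a cleartext PLAIN login that the check is meant to flag. The weak-cipher marker list is this script's own assumption.

```python
# Added example; not code from the thread or from Postfix. Sample log: the first
# seven lines are from the posted log, the remaining three are constructed.
import re
from collections import defaultdict

SAMPLE_LOG = """\
May  7 21:12:01 santa postfix/smtpd[28035]: connect from bart.springfield.home[10.10.42.10]
May  7 21:12:01 santa postfix/smtpd[28035]: TLS connection established from bart.springfield.home[10.10.42.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
May  7 21:12:01 santa postfix/smtpd[28035]: 41CC2CD57D: client=bart.springfield.home[10.10.42.10], sasl_method=CRAM-MD5, sasl_username=brutus
May  7 21:12:01 santa postfix/smtpd[28035]: disconnect from bart.springfield.home[10.10.42.10]
May  7 21:12:01 santa postfix/smtp[28038]: Verified: subject_CN=rom.iunius.org, issuer=rom
May  7 21:12:01 santa postfix/smtp[28038]: TLS connection established to rom.iunius.org: TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
May  7 21:12:01 santa postfix/smtp[28038]: 41CC2CD57D: to=<krummrich at msim.de>, relay=rom.iunius.org[81.169.142.6], delay=0, status=bounced (host rom.iunius.org[81.169.142.6] said: 553 sorry, that domain isn't in my list of allowed rcpthosts; no valid cert for gatewaying (#5.7.1))
May  7 21:15:00 santa postfix/smtpd[28200]: connect from lisa.springfield.home[10.10.42.11]
May  7 21:15:00 santa postfix/smtpd[28200]: DEADBEEF01: client=lisa.springfield.home[10.10.42.11], sasl_method=PLAIN, sasl_username=lisa
May  7 21:15:00 santa postfix/smtpd[28200]: disconnect from lisa.springfield.home[10.10.42.11]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TLS_RE = re.compile(r"TLS connection established (?:from|to) (?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
SASL_RE = re.compile(r"^(?P<qid>[0-9A-F]+): client=(?P<client>\S+), sasl_method=(?P<method>\S+), sasl_username=(?P<user>\S+)")
DELIVERY_RE = re.compile(r"^(?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>, relay=(?P<relay>\S+), .*status=(?P<status>\w+) \((?P<detail>.*)\)$")

# Assumed markers for ciphers a 2007-era Postfix would still negotiate but that are weak today.
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES-CBC", "NULL", "EXP", "ADH")
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}


def parse_sessions(log_text):
    """Group log lines by process ID; one smtpd/smtp process handles one session here."""
    sessions = defaultdict(lambda: {"prog": None, "tls": None, "verified": False,
                                    "auth": None, "deliveries": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "last message repeated N times"
        s = sessions[m["pid"]]
        s["prog"] = m["prog"]
        msg = m["msg"]
        if (t := TLS_RE.search(msg)):
            s["tls"] = {"peer": t["peer"], "proto": t["proto"], "cipher": t["cipher"]}
        elif msg.startswith("Verified:"):
            s["verified"] = True  # smtp client verified the peer certificate chain
        elif (a := SASL_RE.match(msg)):
            s["auth"] = {"qid": a["qid"], "method": a["method"].upper(), "user": a["user"]}
        elif (d := DELIVERY_RE.match(msg)):
            s["deliveries"].append({"qid": d["qid"], "status": d["status"], "detail": d["detail"]})
    return dict(sessions)


def findings(sessions):
    """Security-relevant observations per session, as plain strings."""
    out = []
    for pid, s in sessions.items():
        tls, auth = s["tls"], s["auth"]
        if tls and any(mark in tls["cipher"] for mark in WEAK_CIPHER_MARKERS):
            out.append(f"{s['prog']}[{pid}]: weak cipher {tls['cipher']} with {tls['peer']}")
        if s["prog"] == "smtp" and tls and not s["verified"]:
            out.append(f"{s['prog']}[{pid}]: TLS to {tls['peer']} without certificate verification")
        if auth and auth["method"] in PLAINTEXT_MECHS and not tls:
            out.append(f"{s['prog']}[{pid}]: {auth['method']} credentials for {auth['user']} sent without TLS")
        for d in s["deliveries"]:
            if d["status"] != "sent":
                out.append(f"{s['prog']}[{pid}]: {d['qid']} {d['status']}: {d['detail'][:70]}")
    return out


if __name__ == "__main__":
    for f in findings(parse_sessions(SAMPLE_LOG)):
        print(f)
```

On the posted lines this reports the RC4-MD5 and 3DES ciphers and the 553 bounce for 41CC2CD57D; note that the outbound session 28038 shows a verified TLS connection but no sasl_method, which matches the server's "no valid cert for gatewaying" refusal rather than an authentication failure.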




More information about the Postfixbuch-users mailing list