SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Fabian Schirmer
mail at f4bs.eu
Fri Mar 3 01:08:24 CET 2017
Hello Frank,
I'll assume we are talking here about the MXs that are (also?) responsible
for your sender domain.
Well, for my personal taste, mx1 offers a bit too few ciphers. Especially
when it comes to TLS on port 25, you (unfortunately) very quickly run the
risk that the other side won't play along.
SCAN RESULTS FOR MX1.W3MAN.COM:25
----------------------------------------------------------------
* TLSV1_2 Cipher Suites:
Preferred:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
Accepted:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
* TLSV1 Cipher Suites:
Preferred:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
Accepted:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
* TLSV1_1 Cipher Suites:
Preferred:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
Accepted:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
and mx2, on the other hand, a few too many (anon?? wtf!?):
SCAN RESULTS FOR MX2.W3MAN.COM:25
---------------------------------------------------
* TLSV1 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_AES_256_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits 250 2.0.0 Ok
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_SEED_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_AES_128_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_SEED_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_SEED_CBC_SHA - 128 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_RC4_128_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_RC4_128_MD5 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_RC4_128_SHA - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_RC4_128_MD5 - 128 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits 250 2.0.0 Ok
* TLSV1_1 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_AES_256_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits 250 2.0.0 Ok
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_SEED_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_AES_128_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_SEED_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_SEED_CBC_SHA - 128 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_RC4_128_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_RC4_128_MD5 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_RC4_128_SHA - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_RC4_128_MD5 - 128 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits 250 2.0.0 Ok
* TLSV1_2 Cipher Suites:
Preferred:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
Accepted:
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-1024 bits 256 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-1024 bits 256 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_256_GCM_SHA384 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_ECDH_anon_WITH_AES_256_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_256_CBC_SHA256 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits 250 2.0.0 Ok
TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits 250 2.0.0 Ok
TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits 250 2.0.0 Ok
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_SEED_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits 128 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_AES_128_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_128_GCM_SHA256 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_128_CBC_SHA256 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_SEED_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_SEED_CBC_SHA - 128 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_RC4_128_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_RC4_128_MD5 DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_RC4_128_SHA - 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_RC4_128_MD5 - 128 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits 250 2.0.0 Ok
TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA ECDH-256 bits ANONYMOUS 250 2.0.0 Ok
TLS_DH_anon_WITH_3DES_EDE_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits 250 2.0.0 Ok
You should bear in mind that it is a bad idea to neglect the backup MX when
it comes to configuration, because then the best concept as a whole is
useless, or in vain.
Best also check whether your DH param file
"${config_directory}/dh4096.pem" is OK (present and readable by Postfix),
because the DHE ciphers are missing. Unless that is intentional.
I have the following in tls_exclude_ciphers:
= aNULL, eNULL, 3DES, RC4, kRSA, kSRP, kPSK
I am of the opinion that the resulting ciphers are a good compromise
between (still relatively) high security and yet a little legacy support.
However, one must keep in mind that the general view on SSL support and
mail transit is that it is better to offer old, insecure ciphers than to
run the risk that the sending system then falls back to plaintext and thus
"bypasses" the TLS that was actually wanted. (Funnily and ironically
enough, this is seen completely differently when it comes to HTTPS, where
everything preferably had to be tomorrow's latest shit yesterday.)
Everyone has to weigh up for themselves what is best there.
Regards, Fabian
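As an added example (not from Fabian's post, Postfix or sslyze), the following Python checker reads sslyze-style result lines like the scan output quoted above and reports which accepted suites the tls_exclude_ciphers list from the post (aNULL, eNULL, 3DES, RC4, kRSA, kSRP, kPSK) would drop, and additionally flags the 1024-bit DH groups mx2 negotiates; the mapping from OpenSSL keywords to suite-name patterns is my own approximation.

```python
import re
from typing import Callable, Dict, List

# Maps the OpenSSL keywords in the post's tls_exclude_ciphers line to
# IANA suite-name patterns. This mapping is my own approximation for the
# suite families seen in the scan output above, not Postfix/OpenSSL code.
EXCLUDE_RULES: Dict[str, Callable[[str], bool]] = {
    "aNULL": lambda s: "_anon_" in s,                  # no server authentication
    "eNULL": lambda s: "_WITH_NULL_" in s,             # no encryption at all
    "3DES":  lambda s: "_3DES_" in s,                  # 112-bit block cipher
    "RC4":   lambda s: "_RC4_" in s,                   # broken stream cipher
    "kRSA":  lambda s: s.startswith("TLS_RSA_WITH_"),  # static RSA kx, no PFS
    "kSRP":  lambda s: s.startswith("TLS_SRP_"),
    "kPSK":  lambda s: s.startswith("TLS_PSK_"),
}
MIN_DH_BITS = 2048  # extra check: the DH-1024 groups mx2 negotiates are weak

# One result line: suite, key exchange ("-" for static RSA), cipher strength.
LINE_RE = re.compile(
    r"^\s*(?P<suite>TLS_\w+)\s+(?P<kx>-|(?:EC)?DH-(?P<kxbits>\d+) bits)\s+"
    r"(?P<strength>\d+ bits|ANONYMOUS)"
)

def audit_scan(scan_text: str) -> Dict[str, List[str]]:
    """Return {suite: [reasons]} for every accepted suite that should go."""
    findings: Dict[str, List[str]] = {}
    for line in scan_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, separators, "Preferred:"/"Accepted:" labels
        suite = m.group("suite")
        reasons = [kw for kw, hit in EXCLUDE_RULES.items() if hit(suite)]
        kx = m.group("kx")
        if kx.startswith("DH-") and int(m.group("kxbits")) < MIN_DH_BITS:
            reasons.append(f"weak DH group ({kx})")
        if reasons:
            findings[suite] = reasons
    return findings

# Constructed sample: six lines copied from the scan output quoted above.
SAMPLE_SCAN = """\
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits 250 2.0.0 Ok
TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits 250 2.0.0 Ok
TLS_DH_anon_WITH_AES_256_CBC_SHA DH-1024 bits ANONYMOUS 250 2.0.0 Ok
TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits 250 2.0.0 Ok
TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits 250 2.0.0 Ok
TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits 250 2.0.0 Ok
"""

if __name__ == "__main__":
    for suite, why in audit_scan(SAMPLE_SCAN).items():
        print(f"{suite}: {', '.join(why)}")
```

Suites that survive the audit are exactly the ECDHE/DHE AEAD and CBC suites with a 2048-bit or larger DH group; feeding it the full mx2 output shows why the post calls that list "a few too many".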