Slow sending, where does SSL3 come from?

Stefan G. Weichinger lists at xunil.at
Tue Apr 5 10:43:55 CEST 2022


My postfix/dovecot setup has actually been running quite robustly for years.

I also haven't dealt with it very actively any more, because it simply seemed to work quite well.

Recently I have been observing delays when sending mail and now have to get back into it a bit more closely.

-

I send from Thunderbird 91.7.0 on Fedora 35, via STARTTLS, on port 587.

And lately it always takes some time until the mail finally goes out.


Such a process looks roughly like this:

  journalctl --since 10:00 -u postfix | grep 38541
Apr 05 10:33:03 oc.oops.co.at postfix/submission/smtpd[38541]: 
initializing the server-side TLS engine
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: connect 
from localhost[127.0.0.1]
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: setting 
up TLS connection from localhost[127.0.0.1]
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
localhost[127.0.0.1]: TLS cipher list 
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:before SSL initialization
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:before SSL initialization
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL3 
alert write:fatal:protocol version
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:error in error
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept error from localhost[127.0.0.1]: -1
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: warning: 
TLS library problem: error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported 
protocol:ssl/statem/statem_srvr.c:1685:
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: lost 
connection after STARTTLS from localhost[127.0.0.1]
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: connect 
from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: setting 
up TLS connection from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: 
unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLS cipher list 
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:before SSL initialization
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:before SSL initialization
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: 
unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: Decrypting session ticket, 
key expiration: 1649146784
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:SSLv3/TLS read client hello
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:SSLv3/TLS write server hello
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:SSLv3/TLS write change cipher spec
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:TLSv1.3 write encrypted extensions
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:SSLv3/TLS write finished
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:TLSv1.3 early data
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:TLSv1.3 early data
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:SSLv3/TLS read finished
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: 
unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: Reusing old session (RFC 
5077 session ticket)
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: Anonymous 
TLS connection established from 
unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 
server-signature RSA-PSS (2048 bits)
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: 
2F88988924: client=unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b], 
sasl_method=PLAIN, sasl_username=oc at oc.oops.co.at
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: 
disconnect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b] ehlo=2 
starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: connect 
from localhost[127.0.0.1]
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: setting 
up TLS connection from localhost[127.0.0.1]
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
localhost[127.0.0.1]: TLS cipher list 
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:before SSL initialization
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:before SSL initialization
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL3 
alert write:fatal:protocol version
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept:error in error
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
SSL_accept error from localhost[127.0.0.1]: -1
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: warning: 
TLS library problem: error:14209102:SSL 
routines:tls_early_post_process_client_hello:unsupported 
protocol:ssl/statem/statem_srvr.c:1685:
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: lost 
connection after STARTTLS from localhost[127.0.0.1]
Apr 05 10:37:04 oc.oops.co.at postfix/submission/smtpd[38541]: 
disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2

-

# postconf -n

address_verify_map = btree:/var/lib/postfix/verify_cache
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 3.6
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd 
$daemon_directory/$process_name $process_id & sleep 5
home_mailbox = .maildir/
html_directory = no
inet_protocols = all
local_recipient_maps = $virtual_mailbox_maps
local_transport = virtual
mail_owner = postfix
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20480000
meta_directory = /etc/postfix
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
mydestination = localhost.$mydomain, localhost
myhostname = oc.oops.co.at
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:11332
postscreen_access_list = permit_mynetworks, 
cidr:/etc/postfix/postscreen_spf_whitelist.cidr, 
cidr:/etc/postfix/postscreen_access.cidr
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[4..7]*6 
zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 
bl.spameatingmonkey.net bl.spamcop.net spamtrap.trblspam.com 
b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7 
bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4 
dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 
dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 
dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2 
zen.spamhaus.org*2 zen.spamhaus.org=127.0.0.[10;11]*8 
zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 
zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3 
hostkarma.junkemailfilter.com=127.0.0.4*1 
hostkarma.junkemailfilter.com=127.0.1.2*1 
wl.mailspike.net=127.0.0.[18;19;20]*-2 
hostkarma.junkemailfilter.com=127.0.0.1*-2 ix.dnsbl.manitu.net 
mail.bl.blocklist.de iadb.isipp.com=127.0.[0..255].[0..255]*-2 
iadb.isipp.com=127.3.100.[6..200]*-2
postscreen_dnsbl_threshold = 3
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 30d
postscreen_non_smtp_command_action = drop
postscreen_non_smtp_command_enable = no
postscreen_non_smtp_command_ttl = 30d
postscreen_pipelining_enable = no
postscreen_use_tls = $smtpd_use_tls
queue_directory = /var/spool/postfix
readme_directory = no
relay_domains = hash:/etc/postfix/relay_domains
relocated_maps = hash:/etc/postfix/relocated
sample_directory = /etc/postfix
sendmail_path = /usr/sbin/sendmail
setgid_group = postdrop
shlib_directory = /usr/lib64/postfix/${mail_version}
smtp_bind_address6 = 2a01:7e01:e001:29e::4711
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = permit_mynetworks, 
permit_sasl_authenticated, reject_unauth_destination, 
reject_unknown_recipient_domain, reject_unverified_recipient, 
check_recipient_access hash:/etc/postfix/verify_domains, 
check_recipient_access hash:/etc/postfix/roleaccount_exceptions, 
check_client_access cidr:/etc/postfix/client_checks, 
check_policy_service inet:127.0.0.1:12340, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, 
reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = /var/run/dovecot/auth-client
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_sasl_type = dovecot
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/oc.oops.co.at/fullchain.pem
smtpd_tls_dh1024_param_file = /etc/ssl/dhparams.pem
smtpd_tls_key_file = /etc/letsencrypt/live/oc.oops.co.at/privkey.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/virtual_alias_maps.cf, 
hash:/etc/postfix/virtual_alias_maps
virtual_gid_maps = static:5000
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/virtual_mailbox_domains.cf
virtual_mailbox_limit = 512000000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/virtual_mailbox_maps.cf
virtual_minimum_uid = 5000
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000

# master.cf

submission inet n       -       n       -       -       smtpd
         -o syslog_name=postfix/submission
         -o smtpd_tls_security_level=encrypt
         -o smtpd_sasl_auth_enable=yes
         -o smtpd_sasl_security_options=noanonymous
         -o smtpd_sasl_local_domain=$myhostname
         -o smtpd_client_restrictions=permit_sasl_authenticated,reject
         #-o smtpd_sender_login_maps=hash:/etc/postfix/virtual
         -o smtpd_sasl_security_options=noanonymous
         -o smtpd_sasl_tls_security_options=noanonymous
         #-o smtpd_sender_restrictions=reject_sender_login_mismatch
         -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject


amavisfeed unix  -       -       n       -       2       lmtp
         -o lmtp_data_done_timeout=1200
         -o lmtp_send_xforward_command=yes
         -o disable_dns_lookups=yes

127.0.0.1:10025 inet n  -       n       -       -       smtpd
         -o content_filter=
         -o local_recipient_maps=
         -o relay_recipient_maps=
         -o smtpd_tls_security_level=none
         -o smtpd_delay_reject=no
         -o smtpd_restriction_classes=
         -o smtpd_client_restrictions=
         -o smtpd_helo_restrictions=
         -o smtpd_sender_restrictions=
         -o smtpd_recipient_restrictions=permit_mynetworks,reject
         -o smtpd_data_restrictions=reject_unauth_pipelining
         -o smtpd_end_of_data_restrictions=
         -o mynetworks=127.0.0.0/8
         -o smtpd_error_sleep_time=0
         -o smtpd_soft_error_limit=1001
         -o smtpd_hard_error_limit=1000
         -o smtpd_client_connection_count_limit=0
         -o smtpd_client_connection_rate_limit=0
         -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters

smtp-ipv4-only unix  -       -       n        -       -       smtp
         -o inet_protocols=ipv4
smtp-ipv6-only unix  -       -       n        -       -       smtp
         -o inet_protocols=ipv6
     -o smtp_bind_address6=2a01:7e01:e001:29e::4711

#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache



---


I thought I had disabled SSLv3 long ago, but somewhere it still seems to be used, or rather an attempt is made to use it?

Postfix is version 3.6.5-r2 on Gentoo.

I would be very grateful for any helpful hints ;-)
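Added here as a worked example, not part of the original post: a small Python script that groups the smtpd log lines above by connection and reports, per client address, whether each STARTTLS attempt died with the protocol-version alert or completed, and with which TLS version. The sample lines are taken from the journal excerpt above (re-joined where the mail wrapped them); the regular expressions and function names are assumptions of this example, not anything Postfix ships.

```python
import re

# Constructed sample: the journal excerpt above, condensed to the lines the parser uses.
SAMPLE_LOG = """\
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: connect from localhost[127.0.0.1]
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: SSL3 alert write:fatal:protocol version
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1685:
Apr 05 10:33:04 oc.oops.co.at postfix/submission/smtpd[38541]: disconnect from localhost[127.0.0.1] ehlo=1 starttls=0/1 commands=1/2
Apr 05 10:36:41 oc.oops.co.at postfix/submission/smtpd[38541]: connect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: Anonymous TLS connection established from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)
Apr 05 10:36:42 oc.oops.co.at postfix/submission/smtpd[38541]: disconnect from unknown[2001:470:51e4:0:c577:c9ad:a9e5:216b] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
"""

LINE = re.compile(r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ \S+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from (?P<client>\S+)$")
ESTABLISHED = re.compile(r"TLS connection established from \S+: (?P<proto>\S+) with cipher (?P<cipher>\S+)")
DISCONNECT = re.compile(r"^disconnect from \S+ (?P<counters>.*)$")
# What OpenSSL logs when the ClientHello offers only protocol versions the server has disabled.
PROTO_ALERT = re.compile(r"alert write:fatal:protocol version|:unsupported protocol:")

def parse_sessions(log_text):
    """Group smtpd lines into per-connection records, keyed by smtpd PID while the connection is open."""
    open_sessions, done = {}, []
    for line in log_text.splitlines():
        if not (m := LINE.match(line)):
            continue
        pid, msg = m["pid"], m["msg"]
        if c := CONNECT.match(msg):
            open_sessions[pid] = {"client": c["client"], "protocol": None, "cipher": None,
                                  "protocol_version_failure": False, "counters": {}}
        elif (s := open_sessions.get(pid)) is None:
            continue
        elif PROTO_ALERT.search(msg):
            s["protocol_version_failure"] = True
        elif e := ESTABLISHED.search(msg):
            s["protocol"], s["cipher"] = e["proto"], e["cipher"]
        elif d := DISCONNECT.match(msg):
            # counters read "ehlo=1 starttls=0/1 commands=1/2": successful/attempted per SMTP command
            s["counters"] = dict(kv.split("=", 1) for kv in d["counters"].split())
            done.append(open_sessions.pop(pid))
    return done

def summarise(sessions):
    """Per client address: outcome of each STARTTLS attempt (TLS version, or why it failed)."""
    report = {}
    for s in sessions:
        outcome = "protocol-version failure" if s["protocol_version_failure"] else (s["protocol"] or "no TLS")
        report.setdefault(s["client"], []).append(outcome)
    return report
```

Running `summarise(parse_sessions(SAMPLE_LOG))` separates the localhost client that never gets past the ClientHello from the IPv6 client that completes a TLSv1.3 session; pointed at a full `journalctl -u postfix` dump it shows which client addresses to look at.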


More information about the Postfixbuch-users mailing list