LinuxQuestions.org
Old 08-17-2010, 04:32 PM   #1
lxvor
postfix server configured for TLS not accepting connections


Hi,

I have configured my postfix server to use TLS (STARTTLS) but with no certificates either on server or client. Here are the TLS parameters in main.cf.
=========
smtpd_tls_security_level = may
# Obsolete, but still supported
#smtpd_use_tls = yes
#smtp_use_tls = yes
# Obsolete, but still supported
#smtpd_enforce_tls = yes
smtpd_tls_cert_file = none
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
=========

So according to the postfix doc this should allow my smtp client (I wrote a simple C++ SSL client) to issue a STARTTLS command and send encrypted emails without using certs. But all I get on the server side is this server log. The error on the server side appears after my client calls SSL_connect(m_ssl):

===============
Aug 17 14:38:12 linux-m9ry postfix/postfix-script[18272]: refreshing the Postfix mail system
Aug 17 14:38:12 linux-m9ry postfix/master[2934]: reload configuration /etc/postfix
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: initializing the server-side TLS engine
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: connect from mycomputer.corp.company.com[441.212.55.56]
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: setting up TLS connection from mycomputer.corp.company.com[441.212.55.56]
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: mycomputer.corp.company.com[441.212.55.56]: TLS cipher list "ALL:+RC4:@STRENGTH"
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: SSL_accept:before/accept initialization
Aug 17 14:38:50 linux-m9ry postfix/smtpd[18280]: read from B7FBA9E0 [B7FC8128] (11 bytes => -1 (0xFFFFFFFF))
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: read from B7FBA9E0 [B7FC8128] (11 bytes => 11 (0xB))
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0000 80 7a 01 03 01 00 51 .z....Q
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0007 - <SPACES/NULLS>
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: read from B7FBA9E0 [B7FC8133] (113 bytes => -1 (0xFFFFFFFF))
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: read from B7FBA9E0 [B7FC8133] (113 bytes => 113 (0x71))
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0000 00 00 39 00 00 38 00 00|35 00 00 16 00 00 13 00 ..9..8.. 5.......
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0010 00 0a 07 00 c0 00 00 33|00 00 32 00 00 2f 00 00 .......3 ..2../..
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0020 07 05 00 80 03 00 80 00|00 05 00 00 04 01 00 80 ........ ........
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0030 00 00 15 00 00 12 00 00|09 06 00 40 00 00 14 00 ........ ...@....
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0040 00 11 00 00 08 00 00 06|04 00 80 00 00 03 02 00 ........ ........
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0050 80 61 d2 f1 28 71 46 54|d9 23 93 b9 2d 6e 8a 32 .a..(qFT .#..-n.2
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0060 68 bb fa a3 e4 28 f1 d2|ca a1 90 11 6d 64 f5 3a h....(.. ....md.:
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0070 - <SPACES/NULLS>
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: write to B7FBA9E0 [B7FD64B0] (7 bytes => 7 (0x7))
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: 0000 15 03 01 00 02 02 28 ......(
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: SSL3 alert write:fatal:handshake failure
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: SSL_accept:error in SSLv3 read client hello B
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: SSL_accept:error in SSLv3 read client hello B
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: SSL_accept error from mycomputer.corp.company.com[441.212.55.56]: -1
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: warning: TLS library problem: 18280:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1006:
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: lost connection after STARTTLS from mycomputer.corp.company.com[441.212.55.56]
Aug 17 14:39:24 linux-m9ry postfix/smtpd[18280]: disconnect from mycomputer.corp.company.com[441.212.55.56]
================================================

I would really appreciate any advice or help with this. I can also provide the C++ client code if that is needed.

Thanks in advance.
 
Old 08-18-2010, 02:31 AM   #2
Berhanie
Quote:
warning: TLS library problem: 18280:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1006
The documentation says:
Quote:
... Postfix supports configurations with no certificates. This entails the use of just the anonymous TLS ciphers, which are not supported by typical SMTP clients...
a certificate-less Postfix SMTP server will be unable to receive email from most TLS enabled clients.
Try to connect using s_client. A successful connection looks like this (postfix is configured with smtpd_tls_cert_file = none):

Code:
# specify anonymous ciphers explicitly 
[berhanie@machine ~]$ openssl s_client -starttls smtp -connect localhost:25 -cipher aNULL
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 634 bytes and written 318 bytes
---
New, TLSv1/SSLv3, Cipher is ADH-CAMELLIA256-SHA
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-CAMELLIA256-SHA
    ...

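The cipher mismatch Berhanie describes can be reproduced without a mail server at all, by running both ends of the TLS handshake in memory. This is an added example (not code from the thread or from Postfix): the server context never loads a certificate, just like `smtpd_tls_cert_file = none`, and so can only offer anonymous (aNULL) suites; a client with OpenSSL's default cipher list fails with NO_SHARED_CIPHER, while a client that opts in to aNULL completes the handshake. It assumes a Python build against OpenSSL 1.1.0 or later, where anonymous suites are blocked above security level 0 and only exist for TLS 1.2 and below; the OP's C++ client would need the equivalent SSL_CTX_set_cipher_list() call.

```python
import ssl

# Server side mirrors a certificate-less Postfix: no load_cert_chain(), anonymous suites only.
# Anonymous suites do not exist in TLS 1.3 and are refused at OpenSSL seclevel >= 1,
# hence the TLS 1.2 cap and "@SECLEVEL=0" (assumption: OpenSSL >= 1.1.0 with aNULL built in).
SERVER_CIPHERS = "aNULL:@SECLEVEL=0"


def _pump(src_out: ssl.MemoryBIO, dst_in: ssl.MemoryBIO) -> None:
    """Move whatever one side wrote into the other side's inbound buffer."""
    data = src_out.read()
    if data:
        dst_in.write(data)


def negotiate(client_ciphers=None):
    """Run a full in-memory handshake. Returns ("ok", cipher_name) or ("error", openssl_reason)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.maximum_version = ssl.TLSVersion.TLSv1_2
    srv.set_ciphers(SERVER_CIPHERS)

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False      # no certificate will ever be presented
    cli.verify_mode = ssl.CERT_NONE
    cli.maximum_version = ssl.TLSVersion.TLSv1_2
    if client_ciphers:              # None keeps OpenSSL's default list, which excludes aNULL
        cli.set_ciphers(client_ciphers)

    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli.wrap_bio(c_in, c_out, server_side=False)
    server = srv.wrap_bio(s_in, s_out, server_side=True)
    c_done = s_done = False
    try:
        for _ in range(20):         # a handshake needs only a few round trips
            if not c_done:
                try:
                    client.do_handshake()
                    c_done = True
                except ssl.SSLWantReadError:
                    pass
            _pump(c_out, s_in)
            if not s_done:
                try:
                    server.do_handshake()   # this is where "no shared cipher" is raised
                    s_done = True
                except ssl.SSLWantReadError:
                    pass
            _pump(s_out, c_in)
            if c_done and s_done:
                return ("ok", client.cipher()[0])
    except ssl.SSLError as exc:
        return ("error", exc.reason)
    return ("error", "handshake did not complete")
```

`negotiate()` with default ciphers reproduces the server-side error from the original log, and `negotiate("aNULL:@SECLEVEL=0")` yields an ADH/AECDH suite, which is the same condition `openssl s_client ... -cipher aNULL` satisfies.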
Old 08-19-2010, 10:28 AM   #3
lxvor
Original Poster
Hi,

Thanks for that explanation. That is very useful.

I did get the TLS communication working with a server certificate.

Now I will try without certs.