postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: Upgrade from 2.4.5 to 2.7.1 and MS Outlook cl

Re: Upgrade from 2.4.5 to 2.7.1 and MS Outlook clients

From: Victor Duchovni <Victor.Duchovni_at_nospam>
Date: Tue Oct 26 2010 - 19:48:57 GMT
To: postfix-users@postfix.org

On Tue, Oct 26, 2010 at 11:40:49AM +0200, Laurent CARON wrote:

> Oct 26 11:34:06 sargon postfix/smtpd[23238]: SSL_accept:SSLv3 write certificate request B
> Oct 26 11:34:06 sargon postfix/smtpd[23238]: SSL_accept:SSLv3 flush data
> Oct 26 11:34:06 sargon postfix/smtpd[23238]: SSL_accept error from unknown[192.168.14.249]: -1
> Oct 26 11:34:06 sargon postfix/smtpd[23238]: lost connection after STARTTLS from unknown[192.168.14.249]

The client disconnected. To find out why, check for A/V software on the
client or firewalls, etc, that may interfere with the SSL sesssion. Also,
see whether the client supports STARTTLS on 587, rather than the obsolete
SMTP inside SSL on 465. Perhaps, less likely, the client did not like
the server certificate.

> smtpd_banner = $myhostname SMTP
> smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtpd_tls_CApath = /etc/ssl/certs
> smtpd_tls_ask_ccert = yes

Consider turning this off, unless you really make use of client certs,
the client may not have a cert, and may give up for that reason.

> smtpd_tls_cert_file = /etc/postfix/certs/mail_lncsa_com.crt
> smtpd_tls_key_file = /etc/postfix/certs/mail_lncsa_com.key
> smtpd_tls_loglevel = 2
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/var/run/smtpd_tls_cache

Looks good. Works on port 587:

smtp-finger: initializing the client-side TLS engine
smtp-finger: Connected to mail.lncsa.com[213.215.28.11]:587
smtp-finger: < 220 sargon.lncsa.com SMTP
smtp-finger: > EHLO hqmtaint01.ms.com
smtp-finger: < 250-sargon.lncsa.com
smtp-finger: < 250-PIPELINING
smtp-finger: < 250-SIZE 10240000
smtp-finger: < 250-ETRN
smtp-finger: < 250-STARTTLS
smtp-finger: < 250-ENHANCEDSTATUSCODES
smtp-finger: < 250 8BITMIME
smtp-finger: > STARTTLS
smtp-finger: < 220 2.0.0 Ready to start TLS
smtp-finger: setting up TLS connection to mail.lncsa.com[213.215.28.11]:587
smtp-finger: mail.lncsa.com[213.215.28.11]:587: TLS cipher list "aNULL:ALL:+RC4:@STRENGTH:!eNULL"
smtp-finger: looking for session sargon.lncsa.com&p=1&c=aNULL:ALL:+RC4:@STRENGTH:!eNULL in local cache
smtp-finger: SSL_connect:before/connect initialization
smtp-finger: SSL_connect:SSLv2/v3 write client hello A
smtp-finger: SSL_connect:SSLv3 read server hello A
smtp-finger: mail.lncsa.com[213.215.28.11]:587: certificate verification depth=1 verify=1 subject=/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1
smtp-finger: mail.lncsa.com[213.215.28.11]:587: certificate verification depth=0 verify=1 subject=/C=FR/O=mail.lncsa.com/OU=GT77022724/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.lncsa.com
smtp-finger: SSL_connect:SSLv3 read server certificate A
smtp-finger: SSL_connect:SSLv3 read server key exchange A
smtp-finger: SSL_connect:SSLv3 read server certificate request B
smtp-finger: SSL_connect:SSLv3 read server done A
smtp-finger: SSL_connect:SSLv3 write client certificate A
smtp-finger: SSL_connect:SSLv3 write client key exchange A
smtp-finger: SSL_connect:SSLv3 write change cipher spec A
smtp-finger: SSL_connect:SSLv3 write finished A
smtp-finger: SSL_connect:SSLv3 flush data
smtp-finger: SSL_connect:SSLv3 read server session ticket A
smtp-finger: SSL_connect:SSLv3 read finished A
smtp-finger: save session sargon.lncsa.com&p=1&c=aNULL:ALL:+RC4:@STRENGTH:!eNULL to local cache
smtp-finger: mail.lncsa.com[213.215.28.11]:587 CommonName mail.lncsa.com
smtp-finger: mail.lncsa.com[213.215.28.11]:587: Trusted subject_CN=mail.lncsa.com, issuer_CN=Equifax Secure Global eBusiness CA-1
smtp-finger: mail.lncsa.com[213.215.28.11]:587 sha1 fingerprint FA:5C:CD:6F:BB:23:ED:5D:82:D7:8F:E9:83:6A:EA:3D:DC:16:DB:DA
smtp-finger: Trusted TLS connection established to mail.lncsa.com[213.215.28.11]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
--- Certificate chain 0 s:/C=FR/O=mail.lncsa.com/OU=GT77022724/OU=See www.rapidssl.com/resources/cps (c)09/OU=Domain Control Validated - RapidSSL(R)/CN=mail.lncsa.com i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1 -----BEGIN CERTIFICATE----- MIIDzTCCAzagAwIBAgIDCrGoMA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNVBAYTAlVT MRwwGgYDVQQKExNFcXVpZmF4IFNlY3VyZSBJbmMuMS0wKwYDVQQDEyRFcXVpZmF4 IFNlY3VyZSBHbG9iYWwgZUJ1c2luZXNzIENBLTEwHhcNMDkwMjExMDkzODAxWhcN MTIwNDEyMDgzODAxWjCBuDELMAkGA1UEBhMCRlIxFzAVBgNVBAoTDm1haWwubG5j c2EuY29tMRMwEQYDVQQLEwpHVDc3MDIyNzI0MTEwLwYDVQQLEyhTZWUgd3d3LnJh cGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA5MS8wLQYDVQQLEyZEb21haW4g Q29udHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKTEXMBUGA1UEAxMObWFpbC5s bmNzYS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDF1Y+Xlk4R aH9pcOqj54llBOmW97SUHwq5JLBGlb50TdUgupDTtYmh6GEEBJTyPI4YFI3NqdOz QCwtOEkvspIr+LA2acgoRX2fs5uERhzSgTMEVspxMRkhuBN5xH9D/2sm+MyR0ffv 0Wbky6wQRsjgsn/Wu2ALr6Ix03xcZMj6UWcdaFNyfi9TSXc4MY7x6V0hLWYGAXzx /OcvWM5q022uuxaboyJaBvr98L9QYEuLSsLgZlT0A1WPG/Rg58HoEkLdc+jBj8Dv cpyZwg01wF1sY90sfvc5/F/hG/4YLzW8AumYjUBJjZV3imJTCP0efOpYS1f8F1DC FlDxvhcjAE8PAgMBAAGjgb0wgbowDgYDVR0PAQH/BAQDAgTwMB0GA1UdDgQWBBSk S1xisuqoSPpFyMELw7tcp5aiiTA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3Js Lmdlb3RydXN0LmNvbS9jcmxzL2dsb2JhbGNhMS5jcmwwHwYDVR0jBBgwFoAUvqig dHJQa0S3ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMC MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAKezlAZFK+HwwFa1XmuJ4 ac1onbRxoJvooGzwU/oryRU6yj0yk7FW03CF4ib9f6I9uHOOYMzPJsBv6ZeS4SBD pcNykmsinCP7WnlGVPBHXUNU+FIwOfBwJ0SraAGswjwmy4GA6WRsulu/RhmQZyqM +3ynaf9gqn8oRCd/I4FJ+GM= -----END CERTIFICATE----- 1 s:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1 i:/C=US/O=Equifax Secure Inc./CN=Equifax Secure Global eBusiness CA-1 -----BEGIN CERTIFICATE----- MIICkDCCAfmgAwIBAgIBATANBgkqhkiG9w0BAQQFADBaMQswCQYDVQQGEwJVUzEc MBoGA1UEChMTRXF1aWZheCBTZWN1cmUgSW5jLjEtMCsGA1UEAxMkRXF1aWZheCBT ZWN1cmUgR2xvYmFsIGVCdXNpbmVzcyBDQS0xMB4XDTk5MDYyMTA0MDAwMFoXDTIw MDYyMTA0MDAwMFowWjELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0VxdWlmYXggU2Vj dXJlIEluYy4xLTArBgNVBAMTJEVxdWlmYXggU2VjdXJlIEdsb2JhbCBlQnVzaW5l c3MgQ0EtMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAuucXkAJlsTRVPEnC UdXfp9E3j9HngXNBUmCbnaEXJnitx7HoJpQytd4zjTov2/KaelpzmKNc6fuKcxtc 58O/gGzNqfTWK8D3+ZmqY6KxRwIP1ORROhI8bIpaVIRw28HFkM9yRcuoWcDNM50/ o5brhTMhHD4ePmBudpxnhcXIw2ECAwEAAaNmMGQwEQYJYIZIAYb4QgEBBAQDAgAH MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAUvqigdHJQa0S3ySPY+6j/s1dr aGwwHQYDVR0OBBYEFL6ooHRyUGtEt8kj2Puo/7NXa2hsMA0GCSqGSIb3DQEBBAUA A4GBADDiAVGqx+pf2rnQZQ8w1j7aDRRJbpGTJxQx78T3LUX47Me/okENI7SS+RkA Z70Br83gcfxaz2TE4JaY0KNA4gGK7ycH8WUBikQtBmV1UsCGECAhX2xrD2yuCRyv 8qIYNMR1pHMc8Y3c7635s3a0kr/clRAevsvIO1qEYBlWlKlV -----END CERTIFICATE----- > smtpd_use_tls = yes The non-deprecated syntax is: smtpd_tls_security_level = may -- Viktor.