[Résolu] Postfix error SSL handshake failure

[kalistyan]

J'ai mi en place un petit vps pour relayer certains domaines.
Tout fonctionne bien sur le port 25, mais cela coince sur le port 465.

main.cf

Code : Tout sélectionner

alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
inet_interfaces = all
myhostname = srv-relay.unnati.fr
readme_directory = no
relay_domains = $mydestination unnati.fr
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/ssl/root_bundle.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/smtp.pem
smtpd_tls_key_file = /etc/ssl/private/smtp.key
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_tls_session_cache_timeout = 30s
smtpd_use_tls = yes
tls_random_source = dev:/dev/urandom
root@srv-relay:/#

master.cf

Code : Tout sélectionner

#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy
#submission inet n       -       -       -       -       smtpd
#  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
#   -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#   -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
   -o syslog_name=postfix/smtps
   -o smtpd_tls_wrappermode=yes
   -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING

openssl s_client -starttls smtp -connect srv-relay.unnati.fr:25

Voici ce que me retourne une connexion client sur le port 25

Code : Tout sélectionner

CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=srv-relay.unnati.fr
   i:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF6jCCBNKgAwIBAgIQJjpjR3g/1nP9BeT3cO4w+jANBgkqhkiG9w0BAQsFADB4
MQswCQYDVQQGEwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjEpMCcGA1UECxMg
U3RhcnRDb20gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxJjAkBgNVBAMTHVN0YXJ0
Q29tIENsYXNzIDEgRFYgU2VydmVyIENBMB4XDTE2MDQwMTEyNTYwN1oXDTE3MDQw
MTEyNTYwN1owHjEcMBoGA1UEAwwTc3J2LXJlbGF5LnVubmF0aS5mcjCCASIwDQYJ
KoZIhvcNAQEBBQ..............AQoCggK+C7e9T4B3rnsFEezwENl+uGMlOsLw
Nj1ssHB3Sm07mg6Jgwz7ajGkLq3W6SgBaqt8rVqaIgBpiTO1xyQK1JF7+xhztMoo
HZq5yXdRTuHYx+0i3m88v83Qd2YE9xh95v3y+JFgqLDME7PAvuMlniwe0YDgChoQ
V9U89Q8giJBpisk/Hp4LLFxOBaSXVsfzfzog1w7pxB8e8QaPoGV1E1FsHWKyP5AU
fNxXhVkak7s+oT................gIfP2JfV1QXVr23b9O/qcZhSeP8kV24Oe
bUg6XBzUyx2FC0+wEQDNKvPeRCIQJsGTI7u0lSA4kGgDF3BlqVwZmj8CAwEAAaOC
AsgwggLEMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB
BQUHAwEwCQYDVR0TBAIwADAdBgNVHQ4EFgQUitHsc2JyK0k0nIqb46ZtVeiX4kYw
HwYDVR0jBBgwFoAU15FOAcSwv/jIZ5NEnOcz+q2T
-----END CERTIFICATE-----
subject=/CN=srv-relay.unnati.fr
issuer=/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
---
No client certificate CA names sent
---
SSL handshake has read 3798 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CF167AA861F57C5FDE385AA7FA5C33EF082E0F57AB9A01B50E27083DD8A37424
    Session-ID-ctx: 
    Master-Key: 017C75728AAA582D2ACD55C373F7606AC19D59631A5A759EC0CFE67FABC12971EA797FA3F2422190F263B273085AEBD9
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1459949999
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)

Le fichier de log :

Code : Tout sélectionner

Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: initializing the server-side TLS engine
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: connect from srv-relay.unnati.fr[163.172.137.218]
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: setting up TLS connection from srv-relay.unnati.fr[163.172.137.218]
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: srv-relay.unnati.fr[163.172.137.218]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:before/accept initialization
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 read client hello A
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 write server hello A
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 write certificate A
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 write key exchange A
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 write server done A
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 flush data
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 read client key exchange A
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 read finished A
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 write change cipher spec A
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 write finished A
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: SSL_accept:SSLv3 flush data
Apr  6 15:46:44 srv-relay postfix/smtpd[24602]: Anonymous TLS connection established from srv-relay.unnati.fr[163.172.137.218]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Même commande sur le port 465

Code : Tout sélectionner

CONNECTED(00000003)
didn't found starttls in server response, try anyway...
139893045806752:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 330 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
root@srv-relay:/#

Le fichier de log

Code : Tout sélectionner

Apr  6 15:57:17 srv-relay postfix/smtps/smtpd[24709]: connect from srv-relay.unnati.fr[163.172.137.218]
Apr  6 15:57:17 srv-relay postfix/smtps/smtpd[24709]: setting up TLS connection from srv-relay.unnati.fr[163.172.137.218]
Apr  6 15:57:17 srv-relay postfix/smtps/smtpd[24709]: srv-relay.unnati.fr[163.172.137.218]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Apr  6 15:57:17 srv-relay postfix/smtps/smtpd[24709]: SSL_accept:before/accept initialization
Apr  6 16:02:17 srv-relay postfix/smtps/smtpd[24709]: SSL_accept error from srv-relay.unnati.fr[163.172.137.218]: Connection timed out
Apr  6 16:02:17 srv-relay postfix/smtps/smtpd[24709]: apt-get lost connection after CONNECT from srv-relay.unnati.fr[163.172.137.218]
Apr  6 16:02:17 srv-relay postfix/smtps/smtpd[24709]: disconnect from srv-relay.unnati.fr[163.172.137.218]

Une suggestion ?

Merci

[gizmo78]

il la sort d'où la liste de cipher oO

t'as essayé:
telnet localhost 465
ehlo unnati.fr
starttls

?

mais le port 465 est deprecated, c'est submission et pas smtps maintenant et donc le port 587
le port 465 est gardé pour les vieux systèmes de ce que j'ai lu.

[kalistyan]

La liste cipher, aucune idée :d

Ton test donne ceci :

Code : Tout sélectionner

Apr  6 18:17:17 srv-relay postfix/smtps/smtpd[27098]: connect from localhost[::1]
Apr  6 18:17:17 srv-relay postfix/smtps/smtpd[27098]: setting up TLS connection from localhost[::1]
Apr  6 18:17:17 srv-relay postfix/smtps/smtpd[27098]: localhost[::1]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!aNULL"
Apr  6 18:17:17 srv-relay postfix/smtps/smtpd[27098]: SSL_accept:before/accept initialization
Apr  6 18:17:17 srv-relay postfix/smtps/smtpd[27098]: read from 55CF94339900 [55CF94341860] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Apr  6 18:17:26 srv-relay postfix/smtps/smtpd[27098]: read from 55CF94339900 [55CF94341860] (11 bytes => 11 (0xB))
Apr  6 18:17:26 srv-relay postfix/smtps/smtpd[27098]: 0000 65 68 6c 6f 20 75 6e 6e|61 74 69                 ehlo unn ati
Apr  6 18:17:26 srv-relay postfix/smtps/smtpd[27098]: SSL_accept:error in unknown state
Apr  6 18:17:26 srv-relay postfix/smtps/smtpd[27098]: SSL_accept error from localhost[::1]: -1
Apr  6 18:17:26 srv-relay postfix/smtps/smtpd[27098]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:
Apr  6 18:17:26 srv-relay postfix/smtps/smtpd[27098]: lost connection after CONNECT from localhost[::1]
Apr  6 18:17:26 srv-relay postfix/smtps/smtpd[27098]: disconnect from localhost[::1]

[gizmo78]

Tiens rajoute ca:

disable_vrfy_command = yes
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3, TLSv1, TLSv1.1, TLSv1.2
smtp_tls_protocols=!SSLv2,!SSLv3, TLSv1, TLSv1.1, TLSv1.2
smtpd_tls_loglevel            = 1
smtpd_tls_auth_only           = yes
smtpd_tls_security_level      = may
smtpd_tls_received_header     = yes
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, TLSv1, TLSv1.1, TLSv1.2
smtpd_tls_mandatory_ciphers   = high
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

smtpd_tls_exclude_ciphers     = aNULL, DES, 3DES, MD5, DES+MD5, RC4, PSK

ca aidera la sécurité
et le disable_vrfy_command ca empêche de vérifier qu'une adresse existe bien pour la spammer après

edit: test ca: openssl s_client -debug -starttls smtp -connect localhost:465

t'aurais peut être un retour plus parlant avec le debug

edit 2: la liste de cipher y a surement moyen de la faire plus sécu et optimisé

[kalistyan]

Cela fonctionne!

Pour smtps, j'ai dû commenter la ligne suivante :

Code : Tout sélectionner

-o smtpd_tls_wrappermode=yes

J'ai aussi activé submission et cela fonctionne.

Par conséquent, les ports, 25, 465 & 587 fonctionne.

J'ai bien entendu rajouté ta configuration, merci.

Lors d'un envoi sur le port 587 cela donne :

Code : Tout sélectionner

7/04/2016 10:00:28 Resolving hostname srv-relay.unnati.fr.
07/04/2016 10:00:28 Connecting to 163.172.137.218.
07/04/2016 10:00:28 Connected.
07/04/2016 10:00:28 SMTP connection to srv-relay.unnati.fr successful
07/04/2016 10:00:28 SSL status: "before/connect initialization"
07/04/2016 10:00:28 SSL status: "before/connect initialization"
07/04/2016 10:00:28 SSL status: "SSLv3 write client hello A"
07/04/2016 10:00:28 SSL status: "SSLv3 read server hello A"
07/04/2016 10:00:28 SSL status: "SSLv3 read server certificate A"
07/04/2016 10:00:28 SSL status: "SSLv3 read server key exchange A"
07/04/2016 10:00:28 SSL status: "SSLv3 read server done A"
07/04/2016 10:00:28 SSL status: "SSLv3 write client key exchange A"
07/04/2016 10:00:28 SSL status: "SSLv3 write change cipher spec A"
07/04/2016 10:00:28 SSL status: "SSLv3 write finished A"
07/04/2016 10:00:28 SSL status: "SSLv3 flush data"
07/04/2016 10:00:28 SSL status: "SSLv3 read finished A"
07/04/2016 10:00:28 SSL status: "SSL negotiation finished successfully"
07/04/2016 10:00:28 SSL status: "SSL negotiation finished successfully"
07/04/2016 10:00:28 Cipher: name = ECDHE-RSA-AES256-SHA; description = ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
; bits = 256; version = TLSv1/SSLv3; 
07/04/2016 10:00:29 Encoding text
07/04/2016 10:00:29 Disconnecting.
07/04/2016 10:00:29 SMTP disconnected from srv-relay.unnati.fr
07/04/2016 10:00:29 Disconnected.
07/04/2016 10:00:29 Message sent successfully.

[kvm]

SSLv3 ?
Pas moyen d'avoir du TLS à la place ?

[kalistyan]

Il y a surement moyen, question de paramétrage...

[gizmo78]

normalement si tu utilise ce que je t'ai donné sur ton relay et ton serveur mail, tu peux plus faire de SSLv3.

[kalistyan]

Ah... J'ai pourtant collé ta conf.

[gizmo78]

faudrait que l'on se cale pour que tu m'envoie un mail et que je regarde les logs

[kalistyan]

On peut se caler un rdv ? :d

[gizmo78]

si tu veux ^^

mp et on voit ca