Current-Users archive
Re: openssl3+postfix issue (ca md too weak)
On Tue, Nov 14, 2023 at 02:39:53AM +0000, Taylor R Campbell wrote:
> [trimming tech-crypto from cc because this is a policy and
> configuration issue, not a cryptography issue]
>
> > Date: Mon, 13 Nov 2023 20:34:04 +0100
> > From: Manuel Bouyer <bouyer%antioche.eu.org@localhost>
> >
> > I'm facing an issue with postfix+openssl3 which may be critical (depending
> > on how it can be fixed).
> >
> > Now my postfix setup fails to send mails with
> > Nov 13 20:20:53 comore postfix/smtp[6449]: warning: TLS library problem: error:0A00018E:SSL routines::ca md too weak:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c:984:
>
> 1. This says `warning'; does the mail actually fail to go through, or
> are you just alarmed by the warning?
It fails:
Nov 13 20:21:48 comore postfix/smtp[4182]: warning: TLS library problem: error:0A00018E:SSL routines::ca md too weak:/usr/src/crypto/external/bsd/openssl/dist/ssl/statem/statem_lib.c:984:
Nov 13 20:21:48 comore postfix/smtp[4182]: D2EF31805C: to=<bouyer%lip6.fr@localhost>, relay=mail.soc.lip6.fr[132.227.86.2]:465, delay=1441, delays=1441/0.05/0.02/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
>
> 2. Can you describe your mail topology?
This is a simple mail client (my laptop); outgoing emails go through
two mail servers (depending on the From address and a relay map). Both mail
servers require SMTP AUTH (which is why I enforce
smtp_tls_security_level = verify), configured as:
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/home/bouyer/.postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
>
> 3. Can you describe the postfix configuration on every node involved
> in the topology?
The mail servers this client talks to are both running sendmail
on netbsd-9.
> 4. Can you share master.cf on every node involved if it's not the
> default?
On the client, master.cf is the default, with this additional entry:
relay-smtps unix  -       -       n       -       -       smtp
  # Client-side SMTPS requires "encrypt" or stronger.
  -o smtp_tls_security_level=verify
  -o smtp_tls_wrappermode=yes
  -o smtp_starttls_timeout=60
  -o smtp_helo_timeout=60
>
> 5. If you connect to the server with `openssl s_client', what happens?
It works:
openssl s_client -connect mail.soc.lip6.fr:465 -verify_return_error
[...]
Start Time: 1699948718
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
220 asim.lip6.fr ESMTP Sendmail 8.15.2/8.15.2; Tue, 14 Nov 2023 08:58:37 +0100 (MET)
Also, tnftp talking to a web server with the exact same certificate and
certificate chain has no problem either.
This is one of the things I have a hard time understanding: why can't I
reproduce this error with other TLS clients?
>
> > So, as far as I understand, we end up with a postfix installation which
> > can't talk to servers with valid certificates.
>
> Unless anything has changed in the past couple years, I don't think
> there is any widespread deployment of SMTP TLS server authentication
> that means anything for general MTAs -- at best, TLS in SMTP serves as
> opportunistic encryption to defend against passive eavesdroppers.
There is, actually, for SMTP AUTH.
And I don't think using an MTA for SMTP AUTH is that unusual.
--
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
NetBSD: 26 years of experience will always make the difference
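The error string in the log above names OpenSSL's certificate security-level check, which at the default security level 1 of OpenSSL 3 rejects a certificate in the chain that is not self-signed and whose signature uses MD5 or SHA-1 (a self-signed trust anchor's own signature is never checked). The script below is an added example, not code from this thread or from Postfix or NetBSD: it reads the chain a server presents (e.g. saved from `openssl s_client -connect host:465 -showcerts`) with a small pure-stdlib DER reader and reports, per certificate, the signature digest and whether that check would fire. The sample chain is constructed in-line with hypothetical names and no real keys, and "self-signed" is approximated as issuer DER equal to subject DER, which is an assumption simpler than OpenSSL's own test.

```python
"""Flag chain certificates that OpenSSL 3 rejects as "ca md too weak": a non-self-signed
certificate signed with MD5 or SHA-1 fails at the default security level 1.  Added example,
pure stdlib, not code from the post; "self-signed" is approximated as issuer == subject."""
import re
import ssl

SIG_OID_DIGEST = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}
WEAK_DIGESTS = {"md5", "sha1"}

def read_tlv(buf, pos):
    """Decode the DER element at buf[pos]: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def decode_oid(value):
    parts = [str(value[0] // 40), str(value[0] % 40)] if value[0] < 80 else ["2", str(value[0] - 80)]
    acc = 0
    for b in value[1:]:                         # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def cert_fields(cert):
    """(signatureAlgorithm OID, issuer DER, subject DER) of one DER-encoded certificate."""
    tag, body, _ = read_tlv(cert, 0)            # Certificate ::= SEQUENCE { tbs, algid, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = read_tlv(body, 0)
    _, algid, _ = read_tlv(body, pos)
    _, oid, _ = read_tlv(algid, 0)
    tag, _, p = read_tlv(tbs, 0)
    p = p if tag == 0xA0 else 0                 # skip the explicit [0] version if present
    _, _, p = read_tlv(tbs, p)                  # serialNumber
    _, _, p = read_tlv(tbs, p)                  # inner signature AlgorithmIdentifier
    _, issuer, p = read_tlv(tbs, p)
    _, _, p = read_tlv(tbs, p)                  # validity
    _, subject, _ = read_tlv(tbs, p)
    return decode_oid(oid), issuer, subject

def check_chain(chain):
    """Per certificate, leaf first as sent on the wire: (index, digest, self_signed, rejected)."""
    result = []
    for i, cert in enumerate(chain):
        oid, issuer, subject = cert_fields(cert)
        digest = SIG_OID_DIGEST.get(oid, oid)   # unknown OIDs are reported as-is
        self_signed = issuer == subject
        result.append((i, digest, self_signed, digest in WEAK_DIGESTS and not self_signed))
    return result

def load_pem_chain(text):
    """Split e.g. `openssl s_client -showcerts` output into DER certificates."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)
    return [ssl.PEM_cert_to_DER_cert(b) for b in blocks]

def to_pem(chain):
    return "".join(ssl.DER_cert_to_PEM_cert(c) for c in chain)

def build_fake_cert(subject_cn, issuer_cn, sig_oid):
    """Constructed sample: hypothetical names, no key, dummy signature bits."""
    def name(cn):                               # Name ::= SEQUENCE OF SET OF { OID cn, PrintableString }
        atv = encode_tlv(0x06, encode_oid("2.5.4.3")) + encode_tlv(0x13, cn.encode())
        return encode_tlv(0x30, encode_tlv(0x31, encode_tlv(0x30, atv)))
    algid = encode_tlv(0x30, encode_tlv(0x06, encode_oid(sig_oid)) + encode_tlv(0x05, b""))
    tbs = (encode_tlv(0xA0, encode_tlv(0x02, b"\x02")) + encode_tlv(0x02, b"\x01") + algid
           + name(issuer_cn) + encode_tlv(0x30, b"") + name(subject_cn))
    return encode_tlv(0x30, encode_tlv(0x30, tbs) + algid + encode_tlv(0x03, b"\x00" * 17))

SAMPLE_CHAIN = [                                # leaf, SHA-1-signed intermediate, self-signed root
    build_fake_cert("mail.example.net", "Example Intermediate CA", "1.2.840.113549.1.1.11"),
    build_fake_cert("Example Intermediate CA", "Example Root CA", "1.2.840.113549.1.1.5"),
    build_fake_cert("Example Root CA", "Example Root CA", "1.2.840.113549.1.1.5"),
]
```

On the sample chain `check_chain(SAMPLE_CHAIN)` marks only the intermediate as rejected: the leaf is SHA-256-signed and the root is self-signed. Against a real server, save `openssl s_client -connect mail.example.net:465 -showcerts </dev/null` to a file and call `check_chain(load_pem_chain(open(path).read()))`. Whether OpenSSL actually enforces the check depends on the security level each application configures on its SSL_CTX, so two OpenSSL-based clients on the same machine can disagree about the same chain; this script only tells you whether a weakly signed, non-self-signed certificate is present for the check to trip on.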