DevHeads.net

STARTTLS / DANE difficulties?

We are migrating our Postfix MX services and in the process have
disrupted a setup which has been very stable for the past couple of
years. One of the remaining items is this sort of message which only
started very recently:

Jul 10 11:55:29 mx31 postfix-p25/smtpd[70030]: connect from hr1.samba.org[144.76.82.147]
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:/usr/src/crypto/openssl/ssl/s3_pkt.c:1493:SSL alert number 42:
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: lost connection after STARTTLS from hr1.samba.org[144.76.82.147]
Jul 10 11:55:30 mx31 postfix-p25/smtpd[70030]: disconnect from hr1.samba.org[144.76.82.147] ehlo=1 starttls=1 commands=2

I thought that these errors were the result of a misconfigured
certificate or private key for the postfix service. However, I have
examined these and they appear to be correct:

postconf -n | grep -i tls
smtp_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtp_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED, IDEA, RC2, RC5
smtp_tls_key_file = /usr/local/etc/pki/tls/private/ca.harte-lyne.mx31.key
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_starttls_timeout = ${stress?10}${stress:120}s
smtpd_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem
smtpd_tls_fingerprint_digest = sha256
smtpd_tls_key_file = /usr/local/etc/pki/tls/private/ca.harte-lyne.mx31.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# ll /usr/local/etc/pki/tls/private/
total 18
-rw------- 1 root wheel 3243 Jun 7 15:37 2016003E.key
lrwxr-xr-x 1 root wheel 12 Jul 10 12:19 ca.harte-lyne.mx31.key -> 2016003E.key

# ll /usr/local/etc/pki/tls/certs
total 565
-rw-r--r-- 1 root wheel 10164 Jun 7 15:37 2016003E.pem
-rw-r--r-- 1 root wheel 822512 Jul 10 12:05 ca-bundle.crt
lrwxr-xr-x 1 root wheel 22 Jul 10 12:07 ca.harte-lyne.mx31.crt -> ca.harte-lyne.mx31.pem
lrwxr-xr-x 1 root wheel 12 Jul 10 12:06 ca.harte-lyne.mx31.pem -> 2016003E.pem

# openssl x509 -noout -text -in /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 538312766 (0x2016003e)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN=CA_HLL_ISSUER_2016, OU=Networked Data Services, O=Harte & Lyne Limited, L=Hamilton, ST=Ontario, C=CA, DC=harte-lyne, DC=ca
        Validity
            Not Before: Jun  1 00:00:00 2018 GMT
            Not After : Jun 30 23:59:59 2023 GMT
        O=Harte & Lyne Limited, L=Hamilton, ST=Ontario, C=CA, DC=hamilton, DC=harte-lyne, DC=ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
        . . .

Can someone interpret for me what these messages are telling me? Is
samba.org misconfigured or me?

Comments

Re: STARTTLS / DANE difficulties?

By Viktor Dukhovni at 07/10/2018 - 13:30

What is the MX hostname associated with this Postfix instance? What
domains does it serve? That has bearing on the TLSA records seen
by the connecting SMTP client.

The client rejected the server's certificate chain. The details
are known only to the client.

"Correct" is in the eye of the beholder. Did the certificate chain
match the associated DANE TLSA records? Might samba.org have reason
to expect to authenticate your server via WebPKI? You're using a
private CA...

Its current cert chain seems to match the TLSA records for the above
name, though two of the three TLSA records seem redundant:

mx31.harte-lyne.ca. IN A 216.185.71.31 ; AD=1 NoError
mx31.harte-lyne.ca. IN AAAA ? ; AD=1 NODATA
_25._tcp.mx31.harte-lyne.ca. IN CNAME _tlsa._dane.trust.harte-lyne.ca. ; AD=1 NoError
_tlsa._dane.trust.harte-lyne.ca. IN TLSA 2 0 2 67274b355428905895c6b581950e0ed4f7d043f31f7e7020b716b7faa06776b6aadd33e127624b6e8c75c520a01d9cad3bd29f18fa7dcb3d5fd3917510e6722a ; AD=1 NoError
_tlsa._dane.trust.harte-lyne.ca. IN TLSA 2 1 2 380259229e21a1946b38cfc594cbc993b61bc93762b7b6c6637b3eef9c5a2bb70c589b91beb73bd1304eac11b3917e33819e2b47d25d4966435a2a3e83c1f80f ; AD=1 NoError
_tlsa._dane.trust.harte-lyne.ca. IN TLSA 2 1 2 c26e0ec16a46a97386e8f31f8ecc971f2d73136aa377dfdaac2b2b00f7cab4bb29b17d913c82093b41fd0d9e40b66a68361c126f1f4017f9ce60eabc5adba90e ; AD=1 NoError
mx31.harte-lyne.ca[216.185.71.31]: pass: TLSA match: depth = 1, name = mx31.harte-lyne.ca
TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384
name = mx31.harte-lyne.ca
name = mx31
name = mx31.hamilton
name = mx31.hamilton.harte-lyne.ca
depth = 0
Issuer CommonName = CA_HLL_ISSUER_2016
Issuer Organization = Harte & Lyne Limited
notBefore = 2018-06-01T00:00:00Z
notAfter = 2023-06-30T23:59:59Z
Subject CommonName = mx31.harte-lyne.ca
Subject Organization = Harte & Lyne Limited
pkey sha256 [nomatch] <- 3 1 1 3fa3dae08e2fecff0611a75767ee0995a115e308a181ad79a6d163315742b270
cert sha512 [nomatch] <- 3 0 2 cc5bd085ba7e1c136539083bf32ad6512b6c0fe5a31a8f2f775b627ab1c6525d7464c751191a4e1747072f5bd63d364713e48a4636ca25e31532ca0657444c7f
pkey sha512 [nomatch] <- 3 1 2 39248e9342c4fc8fb67dac3f51e7a2d9e77d7a37df6fac0272006cc7d757e5346c9e11f93f7f8c34cacf95cd0e60d1ab5b3fc2b9881551fa9bc9a6fb6e3300a8
depth = 1
Issuer CommonName = CA_HLL_ROOT_2016
Issuer Organization = Harte & Lyne Limited
notBefore = 2016-11-01T00:00:00Z
notAfter = 2035-11-01T23:59:59Z
Subject CommonName = CA_HLL_ISSUER_2016
Subject Organization = Harte & Lyne Limited
pkey sha256 [nomatch] <- 2 1 1 9c19d0fed453f6c49cd9f569af9b5da75ef6d8baabd26308eee88adb2d06a3b5
cert sha512 [nomatch] <- 2 0 2 ab23a715c42f6cf8a2502b725969adedf1f6c6bedbb483fb49badc5470232297b34a3a7716b2dd7eb086bd6e462599db95f9af3415209eadea71450c72af942a
pkey sha512 [matched] <- 2 1 2 380259229e21a1946b38cfc594cbc993b61bc93762b7b6c6637b3eef9c5a2bb70c589b91beb73bd1304eac11b3917e33819e2b47d25d4966435a2a3e83c1f80f
depth = 2
Issuer CommonName = CA_HLL_ROOT_2016
Issuer Organization = Harte & Lyne Limited
notBefore = 2016-11-01T00:00:00Z
notAfter = 2036-10-31T23:59:59Z
Subject CommonName = CA_HLL_ROOT_2016
Subject Organization = Harte & Lyne Limited
pkey sha256 [nomatch] <- 2 1 1 4bd5dd98b37237136d1a5b2e45ee8ed1c9f2c2569b6dc94f0951da5af6d090c4
cert sha512 [nomatch] <- 2 0 2 4a4ea8374f20e46009b03bd19793598b5f4e0d38aeba39644f6b8659057ca16a4c5bfd7f3779ec83c1d26c732edbc9d41454f9866d25109bcde177eae58a4481
pkey sha512 [matched] <- 2 1 2 c26e0ec16a46a97386e8f31f8ecc971f2d73136aa377dfdaac2b2b00f7cab4bb29b17d913c82093b41fd0d9e40b66a68361c126f1f4017f9ce60eabc5adba90e

[ 4096-bit keys are IMHO overkill. ]

RE: STARTTLS / DANE difficulties?

By Fazzina, Angelo at 07/10/2018 - 13:05

When you test connecting to your servers yourself, do you get any errors?
Not sure if SSLv3 is OK to see if you are using TLS???

Commands to try; just replace with your server name:
openssl s_client -connect mta5.uits.uconn.edu:465
openssl s_client -starttls smtp -connect mta5.uits.uconn.edu:587

openssl s_client -connect <yourname>:465
openssl s_client -starttls smtp -connect <yourname>:587

good luck.

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

... at uconn dot edu
University of Connecticut, ITS, SSG, Server Systems
860-486-9075

RE: STARTTLS / DANE difficulties?

By Fazzina, Angelo at 07/10/2018 - 13:17

My test of connecting to your server:
openssl s_client -starttls smtp -connect mx31.harte-lyne.ca:587

Start Time: 1531242804
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)

My server:

Start Time: 1531242903
Timeout : 300 (sec)
Verify return code: 0 (ok)

-ANGELO FAZZINA

ITS Service Manager:
Spam and Virus Prevention
Mass Mailing
G Suite/Gmail

... at uconn dot edu
University of Connecticut, ITS, SSG, Server Systems
860-486-9075
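The two checks in this thread, Viktor's walk of the certificate chain against the `_25._tcp` TLSA records (depth 0, 1, 2 with a `[matched]`/`[nomatch]` per record) and Angelo's `openssl s_client` run that ends in verify return code 19, can be reproduced offline. The shell script below is an added example, not code from the thread, from Postfix or from Viktor's DANE checker. It builds a throwaway private chain shaped like the one in the post (root CA, issuing CA, MX leaf; the names `Demo root`, `Demo issuer`, `Demo leaf` and the SAN `mx.example.test` are made up), derives the TLSA association data for each selector and matching type with the `openssl` command line, walks the chain against a record the way a DANE client does (usage 3 may only match the leaf, usage 2 only an issuer), and runs `openssl verify` with and without the private root trusted. It also goes one step past the thread: it renews the issuing CA certificate with the same key to show why a `2 1 2` (SubjectPublicKeyInfo) record survives a renewal while a `2 0 2` (full certificate) record goes stale. It assumes only a POSIX shell and the openssl CLI (1.1.0 or later).

```shell
#!/bin/sh
# Added example for this thread, not code from the thread, from Postfix or from
# Viktor's DANE checker. It builds a throwaway private chain shaped like the
# one in the post (root CA -> issuing CA -> MX leaf; all names are made up),
# derives the DANE TLSA association data with the openssl CLI, walks the chain
# against a record the way a DANE client does, and shows the PKIX-only view.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate the demo chain. Serial numbers, names and the SAN are constructed.
build_chain() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mx.example.test\nextendedKeyUsage=serverAuth\n' > "$WORK/ee.ext"
    for n in root issuer leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
            -keyout "$WORK/$n.key" -out "$WORK/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
        -set_serial 1001 -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/issuer.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -days 30 -set_serial 1002 -extfile "$WORK/ca.ext" -out "$WORK/issuer.pem" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/issuer.pem" -CAkey "$WORK/issuer.key" \
        -days 30 -set_serial 1003 -extfile "$WORK/ee.ext" -out "$WORK/leaf.pem" 2>/dev/null
    # Routine renewal of the issuing CA certificate: new serial, same key pair.
    openssl x509 -req -in "$WORK/issuer.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -days 30 -set_serial 1004 -extfile "$WORK/ca.ext" -out "$WORK/issuer-renewed.pem" 2>/dev/null
    # Intermediates a server would send alongside the leaf (here incl. the root).
    cat "$WORK/issuer.pem" "$WORK/root.pem" > "$WORK/untrusted.pem"
}

# TLSA "certificate association data" for one certificate.
# selector: 0 = full DER certificate, 1 = SubjectPublicKeyInfo only.
# matching type: 1 = SHA-256, 2 = SHA-512 (type 0, raw data, is not shown).
tlsa_data() {  # tlsa_data cert.pem selector mtype -> lowercase hex digest
    case "$3" in 1) dgst=sha256 ;; 2) dgst=sha512 ;; *) echo "unsupported matching type $3" >&2; return 2 ;; esac
    if [ "$2" = 0 ]; then
        openssl x509 -in "$1" -outform DER
    else
        openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER
    fi | openssl dgst "-$dgst" | awk '{print $NF}'
}

# Walk a chain (leaf first, like the depth = 0,1,2 listing in the thread)
# against one TLSA record and print the depth at which it matches.
# Usage 3 (DANE-EE) may only match the leaf; usage 2 (DANE-TA) must match an
# issuer above the leaf. Usages 0/1 also need a PKIX path and are not handled.
tlsa_match() {  # tlsa_match "usage selector mtype hex" leaf.pem [issuer.pem ...]
    rr=$1; shift
    usage=${rr%% *}; rr=${rr#* }
    sel=${rr%% *};   rr=${rr#* }
    mtype=${rr%% *}; hex=${rr#* }
    depth=0
    for cert in "$@"; do
        if [ "$(tlsa_data "$cert" "$sel" "$mtype")" = "$hex" ]; then
            case "$usage:$depth" in
                3:0|2:[1-9]*) echo "$depth"; return 0 ;;
            esac
        fi
        depth=$((depth + 1))
    done
    echo nomatch
    return 1
}

# What a client without DANE sees. The chain builds up to the private root, but
# unless that root is in the trust store nothing vouches for it: X509 verify
# error 19, the "self signed certificate in certificate chain" from s_client.
pkix_verify() {  # pkix_verify [trusted-ca.pem] -> prints the verify error code, 0 when ok
    if [ $# -gt 0 ]; then ca="-CAfile $1"; else ca=""; fi
    if out=$(openssl verify $ca -untrusted "$WORK/untrusted.pem" "$WORK/leaf.pem" 2>&1); then
        echo 0
    else
        echo "$out" | grep -o 'error [0-9][0-9]*' | head -n 1 | awk '{print $2}'
    fi
}

build_chain
CHAIN="$WORK/leaf.pem $WORK/issuer.pem $WORK/root.pem"
RENEWED="$WORK/leaf.pem $WORK/issuer-renewed.pem $WORK/root.pem"
# Records an operator would publish at _25._tcp.<mx>, as "usage selector mtype data".
EE_311="3 1 1 $(tlsa_data "$WORK/leaf.pem" 1 1)"
TA_212="2 1 2 $(tlsa_data "$WORK/issuer.pem" 1 2)"
TA_202="2 0 2 $(tlsa_data "$WORK/issuer.pem" 0 2)"
printf 'DANE-EE 3 1 1 matches at depth %s\n' "$(tlsa_match "$EE_311" $CHAIN)"
printf 'DANE-TA 2 1 2 matches at depth %s\n' "$(tlsa_match "$TA_212" $CHAIN)"
printf 'after issuer renewal, 2 1 2: %s, 2 0 2: %s\n' \
    "$(tlsa_match "$TA_212" $RENEWED)" "$(tlsa_match "$TA_202" $RENEWED)"
printf 'openssl verify, private root not trusted: error %s\n' "$(pkix_verify)"
printf 'openssl verify, private root trusted: error %s\n' "$(pkix_verify "$WORK/root.pem")"
```

Against a live MX the same record data can be handed to `openssl s_client -starttls smtp -connect host:25 -dane_tlsa_domain host -dane_tlsa_rrdata "2 1 2 <hex>"` (OpenSSL 1.1.0 and later), or Postfix's own posttls-finger(1) can be run with `-l dane`, which reports which record matched and at what depth. Publishing selector 1 rather than selector 0 is what keeps a TA record valid across a certificate renewal that reuses the key, which is also why a `2 0 2` record is the one most likely to be left stale.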
