NetBSD-Users archive


Re: libsaslc TLS postfix client woes



christos%astron.com@localhost (Christos Zoulas) wrote:

> In article <55da8d55.Vwp89GtYfOZ+zHh/%jgw%sdf.org@localhost>,  <jgw%sdf.org@localhost> wrote:
> >Up until yesterday the following was providing Postfix SMTP client SASL
> >TLS authentication with my email provider's outgoing email
> >server (configs have been sanitized for public posting):
> >
> >  #/etc/postfix/main.cf
> >  myhostname = beasty.sleepy.cat
> >  mydomain = sleepy.cat
> >  smtp_generic_maps = hash:/etc/postfix/generic
> >  mynetworks_style = host
> >  alias_maps = hash:/etc/mail/aliases
> >  relayhost = [smtp.acme.com]:submission
> >  smtp_sasl_auth_enable = yes
> >  smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> >  smtp_sasl_security_options = noplaintext, noanonymous
> >  smtp_sasl_tls_security_options = noanonymous
> >  smtp_tls_security_level = may
> >  smtp_sasl_type = saslc
> >
> >  #../generic
> >  me%beasty.sleepy.cat@localhost     me%acme.com@localhost
> >
> >  #../sasl_passwd
> >  [smtp.acme.com]:submission	me%acme.com@localhost:secret_passwd
> >
> >Did chmod 600 on the sasl_passwd file and ran postmap(8) on generic
> >and sasl_passwd for DB file generation, then checked with 'postfix check',
> >then reloaded configs with '/etc/rc.d/postfix reload'.
> >
> >Anyway, something has changed sometime since my previous -current update
> >dated ~May 2015; after upgrading to -current dated Aug 22, 2015 the above
> >configuration no longer works.
> >
> >Below appears to be the pertinent bits from /var/log/maillog; date prefix
> >removed for clarity:
> >
> >  ..
> >   beasty postfix/qmgr[7099]: 1AFE11F1FA9: \
> >    from=<me%beasty.sleepy.cat@localhost>, size=290, nrcpt=1 (queue active)
> >   beasty postfix/qmgr[7099]: warning: \
> >    private/smtp socket: malformed response
> >   beasty postfix/master[5621]: warning: \
> >    process /usr/libexec/postfix/smtp pid 7139 killed by signal 4
> >   ..
> >   beasty postfix/master[5621]: warning: \
> >    /usr/libexec/postfix/smtp:bad command startup -- throttling
> >   beasty postfix/error[5878]: 1AFE11F1FA9: \
> >    to=<someone%somewhere.com@localhost>, relay=none, \
> >    delay=1.4, delays=0.16/1.2/0/0.07, dsn=4.3.0, \
> >    status=undeliverable (unknown mail transport error)
> >
> >I'm hoping someone can point me towards a solution or work-around
> >so I can go back to using the native tools for mail relaying.
>
> I don't see what could do it in the saslc code. Perhaps something changed
> in openssl? Can you try to use the previous openssl libraries and see if
> that fixes it?
>

Looking through some of the more recent CVS commits for openssl I found this:

 --
  Revision 1.7 / (download) - annotate - [select for diffs], Sat May 16 17:32:54 2015 UTC (3 months, 1 week ago) by joerg
  Branch: MAIN
  CVS Tags: HEAD
  Changes since 1.6: +2 -2 lines
  Diff to previous 1.6 (colored)

  Optimize i386 support in libcrypto:
  - Enable optional SSE2 assembler versions. Regenerate.
  - Hook up assembler version of GCM.
 --

The system I'm using has a VIA C3 Samuel 2/Ezra CPU (i386) which
unfortunately doesn't support SSE.  Does "optional" mean it's now required,
or will it simply be used if presented to the binary?

Back to Postfix, the posttls-finger(1) tool seems to my uneducated eye to
suggest that things ought to be working:

  % posttls-finger -a ipv4 -L verbose -l encrypt -p '!SSLv2 !SSLv3 TLSv1' '[smtp.acme.com]:submission'

  posttls-finger: initializing the client-side TLS engine
  posttls-finger: Connected to smtp.acme.com[***.***.***.180]:587
  posttls-finger: < 220 smtp.acme.com ESMTP
  posttls-finger: > EHLO beasty.sleepy.cat
  posttls-finger: < 250-smtp.acme.com
  posttls-finger: < 250-STARTTLS
  posttls-finger: < 250-PIPELINING
  posttls-finger: < 250-8BITMIME
  posttls-finger: < 250-SIZE 0
  posttls-finger: < 250 AUTH LOGIN PLAIN
  posttls-finger: > STARTTLS
  posttls-finger: < 220 ready for tls
  posttls-finger: setting up TLS connection to smtp.acme.com[***.***.***.180]:587
  posttls-finger: mail.acme.com[***.***.***.180]:587: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH:!eNULL"
  posttls-finger: mail.acme.com[***.***.***.180]:587: depth=1 verify=0 subject=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
  posttls-finger: mail.acme.com[***.***.***.180]:587: depth=1 verify=0 subject=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
  posttls-finger: mail.acme.com[***.***.***.180]:587: depth=0 verify=1 subject=/serialNumber=***/OU=***/OU=\
                  See www.rapidssl.com/resources/cps (c)12/OU=Domain Control Validated - RapidSSL(R)/CN=mail.acme.com
  posttls-finger: mail.acme.com[***.***.***.180]:587: subject_CN=smtp.vfemail.net, issuer_CN=RapidSSL CA,\
                  fingerprint=D2:0F:...:23:95, pkey_fingerprint=05:A7:...:B4:00
  posttls-finger: > EHLO beasty.sleepy.cat
  posttls-finger: < 250-smtp.acme.com
  posttls-finger: < 250-PIPELINING
  posttls-finger: < 250-8BITMIME
  posttls-finger: < 250-SIZE 0
  posttls-finger: < 250 AUTH LOGIN PLAIN
  posttls-finger: > QUIT
  posttls-finger: < 221 smtp.acme.com

posttls-finger(1) doesn't actually send any mail so perhaps the "malformed
response" shown in the maillog comes later in the session.

Jeff

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 This email has a PGP signature attached; verify
 using PGP public key at http://jgw.sdf.org/pgp/

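The following shell helpers are an added example for the two diagnostic steps discussed in the thread (reading the "killed by signal" warnings in maillog, and checking the relay's TLS posture in main.cf); they are not code from the post, from NetBSD or from Postfix. They assume maillog lines in Postfix's usual syslog form and a main.cf in "key = value" form; the SAMPLE_* inputs are constructed from the lines quoted above, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Added triage helpers; not code from the original post, NetBSD or Postfix.
# Assumptions: maillog lines in Postfix's syslog form, main.cf as "key = value"
# text.  SAMPLE_* inputs are constructed from the lines quoted in the thread.

# Name a signal from "killed by signal N".  Signal 4 is SIGILL: the process
# executed an instruction the CPU does not implement, which is the symptom to
# expect if libcrypto dispatches to SSE2 code on a CPU that lacks SSE2.
signal_name() {
    case "$1" in
        4)  echo ILL ;;
        6)  echo ABRT ;;
        8)  echo FPE ;;
        11) echo SEGV ;;
        *)  kill -l "$1" 2>/dev/null || echo "SIG$1" ;;
    esac
}

# Read maillog lines on stdin; for each master(8) warning of the form
# "process X pid N killed by signal S" print "<program> <pid> <signal name>".
triage_maillog() {
    sed -n 's/.*process \([^ ]*\) pid \([0-9]*\) killed by signal \([0-9]*\).*/\1 \2 \3/p' |
    while read -r prog pid sig; do
        printf '%s %s %s\n' "$prog" "$pid" "$(signal_name "$sig")"
    done
}

# Does this CPU advertise SSE2?  Exit 0 = yes, 1 = no, 2 = cannot tell.
# NetBSD reports CPU features via cpuctl(8), Linux via /proc/cpuinfo.
cpu_has_sse2() {
    if [ -r /proc/cpuinfo ]; then
        grep -qiw sse2 /proc/cpuinfo
    elif command -v cpuctl >/dev/null 2>&1; then
        cpuctl identify 0 2>/dev/null | grep -qi sse2
    else
        return 2
    fi
}

# cf_get <main.cf text> <parameter>: the last value assigned to the parameter.
cf_get() {
    printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Read main.cf on stdin.  When a relayhost is set and SASL is enabled, report
# whether TLS to the relay is mandatory.  Returns 1 if a plaintext session to
# the relay is still possible (smtp_tls_security_level absent, none or may).
check_main_cf() {
    cf=$(cat)
    relayhost=$(cf_get "$cf" relayhost)
    level=$(cf_get "$cf" smtp_tls_security_level)
    sasl=$(cf_get "$cf" smtp_sasl_auth_enable)
    [ -n "$relayhost" ] && [ "$sasl" = yes ] || return 0
    case "${level:-none}" in
        encrypt|verify|secure|fingerprint|dane-only)
            echo "ok: TLS to $relayhost is mandatory (smtp_tls_security_level = $level)"
            return 0 ;;
        *)
            echo "warn: smtp_tls_security_level = ${level:-none}: TLS to $relayhost is optional;" \
                 "set it to encrypt (or secure with smtp_tls_CAfile) so the SASL password" \
                 "is never offered on an unencrypted session"
            return 1 ;;
    esac
}

# Constructed sample inputs, taken from the lines quoted in the thread.
SAMPLE_LOG='beasty postfix/master[5621]: warning: process /usr/libexec/postfix/smtp pid 7139 killed by signal 4
beasty postfix/master[5621]: warning: /usr/libexec/postfix/smtp: bad command startup -- throttling'

SAMPLE_CF='relayhost = [smtp.acme.com]:submission
smtp_sasl_auth_enable = yes
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = may
smtp_sasl_type = saslc'

# The same configuration with TLS to the relay made mandatory.
SAMPLE_CF_FIXED=$(printf '%s\n' "$SAMPLE_CF" |
    sed 's/^smtp_tls_security_level = may/smtp_tls_security_level = encrypt/')

printf '%s\n' "$SAMPLE_LOG" | triage_maillog
printf '%s\n' "$SAMPLE_CF" | check_main_cf || :
printf '%s\n' "$SAMPLE_CF_FIXED" | check_main_cf
cpu_has_sse2; echo "cpu_has_sse2 exit status: $?"
```

Two notes on what the checks do and do not tell you. A SIGILL in the smtp client on a CPU without SSE2 is consistent with the libcrypto change quoted above but does not prove it; the faulting instruction has to be inspected (a core dump or debugger session on the smtp client) before blaming that commit. And the thread's main.cf is not actually leaking the password over plaintext even with `smtp_tls_security_level = may`: `smtp_sasl_security_options = noplaintext` forbids PLAIN and LOGIN on an unencrypted session, and Postfix switches to `smtp_sasl_tls_security_options` only once TLS is up, so a failed STARTTLS ends in a SASL failure rather than a disclosed credential. Setting `encrypt` (or `secure` with a CA file) still makes the requirement explicit and keeps it if someone later relaxes the SASL options.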

