Re: TLS handshake failure

From: Lutz Jaenicke (Lutz.Jaenickeaet.TU-Cottbus.DE)
Date: Wed Mar 01 2006 - 12:27:48 CST


On Wed, Mar 01, 2006 at 10:18:54AM -0800, Ed Sawicki wrote:
> Recently, I set up TLS on Postfix 2.2.8. It is working fine for
> inbound mail as this sample from the log shows:
>
> Feb 25 02:26:10 kmalone1 postfix/smtpd[18262]: connect from
> smtp.treasurystrategies.com[207.86.60.118]
> Feb 25 02:26:11 kmalone1 postfix/smtpd[18262]: setting up TLS connection
> from smtp.treasurystrategies.com[207.86.60.118]
> Feb 25 02:26:11 kmalone1 postfix/smtpd[18262]: TLS connection established
> from smtp.treasurystrategies.com[207.86.60.118]: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
>
> It does not work for outbound mail:
>
> Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: initializing the client-side
> TLS engine
> Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: setting up TLS connection to
> TreasuryStrategies.com
> Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: warning: TLS library
> problem: 18265:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> record mac:s3_pkt.c:1052:SSL alert number 20:
> Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: 014349B234:
> to=<infoTreasuryStrategies.com>,
> relay=TreasuryStrategies.com[207.86.60.66], delay=0, status=deferred
> (Cannot start TLS: handshake failure)
>
> The problem occurs with other remote TLS hosts as well.

Hmm:
openssl s_client -starttls smtp -connect 207.86.60.66:25

  CONNECTED(00000003)
  ....
  New, TLSv1/SSLv3, Cipher is AES256-SHA
  ...
  220 treasurystrat.com ESMTP ready

Mar 1 19:25:02 serv01 postfix/smtp[19029]: setting up TLS connection to TreasuryStrategies.com
Mar 1 19:25:02 serv01 postfix/smtp[19029]: certificate verification failed for treasurystrategies.com: num=18:self signed certificate
Mar 1 19:25:02 serv01 postfix/smtp[19029]: certificate peer name verificationfailed for treasurystrategies.com: CommonName mis-match: treasurystrat.com
Mar 1 19:25:02 serv01 postfix/smtp[19029]: Unverified: subject_CN=treasurystrat.com, issuer=treasurystrat.com
Mar 1 19:25:02 serv01 postfix/smtp[19029]: TLS connection established to TreasuryStrategies.com: TLSv1 with cipher AES256-SHA (256/256 bits)
Mar 1 19:25:02 serv01 postfix/smtp[19029]: Server certificate could not be verified
Mar 1 19:25:03 serv01 postfix/smtp[19029]: C65FA3691: to=<testtlsTreasuryStrategies.com>, relay=TreasuryStrategies.com[207.86.60.66], delay=3, status=sent (250 2.0.0 4405e6fe-00047687 Message accepted for delivery)
Mar 1 19:25:03 serv01 postfix/qmgr[11771]: C65FA3691: removed

What version of OpenSSL does your system use?

Regards,
        Lutz
--
Lutz Jaenicke Lutz.Jaenickeaet.TU-Cottbus.DE
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
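A small log triage helper, added here as an example and not part of the thread or of Postfix itself: it groups smtp(8) lines of the kind quoted above by process id and reports, per remote host, whether the session was encrypted and verified, encrypted but unverified (as in Lutz's test delivery, where Postfix still sent the mail), or failed with the alert number OpenSSL reported (alert 20, bad_record_mac, in Ed's case). The sample lines are constructed; host names, IPs and queue ids are placeholders.

```python
import re
# Constructed sample lines in the Postfix 2.2 smtp(8) log format quoted in the
# thread; host names, IPs and queue ids are placeholders, not the thread's data.
SAMPLE_LOG = """\
Mar 1 19:25:02 serv01 postfix/smtp[19029]: setting up TLS connection to mail.example.test
Mar 1 19:25:02 serv01 postfix/smtp[19029]: certificate verification failed for mail.example.test: num=18:self signed certificate
Mar 1 19:25:02 serv01 postfix/smtp[19029]: certificate peer name verification failed for mail.example.test: CommonName mis-match: other.test
Mar 1 19:25:02 serv01 postfix/smtp[19029]: TLS connection established to mail.example.test: TLSv1 with cipher AES256-SHA (256/256 bits)
Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: setting up TLS connection to broken.example.test
Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: warning: TLS library problem: 18265:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1052:SSL alert number 20:
Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: 0123456789: to=<user@broken.example.test>, relay=broken.example.test[192.0.2.10], delay=0, status=deferred (Cannot start TLS: handshake failure)
"""
# TLS alert descriptions (RFC 2246, section 7.2) for the numbers OpenSSL logs.
ALERT_NAMES = {20: "bad_record_mac", 40: "handshake_failure", 48: "unknown_ca"}
PROC_RE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
SETUP_RE = re.compile(r"setting up TLS connection to (\S+)")
ESTAB_RE = re.compile(r"TLS connection established to \S+: (\S+) with cipher (\S+) \((\d+)/\d+ bits\)")
ALERT_RE = re.compile(r"TLS library problem: .*:SSL alert number (\d+):")
VERIFY_RE = re.compile(r"certificate (?:peer name )?verification ?failed for \S+: (.*)")  # ' ?' tolerates the run-together spelling

def parse_tls_sessions(log_text):
    """Group smtp(8) lines by process id into one record per TLS session attempt."""
    sessions = {}
    for line in log_text.splitlines():
        m = PROC_RE.search(line)
        if not m:
            continue  # not a postfix/smtp line (smtpd, qmgr, ...)
        pid, msg = m.groups()
        if (st := SETUP_RE.search(msg)):  # a new session starts; reset state
            sessions[pid] = {"host": st.group(1), "established": False, "cipher": None,
                             "protocol": None, "alert": None, "verify_errors": []}
        elif (s := sessions.get(pid)) is None:
            continue  # chatter before the first "setting up" line
        elif (e := ESTAB_RE.search(msg)):
            s.update(established=True, protocol=e.group(1), cipher=e.group(2), bits=int(e.group(3)))
        elif (a := ALERT_RE.search(msg)):
            s["alert"] = int(a.group(1))  # the peer's alert number, e.g. 20 = bad_record_mac
        elif (v := VERIFY_RE.search(msg)):
            s["verify_errors"].append(v.group(1))  # logged, but delivery still proceeds
    return sessions

def classify(s):
    """Verdict per session: verified, opportunistic but unverified, or failed handshake."""
    if s["alert"] is not None and not s["established"]:
        return f"handshake failure: alert {s['alert']} ({ALERT_NAMES.get(s['alert'], 'unknown')})"
    if s["established"] and s["verify_errors"]:
        return f"encrypted but unverified ({s['cipher']}): " + "; ".join(s["verify_errors"])
    if s["established"]:
        return f"encrypted and verified ({s['cipher']})"
    return "no TLS session completed"
```

Run `classify()` over each entry of `parse_tls_sessions(SAMPLE_LOG)` to get one verdict per delivery attempt; the same regexes apply unchanged to a real mail log.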