30th October 2012
Dazhelpwiz
[SOLVED] OBSD, Postfix, TLS, Sasl

Hi Guys,

It's been a long time since I posted here, but I need some fresh eyes to look at this issue I've encountered. I'm sure there is a simple solution, most likely a config error on my part, but I'm not entirely sure.

Ok, so on to the point. I'm currently configuring an OBSD 5.1 box with postfix/SA/procmail, pretty standard stuff, and that all works perfectly, as expected.

I have sasl configured and authenticating just fine for smtp auth. Good so far.

Now, the issue: TLS. I can't get both sasl and TLS to work together happily. Last time I did this was on a 4.6 machine, where it worked flawlessly.

I followed the same recipe I worked out. Now the weirdness.

Without auth, I can successfully run the TLS connection/conversation. (Thunderbird settings: no authentication, port 587)
Code:
connect from unknown[10.0.0.66]
Oct 30 16:08:37 mail postfix/smtps/smtpd[8919]: Anonymous TLS connection established from unknown[10.0.0.66]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct 30 16:08:37 mail postfix/smtps/smtpd[8919]: 73BA9701C3E: client=unknown[10.0.0.66]
Oct 30 16:08:37 mail postfix/cleanup[6618]: 73BA9701C3E: message-id=<508F6EE4.40902@wardles.com.au>
Oct 30 16:08:37 mail postfix/qmgr[31005]: 73BA9701C3E: from=<xxxxx@xxxxxx.com.au>, size=50340, nrcpt=1 (queue active)
Oct 30 16:08:37 mail postfix/smtps/smtpd[8919]: disconnect from unknown[10.0.0.66]
With auth, it spits a bad cert error. (Thunderbird setting: SSL/TLS, normal password)
Code:
connect from unknown[10.0.0.66]
Oct 30 16:08:20 mail postfix/smtps/smtpd[8919]: Anonymous TLS connection established from unknown[10.0.0.66]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 30 16:08:20 mail postfix/smtps/smtpd[8919]: warning: TLS library problem: 8919:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:/usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1195:SSL alert number 42:
Any ideas would be helpful. I generated the certs and CA myself using the openssl that's with OBSD by default.

I'm using dovecot for the imap/pop3 servers. Same deal: if I leave it on the default ports (143/110) it seems to use a TLS connection, which doesn't make sense, or the logs are lying to me.
Code:
mail dovecot: imap-login: Login: user=<xxxxxx>, method=PLAIN, rip=10.0.0.66, lip=10.0.0.72, mpid=1787, TLS
Set it to 993, SSL/TLS, and you get:
Code:
mail dovecot: imap-login: Disconnected (no auth attempts): rip=10.0.0.66, lip=10.0.0.72, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42
Something doesn't add up...

I can post any config files you like; I haven't yet as I didn't want to clutter this post too much.

If I've done something completely stupid, please point it out haha.

Last edited by Dazhelpwiz; 31st October 2012 at 01:11 AM. Reason: more info, it's late, been doing this all day..
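A small triage helper for the log lines quoted above, added here as an example and not part of the original post. It maps the "SSL alert number" to its RFC 5246 name and reads the OpenSSL function name (SSL3_READ_BYTES) to work out that the alert was received from the peer, i.e. the mail client rejected the server's certificate; the sample lines are the Postfix and Dovecot lines from the post.

```python
import re

# TLS alert descriptions from RFC 5246 section 7.2 (the certificate-related subset)
TLS_ALERTS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 70: "protocol_version",
}

ALERT_RE = re.compile(r"SSL alert number (\d+)")
# OpenSSL error string: error:<code>:SSL routines:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):SSL routines:(\w+):")
PROTO_RE = re.compile(r"\b(SSLv3|TLSv1(?:\.\d)?)\b with cipher (\S+)")

def triage(line):
    """Describe what one Postfix/Dovecot TLS log line tells us, or None if not TLS-related."""
    m = ALERT_RE.search(line)
    if m:
        num = int(m.group(1))
        err = ERR_RE.search(line)
        func = err.group(2) if err else ""
        # SSL3_READ_BYTES means OpenSSL *read* the alert off the wire: the peer sent it.
        return {"kind": "alert", "number": num, "name": TLS_ALERTS.get(num, "unknown"),
                "sent_by": "peer" if "READ" in func.upper() else "local"}
    m = PROTO_RE.search(line)
    if m:
        # Postfix logs "Anonymous TLS connection" when the client presented no certificate.
        return {"kind": "handshake", "protocol": m.group(1), "cipher": m.group(2),
                "anonymous": "Anonymous TLS" in line}
    return None

def summarize(lines):
    """Walk log lines in order and explain each TLS event in plain words."""
    out = []
    for line in lines:
        r = triage(line)
        if not r:
            continue
        if r["kind"] == "handshake":
            out.append(f"{r['protocol']} handshake with {r['cipher']}"
                       + (" (no client certificate)" if r["anonymous"] else ""))
        elif r["sent_by"] == "peer" and r["number"] in (42, 45, 46, 48):
            out.append(f"peer rejected our certificate: {r['name']} ({r['number']})")
        else:
            out.append(f"TLS alert {r['name']} ({r['number']}) sent by {r['sent_by']}")
    return out
```

A peer-sent bad_certificate after an "Anonymous TLS connection established" line means the handshake itself worked and the client then refused the server certificate, so the thing to check is the trust store and hostname on the client side rather than the SASL setup.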