DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD General

OpenBSD General Other questions regarding OpenBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 30th October 2012
Dazhelpwiz Dazhelpwiz is offline
Port Guard
 
Join Date: May 2008
Location: Townsville, Australia
Posts: 34
Thanked 2 Times in 2 Posts
Unhappy [SOLVED] OBSD, Postfix, TLS, Sasl

Hi Guys,

Its been a long time since I posted here but I need some fresh eyes to look at this issue Ive encountered. Im sure there is a simple solution, most likely a config error on my part but Im not entirely sure.

Ok, so on to the point. Im currently configuring an OBSD 5.1 box with postfix/SA/procmail, pretty standard stuff and that all works perfect, as expected.

I have sasl configured and authenticating just fine for smtp auth. Good so far.

Now, the issue. TLS. I cant get both sasl and TLS to work together happily. Last time I did this was on a 4.6 machine where it worked flawlessly.

I followed the same receipe I worked out. now the wierdness.

Without auth, I can successfully run the TLS connection/conversation. (thunderbird settings - no authentication, port 587)
Code:
connect from unknown[10.0.0.66]
Oct 30 16:08:37 mail postfix/smtps/smtpd[8919]: Anonymous TLS connection established from unknown[10.0.0.66]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct 30 16:08:37 mail postfix/smtps/smtpd[8919]: 73BA9701C3E: client=unknown[10.0.0.66]
Oct 30 16:08:37 mail postfix/cleanup[6618]: 73BA9701C3E: message-id=<508F6EE4.40902@wardles.com.au>
Oct 30 16:08:37 mail postfix/qmgr[31005]: 73BA9701C3E: from=<xxxxx@xxxxxx.com.au>, size=50340, nrcpt=1 (queue active)
Oct 30 16:08:37 mail postfix/smtps/smtpd[8919]: disconnect from unknown[10.0.0.66]
With auth, it spits a bad cert error. (thunderbird setting: ssl/tls, normal password)
Code:
connect from unknown[10.0.0.66]
Oct 30 16:08:20 mail postfix/smtps/smtpd[8919]: Anonymous TLS connection established from unknown[10.0.0.66]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 30 16:08:20 mail postfix/smtps/smtpd[8919]: warning: TLS library problem: 8919:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:/usr/src/lib/libssl/ssl/../src/ssl/s3_pkt.c:1195:SSL alert number 42:
Any idea would be helpful. I generated the certs and CA myself using openssl thats with OBSD by default.

Im using dovecot for the imap/pop3 servers. Same deal, if I leave on default ports (143/110) it seems to use a TLS connection which doesnt make sense, or the logs are lying to me.
Code:
mail dovecot: imap-login: Login: user=<xxxxxx>, method=PLAIN, rip=10.0.0.66, lip=10.0.0.72, mpid=1787, TLS
set it to 993, SSL/TLS and you get:
Code:
mail dovecot: imap-login: Disconnected (no auth attempts): rip=10.0.0.66, lip=10.0.0.72, TLS: SSL_read() failed: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: SSL alert number 42
Something doesnt add up...

I can post any config files you like, I havent yet as I didnt want to clutter this post to much.

If Ive done something completely stupid, please point it out haha.

Last edited by Dazhelpwiz; 31st October 2012 at 01:11 AM. Reason: more info, its late, been doing this all day..
Reply With Quote
  #2   (View Single Post)  
Old 30th October 2012
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 3,891
Thanked 214 Times in 189 Posts
Default

I'm going to take a wild guess -- supported only by a quick Google search -- that your certificate is the problem.

http://www.mail-archive.com/openssl-.../msg47175.html
Reply With Quote
  #3   (View Single Post)  
Old 31st October 2012
Dazhelpwiz Dazhelpwiz is offline
Port Guard
 
Join Date: May 2008
Location: Townsville, Australia
Posts: 34
Thanked 2 Times in 2 Posts
Default

I googled, but I didnt come across that one. Thanks jggimi. I knew you lads would know the answer.

I generated some new RSA 2048 bit keys and all was ok.
Code:
postfix/smtps/smtpd[9783]: connect from unknown[10.0.0.66]
Oct 31 11:02:20 mail postfix/smtps/smtpd[9783]: Anonymous TLS connection established from unknown[10.0.0.66]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Oct 31 11:02:21 mail postfix/smtps/smtpd[9783]: 02621701C3F: client=unknown[10.0.0.66], sasl_method=PLAIN, sasl_username=xxxxxxx
Oct 31 11:02:21 mail postfix/cleanup[23539]: 02621701C3F: message-id=<5090789C.4040201@xxxxxx.com.au>
Id thank you but it seems to be removed.

To clarify further. I was doing it the older way (atleast what I think was the older method), where pem files werent necessarily needed. just the old .crt/.key files. That was most likely it. I went over the openssl docs again and saw the difference. (as well as the postfix TLS man, even though I read it 20 times yesterday I guess it didnt click as I had been trying to solve it for so long - amazing what a nights sleep can do).

Thank you again kind sir.

Last edited by Dazhelpwiz; 31st October 2012 at 01:11 AM.
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Mutt and SASL divadgnol67 OpenBSD Packages and Ports 3 11th March 2011 04:48 PM
Problem with Postfix and Sasl auth unixbsd OpenBSD General 1 27th April 2009 03:26 AM
unable to install Postfix from ports on OBSD 4.3 Pollywog OpenBSD Packages and Ports 25 22nd July 2008 03:32 AM
Postfix, SASL w/ LDAP kronic OpenBSD General 2 19th June 2008 06:49 AM
Working Configuration for Openbsd 4.0 - Postfix - SASL - TLS roundkat Guides 0 4th May 2008 05:38 PM


All times are GMT. The time now is 09:17 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick