On Thu, Dec 16, 2004 at 10:20:53PM -0500, Dean Brooks wrote:
> On Thu, Dec 16, 2004 at 09:04:25PM -0600, Barry Pederson wrote:
>
> > There's a press release on Postini's website dated the 13th:
> >
> > "Postini Unveils Worlds Largest Encrypted Email Network; Builds TLS
> > Encryption Support Into Managed Service Offering"
> >
> > http://postini.com/news_events/pr/pr121304.php
> >
> > I wonder if they botched something with this new rollout.
>
> They did indeed appear to botch something.
GNUTLS:
porridge@melina11:~$ gnutls-cli postini.com.s8b2.psmtp.com -p 25 -s
Resolving 'postini.com.s8b2.psmtp.com'...
Connecting to '64.18.7.10:25'...
- Simple Client Mode:
220 Postini ESMTP 26 r5_2_4c1 ready. CA Business and Professions Code
Section 17538.45 forbids use of this system for unsolicited electronic
mail advertisements.
EHLO man
250-Postini says hello back
250-STARTTLS
250-8BITMIME
250 HELP
STARTTLS
220 Go ahead
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 1 certificates.
- Certificate[0] info:
# The hostname in the certificate does NOT match
# 'postini.com.s8b2.psmtp.com'.
[...]
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL
ehlo man
250-Postini says hello back
250-8BITMIME
250 HELP
quit
221 Catch you later
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.
porridge@melina11:~$
Similarly with OpenSSL:
porridge@melina11:~$ openssl s_client -host postini.com.s8b2.psmtp.com. -port 25 -starttls smtp
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 1273 bytes and written 350 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 918B63D414F2B3B1C9E5EBE0B88B6DF7840FD70D18CFD986C947E08A5C813FE8D03E237B5EEA5B0F7B97EDB7D9BE7860
Key-Arg : None
Start Time: 1103282157
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
220 Postini ESMTP 23 y5_2_4c1 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.
quit
221 Catch you later
read:errno=0
porridge@melina11:~$
Note the last line with "errno=0". When connecting to my exim server, the last line is simply:
closed
I think that recently there was a fix in exim for such remote host behaviour...
Marcin
--
Marcin Owsiany
porridge@???
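An added example (not from the original post, nor from the exim or Postini projects): a small Python helper that pulls the two facts that matter out of an `openssl s_client -starttls smtp` transcript like the one above: whether the certificate name actually covers the host you connected to (a `*.psmtp.com` wildcard covers exactly one DNS label, so it cannot match `postini.com.s8b2.psmtp.com`, which is why both clients report the mismatch), and whether the session ended with a TLS close_notify (`closed`) or was simply cut off (`read:errno=0`). The transcript it parses is a constructed excerpt modelled on the output shown above.

```python
import re

# Constructed excerpt modelled on the s_client session quoted in the post (not a real capture).
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
verify error:num=21:unable to verify the first certificate
verify return:1
subject=/C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
Verify return code: 21 (unable to verify the first certificate)
220 Postini ESMTP 23 y5_2_4c1 ready.
quit
221 Catch you later
read:errno=0
"""


def wildcard_match(pattern, hostname):
    """Match a certificate name the way TLS clients do: a leading '*' stands for
    exactly one DNS label and never spans a dot (RFC 2818 / RFC 6125 rules)."""
    pattern, hostname = pattern.lower().rstrip('.'), hostname.lower().rstrip('.')
    if not pattern.startswith('*.'):
        return pattern == hostname
    p_labels, h_labels = pattern.split('.'), hostname.split('.')
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def analyse_s_client(transcript, connected_host):
    """Extract the certificate CN, the verify result and the shutdown style
    from an `openssl s_client` transcript; connected_host is the name dialled."""
    cn = re.search(r'^subject=.*?/CN=([^/\n]+)', transcript, re.M)
    code = re.search(r'^Verify return code: (\d+) \((.*)\)', transcript, re.M)
    last = transcript.rstrip('\n').splitlines()[-1]
    return {
        'cn': cn.group(1) if cn else None,
        'name_matches': bool(cn) and wildcard_match(cn.group(1), connected_host),
        'verify_code': int(code.group(1)) if code else None,
        'verify_msg': code.group(2) if code else None,
        # 'closed' means the peer sent close_notify before dropping the TCP stream;
        # 'read:errno=0' means the stream ended without one (a TLS truncation).
        'clean_shutdown': last == 'closed',
    }


if __name__ == '__main__':
    print(analyse_s_client(SAMPLE_TRANSCRIPT, 'postini.com.s8b2.psmtp.com'))
```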