Re: [exim] PostINI and TLS - SMTP Transport errors

Top Pagina
Delete this message
Reply to this message
Auteur: Marcin Owsiany
Datum:  
Aan: exim-users
Onderwerp: Re: [exim] PostINI and TLS - SMTP Transport errors
On Thu, Dec 16, 2004 at 10:20:53PM -0500, Dean Brooks wrote:
> On Thu, Dec 16, 2004 at 09:04:25PM -0600, Barry Pederson wrote:
>
> > There's a press release on Postini's website dated the 13th:
> >
> > "Postini Unveils World’s Largest Encrypted Email Network; Builds TLS
> > Encryption Support Into Managed Service Offering"
> >
> >      http://postini.com/news_events/pr/pr121304.php

> >
> > I wonder if they botched something with this new rollout.
>
> They did indeed appear to botch something.


GNUTLS:

porridge@melina11:~$ gnutls-cli postini.com.s8b2.psmtp.com -p 25 -s
Resolving 'postini.com.s8b2.psmtp.com'...
Connecting to '64.18.7.10:25'...

- Simple Client Mode:

220 Postini ESMTP 26 r5_2_4c1 ready. CA Business and Professions Code
Section 17538.45 forbids use of this system for unsolicited electronic
mail advertisements.
EHLO man
250-Postini says hello back
250-STARTTLS
250-8BITMIME
250 HELP
STARTTLS
220 Go ahead
*** Starting TLS handshake
- Certificate type: X.509
- Got a certificate list of 1 certificates.

- Certificate[0] info:
# The hostname in the certificate does NOT match
# 'postini.com.s8b2.psmtp.com'.
[...]
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS 1.0
- Key Exchange: RSA
- Cipher: AES 256 CBC
- MAC: SHA
- Compression: NULL

ehlo man
250-Postini says hello back
250-8BITMIME
250 HELP
quit
221 Catch you later
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.
porridge@melina11:~$

Similarily with OpenSSL:

porridge@melina11:~$ openssl s_client -host postini.com.s8b2.psmtp.com. -port 25 -starttls smtp
CONNECTED(00000003)
depth=0 /C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
   i:/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Redwood City/O=Postini, Inc./OU=PSMTP/CN=*.psmtp.com
issuer=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
---
No client certificate CA names sent
---
SSL handshake has read 1273 bytes and written 350 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: 918B63D414F2B3B1C9E5EBE0B88B6DF7840FD70D18CFD986C947E08A5C813FE8D03E237B5EEA5B0F7B97EDB7D9BE7860
    Key-Arg   : None
    Start Time: 1103282157
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
220 Postini ESMTP 23 y5_2_4c1 ready.  CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.
quit
221 Catch you later
read:errno=0
porridge@melina11:~$


Note the last line with "errno=0". When connecting to my exim server, the last line is simply:

closed


I think that recently there was a fix in exim for such remote host behaviour...

Marcin
--
Marcin Owsiany
porridge@???