
We had a previous colleague set up webmin with postfix to allow SMS messages to be sent from application servers and from email.

He left under a dark cloud and never provided any hand over!

Recently we have updated our firewall to use TLS and higher encryption levels. We made changes on our public-facing systems with no issues at all! However, we have now been told that we are having issues with our SMS gateway. A web server, that sits in the DMZ on our ASA, performs SMS authentication where a user logs in, an SMS is generated from the system and sent via our SMS Gateway, which gets a login code to the user.

Since the firewall change, users are no longer receiving these text messages. After a bit of investigation it seemed our error was in relation to the CA not being listed in the TLS settings. Changing this brought us a new error, unknown CA. I created a new self-signed certificate, updated all of the correct settings, and am now receiving the following:

Mar 23 09:22:47 srvesms01 postfix/smtpd[14295]: connect from unknown[10.*.*.*]
Mar 23 09:22:53 srvesms01 postfix/smtpd[14083]: SSL_accept error from unknown[10.*.*.*]: -1
Mar 23 09:22:53 srvesms01 postfix/smtpd[14083]: warning: TLS library problem: 14083:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:
Mar 23 09:22:53 srvesms01 postfix/smtpd[14083]: lost connection after CONNECT from unknown[10.*.*.*]

The web server that is generating the SMS (10.*.*.*) is set up for TLS and has secure ciphers.

Can anyone please help me get to the bottom of this issue? This is all new to me so apologies for any silly questions!

Thanks

Diamond
Rich

1 Answer


It sounds like the underlying issue is a mismatch in SSL/TLS protocols supported.

On the face of it, it looks as if the client connecting to postfix (or SMTPD, specifically) is trying to use SSLv3.

It further seems as though SSLv3 is not supported - did your update include configuring only the use of TLS?

One way you can quickly check what your server supports (without going into the configuration) is to use openssl s_client:

  • openssl s_client -connect mail.server:25 -starttls smtp -ssl2
  • openssl s_client -connect mail.server:25 -starttls smtp -ssl3
  • openssl s_client -connect mail.server:25 -starttls smtp -tls1

You can then check both what your server supports, and whether any of these commands enable you to replicate the issue.

If need be, you can perform similar checks on the remote end.

One additional idea is to ensure you have suitable TLS settings in postfix:

  • pay attention to the value (in main.cf) of smtpd_tls_security_level
  • also check smtpd_tls_mandatory_ciphers, smtpd_tls_mandatory_protocols, and smtpd_tls_mandatory_exclude_ciphers
iwaseatenbyagrue
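As an added example (not code from the question or the answer), a Python script that does what the s_client list above does, pinning a single TLS version per STARTTLS attempt through the ssl module, plus a helper that joins each SSL_accept error to its "TLS library problem" line in smtpd logs like the ones in the question. mail.server and port 25 are placeholders, as in the answer.

```python
import re
import smtplib
import ssl
from collections import Counter
# Log lines copied from the question above (client IP masked as in the post).
SAMPLE_LOG = [
    "Mar 23 09:22:47 srvesms01 postfix/smtpd[14295]: connect from unknown[10.*.*.*]",
    "Mar 23 09:22:53 srvesms01 postfix/smtpd[14083]: SSL_accept error from unknown[10.*.*.*]: -1",
    "Mar 23 09:22:53 srvesms01 postfix/smtpd[14083]: warning: TLS library problem: 14083:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:",
    "Mar 23 09:22:53 srvesms01 postfix/smtpd[14083]: lost connection after CONNECT from unknown[10.*.*.*]",
]

ACCEPT_ERR = re.compile(r"smtpd\[(?P<pid>\d+)\]: SSL_accept error from \S+\[(?P<ip>[^\]]+)\]")
LIB_PROBLEM = re.compile(r"smtpd\[(?P<pid>\d+)\]: warning: TLS library problem: .*?SSL routines:(?P<func>[A-Z0-9_]+):(?P<reason>[^:]+):")

def tls_failures(log_lines):
    """Count failed handshakes per (client IP, OpenSSL reason string).
    The SSL_accept line and the warning that explains it share the smtpd pid,
    so the pid is used to join them; an unmatched warning is attributed to '?'."""
    ip_by_pid, counts = {}, Counter()
    for line in log_lines:
        m = ACCEPT_ERR.search(line)
        if m:
            ip_by_pid[m.group("pid")] = m.group("ip")
            continue
        m = LIB_PROBLEM.search(line)
        if m:
            counts[(ip_by_pid.get(m.group("pid"), "?"), m.group("reason"))] += 1
    return counts

def probe_starttls(host, port, version, timeout=10):
    """STARTTLS handshake pinned to one TLS version, the Python equivalent of
    `openssl s_client -starttls smtp -tls1_2`; returns the negotiated protocol
    name, or the error text when a handshake with that version fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # this probe tests protocol support, not trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version   # ValueError if the local library lacks it
        ctx.maximum_version = version
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.version()
    except (ValueError, smtplib.SMTPException, OSError) as exc:  # SSLError is an OSError
        return f"refused: {exc}"

if __name__ == "__main__":   # mail.server is a placeholder, as in the answer
    print(dict(tls_failures(SAMPLE_LOG)))
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(v.name, probe_starttls("mail.server", 25, v))
```

Run the probe from the SMS web server against the postfix host to see which versions the client side can actually complete, and run tls_failures over the server's mail log to see which clients and reason strings keep recurring.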