What is the correct Postfix setup to allow legacy TLS v1.0 connections from an aging Windows XP machine?
I have an aging WinXP Embedded SP3 box (don't judge; we are deprecating it) that needs to send emails for status updates and the like.
This used to go through GMail, but they are shutting off support for less secure apps soon, so we need to work around it in the short term. To that end I set up an Ubuntu Linux based Postfix (v3.4.13) server and tried to configure it to allow TLS v1.0 connections.
On newer (Windows 10 based) PCs running exactly the same client, they are able to connect and send email successfully. But for some reason the XP machine errors out.
Are there settings I need to change in Postfix to allow these aging connections?
Example of a failed connection (Postfix log):
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: initializing the server-side TLS engine
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: connect from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: setting up TLS connection from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: unknown[62.232.130.246]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:before SSL initialization
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A3] (5 bytes => 5 (0x5))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 16 03 01 00 41 ....A
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A8] (65 bytes => 65 (0x41))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 01 00 00 3d 03 01 62 3c|93 7a a3 47 25 d5 46 cd ...=..b< .z.G%.F.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0010 b6 ca 43 77 7c 91 23 47|60 f7 bb 1a 88 04 81 62 ..Cw|.#G `......b
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0020 07 e3 ac 35 20 1f 00 00|16 00 04 00 05 00 0a 00 ...5 ... ........
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0030 09 00 64 00 62 00 03 00|06 00 13 00 12 00 63 01 ..d.b... ......c.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0040 - <SPACES/NULLS>
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:before SSL initialization
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: write to 558F3C6A5600 [558F3C6B4750] (7 bytes => 7 (0x7))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 15 03 01 00 02 02 28 ......(
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL3 alert write:fatal:handshake failure
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:error in error
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept error from unknown[62.232.130.246]: -1
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: lost connection after STARTTLS from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: disconnect from unknown[62.232.130.246] ehlo=1 starttls=0/1 commands=1/2
Successful connection from the Win 10 machine (binary sequences trimmed for brevity):
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: initializing the server-side TLS engine
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: connect from unknown[62.232.130.246]
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: setting up TLS connection from unknown[62.232.130.246]
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: unknown[62.232.130.246]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:before SSL initialization
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 7a ....z
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (122 bytes => 122 (0x7A))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 01 00 00 76 03 01 62 3c|92 0b e0 5b 1a 7f 9e 24 ...v..b< ...[...$
...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0070 00 00 17 00 00 ff 01 00|01 ........ .
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0079 - <SPACES/NULLS>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:before SSL initialization
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read client hello
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server hello
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (4096 bytes => 4096 (0x1000))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 41 02 00 00|3d 03 01 4d d2 77 f9 9c ....A... =..M.w..
...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0ff0 e9 ec e3 86 00 de 9d 10|e3 38 fa a4 7d b1 d8 e8 ........ .8..}...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write certificate
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write key exchange
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (330 bytes => 330 (0x14A))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 49 82 84 06 9b 2b e8 6b|4f 01 0c 38 77 2e f9 dd I....+.k O..8w...
...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0130 bb bf c2 b5 eb 25 5e 18|74 6e ca ad 10 ee 91 51 .....%^. tn.....Q
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0140 2f 16 03 01 00 04 0e /......
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0147 - <SPACES/NULLS>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server done
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 25 ....%
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (37 bytes => 37 (0x25))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 10 00 00 21 20 01 8c 9c|11 84 58 2d d6 b3 77 7c ...! ... ..X-..w|
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0010 5c d0 87 bd 98 e7 0e a1|dd 10 51 c8 27 98 e9 3e \....... ..Q.'..>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0020 cb 64 24 7a 0a .d$z.
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server done
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 14 03 01 00 01 .....
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (1 bytes => 1 (0x1))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 01 .
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read client key exchange
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 30 ....0
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (48 bytes => 48 (0x30))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 a4 a1 7c 35 01 99 6f 54|16 81 3a 80 00 a4 2e 99 ..|5..oT ..:.....
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0010 b1 2a 95 89 f3 37 0e 96|21 25 06 cc c8 8b 57 4e .*...7.. !%....WN
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0020 16 46 5f 54 0f 77 14 59|47 30 00 9e a5 6a b9 5f .F_T.w.Y G0...j._
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read change cipher spec
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read finished
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: unknown[62.232.130.246]: Issuing session ticket, key expiration: 1648138531
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write session ticket
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write change cipher spec
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (250 bytes => 250 (0xFA))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 ba 04 00 00|b6 00 00 1c 20 00 b0 b0 ........ ....
...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 00f0 db fc 56 30 de fc cf b4|70 68 ..V0....ph
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write finished
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: Anonymous TLS connection established from unknown[62.232.130.246]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 0 (0x0))
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: lost connection after STARTTLS from unknown[62.232.130.246]
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: disconnect from unknown[62.232.130.246] ehlo=1 starttls=1 commands=2
You didn't say the OpenSSL version and build (which determines the available cipher suites, and the protocols, though protocol isn't your problem) or the Ubuntu version (which effectively determines the former), but from the source file in the error message it is clearly 1.1.0 or later, which normally supports none of the cipher suites the XP3 client offers. If the client varies depending on the Windows it runs on, it probably uses schannel, and XP/S03 (even with SPs) don't do any cipher better than 3DES (confirmed in your ClientHello dump).
The simplest approach is if the client can do clear SMTP (no TLS) and you configure postfix to accept that; as long as that server is used only for that crappy client, the security risk isn't much worse than that client already is. Failing that:
(I'm fairly sure) you can download the (OpenSSL) source package (i.e. the one already patched/tweaked by Ubuntu) plus the build-deps and build tools, change the configure step to add --enable-ssl-weak-ciphers, then rebuild and install; that should be compatible (3DES is now supported and included in MEDIUM), though personally I wouldn't run anything important on the same system. Otherwise you either have to build your own version of OpenSSL and your own postfix against it, or, assuming you are using implicit TLS (465, not STARTTLS), put something (simple) in between, such as a back-to-back tunnel using a weakened build of OpenSSL, which may be simpler. Or just use an Ubuntu closer in age to XP, like 16.04; I happen to be testing on WSL and have OpenSSL 1.0.2g-plus-patches, which supports 3DES (and TLS1.0, which all OpenSSL from 0.9.8 on did). If you don't want to dedicate a system to this, put it in a VM or docker or similar. That may also help avoid setting off alarms if your organisation does network-wide scans for outdated or vulnerable versions of things.