Ubuntu

什麼是正確的 Postfix 設置以從老化的 Windows XP 機器啟用舊版 TLS v1.0 連接?

  • March 25, 2022

我有一個老化的 WinXP Embedded SP3 盒子(不要判斷;我們正在棄用它)需要發送電子郵件以獲取狀態更新等。

這曾經使用 GMail,但他們很快就會關閉對不安全應用程序的支持,因此我們需要在短期內解決這個問題。為此,我設置了一個基於 ubuntu-linux 的 postfix (v3.4.13) 伺服器,並嘗試將其配置為允許 TLS v1.0 連接。

在執行完全相同的客戶端的較新(基於 Windows 10 的電腦)上,他們能夠成功連接並發送電子郵件。但是由於某種原因,XP機器出錯了。

我需要在後綴中更改設置以允許這些老化的連接嗎?

失敗的連接範例(後綴日誌):

Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: initializing the server-side TLS engine
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: connect from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: setting up TLS connection from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: unknown[62.232.130.246]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:before SSL initialization
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A3] (5 bytes => 5 (0x5))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 16 03 01 00 41                                   ....A
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A8] (65 bytes => 65 (0x41))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 01 00 00 3d 03 01 62 3c|93 7a a3 47 25 d5 46 cd  ...=..b< .z.G%.F.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0010 b6 ca 43 77 7c 91 23 47|60 f7 bb 1a 88 04 81 62  ..Cw|.#G `......b
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0020 07 e3 ac 35 20 1f 00 00|16 00 04 00 05 00 0a 00  ...5 ... ........
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0030 09 00 64 00 62 00 03 00|06 00 13 00 12 00 63 01  ..d.b... ......c.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0040 - <SPACES/NULLS>
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:before SSL initialization
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: write to 558F3C6A5600 [558F3C6B4750] (7 bytes => 7 (0x7))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 15 03 01 00 02 02 28                             ......(
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL3 alert write:fatal:handshake failure
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:error in error
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept error from unknown[62.232.130.246]: -1
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: lost connection after STARTTLS from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: disconnect from unknown[62.232.130.246] ehlo=1 starttls=0/1 commands=1/2

從 win-10 機器成功連接(二進制序列為簡潔起見):

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: initializing the server-side TLS engine
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: connect from unknown[62.232.130.246]
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: setting up TLS connection from unknown[62.232.130.246]
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: unknown[62.232.130.246]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:before SSL initialization
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 7a                                   ....z
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (122 bytes => 122 (0x7A))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 01 00 00 76 03 01 62 3c|92 0b e0 5b 1a 7f 9e 24  ...v..b< ...[...$

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0070 00 00 17 00 00 ff 01 00|01                       ........ .
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0079 - <SPACES/NULLS>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:before SSL initialization
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read client hello
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server hello
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (4096 bytes => 4096 (0x1000))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 41 02 00 00|3d 03 01 4d d2 77 f9 9c  ....A... =..M.w..

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0ff0 e9 ec e3 86 00 de 9d 10|e3 38 fa a4 7d b1 d8 e8  ........ .8..}...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write certificate
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write key exchange
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (330 bytes => 330 (0x14A))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 49 82 84 06 9b 2b e8 6b|4f 01 0c 38 77 2e f9 dd  I....+.k O..8w...

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0130 bb bf c2 b5 eb 25 5e 18|74 6e ca ad 10 ee 91 51  .....%^. tn.....Q
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0140 2f 16 03 01 00 04 0e                             /......
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0147 - <SPACES/NULLS>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server done
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 25                                   ....%
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (37 bytes => 37 (0x25))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 10 00 00 21 20 01 8c 9c|11 84 58 2d d6 b3 77 7c  ...! ... ..X-..w|
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0010 5c d0 87 bd 98 e7 0e a1|dd 10 51 c8 27 98 e9 3e  \....... ..Q.'..>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0020 cb 64 24 7a 0a                                   .d$z.
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server done
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 14 03 01 00 01                                   .....
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (1 bytes => 1 (0x1))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 01                                               .
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read client key exchange
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 30                                   ....0
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (48 bytes => 48 (0x30))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 a4 a1 7c 35 01 99 6f 54|16 81 3a 80 00 a4 2e 99  ..|5..oT ..:.....
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0010 b1 2a 95 89 f3 37 0e 96|21 25 06 cc c8 8b 57 4e  .*...7.. !%....WN
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0020 16 46 5f 54 0f 77 14 59|47 30 00 9e a5 6a b9 5f  .F_T.w.Y G0...j._
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read change cipher spec
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read finished
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: unknown[62.232.130.246]: Issuing session ticket, key expiration: 1648138531
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write session ticket
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write change cipher spec
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (250 bytes => 250 (0xFA))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 ba 04 00 00|b6 00 00 1c 20 00 b0 b0  ........ .... ...

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 00f0 db fc 56 30 de fc cf b4|70 68                    ..V0.... ph
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write finished
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: Anonymous TLS connection established from unknown[62.232.130.246]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 0 (0x0))
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: lost connection after STARTTLS from unknown[62.232.130.246]
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: disconnect from unknown[62.232.130.246] ehlo=1 starttls=1 commands=2

你沒有說 OpenSSL 的版本和建構(它決定了可用的密碼套件,以及協議,儘管協議不是你的問題)或 Ubuntu 版本(它有效地決定了上述內容),但是從錯誤消息中的源文件中它是顯然是 1.1.0 或更高版本,通常不支持 XP3 客戶端提供的任何密碼套件。如果客戶端根據其執行的 Windows 而有所不同,則可能它使用的是 schannel,並且 XP/S03(即使使用 SP)沒有做任何比 3DES 更好的密碼(在您的 ClientHello 轉儲中確認)。

最簡單的方法是客戶端可以執行 clear-SMTP(無 TLS)並且您將 postfix 配置為接受它;只要該伺服器僅用於那個蹩腳的客戶端,安全風險就不會比該客戶端已經糟糕得多。做不到這一點:

(我很確定)您可以下載(OpenSSL)源包(即已經由 Ubuntu 修補/調整的)加上 buildeps 和 buildtools,將配置步驟更改為 add --enable-ssl-weak-ciphers,然後重新建構和安裝;這應該是兼容的(現在支持 3DES,包含在 MEDIUM 中),儘管我個人不會在同一系統上執行任何重要的東西。否則,您要麼必須使用它建構自己的 OpenSSL 版本自己的後綴,要麼假設您使用的是隱式(465,而不是 STARTTLS),在 bewteen 中放置一些(簡單的)內容,例如使用弱化建構的背靠背隧道對OpenSSL 的版本,這可能更簡單。

或者只是使用更接近 XP 的 Ubuntu,比如 16.04——我碰巧在 WSL 上進行測試,並且有 OpenSSL 1.0.2g-plus-patches,它支持 3DES(和 TLS1.0——從以前開始的所有 OpenSSL 0.9.8 做到了)。如果您不想為此專用一個系統,請將其放在 VM 或 docker 或類似設備中。如果您的組織對過時或易受攻擊的事物版本進行網路範圍的掃描,這也可能有助於防止引起恐慌。

引用自:https://serverfault.com/questions/1096958