Join Log in
Score:0
avatar Server

What are the correct Postfix settings to enable legacy TLS v1.0 connections from an aging Windows XP box?

in flag
Jon Cage

I have an aging WinXP Embedded SP3 box (don't judge; We're in the process of deprecating it) which need to send email for status updates etc.

This used to use GMail but they're going to turn off support for insecure apps soon so we need a work around to resolve the issue in the short term. To that end, I've set up a ubuntu-linux-based postfix (v3.4.13) server and have tried to configure it to allow TLS v1.0 connections.

On newer (Windows 10 based machines) running the exact same client, they're able to successfully connect in and send email. For some reason though, the XP machine errors out.

Is there a setting I need to alter in postfix to allow these aged connections?

Failed connection example (postfix logs):

Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: initializing the server-side TLS engine
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: connect from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: setting up TLS connection from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: unknown[62.232.130.246]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:before SSL initialization
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A3] (5 bytes => 5 (0x5))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 16 03 01 00 41                                   ....A
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A8] (65 bytes => 65 (0x41))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 01 00 00 3d 03 01 62 3c|93 7a a3 47 25 d5 46 cd  ...=..b< .z.G%.F.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0010 b6 ca 43 77 7c 91 23 47|60 f7 bb 1a 88 04 81 62  ..Cw|.#G `......b
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0020 07 e3 ac 35 20 1f 00 00|16 00 04 00 05 00 0a 00  ...5 ... ........
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0030 09 00 64 00 62 00 03 00|06 00 13 00 12 00 63 01  ..d.b... ......c.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0040 - <SPACES/NULLS>
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:before SSL initialization
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: write to 558F3C6A5600 [558F3C6B4750] (7 bytes => 7 (0x7))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 15 03 01 00 02 02 28                             ......(
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL3 alert write:fatal:handshake failure
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:error in error
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept error from unknown[62.232.130.246]: -1
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: lost connection after STARTTLS from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: disconnect from unknown[62.232.130.246] ehlo=1 starttls=0/1 commands=1/2

Successful connection from a win-10 machine (binary sequences cut short for brevity):

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: initializing the server-side TLS engine
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: connect from unknown[62.232.130.246]
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: setting up TLS connection from unknown[62.232.130.246]
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: unknown[62.232.130.246]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:before SSL initialization
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 7a                                   ....z
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (122 bytes => 122 (0x7A))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 01 00 00 76 03 01 62 3c|92 0b e0 5b 1a 7f 9e 24  ...v..b< ...[...$

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0070 00 00 17 00 00 ff 01 00|01                       ........ .
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0079 - <SPACES/NULLS>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:before SSL initialization
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read client hello
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server hello
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (4096 bytes => 4096 (0x1000))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 41 02 00 00|3d 03 01 4d d2 77 f9 9c  ....A... =..M.w..

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0ff0 e9 ec e3 86 00 de 9d 10|e3 38 fa a4 7d b1 d8 e8  ........ .8..}...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write certificate
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write key exchange
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (330 bytes => 330 (0x14A))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 49 82 84 06 9b 2b e8 6b|4f 01 0c 38 77 2e f9 dd  I....+.k O..8w...

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0130 bb bf c2 b5 eb 25 5e 18|74 6e ca ad 10 ee 91 51  .....%^. tn.....Q
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0140 2f 16 03 01 00 04 0e                             /......
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0147 - <SPACES/NULLS>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server done
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 25                                   ....%
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (37 bytes => 37 (0x25))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 10 00 00 21 20 01 8c 9c|11 84 58 2d d6 b3 77 7c  ...! ... ..X-..w|
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0010 5c d0 87 bd 98 e7 0e a1|dd 10 51 c8 27 98 e9 3e  \....... ..Q.'..>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0020 cb 64 24 7a 0a                                   .d$z.
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server done
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 14 03 01 00 01                                   .....
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (1 bytes => 1 (0x1))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 01                                               .
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read client key exchange
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 30                                   ....0
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (48 bytes => 48 (0x30))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 a4 a1 7c 35 01 99 6f 54|16 81 3a 80 00 a4 2e 99  ..|5..oT ..:.....
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0010 b1 2a 95 89 f3 37 0e 96|21 25 06 cc c8 8b 57 4e  .*...7.. !%....WN
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0020 16 46 5f 54 0f 77 14 59|47 30 00 9e a5 6a b9 5f  .F_T.w.Y G0...j._
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read change cipher spec
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read finished
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: unknown[62.232.130.246]: Issuing session ticket, key expiration: 1648138531
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write session ticket
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write change cipher spec
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (250 bytes => 250 (0xFA))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 ba 04 00 00|b6 00 00 1c 20 00 b0 b0  ........ .... ...

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 00f0 db fc 56 30 de fc cf b4|70 68                    ..V0.... ph
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write finished
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: Anonymous TLS connection established from unknown[62.232.130.246]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 0 (0x0))
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: lost connection after STARTTLS from unknown[62.232.130.246]
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: disconnect from unknown[62.232.130.246] ehlo=1 starttls=1 commands=2
66
0 + 0
ssl
Score:2
dave_thompson_085 avatar Server
jp flag
dave_thompson_085

You don't say which version and build of OpenSSL (which determines the ciphersuites available, and also protocols although protocol isn't your problem here) or Ubuntu release (which effectively determines the above), but from the sourcefile in the error message it's clearly 1.1.0 or higher, and that normally doesn't support any of the ciphersuites offered by your XP3 client. If the client varies depending on the Windows it's running on, probably it's using schannel, and XP/S03 (even with SPs) didn't do any ciphers better than 3DES (confirmed in your ClientHello dump).

Easiest out would be if client can do clear-SMTP (no TLS) and you configure postfix to accept that; as long as this server is only used for that one lame client the security risk isn't much worse than that client already is. Failing that:

(I'm pretty sure) you can download the (OpenSSL) source package (i.e. as already patched/tweaked by Ubuntu) plus buildeps and buildtools, change the config step to add --enable-ssl-weak-ciphers, and rebuild and install; this should be compatible (and now support 3DES, included in MEDIUM), although personally I wouldn't chance it if anything important runs on the same system. Otherwise you either must build your own OpenSSL version and your own postfix using it, or assuming you are using implicit (465, not STARTTLS) put something (simple) in bewteen, like a back-to-back pair of stunnel built with a weakened version of OpenSSL, which is probably simpler.

OR just use a Ubuntu closer in age to XP, like 16.04 -- which I happen to have on WSL for testing, and has OpenSSL 1.0.2g-plus-patches which does support 3DES (and TLS1.0 -- all OpenSSL since before 0.9.8 does that). If you don't want to dedicate a system for this put it in a VM or docker or similar. Which incidentally might also help prevent it causing panic if your organization does network-wide scans for obsolete or vulnerable versions of things.

0 + 0
in flag
Jon Cage
It's running on `Ubuntu 20.04.4 LTS` and `OpenSSL 1.1.1f 31 Mar 2020` currently. Thanks for the suggestions - will take a look.
0
Reply
in flag
Jon Cage
Recompiling with `enable-ssl-weak-ciphers` nailed it. Thank you very much indeed for your help. Now to work on the plan to eliminate that machine altogether :-)
0
Reply
Score:0
XP_is_the_best avatar Server
za flag
XP_is_the_best

Not judging you. Fellow WinXP lover here.

The following will work for Outlook 2002, which is more than 20 years old, with postfix 3.5.17 (released 20 years later in 2022) and OpenSSL 1.1.1n (also 2022):

main.cf:

smtpd_tls_cert_file=... # your .pem file goes here
smtpd_tls_key_file=... # your .pem file goes here
smtpd_tls_security_level=may

smtp_tls_security_level = secure
# important:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
smtp_tls_mandatory_ciphers = high

smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

master.cf:

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  #-o smtpd_tls_security_level=encrypt
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  #-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o milter_macro_daemon_name=ORIGINATING

In master.cf above, what's commented out and their respective replacement values are important.

Hope this helps!

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.