从老化的 Windows XP 机器启用旧式 TLS v1.0 连接的正确 Postfix 设置是什么?

tag-icon tag-icon ubuntu ssl postfix
从老化的 Windows XP 机器启用旧式 TLS v1.0 连接的正确 Postfix 设置是什么?

我有一个老化的 WinXP Embedded SP3 盒子(不要评判;我们正在弃用它)需要发送电子邮件来获取状态更新等。

这曾经使用过 GMail,但他们很快就会关闭对不安全应用程序的支持,所以我们需要采取一些措施来在短期内解决这个问题。为此,我设置了一个基于 ubuntu-linux 的 postfix (v3.4.13) 服务器,并尝试将其配置为允许 TLS v1.0 连接。

在运行相同客户端的较新机器(基于 Windows 10 的机器)上,它们能够成功连接并发送电子邮件。但由于某种原因,XP 机器出现错误。

我是否需要在 Postfix 中更改某个设置以允许这些老化的连接?

连接失败示例(Postfix 日志):

Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: initializing the server-side TLS engine
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: connect from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: setting up TLS connection from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: unknown[62.232.130.246]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:before SSL initialization
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A3] (5 bytes => 5 (0x5))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 16 03 01 00 41                                   ....A
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A8] (65 bytes => 65 (0x41))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 01 00 00 3d 03 01 62 3c|93 7a a3 47 25 d5 46 cd  ...=..b< .z.G%.F.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0010 b6 ca 43 77 7c 91 23 47|60 f7 bb 1a 88 04 81 62  ..Cw|.#G `......b
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0020 07 e3 ac 35 20 1f 00 00|16 00 04 00 05 00 0a 00  ...5 ... ........
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0030 09 00 64 00 62 00 03 00|06 00 13 00 12 00 63 01  ..d.b... ......c.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0040 - <SPACES/NULLS>
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:before SSL initialization
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: write to 558F3C6A5600 [558F3C6B4750] (7 bytes => 7 (0x7))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 15 03 01 00 02 02 28                             ......(
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL3 alert write:fatal:handshake failure
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:error in error
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept error from unknown[62.232.130.246]: -1
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: lost connection after STARTTLS from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: disconnect from unknown[62.232.130.246] ehlo=1 starttls=0/1 commands=1/2

从 win-10 机器成功连接(为简洁起见,二进制序列缩短):

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: initializing the server-side TLS engine
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: connect from unknown[62.232.130.246]
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: setting up TLS connection from unknown[62.232.130.246]
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: unknown[62.232.130.246]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:before SSL initialization
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 7a                                   ....z
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (122 bytes => 122 (0x7A))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 01 00 00 76 03 01 62 3c|92 0b e0 5b 1a 7f 9e 24  ...v..b< ...[...$

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0070 00 00 17 00 00 ff 01 00|01                       ........ .
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0079 - <SPACES/NULLS>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:before SSL initialization
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read client hello
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server hello
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (4096 bytes => 4096 (0x1000))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 41 02 00 00|3d 03 01 4d d2 77 f9 9c  ....A... =..M.w..

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0ff0 e9 ec e3 86 00 de 9d 10|e3 38 fa a4 7d b1 d8 e8  ........ .8..}...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write certificate
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write key exchange
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (330 bytes => 330 (0x14A))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 49 82 84 06 9b 2b e8 6b|4f 01 0c 38 77 2e f9 dd  I....+.k O..8w...

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0130 bb bf c2 b5 eb 25 5e 18|74 6e ca ad 10 ee 91 51  .....%^. tn.....Q
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0140 2f 16 03 01 00 04 0e                             /......
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0147 - <SPACES/NULLS>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server done
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 25                                   ....%
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (37 bytes => 37 (0x25))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 10 00 00 21 20 01 8c 9c|11 84 58 2d d6 b3 77 7c  ...! ... ..X-..w|
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0010 5c d0 87 bd 98 e7 0e a1|dd 10 51 c8 27 98 e9 3e  \....... ..Q.'..>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0020 cb 64 24 7a 0a                                   .d$z.
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server done
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 14 03 01 00 01                                   .....
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (1 bytes => 1 (0x1))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 01                                               .
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read client key exchange
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 30                                   ....0
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (48 bytes => 48 (0x30))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 a4 a1 7c 35 01 99 6f 54|16 81 3a 80 00 a4 2e 99  ..|5..oT ..:.....
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0010 b1 2a 95 89 f3 37 0e 96|21 25 06 cc c8 8b 57 4e  .*...7.. !%....WN
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0020 16 46 5f 54 0f 77 14 59|47 30 00 9e a5 6a b9 5f  .F_T.w.Y G0...j._
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read change cipher spec
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read finished
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: unknown[62.232.130.246]: Issuing session ticket, key expiration: 1648138531
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write session ticket
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write change cipher spec
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (250 bytes => 250 (0xFA))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 ba 04 00 00|b6 00 00 1c 20 00 b0 b0  ........ .... ...

...

Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 00f0 db fc 56 30 de fc cf b4|70 68                    ..V0.... ph
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write finished
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: Anonymous TLS connection established from unknown[62.232.130.246]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 0 (0x0))
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: lost connection after STARTTLS from unknown[62.232.130.246]
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: disconnect from unknown[62.232.130.246] ehlo=1 starttls=1 commands=2

答案1

您没有说明 OpenSSL 的版本和内部版本(这决定了可用的密码套件,以及协议,尽管协议不是您的问题所在)或 Ubuntu 版本(这实际上决定了上述内容),但从错误消息中的源文件来看,它显然是 1.1.0 或更高版本,并且通常不支持您的 XP3 客户端提供的任何密码套件。如果客户端因运行的 Windows 而异,则可能是它使用了 schannel,而 XP/S03(即使有 SP)也没有比 3DES 更好的密码(在您的 ClientHello 转储中得到确认)。

最简单的解决方法是,如果客户端可以执行 clear-SMTP(无 TLS),并且您配置 postfix 以接受该操作;只要此服务器仅用于一个不可靠的客户端,安全风险就不会比该客户端本身更严重。如果做不到这一点:

(我很确定)你可以下载(OpenSSL)源包(即已经被 Ubuntu 修补/调整过的)加上 buildeps 和 buildtools,将配置步骤改为添加--enable-ssl-weak-ciphers,然后重建并安装;这样应该兼容(现在支持 3DES,包含在 MEDIUM 中),但如果有重要的东西在同一系统上运行,我个人不会冒险。否则,您必须构建自己的 OpenSSL 版本使用它来创建您自己的后缀,或者假设您正在使用隐式(465,而不是 STARTTLS)在其间放置一些(简单的)东西,比如用弱化版本的 OpenSSL 构建的背靠背 stunnel 对,这可能更简单。

或者只需使用更接近 XP 的 Ubuntu,例如 16.04——我碰巧在 WSL 上测试了它,并且有 OpenSSL 1.0.2g-plus-patches,它确实支持 3DES(和 TLS1.0——0.9.8 之前的所有 OpenSSL 都支持 3DES)。如果您不想为此专门设置一个系统,请将其放入 VM 或 docker 或类似设备中。顺便说一句,如果您的组织对过时或易受攻击的版本进行网络范围的扫描,这也可能有助于防止它引起恐慌。

答案2

不是在评判你。我也是 WinXP 爱好者。

以下内容适用于已有 20 多年历史的 Outlook 2002,其后缀为 3.5.17(20 年后的 2022 年发布)和 OpenSSL 1.1.1n(也是 2022 年):

主文件:

smtpd_tls_cert_file=... # your .pem file goes here
smtpd_tls_key_file=... # your .pem file goes here
smtpd_tls_security_level=may

smtp_tls_security_level = secure
# important:
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1.1
smtp_tls_mandatory_ciphers = high

smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

master.cf:

submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  #-o smtpd_tls_security_level=encrypt
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  #-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o milter_macro_daemon_name=ORIGINATING

在上面的 master.cf 中,注释掉的内容及其各自的替换值很重要。

希望这可以帮助!

相关内容