I just installed OX and have an issue sending mails. I've disabled SSLv3 on my Postfix Server (Poodle Attack mitigation). Is it possible to prevent OX from using SSLv3?
Edit: I found out about property "com.openexchange.smtp.ssl.protocols" in file 'smtp.properties', but setting it to TLSv1 or TLSv1.2 doesn't solve my problem. Here is the relevant part of my postfix configuration:
I found the issue: The problem was the cipher suite... seems like my JAVA Engine on Debian 8.0 only supports SHA ciphers, which I had disabled in the Postfix configuration:
Any idea how to get stronger ciphers into OpenJDK on Debian 8?
Code:
Sep 26 11:06:44 twinkie postfix/submission/smtpd[27173]: connect from ox.petzsch.eu[78.46.88.52]
Sep 26 11:06:44 twinkie postfix/submission/smtpd[27173]: disconnect from ox.petzsch.eu[78.46.88.52]
Sep 26 11:06:45 twinkie postfix/submission/smtpd[27173]: connect from ox.petzsch.eu[78.46.88.52]
Sep 26 11:06:45 twinkie postfix/submission/smtpd[27173]: SSL_accept error from ox.petzsch.eu[78.46.88.52]: -1
Sep 26 11:06:45 twinkie postfix/submission/smtpd[27173]: warning: TLS library problem: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1349:
Sep 26 11:06:45 twinkie postfix/submission/smtpd[27173]: lost connection after STARTTLS from ox.petzsch.eu[78.46.88.52]
Sep 26 11:06:45 twinkie postfix/submission/smtpd[27173]: disconnect from ox.petzsch.eu[78.46.88.52]
Code:
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
# TLS Server
smtpd_tls_exclude_ciphers = RC4, aNULL, MD5, SHA
# TLS Client
smtp_tls_exclude_ciphers = RC4, aNULL, MD5, SHA
Code:
com.openexchange.exception.OXException: smtp-3015 Categories=USER_INPUT Message='The SMTP server twinkie.petzsch.eu cannot be accessed using a secure SSL connection for user markus@petzsch.eu. Please change configuration accordingly.' exceptionID=2081467534-16
com.openexchange.exception.locale: de_DE
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1989)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1096)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1342)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1369)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1353)
at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:598)
at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:525)
at com.sun.mail.smtp.SMTPTransport.startTLS(SMTPTransport.java:2058)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:709)
at javax.mail.Service.connect(Service.java:366)
at com.openexchange.smtp.AbstractSMTPTransport.connectTransport(AbstractSMTPTransport.java:601)
at com.openexchange.smtp.AbstractSMTPTransport.transport(AbstractSMTPTransport.java:716)
at com.openexchange.smtp.AbstractSMTPTransport.sendMimeMessage(AbstractSMTPTransport.java:1068)
at com.openexchange.smtp.AbstractSMTPTransport.sendMailMessage(AbstractSMTPTransport.java:923)
at com.openexchange.smtp.DefaultSMTPTransport.sendMailMessage(DefaultSMTPTransport.java:102)
at com.openexchange.mail.MailServletInterfaceImpl.sendMessages(MailServletInterfaceImpl.java:3190)
at com.openexchange.mail.json.actions.NewAction.performWithUploads(NewAction.java:434)
at com.openexchange.mail.json.actions.NewAction.perform(NewAction.java:184)
at com.openexchange.mail.json.actions.AbstractMailAction.perform(AbstractMailAction.java:226)
at com.openexchange.ajax.requesthandler.DefaultDispatcher.doCallAction(DefaultDispatcher.java:292)
at com.openexchange.ajax.requesthandler.DefaultDispatcher.callAction(DefaultDispatcher.java:268)
at com.openexchange.ajax.requesthandler.DefaultDispatcher.perform(DefaultDispatcher.java:209)
at com.openexchange.ajax.requesthandler.DispatcherServlet.handle(DispatcherServlet.java:452)
at com.openexchange.ajax.requesthandler.DispatcherServlet.doPost(DispatcherServlet.java:376)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at com.openexchange.ajax.AJAXServlet.doService(AJAXServlet.java:544)
at com.openexchange.ajax.SessionServlet.doService(SessionServlet.java:184)
at com.openexchange.ajax.requesthandler.DispatcherServlet.service(DispatcherServlet.java:266)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at com.openexchange.http.grizzly.service.http.OSGiServletHandler$FilterChainImpl.doFilter(OSGiServletHandler.java:445)
at com.openexchange.http.grizzly.servletfilter.RequestReportingFilter.doFilter(RequestReportingFilter.java:135)
at com.openexchange.http.grizzly.service.http.OSGiServletHandler$FilterChainImpl.doFilter(OSGiServletHandler.java:435)
at com.openexchange.http.grizzly.servletfilter.WrappingFilter.doFilter(WrappingFilter.java:206)
at com.openexchange.http.grizzly.service.http.OSGiServletHandler$FilterChainImpl.doFilter(OSGiServletHandler.java:435)
at com.openexchange.http.grizzly.service.http.OSGiAuthFilter.doFilter(OSGiAuthFilter.java:140)
at com.openexchange.http.grizzly.service.http.OSGiServletHandler$FilterChainImpl.doFilter(OSGiServletHandler.java:435)
at com.openexchange.http.grizzly.service.http.OSGiServletHandler$FilterChainImpl.invokeFilterChain(OSGiServletHandler.java:413)
at org.glassfish.grizzly.servlet.ServletHandler.doServletService(ServletHandler.java:252)
at org.glassfish.grizzly.servlet.ServletHandler.service(ServletHandler.java:194)
at com.openexchange.http.grizzly.service.http.OSGiMainHandler.service(OSGiMainHandler.java:232)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:164)
at org.glassfish.grizzly.http.server.HttpHandlerChain.service(HttpHandlerChain.java:196)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:164)
at org.glassfish.grizzly.http.server.OXHttpServerFilter.handleRead(OXHttpServerFilter.java:363)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:265)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:200)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:134)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:78)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:770)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$MDCProvidingRunnable.run(CustomThreadPoolExecutor.java:2509)
at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.runTask(CustomThreadPoolExecutor.java:821)
at com.openexchange.threadpool.internal.CustomThreadPoolExecutor$Worker.run(CustomThreadPoolExecutor.java:848)
at java.lang.Thread.run(Thread.java:745)
from: http://localhost:8009/stats/diagnost...m=ciphersuites
Code:
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_RSA_WITH_AES_256_CBC_SHA
* TLS_DHE_DSS_WITH_AES_256_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* TLS_DHE_DSS_WITH_AES_128_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_RSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
* TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
* TLS_EMPTY_RENEGOTIATION_INFO_SCSV
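
Why the handshake ends in "no shared cipher", as an added example that is not part of the original post: it applies the exclusion keywords from the Postfix configuration above to suite names from the diagnostic list. The keyword-to-name matching, the function names and the two extra suites marked as constructed are assumptions of this sketch.

```python
import re

# Simplified model (assumption): each OpenSSL exclusion keyword is matched
# against the components of a JSSE/IANA suite name. It ignores certificate
# type and protocol version, which also limit what a real server accepts.
EXCLUDE_RULES = {
    "RC4": lambda parts: "RC4" in parts,
    "MD5": lambda parts: parts[-1] == "MD5",
    "SHA": lambda parts: parts[-1] == "SHA",  # SHA-1 MAC; not SHA256/SHA384
    "aNULL": lambda parts: "anon" in parts,
}

def parse_exclusions(value):
    """Split a Postfix *_tls_exclude_ciphers value (commas and/or spaces)."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]

def filter_offer(offered, exclude_value):
    """Return (kept, rejected): suites the exclusions leave, and why others go."""
    tokens = parse_exclusions(exclude_value)
    unknown = [t for t in tokens if t not in EXCLUDE_RULES]
    if unknown:
        raise ValueError("keyword not modelled here: %s" % ", ".join(unknown))
    kept, rejected = [], {}
    for name in offered:
        if name.endswith("_SCSV"):  # signalling value, not a real cipher suite
            continue
        parts = name.split("_")
        hits = [t for t in tokens if EXCLUDE_RULES[t](parts)]
        if hits:
            rejected[name] = hits
        else:
            kept.append(name)
    return kept, rejected

# Subset of the suite list reported on the page.
PAGE_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
]
# Constructed for contrast: suites without a SHA-1 MAC, not from the page.
CONSTRUCTED_OFFER = PAGE_OFFER + ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                                  "TLS_RSA_WITH_AES_128_CBC_SHA256"]

if __name__ == "__main__":
    for label, offer in (("page", PAGE_OFFER), ("constructed", CONSTRUCTED_OFFER)):
        for excl in ("RC4, aNULL, MD5, SHA", "RC4, aNULL, MD5"):
            kept, _ = filter_offer(offer, excl)
            print("%-11s exclude=%-22s -> %d usable" % (label, excl, len(kept)))
```

With the page's exclusions every offered suite is rejected by the `SHA` keyword, which is what the server logs as `no shared cipher`.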