I have an ageing WinXP Embedded SP3 box (don't judge; we are retiring it) that needs to send e-mail for status updates and so on.
This used to go through GMail, but they will soon drop support for less secure apps, so we need to solve this in the short term. To that end I set up an Ubuntu-Linux-based postfix (v3.4.13) server and tried to configure it to allow TLS v1.0 connections.
On newer (Windows 10 based) machines running exactly the same client, they are able to connect and send e-mail successfully. But for some reason the XP machine errors out.
Do I need to change a setting in postfix to allow these ageing connections?
Example of a failing connection (postfix log):
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: initializing the server-side TLS engine
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: connect from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: setting up TLS connection from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: unknown[62.232.130.246]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:before SSL initialization
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A3] (5 bytes => 5 (0x5))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 16 03 01 00 41 ....A
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A8] (65 bytes => 65 (0x41))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 01 00 00 3d 03 01 62 3c|93 7a a3 47 25 d5 46 cd ...=..b< .z.G%.F.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0010 b6 ca 43 77 7c 91 23 47|60 f7 bb 1a 88 04 81 62 ..Cw|.#G `......b
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0020 07 e3 ac 35 20 1f 00 00|16 00 04 00 05 00 0a 00 ...5 ... ........
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0030 09 00 64 00 62 00 03 00|06 00 13 00 12 00 63 01 ..d.b... ......c.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0040 - <SPACES/NULLS>
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:before SSL initialization
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: write to 558F3C6A5600 [558F3C6B4750] (7 bytes => 7 (0x7))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 15 03 01 00 02 02 28 ......(
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL3 alert write:fatal:handshake failure
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept:error in error
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: SSL_accept error from unknown[62.232.130.246]: -1
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: lost connection after STARTTLS from unknown[62.232.130.246]
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: disconnect from unknown[62.232.130.246] ehlo=1 starttls=0/1 commands=1/2
Successful connection from the win-10 machine (binary sequences elided for brevity):
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: initializing the server-side TLS engine
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: connect from unknown[62.232.130.246]
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: setting up TLS connection from unknown[62.232.130.246]
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: unknown[62.232.130.246]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:before SSL initialization
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 7a ....z
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (122 bytes => 122 (0x7A))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 01 00 00 76 03 01 62 3c|92 0b e0 5b 1a 7f 9e 24 ...v..b< ...[...$
...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0070 00 00 17 00 00 ff 01 00|01 ........ .
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0079 - <SPACES/NULLS>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:before SSL initialization
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read client hello
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server hello
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (4096 bytes => 4096 (0x1000))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 41 02 00 00|3d 03 01 4d d2 77 f9 9c ....A... =..M.w..
...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0ff0 e9 ec e3 86 00 de 9d 10|e3 38 fa a4 7d b1 d8 e8 ........ .8..}...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write certificate
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write key exchange
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (330 bytes => 330 (0x14A))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 49 82 84 06 9b 2b e8 6b|4f 01 0c 38 77 2e f9 dd I....+.k O..8w...
...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0130 bb bf c2 b5 eb 25 5e 18|74 6e ca ad 10 ee 91 51 .....%^. tn.....Q
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0140 2f 16 03 01 00 04 0e /......
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0147 - <SPACES/NULLS>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server done
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 25 ....%
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (37 bytes => 37 (0x25))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 10 00 00 21 20 01 8c 9c|11 84 58 2d d6 b3 77 7c ...! ... ..X-..w|
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0010 5c d0 87 bd 98 e7 0e a1|dd 10 51 c8 27 98 e9 3e \....... ..Q.'..>
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0020 cb 64 24 7a 0a .d$z.
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write server done
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 14 03 01 00 01 .....
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (1 bytes => 1 (0x1))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 01 .
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read client key exchange
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 5 (0x5))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 30 ....0
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A8] (48 bytes => 48 (0x30))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 a4 a1 7c 35 01 99 6f 54|16 81 3a 80 00 a4 2e 99 ..|5..oT ..:.....
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0010 b1 2a 95 89 f3 37 0e 96|21 25 06 cc c8 8b 57 4e .*...7.. !%....WN
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0020 16 46 5f 54 0f 77 14 59|47 30 00 9e a5 6a b9 5f .F_T.w.Y G0...j._
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read change cipher spec
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS read finished
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: unknown[62.232.130.246]: Issuing session ticket, key expiration: 1648138531
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write session ticket
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write change cipher spec
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: write to 55CE58FD8490 [55CE59019750] (250 bytes => 250 (0xFA))
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 0000 16 03 01 00 ba 04 00 00|b6 00 00 1c 20 00 b0 b0 ........ .... ...
...
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: 00f0 db fc 56 30 de fc cf b4|70 68 ..V0.... ph
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: SSL_accept:SSLv3/TLS write finished
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: Anonymous TLS connection established from unknown[62.232.130.246]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Mar 24 15:45:32 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: read from 55CE58FD8490 [55CE590115A3] (5 bytes => 0 (0x0))
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: lost connection after STARTTLS from unknown[62.232.130.246]
Mar 24 15:45:33 smtp-relay postfix/smtpd[83924]: disconnect from unknown[62.232.130.246] ehlo=1 starttls=1 commands=2
You don't say the OpenSSL version and build (which determines the available ciphersuites, and the protocols, although protocol isn't your problem) or the Ubuntu version (which effectively determines the above), but from the source file in the error message it is clearly 1.1.0 or higher, which by default doesn't support any of the ciphersuites the XP3 client offers. If the client varies with the Windows it runs on, it is probably using schannel, and XP/S03 (even with SP) don't do any cipher better than 3DES (confirmed in your ClientHello dump).
The simplest approach is if the client can do clear-SMTP (no TLS) and you configure postfix to accept that; as long as that server is used only for that crappy client, the security risk is not much worse than that client already is. Failing that:
(I'm fairly sure) you can download the (OpenSSL) source package (i.e. the one already patched/tweaked by Ubuntu) plus builddeps and buildtools, change the configure step to add --enable-ssl-weak-ciphers, then rebuild and install; that should be compatible (now supporting 3DES, which is in MEDIUM), although I personally wouldn't run anything important on the same system. Otherwise you either have to build your own version of OpenSSL with it and your own postfix, or, assuming you're using implicit TLS (465, not STARTTLS), put something in between (simple), such as a back-to-back pair of the weakened OpenSSL build, which may be simpler. Or just use an Ubuntu closer in age to XP, like 16.04; I happen to be testing on WSL and have OpenSSL 1.0.2g plus patches, which supports 3DES (and TLS1.0; all OpenSSL since 0.9.8 did). If you don't want to dedicate a system to this, put it in a VM or docker or similar. If your organisation runs network-wide scans for outdated or vulnerable versions of things, that may also help to avoid raising alarms.
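As an added example (my own code, not from the question or the answer), here is a Python script that rebuilds the 65-byte ClientHello from the Postfix hex dump of the failing connection and lists the cipher suites it offers, so the "nothing better than 3DES" observation can be checked mechanically against the log rather than by eye. The suite-name table is the standard IANA list for the IDs that appear in the dump plus a few modern ones for contrast; the handling of the `<SPACES/NULLS>` line (padding the record with NUL bytes up to the length given on the "read from" line) is my reading of the dump format as shown above, not documented Postfix behaviour.

```python
"""Added example: decode the ClientHello that Postfix hex-dumped (smtpd TLS
debug logging) and list the cipher suites the client offered.  Not code
from the question or the answer."""
import re

# Log lines copied from the failing XP connection above.  The "read from"
# line carries the handshake length (65 bytes); the dump replaces the trailing
# NUL byte at offset 0x40 with "<SPACES/NULLS>", so it has to be padded back.
XP_CLIENT_HELLO_LOG = """\
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: read from 558F3C6A5600 [558F3C6AC5A8] (65 bytes => 65 (0x41))
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0000 01 00 00 3d 03 01 62 3c|93 7a a3 47 25 d5 46 cd ...=..b< .z.G%.F.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0010 b6 ca 43 77 7c 91 23 47|60 f7 bb 1a 88 04 81 62 ..Cw|.#G `......b
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0020 07 e3 ac 35 20 1f 00 00|16 00 04 00 05 00 0a 00 ...5 ... ........
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0030 09 00 64 00 62 00 03 00|06 00 13 00 12 00 63 01 ..d.b... ......c.
Mar 24 15:51:22 smtp-relay postfix/smtpd[83942]: 0040 - <SPACES/NULLS>
"""

# IANA names for the suite IDs seen in the XP dump, plus the AES suites a
# modern client would offer (0xC014 is the ECDHE-RSA-AES256-SHA the Win10
# client negotiated).  Anything else is reported by number.
SUITE_NAMES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0012: "TLS_DHE_DSS_WITH_DES_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x0062: "TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA",
    0x0063: "TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",
    0x0064: "TLS_RSA_EXPORT1024_WITH_RC4_56_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

# "(65 bytes => 65 (0x41))" -> declared record length.
LEN_RE = re.compile(r"\((\d+) bytes => -?\d+ \(0x[0-9A-Fa-f]+\)\)")
# "]: 0010 b6 ca 43 ...|60 f7 ..." -> offset and the hex column (pairs are
# separated by spaces or a '|'); the ASCII column that follows is ignored.
DUMP_RE = re.compile(r"\]: ([0-9a-f]{4}) ((?:[0-9a-f]{2}[ |])*[0-9a-f]{2})")


def hexdump_to_bytes(log_text):
    """Rebuild the record from the dump lines, padding with NULs up to the
    length announced on the 'read from' line (assumed dump convention)."""
    expected = None
    data = bytearray()
    for line in log_text.splitlines():
        m = LEN_RE.search(line)
        if m:
            expected = int(m.group(1))
            continue
        m = DUMP_RE.search(line)
        if m:
            if int(m.group(1), 16) != len(data):
                raise ValueError("dump lines out of order or missing")
            pairs = re.findall(r"[0-9a-f]{2}", m.group(2))[:16]  # 16 bytes/line
            data.extend(int(h, 16) for h in pairs)
    if expected is not None and len(data) < expected:
        data.extend(b"\x00" * (expected - len(data)))
    return bytes(data)


def parse_client_hello(rec):
    """Walk the ClientHello handshake body (RFC 5246 s7.4.1.2) and return the
    fields that matter for cipher negotiation."""
    if rec[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])          # (3, 1) == TLS 1.0
    pos = 2 + 32                          # skip client_random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big")
              for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    comp_len = body[pos]
    pos += 1 + comp_len
    return {"version": version, "session_id_len": sid_len,
            "suites": suites, "has_extensions": pos < len(body)}


def describe_suites(suites):
    return [SUITE_NAMES.get(s, "unknown_0x%04x" % s) for s in suites]


def bulk_ciphers(names):
    """Set of bulk ciphers named by the suites ('3DES' is checked before 'DES')."""
    found = set()
    for n in names:
        for tag in ("3DES", "AES", "RC4", "RC2", "DES"):
            if tag in n:
                found.add(tag)
                break
    return found


if __name__ == "__main__":
    hello = parse_client_hello(hexdump_to_bytes(XP_CLIENT_HELLO_LOG))
    print("version %d.%d, extensions: %s" % (*hello["version"], hello["has_extensions"]))
    for name in describe_suites(hello["suites"]):
        print("  ", name)
    print("bulk ciphers offered:", sorted(bulk_ciphers(describe_suites(hello["suites"]))))
```

Run as-is it prints TLS 1.0, eleven suites (RC4, single DES, 3DES and 40/56-bit export variants, no AES) and no extensions block; the Win10 dump above, by contrast, ends in an extensions block (the bytes after the compression method), which `has_extensions` would report. The same parser can be pointed at any smtpd dump of a failing handshake to see at a glance which suites the peer offers before changing the server's cipher policy.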