
We use Postfix 2.9.4 and OpenSSL 0.9.8j-fips 07 Jan 2009 (SLES11 SP4).

We get this error message while sending mail to a specific recipient:

error:1408D13A:SSL routines:SSL3_GET_KEY_EXCHANGE:unable to find ecdh parameters:s3_clnt.c:1336

Reading the code in s3_clnt.c for our OpenSSL version, it says in a comment:

For now we only support named (not generic) curve and the ECParameters in this case is just three bytes.

Analyzing the code, this is either not a named curve type or the parameter is out of range.

My question is: How do I teach our SMTP client (or else the receiving server) to omit this cipher/cipher suite or parameter set?

Ronald

4 Answers


TLS Policy Per Domain

You can use the Postfix TLS Policy Map to create a list of domains and what TLS policies apply to them.

You can also change your global smtp and smtpd options in postfix to limit what ciphers may or must be used.

Another option in this case would be to specify what ciphers to use as seen in TLS Forward Secrecy in Postfix and perhaps just use strong.

    smtpd_tls_eecdh_grade = strong | ultra

Here is an example /etc/postfix/tls_policy:

.google.com     secure match=.google.com:.gmail.com protocols=TLSv1 ciphers=high
.paypal.com     secure match=.paypal.com protocols=TLSv1 ciphers=high
.example.tld    ciphers=medium
.blizzard.com   may

Then create the map with:

postmap tls_policy

In /etc/postfix/main.cf you would need:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

In /etc/postfix/main.cf you might try excluding ciphers with smtpd_tls_exclude_ciphers and smtpd_tls_mandatory_exclude_ciphers and/or set smtpd_tls_eecdh_grade = strong

If adjusting the cipher exclusions or setting a tls_policy does not help, then you may want to consider updating openssl and postfix.

Aaron
  • Yes, an example for individual configuration for only this recipient would be useful. – Ronald Feb 02 '17 at 19:11
  • I already experimented with those parameters. tls_policy is a known mechanism to me. What I did not find is how to exclude discrete ciphers (e.g. ECDHE-RSA-AES256-SHA or all ECDH) from the list of allowed ciphers for a specific recipient. It only doesn't work for this one. – Ronald Feb 03 '17 at 13:59
  • Upgrading openssl is not an option, because this is a maintained distribution. Upgrading the distribution would be an option, but not very soon... – Ronald Feb 03 '17 at 14:01

Solution for defining a specific cipher list for only one recipient:

master.cf: smtp2 unix - - n - - smtp -o tls_high_cipherlist=!ECDH:...(some more)

transport_map: <domain> smtp2:<domain> (second domain omittable?)

tls_policy_map: <domain> verify match=hostname ciphers=high

This omits the problematic ECDH algorithms and worked in this scenario.

Ronald
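As an added check, not part of any answer here: before putting a cipher string like the `!ECDH:...` one above into `tls_high_cipherlist`, it is worth resolving it with the OpenSSL build Postfix is linked against and confirming that no suite with ECDH key exchange survives. The POSIX shell function below does that with `openssl ciphers -v`, looking at the `Kx=` column. It assumes the `openssl` binary on the path is that same build; this matters because the aliases differ between releases (0.9.8 and 1.0.x treat `kECDH` as fixed ECDH only and `ECDH` as fixed plus ephemeral, while 1.1.0 dropped fixed ECDH altogether). The two cipher strings are constructed from Postfix's default `tls_high_cipherlist`.

```shell
#!/bin/sh
# Added example: resolve a cipher string with the local OpenSSL and report
# whether any suite using ECDH key exchange is still in the list.
# Exit status: 0 = no ECDH key exchange left, 1 = some remains,
#              2 = openssl not installed, 3 = cipher string rejected by OpenSSL.
ecdh_free() {
    spec=$1
    command -v openssl >/dev/null 2>&1 || return 2
    # "openssl ciphers -v" prints one line per suite with a "Kx=<method>" column
    list=$(openssl ciphers -v "$spec" 2>/dev/null) || {
        echo "OpenSSL rejected cipher string: $spec" >&2
        return 3
    }
    total=$(printf '%s\n' "$list" | wc -l | tr -d ' ')
    # Match "Kx=ECDH" (ephemeral) and "Kx=ECDH/RSA", "Kx=ECDH/ECDSA" (fixed ECDH
    # on old OpenSSL), but not "Kx=ECDHEPSK", which !ECDH does not remove.
    ecdh=$(printf '%s\n' "$list" | grep -c 'Kx=ECDH[ /]' || true)
    echo "$spec -> $total suites, $ecdh with ECDH key exchange"
    [ "$ecdh" -eq 0 ]
}

# Constructed cipher strings: Postfix's default tls_high_cipherlist, and the
# same list with every ECDH key-exchange suite excluded.
for spec in 'aNULL:-aNULL:HIGH:@STRENGTH' 'aNULL:-aNULL:HIGH:!ECDH:@STRENGTH'; do
    if ecdh_free "$spec"; then
        echo "  usable for a peer that cannot handle the ECDH ServerKeyExchange"
    else
        echo "  still offers ECDH key exchange (or openssl is unavailable)"
    fi
done
```

The same function can be pointed at the `tls_medium_cipherlist` or at a per-transport `-o tls_high_cipherlist=...` value; the `-v` listing also shows which non-ECDH suites (DHE, plain RSA) remain, so you can see what the recipient will actually be offered after the exclusion.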

You can use a postfix transport map to route mail for specific destinations via another service defined in master.cf. There you should be able to use the usual postfix configuration options for TLS to enable/disable ciphers.

allo
  • Could you give an example for this specific service (how to define in transport map and master.cf), please? – Ronald Feb 03 '17 at 13:57
  • Hi, I found it out myself ;-) – Ronald Feb 03 '17 at 14:46
  • master.cf: smtp2 unix - - n - - smtp -o tls_high_cipherlist=!ECDH:...
    transport_map: <domain> smtp2:<domain> # (second domain omittable?)
    tls_policy_map: <domain> verify match=hostname ciphers=high
    – Ronald Feb 03 '17 at 14:49
  • I think the other two answers have all needed details. I currently do not have such a setup, so I would need to test more before giving a detailed answer. – allo Feb 04 '17 at 14:38

An easier way to solve this (instead of introducing a new master.cf entry for smtp) is to use tls_policy map and set

tls_policy:  <domain>    verify match=<hostname> exclude=kECDH

That's it.

If you do not have tls_policy (in an older version of postfix) you might use the parameter

-o smtp_tls_mandatory_exclude_ciphers=kECDH

in the master.cf entry for this domain.

Thanks to all contributors who led me the right way to find this out ;-)

Ronald
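An added helper, not from any of the answers: Postfix logs a warning and treats the policy as invalid when a tls_policy line carries an attribute name it does not know, so a quick lint of the source file before `postmap` catches that class of mistake. The POSIX shell function below checks the security level in column two and every `name=value` attribute that follows against the names Postfix documents for `smtp_tls_policy_maps` (`match`, `ciphers`, `protocols`, `exclude`, plus `servername`, `tafile` and `connection_reuse`, which only newer Postfix releases accept; trim the list for 2.9 if you prefer). The two policy files are constructed samples; the second deliberately uses `hostname=` where `match=` is meant, and an undefined level name.

```shell
#!/bin/sh
# Added example: lint a Postfix smtp_tls_policy_maps source file before postmap.
# Reads the file given as $1, or stdin when no argument is given.
# Exit status: 0 = every line is well formed, 1 = at least one problem reported.
lint_tls_policy() {
    awk '
    BEGIN {
        # security levels accepted in the second column (newer levels included)
        split("none may encrypt dane dane-only fingerprint verify secure", lv, " ")
        for (i in lv) level[lv[i]] = 1
        # attribute names Postfix documents for the policy table
        split("match ciphers protocols exclude servername tafile connection_reuse", at, " ")
        for (i in at) attr[at[i]] = 1
        bad = 0
    }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        dest = $1; lvl = $2
        if (!(lvl in level)) {
            printf "line %d: unknown TLS level \"%s\" for %s\n", NR, lvl, dest
            bad++
        }
        for (i = 3; i <= NF; i++) {         # each remaining field must be name=value
            split($i, kv, "=")
            if ($i !~ /=/ || !(kv[1] in attr)) {
                printf "line %d: unknown attribute \"%s\" for %s\n", NR, $i, dest
                bad++
            }
        }
    }
    END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample: exclude ECDH key exchange for the one problem domain only
GOOD='# one recipient that cannot handle the ECDH ServerKeyExchange
example.net     verify match=mail.example.net exclude=kECDH
.example.org    may'

# Constructed sample with two mistakes: hostname= is not an attribute (use match=),
# and "strong" is a cipher grade, not a security level
BAD='example.net     verify hostname=mail.example.net exclude=kECDH
example.com     strong'

printf '%s\n' "$GOOD" | lint_tls_policy && echo "good policy: no problems found"
printf '%s\n' "$BAD"  | lint_tls_policy || echo "bad policy: fix before running postmap"
```

Run it as `lint_tls_policy /etc/postfix/tls_policy && postmap /etc/postfix/tls_policy` so the map is only rebuilt when the source passes; the lint does not validate lookup keys or attribute values, which Postfix itself checks at lookup time.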