<div dir="ltr">Hi,<div><br></div><div>This is getting curiouser and curiouser. I decided to outsmart things, and put a stunnel infront of SMTP listening on 465, talking to 25. Genius, huh? Yea, not totally.</div><div><br></div><div>So I configured it to forward 465 to 25, started my openssl s_client and..... EXACT SAME ISSUES!!! What the bloody heck!? I even changed out the LetsEncrypt cert for a ZeroSSL one, same issue. </div><div><br></div><div>I'm running libssl.so.1.0.2k with Amazon patches.</div><div><br></div><div>Not sure where to go at this point..</div><div><br></div><div>Tuc</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 22, 2020 at 9:39 PM Scott Ellentuch <<a href="mailto:tuctboh@gmail.com">tuctboh@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><font color="#000000" face="arial, sans-serif">Hi,</font><div><span style="background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif"><br></font></span></div><div><span style="background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif">Thanks for the reply. These were the versions available on the OS I was using (Amazon Linux 1).</font></span></div><div><span style="background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif"><br></font></span></div><div><span style="background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif">I decided to move over to CentOS 7, postfix 2.10. <span style="font-variant-ligatures:no-common-ligatures">dovecot-2.2.36 and </span><span style="font-variant-ligatures:no-common-ligatures">cy</span><span style="font-variant-ligatures:no-common-ligatures">rus-sasl-lib-2.1.26 . I realize this isn't the absolute latest of everything, but again, the closest I could get with RPMs right now.</span></font></span></div><div><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif"><br></font></span></div><div><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif">And, exactly the same behaviour. 25/587 is fine. 25+STARTTLS/465 either RENEGOTIATES SSL or immediately says DONE</font></span></div><div><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif"><br></font></span></div><div><span style="background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif"><span style="font-variant-ligatures:no-common-ligatures">I also spun up Centos 8 which gave me postfix-3.3.1, </span><span style="font-variant-ligatures:no-common-ligatures">dovecot</span><span style="font-variant-ligatures:no-common-ligatures">-2.3.8 and </span><span style="font-variant-ligatures:no-common-ligatures">cyrus</span><span style="font-variant-ligatures:no-common-ligatures">-sasl-lib-2.1.27.</span></font></span></div><div><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif"><br></font></span></div><div><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif"><div><span>And, exactly the same behaviour. 25/587 is fine. 25+STARTTLS/465 either RENEGOTIATES SSL or immediately says DONE</span></div><div></div></font></span></div>
<div><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><font color="#000000" face="arial, sans-serif"><br></font></span></div><div><font color="#000000" face="arial, sans-serif"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)">I really need to get this going, any thoughts?</span></font></div><div><font color="#000000" face="arial, sans-serif"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)"><br></span></font></div><div><font color="#000000" face="arial, sans-serif"><span style="font-variant-ligatures:no-common-ligatures;background-color:rgb(255,255,255)">Tnx, Tuc</span></font></div><div><font color="#000000" face="Menlo"><span style="font-size:18px;font-variant-ligatures:no-common-ligatures"><br></span></font></div>
</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Sep 22, 2020 at 12:12 AM Quanah Gibson-Mount <<a href="mailto:quanah@symas.com" target="_blank">quanah@symas.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
--On Monday, September 21, 2020 2:40 PM -0400 Scott Ellentuch <br>
<<a href="mailto:tuctboh@gmail.com" target="_blank">tuctboh@gmail.com</a>> wrote:<br>
<br>
> I'm using sendmail 8.14.4 and Sasl 2.1.23 . Config info<br>
<br>
Cyrus-SASL 2.1.23 released on 4/27/2009, over 11 years ago.<br>
<br>
You may want to see if the behavior your describing is addressed by any of <br>
the years of fixes since then as noted in <br>
<<a href="https://raw.githubusercontent.com/cyrusimap/cyrus-sasl/master/ChangeLog" rel="noreferrer" target="_blank">https://raw.githubusercontent.com/cyrusimap/cyrus-sasl/master/ChangeLog</a>><br>
<br>
Regards,<br>
Quanah<br>
<br>
--<br>
<br>
Quanah Gibson-Mount<br>
Product Architect<br>
Symas Corporation<br>
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:<br>
<<a href="http://www.symas.com" rel="noreferrer" target="_blank">http://www.symas.com</a>><br>
</blockquote></div>
</blockquote></div>