From owner-freebsd-isp@FreeBSD.ORG Sun Aug 13 14:21:30 2006
From: Troy Settle <troy@psknet.com>
Date: Sun, 13 Aug 2006 10:21:25 -0400
To: freebsd-isp@freebsd.org
Subject: VPN through NAT?
Message-ID: <44DF3565.1060506@psknet.com>
List-Id: Internet Services Providers <freebsd-isp@freebsd.org>

Probably not the best list to ask this on, but it's the closest that I'm
subscribed to...

I have several customers who use VPN (Windows PPTP) to connect to their
corporate networks. The first was sitting behind NAT on a FreeBSD router.
The PPTP did not work. I moved them out of NAT and onto a regular IP, and
it worked fine. I then swapped out the FreeBSD box with a Cisco 2620 and
again tried the PPTP via NAT, but still it wouldn't work.

Another customer is behind a Cisco 804 and his PPTP also did not work when
his network was behind NAT, so I have to assign a static subnet for him.

From home, sitting behind NAT on my Netgear router, I can turn up PPTP
connections all day long. What gives with FreeBSD and Cisco's
implementation of NAT that PPTP doesn't want to work?

Thanks,

--
Troy Settle
Pulaski Networks
http://www.psknet.com
866.477.5638

From owner-freebsd-isp@FreeBSD.ORG Sun Aug 13 18:14:38 2006
From: Eric Anderson <anderson@centtech.com>
Date: Sun, 13 Aug 2006 13:14:57 -0500
To: Troy Settle
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
Message-ID: <44DF6C21.7080302@centtech.com>
In-Reply-To: <44DF3565.1060506@psknet.com>

On 08/13/06 09:21, Troy Settle wrote:
> Probably not the best list to ask this on, but it's the closest that I'm
> subscribed to...
>
> I have several customers who use VPN (Windows PPTP) to connect to their
> corporate networks. The first was sitting behind NAT on a FreeBSD
> router. The PPTP did not work. I moved them out of NAT and onto a
> regular IP, and it worked fine. I then swapped out the FreeBSD box with
> a Cisco 2620 and again tried the PPTP via NAT, but still it wouldn't work.
>
> Another customer is behind a Cisco 804 and his PPTP also did not work
> when his network was behind NAT, so I have to assign a static subnet for
> him.
>
> From home, sitting behind NAT on my Netgear router, I can turn up PPTP
> connections all day long. What gives with FreeBSD and Cisco's
> implementation of NAT that PPTP doesn't want to work?
>
> Thanks,

I'm no expert on the subject, but I recall hitting this in the past and
reading about passing GRE packets through, along with a couple of ports to
forward to the VPN endpoint.

Eric

--
Eric Anderson
Sr. Systems Administrator
Centaur Technology
Anything that works is better than anything that doesn't.
From owner-freebsd-isp@FreeBSD.ORG Mon Aug 14 00:28:37 2006
From: Jeff Norris <jeff@norristechs.net>
Organization: NorrisTechs.NET.COM
Date: Sun, 13 Aug 2006 18:28:33 -0600
To: Troy Settle
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
Message-ID: <44DFC3B1.6010901@norristechs.net>
In-Reply-To: <44DF3565.1060506@psknet.com>

Hmm, I assume you have TCP port 1723 forwarding from the internet/DMZ to
the PPTP host? That should be enough for most PPTP-based VPN clients.

It can be difficult with IPSEC, as you have to forward UDP 500, Protocol 50
and Protocol 51 to/from the VPN client from your NAT router.

--
Jeff Norris
~ Web Hosting ~ VPN Solutions ~ Network Management ~
Design, deploy, kick ass.
NorrisTechs dot net
http://www.norristechs.net
AOL IM or Yahoo IM: ntshelper

Troy Settle wrote:
> Probably not the best list to ask this on, but it's the closest that
> I'm subscribed to...
>
> I have several customers who use VPN (Windows PPTP) to connect to
> their corporate networks. The first was sitting behind NAT on a
> FreeBSD router. The PPTP did not work. I moved them out of NAT and
> onto a regular IP, and it worked fine. I then swapped out the FreeBSD
> box with a Cisco 2620 and again tried the PPTP via NAT, but still it
> wouldn't work.
>
> Another customer is behind a Cisco 804 and his PPTP also did not work
> when his network was behind NAT, so I have to assign a static subnet
> for him.
>
> From home, sitting behind NAT on my Netgear router, I can turn up PPTP
> connections all day long. What gives with FreeBSD and Cisco's
> implementation of NAT that PPTP doesn't want to work?
>
> Thanks,

From owner-freebsd-isp@FreeBSD.ORG Mon Aug 14 00:31:01 2006
From: Jeff Norris <jeff@norristechs.net>
Organization: NorrisTechs.NET.COM
Date: Sun, 13 Aug 2006 18:30:57 -0600
To: Troy Settle
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
Message-ID: <44DFC441.8090905@norristechs.net>
In-Reply-To: <44DF3565.1060506@psknet.com>

One more thing. With a Netgear router that has what's called VPN
pass-through, it sees the VPN traffic and passes it through to the host.
Whereas with Cisco or other high-end routers, and FreeBSD-based routers,
you get to deal with port translation, so you have to create the rule to
pass TCP port 1723, and if GRE is needed, it's protocol 47.

Cheers

--
Jeff Norris
~ Web Hosting ~ VPN Solutions ~ Network Management ~
Design, deploy, kick ass.
NorrisTechs dot net
http://www.norristechs.net
AOL IM or Yahoo IM: ntshelper

Troy Settle wrote:
> Probably not the best list to ask this on, but it's the closest that
> I'm subscribed to...
>
> I have several customers who use VPN (Windows PPTP) to connect to
> their corporate networks. The first was sitting behind NAT on a
> FreeBSD router. The PPTP did not work. I moved them out of NAT and
> onto a regular IP, and it worked fine. I then swapped out the FreeBSD
> box with a Cisco 2620 and again tried the PPTP via NAT, but still it
> wouldn't work.
>
> Another customer is behind a Cisco 804 and his PPTP also did not work
> when his network was behind NAT, so I have to assign a static subnet
> for him.
>
> From home, sitting behind NAT on my Netgear router, I can turn up PPTP
> connections all day long. What gives with FreeBSD and Cisco's
> implementation of NAT that PPTP doesn't want to work?
>
> Thanks,

From owner-freebsd-isp@FreeBSD.ORG Mon Aug 14 12:30:28 2006
From: Brian Candler <b.candler@pobox.com>
Date: Mon, 14 Aug 2006 13:30:17 +0100
To: Jeff at NorrisTechs
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
Message-ID: <20060814123016.GA85695@uk.tiscali.com>
In-Reply-To: <44DFC3B1.6010901@norristechs.net>

On Sun, Aug 13, 2006 at 06:28:33PM -0600, Jeff at NorrisTechs wrote:
> I assume you have TCP port 1723 forwarding from the internet/DMZ to the
> PPTP host? That should be enough for most PPTP-based VPN clients.
>
> It can be difficult with IPSEC, as you have to forward UDP 500,
> Protocol 50 and Protocol 51 to/from the VPN client from your NAT router.

If the *clients* are behind NAT, when running IPSEC there should be nothing
to do.

IPSEC uses UDP 500 (outbound) to start the key exchange, detects NAT, and
then switches to UDP 4500 for IPSEC NAT traversal. It also sends NAT
keepalive packets every 20 seconds by default.

So if you have a NAT-aware IPSEC client, it should work with any old NAT
firewall without any config changes on that firewall, as long as it allows
outbound connections. It was designed to work in hotels etc.

Microsoft's L2TP over IPSEC works just fine for this (with Win2K you need to
install a NAT traversal patch). I've no idea about PPTP though. I don't use
it, as it's generally considered insecure compared with IPSEC.

I believe some routers have a "PPTP passthrough" mode, which you could try
turning on (or off) to see if it fixes the problem.

Regards,

Brian.
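[Editor's added example; this code is not from any message in the thread.]
Eric and Jeff above both say the fix is to pass GRE (IP protocol 47) alongside
TCP port 1723, and Brian mentions the "PPTP passthrough" mode on some routers.
The Python model below shows why both remarks are needed: the PPTP control
channel is ordinary TCP and translates fine, but the data channel is PPP inside
GRE, which has no port numbers, so a port-based NAPT either drops it or can only
send all inbound GRE to a single host. A PPTP-aware NAT instead learns each
call's Call ID from the Outgoing-Call-Request/Reply exchange and uses the Call ID
in the GRE Key field to pick the inside host, which is what lets two clients
behind one NAT both connect. Assumptions: addresses come from the RFC 5737
documentation ranges, the control messages carry only their first two fields,
and the ALG is a generic model of PPTP-aware NAT rather than a description of
the Netgear, Cisco or natd implementation.

```python
"""Toy NAT showing why PPTP needs more than "forward TCP 1723".

PPTP (RFC 2637) is a TCP/1723 control channel plus PPP carried in enhanced
GRE (IP protocol 47).  GRE has no port numbers, so a port-based NAPT has
nothing to build a translation on.  A PPTP-aware NAT (an ALG, "PPTP
passthrough" on consumer routers) learns each call's Call ID from the control
channel and demultiplexes inbound GRE on the Call ID in the GRE Key field.
Packets are dicts; the PPTP and GRE headers are real bytes.  Generic model,
not any vendor's implementation."""
import struct

PPTP_MAGIC = 0x1A2B3C4D
OUT_CALL_REQUEST, OUT_CALL_REPLY = 7, 8   # control message types
GRE_PPP = 0x880B                          # GRE protocol type for PPP
GRE_V1_FLAGS = 0x3001                     # K=1 S=1, version 1 (enhanced GRE)

def pptp_control(msg_type, call_id, second=0):
    """12-byte control header plus the first two 16-bit fields: Call ID, then
    Call Serial Number (request) or Peer's Call ID (reply); rest omitted."""
    body = struct.pack("!HH", call_id, second)
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC, msg_type, 0) + body

def parse_pptp_control(payload):
    _, kind, magic, msg_type, _ = struct.unpack_from("!HHIHH", payload)
    if kind != 1 or magic != PPTP_MAGIC:
        raise ValueError("not a PPTP control message")
    return (msg_type,) + struct.unpack_from("!HH", payload, 12)

def set_u16(payload, offset, value):
    return payload[:offset] + struct.pack("!H", value) + payload[offset + 2:]

def gre_ppp(call_id, ppp):
    """Enhanced GRE header: flags/version, protocol, payload length, Call ID."""
    return struct.pack("!HHHH", GRE_V1_FLAGS, GRE_PPP, len(ppp), call_id) + ppp

def gre_call_id(packet):
    flags, proto, _, call_id = struct.unpack_from("!HHHH", packet)
    if not flags & 0x2000 or proto != GRE_PPP:   # K bit must be set
        raise ValueError("not PPTP-style GRE")
    return call_id

class Nat:
    """Source NAPT for one public address, with or without a PPTP ALG."""
    def __init__(self, public_ip, pptp_alg):
        self.public_ip, self.alg = public_ip, pptp_alg
        self.ports = {}   # (inside ip, inside port) -> external port
        self.calls = {}   # external Call ID -> (inside ip, inside Call ID)
        self.next_port, self.next_call = 40000, 1

    def outbound(self, pkt):
        pkt = dict(pkt)
        if pkt["proto"] == "gre":
            if not self.alg:
                return None               # nothing to key on: plain NAPT drops it
            pkt["src"] = self.public_ip   # Key holds the server's Call ID, untouched
            return pkt
        key = (pkt["src"], pkt["sport"])
        if key not in self.ports:
            self.ports[key] = self.next_port
            self.next_port += 1
        if self.alg and pkt["dport"] == 1723:
            msg, call_id, _ = parse_pptp_control(pkt["data"])
            if msg == OUT_CALL_REQUEST:   # give the call an outside-unique ID even
                ext = self.next_call      # if two inside hosts chose the same one
                self.next_call += 1
                self.calls[ext] = (pkt["src"], call_id)
                pkt["data"] = set_u16(pkt["data"], 12, ext)
        pkt["src"], pkt["sport"] = self.public_ip, self.ports[key]
        return pkt

    def inbound(self, pkt):
        pkt = dict(pkt)
        if pkt["proto"] == "gre":
            if not self.alg:
                return None
            inside_ip, inside_call = self.calls[gre_call_id(pkt["data"])]
            pkt["dst"] = inside_ip
            pkt["data"] = set_u16(pkt["data"], 6, inside_call)   # rewrite the Key
            return pkt
        pkt["dst"], pkt["dport"] = {v: k for k, v in self.ports.items()}[pkt["dport"]]
        if self.alg and pkt["sport"] == 1723:
            msg, _, peer = parse_pptp_control(pkt["data"])
            if msg == OUT_CALL_REPLY:     # Peer's Call ID is ours: map it back
                pkt["data"] = set_u16(pkt["data"], 14, self.calls[peer][1])
        return pkt

def pptp_session(nat, client_ip, call_id, server="203.0.113.5"):
    """One call set-up through the NAT.  None if the data channel never reaches
    the client, else (client ip, Call ID in the GRE Key the client receives,
    Peer's Call ID in the reply the client receives)."""
    req = nat.outbound({"proto": "tcp", "src": client_ip, "sport": 1030, "dst": server,
                        "dport": 1723, "data": pptp_control(OUT_CALL_REQUEST, call_id, 1)})
    ext_call = parse_pptp_control(req["data"])[1]     # the Call ID the server learns
    reply = nat.inbound({"proto": "tcp", "src": server, "sport": 1723, "dst": req["src"],
                         "dport": req["sport"],
                         "data": pptp_control(OUT_CALL_REPLY, 9000, ext_call)})
    # Server -> client PPP frame; the GRE Key is the client's Call ID as the server knows it
    data = nat.inbound({"proto": "gre", "src": server, "dst": nat.public_ip,
                        "data": gre_ppp(ext_call, b"\xff\x03\xc0\x21")})
    if data is None:
        return None
    return data["dst"], gre_call_id(data["data"]), parse_pptp_control(reply["data"])[2]
```

With `Nat("198.51.100.1", pptp_alg=False)` the control channel completes but
`pptp_session` returns None, which is the symptom in the original post: TCP
1723 gets through and the tunnel never comes up. With the ALG enabled, two
inside hosts that both chose Call ID 1 are given distinct outside Call IDs, and
the inbound GRE for each is delivered to the right host with its own Call ID
restored.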
From owner-freebsd-isp@FreeBSD.ORG Mon Aug 14 12:16:33 2006
From: Nadia <nadia@iaxcess.net>
Date: Mon, 14 Aug 2006 15:16:25 +0300
To: freebsd-isp@freebsd.org
Subject: modem pool
Message-ID: <00a201c6bf9b$78113eb0$0d00a8c0@compaqhp>

Dear Sir,

Greetings, and thank you for the information you provide on your web page.
I have a question about modem pools. What exactly does "modem pool" mean?
Is it a collection of modems accessed by several users? And what is the
relation between a modem pool and a Network Access Server (NAS)?

Best regards,
Eng. Nadia

From owner-freebsd-isp@FreeBSD.ORG Mon Aug 14 18:19:43 2006
From: Jeff Norris <jeff@norristechs.net>
Date: Mon, 14 Aug 2006 12:19:30 -0600
To: Jeff at NorrisTechs, Brian Candler
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
Message-ID: <200608141219.AA2031742@mail.norristechs.net>

Brian,

IPSEC NAT traversal uses UDP 4500? Whose implementation? Cisco, Nortel,
BSD? I believe 4500 is Cisco's way of doing it, but not all IPSEC VPN
clients are the same. I use one that uses UDP port 10000 for NAT
traversal.

Cheers

---------- Original Message ----------------------------------
From: Brian Candler
Date: Mon, 14 Aug 2006 13:30:17 +0100

>On Sun, Aug 13, 2006 at 06:28:33PM -0600, Jeff at NorrisTechs wrote:
>> I assume you have TCP port 1723 forwarding from the internet/DMZ to the
>> PPTP host? That should be enough for most PPTP-based VPN clients.
>>
>> It can be difficult with IPSEC, as you have to forward UDP 500,
>> Protocol 50 and Protocol 51 to/from the VPN client from your NAT router.
>
>If the *clients* are behind NAT, when running IPSEC there should be nothing
>to do.
>
>IPSEC uses UDP 500 (outbound) to start the key exchange, detects NAT, and
>then switches to UDP 4500 for IPSEC NAT traversal. It also sends NAT
>keepalive packets every 20 seconds by default.
>
>So if you have a NAT-aware IPSEC client, it should work with any old NAT
>firewall without any config changes on that firewall, as long as it allows
>outbound connections. It was designed to work in hotels etc.
>
>Microsoft's L2TP over IPSEC works just fine for this (with Win2K you need to
>install a NAT traversal patch). I've no idea about PPTP though. I don't use
>it, as it's generally considered insecure compared with IPSEC.
>
>I believe some routers have a "PPTP passthrough" mode, which you could try
>turning on (or off) to see if it fixes the problem.
>
>Regards,
>
>Brian.

From owner-freebsd-isp@FreeBSD.ORG Mon Aug 14 18:53:51 2006
From: Chuck Swiger <cswiger@mac.com>
Date: Mon, 14 Aug 2006 11:53:04 -0700
To: jeff@norristechs.net
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
In-Reply-To: <200608141219.AA2031742@mail.norristechs.net>

On Aug 14, 2006, at 11:19 AM, Jeff Norris wrote:
> IPSEC NAT traversal uses UDP 4500? Whose implementation? Cisco,
> Nortel, BSD? I believe 4500 is Cisco's way of doing it, but not all
> IPSEC VPN clients are the same. I use one that uses UDP port 10000
> for NAT traversal.

Cisco will use either 4500/udp or 10000/tcp; the former is supposed to be
more friendly for NAT traversal. It also seems to want to use a high port
in the 6xxxx range for a debug channel if you use the "connection
diagnostics" via SDM on a Cisco VPN router.

I've done a fair amount of debugging this from both the client and the
server side; you pretty much need to have the VPN endpoint (whether client
or server) assigned a static IP for GRE protocol redirection to work, so if
you are dealing with clients using dynamic IPs, you'll want to set up a
static IP assignment via your DHCP server.

Place the following into /etc/natd.conf (if using IPFW+natd):

    # Send all GRE (IP protocol 47, the PPTP data channel) to one inside host;
    # natd has no Call ID tracking, so this can name only one endpoint.
    redirect_proto gre A.B.C.D
    redirect_port tcp A.B.C.D:isakmp isakmp   # port 500
    redirect_port udp A.B.C.D:isakmp isakmp   # port 500, IKE
    redirect_port tcp A.B.C.D:pptp pptp       # port 1723, PPTP control channel
    redirect_port udp A.B.C.D:4500 4500       # IPsec NAT-T (UDP-encapsulated ESP)
    redirect_port tcp A.B.C.D:10000 10000     # Cisco IPsec-over-TCP alternative
    redirect_port udp A.B.C.D:62515 62515     # Cisco client debug channel (see above)

...where, obviously, you would use the local IP address of the client or
server instead of A.B.C.D.

The above also seems to work OK with the Sonicwall VPN client and
Microsoft's VPN remote access ("terminal services"? or whatever it's
called).

If you have multiple clients trying to use the VPN from behind NAT, note
that you can only have one VPN endpoint per externally routable IP, so you
will have to configure separate natd's for each one. You'd probably be
better off terminating the VPNs on the NAT machine if that is the case...

--
-Chuck

From owner-freebsd-isp@FreeBSD.ORG Mon Aug 14 20:14:07 2006
From: Brian Candler <b.candler@pobox.com>
Date: Mon, 14 Aug 2006 21:14:02 +0100
To: Jeff Norris
Cc: freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
Message-ID: <20060814201402.GA86851@uk.tiscali.com>
In-Reply-To: <200608141219.AA2031742@mail.norristechs.net>

On Mon, Aug 14, 2006 at 12:19:30PM -0600, Jeff Norris wrote:
>
> Brian,
>
> IPSEC NAT traversal uses UDP 4500? Whose implementation? Cisco, Nortel,
> BSD?

Everybody, because it's the standard. See RFC 3947 and 3948:

"Take the common case of the initiator behind the NAT. The initiator must
quickly change to port 4500 once the NAT has been detected to minimize the
window of IPsec-aware NAT problems. In Main Mode, the initiator MUST change
ports when sending the ID payload if there is NAT between the hosts. The
initiator MUST set both UDP source and destination ports to 4500. All
subsequent packets sent to this peer (including informational
notifications) MUST be sent on port 4500."

> I believe 4500 is Cisco's way of doing it, but not all IPSEC VPN
> clients are the same. I use one that uses UDP port 10000 for NAT
> traversal.

There are many proprietary VPN solutions out there, of course, so it sounds
like you have one of these.

I've tested many standard solutions (Microsoft's IPSEC stack, FreeBSD with
ipsec-tools, Linux with ipsec-tools, Cisco IOS, Cisco PIX, Juniper
Netscreen, Juniper ERX, and some smaller vendors). All implement NAT-T
according to the standard. They mostly even interoperate :-)

Regards,

Brian.

From owner-freebsd-isp@FreeBSD.ORG Tue Aug 15 12:19:50 2006
From: Brian Candler <b.candler@pobox.com>
Date: Tue, 15 Aug 2006 13:19:12 +0100
To: Chuck Swiger
Cc: jeff@norristechs.net, freebsd-isp@freebsd.org
Subject: Re: VPN through NAT?
Message-ID: <20060815121912.GA89848@uk.tiscali.com>

On Mon, Aug 14, 2006 at 11:53:04AM -0700, Chuck Swiger wrote:
> If you have multiple clients trying to use the VPN from behind NAT,
> note that you can only have one VPN endpoint per externally routable
> IP

This depends on the implementation of your IPSEC termination device.

The tests I've done are using L2TP over IPSEC transport mode as the VPN
access method. The following termination devices work properly, even with
multiple clients behind the same NAT firewall, or multiple clients using
the same local IP address (e.g. 192.168.1.1) but behind different NAT
firewalls:

* Cisco IOS (you need a recent version and "set nat demux")
* Juniper ERX310

However, the following do not:

* Juniper Netscreen
* Linux (l2tpd)
* FreeBSD (sl2tps)

There's no fundamental reason why it can't work - the firewall simply NATs
each stream to a different UDP source port. It's just that many IPSEC
implementations don't take NAT-T into account when looking up SPIs in their
SADB.

Regards,

Brian.
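[Editor's added example; this code is not from any message in the thread.]
Brian's three replies describe the standard NAT traversal mechanics that make
the IPsec case different from the PPTP case: each IKE peer sends NAT-D
payloads (a hash over the cookies, an address and a port, RFC 3947), the
receiver recomputes the hash from the addresses it actually sees on the wire,
and a mismatch means a NAT rewrote them; after that both sides move to UDP
4500, where IKE is prefixed by a four-byte zero marker, ESP is sent bare, and
a lone 0xFF byte is the keepalive (RFC 3948). His last message also explains
why some terminators mishandle several clients behind one NAT: the NAT gives
each client a different UDP source port, and a peer table keyed on the address
alone merges them. The Python below works all of that through with constructed
cookies and RFC 5737 documentation addresses; SHA-1 stands in for whichever
hash IKE negotiated, and the peer table is a model of the lookup problem, not
of any listed vendor's code.

```python
"""IKE NAT traversal mechanics from RFC 3947 (NAT detection) and RFC 3948
(UDP encapsulation on port 4500).  Constructed example: addresses are
RFC 5737 documentation ranges and the cookies are arbitrary; SHA-1 stands
in for whatever hash IKE negotiated."""
import hashlib
import ipaddress
import struct

IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # precedes IKE on 4500; an ESP SPI of 0 is never valid
KEEPALIVE = b"\xff"                   # one-byte NAT-keepalive, sent every ~20 s

def nat_d(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload: hash(CKY-I | CKY-R | IP | Port), RFC 3947 section 4."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()

def detect_nat(cky_i, cky_r, received, observed_src, observed_dst):
    """received: the peer's NAT-D payloads in wire order, first its view of
    our address, then of its own address(es).  observed_*: (ip, port) as we
    saw them in the IP/UDP headers.  Returns (peer_behind_nat, we_behind_nat)."""
    peer_matches = any(h == nat_d(cky_i, cky_r, *observed_src) for h in received[1:])
    we_match = received[0] == nat_d(cky_i, cky_r, *observed_dst)
    return (not peer_matches, not we_match)

def port_for(nat_detected):
    """Once NAT is detected the initiator moves to 4500 when it sends the ID
    payload, and every later packet to that peer stays on 4500."""
    return NATT_PORT if nat_detected else IKE_PORT

def encapsulate(kind, payload=b""):
    """Frame one datagram for UDP/4500 (RFC 3948)."""
    if kind == "ike":
        return NON_ESP_MARKER + payload
    if kind == "keepalive":
        return KEEPALIVE
    if kind == "esp":
        if struct.unpack_from("!I", payload)[0] == 0:
            raise ValueError("SPI 0 would be mistaken for the Non-ESP Marker")
        return payload                  # ESP goes bare: the SPI is its first field
    raise ValueError(kind)

def decapsulate(datagram):
    if datagram == KEEPALIVE:
        return "keepalive", b""
    if datagram.startswith(NON_ESP_MARKER):
        return "ike", datagram[4:]
    return "esp", datagram

def handshake_demo():
    """Initiator 192.168.1.100:500 behind a NAT that rewrites it to
    198.51.100.7:61001, talking to responder 203.0.113.9:500."""
    cky_i, cky_r = bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8")
    inside, outside, resp = ("192.168.1.100", 500), ("198.51.100.7", 61001), ("203.0.113.9", 500)
    # Initiator -> responder: NAT-D for the responder, then for itself (private address).
    from_init = [nat_d(cky_i, cky_r, *resp), nat_d(cky_i, cky_r, *inside)]
    at_resp = detect_nat(cky_i, cky_r, from_init, observed_src=outside, observed_dst=resp)
    # Responder -> initiator: its view of the initiator is the NAT's outside address,
    # but the NAT un-translates the reply, so the initiator sees its private address.
    from_resp = [nat_d(cky_i, cky_r, *outside), nat_d(cky_i, cky_r, *resp)]
    at_init = detect_nat(cky_i, cky_r, from_resp, observed_src=resp, observed_dst=inside)
    return at_resp, at_init   # (peer NATed, we NATed) as seen by each side

def peer_table(nat_aware):
    """How a termination device might index remote peers.  Keyed on address
    alone, every client behind one NAT collapses into a single entry; the NAT
    gives each of them a distinct UDP source port, so key on (ip, port)."""
    clients = [("alice", "198.51.100.7", 61001), ("bob", "198.51.100.7", 61002)]
    table = {}
    for name, ip, port in clients:
        table.setdefault((ip, port) if nat_aware else ip, []).append(name)
    return table
```

`handshake_demo()` returns `((True, False), (False, True))`: the responder
concludes its peer is behind NAT and it is not, the initiator concludes the
opposite, and neither side needed any help from the NAT box, which is Brian's
point about hotel firewalls. `peer_table(False)` shows two clients behind the
same NAT landing in one entry, which is the demultiplexing failure he saw on
the terminators that do not take NAT-T into account.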
From owner-freebsd-isp@FreeBSD.ORG Thu Aug 17 07:15:12 2006 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C0A4816A4DA for ; Thu, 17 Aug 2006 07:15:12 +0000 (UTC) (envelope-from "") Received: from viefep20-int.chello.at (viefep13-int.chello.at [213.46.255.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B2B143D64 for ; Thu, 17 Aug 2006 07:15:11 +0000 (GMT) (envelope-from "") To: freebsd-isp@freebsd.org From: "Auto-reply from galeriekrinzinger@chello.at" In-Reply-To: <20060817071502.TAYO14536.viefep31-int.chello.at@chello.at> Precedence: bulk Date: Thu, 17 Aug 2006 09:15:10 +0200 Message-ID: <20060817071510.OUZM24106.viefep20-int.chello.at@viefep20-int> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: Mail Delivery (failure galeriekrinzinger@chello.at) X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Aug 2006 07:15:12 -0000 Die Galerie Krinzinger ist bis 28. August 2006 geschlossen. Galerie Krinzinger is closed until August 28th 2006. 
From owner-freebsd-isp@FreeBSD.ORG Thu Aug 17 07:20:41 2006 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7055B16A4DD for ; Thu, 17 Aug 2006 07:20:41 +0000 (UTC) (envelope-from "") Received: from mail26.messagelabs.com (mail26.messagelabs.com [193.109.254.131]) by mx1.FreeBSD.org (Postfix) with SMTP id 1BC4B43D70 for ; Thu, 17 Aug 2006 07:20:35 +0000 (GMT) (envelope-from "") X-VirusChecked: Checked X-Msg-Ref: server-18.tower-26.messagelabs.com!1155799234!27106861!1 X-StarScan-Version: 5.5.10.7; banners=wled.org.uk,-,- X-Originating-IP: [193.63.61.201] Received: (qmail 7405 invoked from network); 17 Aug 2006 07:20:34 -0000 Received: from arwen.westlothian.org.uk (HELO ?wled.org.uk?) (193.63.61.201) by server-18.tower-26.messagelabs.com with SMTP; 17 Aug 2006 07:20:34 -0000 Received: from gimli (gimli [10.1.0.19]) by arwen.westlothian.org.uk (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) with ESMTP id <0J4400HL0SE1NO@arwen.westlothian.org.uk> for freebsd-isp@freebsd.org; Thu, 17 Aug 2006 08:20:25 +0100 (BST) Received: from autoreply-daemon.gimli.westlothian.org.uk by gimli.westlothian.org.uk (iPlanet Messaging Server 5.2 HotFix 1.18 (built Jul 28 2003)) id <0J4400L02SE9BW@gimli.westlothian.org.uk> for freebsd-isp@freebsd.org; Thu, 17 Aug 2006 08:20:33 +0100 (BST) Date: Thu, 17 Aug 2006 08:20:33 +0100 (BST) Date-warning: Invalid date header replaced by gimli.westlothian.org.uk; original content: From: ian.singer@wled.org.uk In-reply-to: <0J4400K81SE9LJ@gimli.westlothian.org.uk> To: freebsd-isp@freebsd.org Message-id: <0J4400L03SE9BW@gimli.westlothian.org.uk> MIME-version: 1.0 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7BIT Subject: On Holiday X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers 
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Aug 2006 07:20:41 -0000 This is an automatic reply. I will read your message when I return on the 21st of August 2006. Thank you. West Lothian is the UK Council of the Year 2006 ________________________________________________________________________ This message, together with any attachments, is sent subject to the following statements: 1. It is sent in confidence for the addressee only. It may contain legally privileged information. The contents are not to be disclosed to anyone other than the addressee. Unauthorised recipients are requested to preserve this confidentiality and to advise the sender immediately. 2. It does not constitute a representation which is legally binding on the Council or which is capable of constituting a contract and may not be founded upon in any proceedings following hereon unless specifically indicated otherwise. http://www.westlothian.gov.uk ________________________________________________________________________ This email has been scanned for all viruses by the MessageLabs SkyScan service on behalf of West Lothian Council. 
For more information on a proactive anti-virus service working around the clock, around the globe, visit http://www.messagelabs.com
________________________________________________________________________

From owner-freebsd-isp@FreeBSD.ORG Thu Aug 17 20:52:00 2006
Return-Path:
X-Original-To: freebsd-isp@freebsd.org
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A1E0816A4DA for ; Thu, 17 Aug 2006 20:52:00 +0000 (UTC) (envelope-from adrianbsd@globalpc.net)
Received: from cube.globalpc.net (cube.globalpc.net [207.193.249.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 36B8343D45 for ; Thu, 17 Aug 2006 20:52:00 +0000 (GMT) (envelope-from adrianbsd@globalpc.net)
Received: from [192.168.0.211] (unknown [216.60.63.113]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by cube.globalpc.net (Postfix) with ESMTP id 1E5F09B425 for ; Thu, 17 Aug 2006 15:52:45 -0500 (CDT)
Message-ID: <44E4D6F2.60305@globalpc.net>
Date: Thu, 17 Aug 2006 15:52:02 -0500
From: Adrian Gonzalez
User-Agent: Thunderbird 1.5.0.2 (Windows/20060308)
MIME-Version: 1.0
To: freebsd-isp@freebsd.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Postfix + AUTH/TLS + Outlook/OE problem
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 17 Aug 2006 20:52:00 -0000

Hello

I'm seeing some very strange behavior with Outlook 2003 and Outlook Express trying to send mail using TLS/SMTP Auth with Postfix 2.3 and FreeBSD 6.1-STABLE

It seems like Outlook/OE don't like the SSL handshake for some reason. They connect to the server, issue STARTTLS, and disconnect during the handshake, giving an "Error Number: 0x800CCC0B".
I've tried both STARTTLS and using 'wrapper mode' on port 465 with the same results. Other clients like Thunderbird are able to send just fine using the same server w/STARTTLS, so I'm assuming it's not a configuration/authentication issue.

I thought it could be related to the chained SSL certificate we're using (GoDaddy), but the results were the same with a self-signed cert.

I also tried updating OpenSSL to the latest 'stable' release (0.9.7j), same results.

I've been banging my head against the wall with this one, and I'm running out of options, so I thought I'd ask in here and see if this has happened to anybody else.

To make matters even stranger, in Outlook Express, when you create the message and click send, you get the error message and the email stays in the outbox. After that if you do a Send/Receive, OE is able to negotiate TLS properly and sends the message just fine.

Any ideas welcome...

-Adrian

p.s. Here's the output generated by postfix using the self-signed cert and Outlook 2003 as the client (smtpd_tls_loglevel = 3)

Aug 17 13:59:50 cube postfix/smtpd[70309]: connect from unknown[xx.xx.xx.xx]
Aug 17 13:59:50 cube postfix/smtpd[70309]: setting up TLS connection from unknown[xx.xx.xx.xx]
Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept:before/accept initialization
Aug 17 13:59:50 cube postfix/smtpd[70309]: read from 080A2C40 [080CE000] (11 bytes => -1 (0xFFFFFFFF))
Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept:error in SSLv2/v3 read client hello A
Aug 17 13:59:50 cube postfix/smtpd[70309]: read from 080A2C40 [080CE000] (11 bytes => 11 (0xB))
Aug 17 13:59:50 cube postfix/smtpd[70309]: 0000 16 03 01 00 61 01 00 00|5d 03 01 ....a... ]..
Aug 17 13:59:50 cube postfix/smtpd[70309]: read from 080A2C40 [080CE00B] (91 bytes => -1 (0xFFFFFFFF)) Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept:error in SSLv3 read client hello B Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept:error in SSLv3 read client hello B Aug 17 13:59:50 cube postfix/smtpd[70309]: read from 080A2C40 [080CE00B] (91 bytes => 91 (0x5B)) Aug 17 13:59:50 cube postfix/smtpd[70309]: 0000 44 e4 bc 7c a8 1d f1 52|3f 89 d0 b7 5d 86 5c 14 D..|...R ?...].\. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0010 4a 4f 34 7e e5 4a 6c 14|3f 6d d0 c9 00 03 77 aa JO4~.Jl. ?m....w. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0020 20 6c 33 a0 d8 cd 48 0e|68 ba df c8 8f be 0c 2f l3...H. h....../ Aug 17 13:59:50 cube postfix/smtpd[70309]: 0030 49 e2 48 98 9d 5f 35 29|ba 05 5b 50 05 59 a5 8a I.H.._5) ..[P.Y.. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0040 08 00 16 00 04 00 05 00|0a 00 09 00 64 00 62 00 ........ ....d.b. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0050 03 00 06 00 13 00 12 00|63 01 ........ c. Aug 17 13:59:50 cube postfix/smtpd[70309]: 005a - Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept:SSLv3 read client hello B Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept:SSLv3 write server hello A Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept:SSLv3 write certificate A Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept:SSLv3 write server done A Aug 17 13:59:50 cube postfix/smtpd[70309]: write to 080A2C40 [080D7000] (957 bytes => 957 (0x3BD)) Aug 17 13:59:50 cube postfix/smtpd[70309]: 0000 16 03 01 00 2a 02 00 00|26 03 01 44 e4 bc a6 49 ....*... &..D...I Aug 17 13:59:50 cube postfix/smtpd[70309]: 0010 4a 1a 5d b1 25 7d bb 4b|0c ae c7 59 d2 3f 1f 80 J.].%}.K ...Y.?.. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0020 52 63 19 72 2a 9a df 8c|a2 13 10 00 00 04 00 16 Rc.r*... ........ Aug 17 13:59:50 cube postfix/smtpd[70309]: 0030 03 01 03 80 0b 00 03 7c|00 03 79 00 03 76 30 82 .......| ..y..v0. 
Aug 17 13:59:50 cube postfix/smtpd[70309]: 0040 03 72 30 82 02 db a0 03|02 01 02 02 09 00 d0 12 .r0..... ........ Aug 17 13:59:50 cube postfix/smtpd[70309]: 0050 84 7d fd fc 68 f8 30 0d|06 09 2a 86 48 86 f7 0d .}..h.0. ..*.H... Aug 17 13:59:50 cube postfix/smtpd[70309]: 0060 01 01 04 05 00 30 81 83|31 0b 30 09 06 03 55 04 .....0.. 1.0...U. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0070 06 13 02 55 53 31 0e 30|0c 06 03 55 04 08 13 05 ...US1.0 ...U.... Aug 17 13:59:50 cube postfix/smtpd[70309]: 0080 54 65 78 61 73 31 0f 30|0d 06 03 55 04 07 13 06 Texas1.0 ...U.... Aug 17 13:59:50 cube postfix/smtpd[70309]: 0090 4c 61 72 65 64 6f 31 15|30 13 06 03 55 04 0a 13 Laredo1. 0...U... Aug 17 13:59:50 cube postfix/smtpd[70309]: 00a0 0c 47 6c 6f 62 61 6c 20|50 43 4e 65 74 31 1a 30 .Global PCNet1.0 Aug 17 13:59:50 cube postfix/smtpd[70309]: 00b0 18 06 03 55 04 03 13 11|63 75 62 65 2e 67 6c 6f ...U.... cube.glo Aug 17 13:59:50 cube postfix/smtpd[70309]: 00c0 62 61 6c 70 63 2e 6e 65|74 31 20 30 1e 06 09 2a balpc.ne t1 0...* Aug 17 13:59:50 cube postfix/smtpd[70309]: 00d0 86 48 86 f7 0d 01 09 01|16 11 69 6e 66 6f 40 67 .H...... ..info@g Aug 17 13:59:50 cube postfix/smtpd[70309]: 00e0 6c 6f 62 61 6c 70 63 2e|6e 65 74 30 1e 17 0d 30 lobalpc. net0...0 Aug 17 13:59:50 cube postfix/smtpd[70309]: 00f0 36 30 38 31 37 31 36 32|37 35 39 5a 17 0d 31 36 60817162 759Z..16 Aug 17 13:59:50 cube postfix/smtpd[70309]: 0100 30 38 31 34 31 36 32 37|35 39 5a 30 81 83 31 0b 08141627 59Z0..1. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0110 30 09 06 03 55 04 06 13|02 55 53 31 0e 30 0c 06 0...U... .US1.0.. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0120 03 55 04 08 13 05 54 65|78 61 73 31 0f 30 0d 06 .U....Te xas1.0.. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0130 03 55 04 07 13 06 4c 61|72 65 64 6f 31 15 30 13 .U....La redo1.0. 
Aug 17 13:59:50 cube postfix/smtpd[70309]: 0140 06 03 55 04 0a 13 0c 47|6c 6f 62 61 6c 20 50 43 ..U....G lobal PC Aug 17 13:59:50 cube postfix/smtpd[70309]: 0150 4e 65 74 31 1a 30 18 06|03 55 04 03 13 11 63 75 Net1.0.. .U....cu Aug 17 13:59:50 cube postfix/smtpd[70309]: 0160 62 65 2e 67 6c 6f 62 61|6c 70 63 2e 6e 65 74 31 be.globa lpc.net1 Aug 17 13:59:50 cube postfix/smtpd[70309]: 0170 20 30 1e 06 09 2a 86 48|86 f7 0d 01 09 01 16 11 0...*.H ........ Aug 17 13:59:50 cube postfix/smtpd[70309]: 0180 69 6e 66 6f 40 67 6c 6f|62 61 6c 70 63 2e 6e 65 info@glo balpc.ne Aug 17 13:59:50 cube postfix/smtpd[70309]: 0190 74 30 81 9f 30 0d 06 09|2a 86 48 86 f7 0d 01 01 t0..0... *.H..... Aug 17 13:59:50 cube postfix/smtpd[70309]: 01a0 01 05 00 03 81 8d 00 30|81 89 02 81 81 00 c8 6f .......0 .......o Aug 17 13:59:50 cube postfix/smtpd[70309]: 01b0 7e 75 72 4c 2b 63 f3 47|f9 85 e3 de 86 29 a9 92 ~urL+c.G .....).. Aug 17 13:59:50 cube postfix/smtpd[70309]: 01c0 9b 95 c4 5b ec 2b fe d7|41 71 2f d8 c2 99 7d 56 ...[.+.. Aq/...}V Aug 17 13:59:50 cube postfix/smtpd[70309]: 01d0 c8 8f e4 ff 11 02 90 76|3c f2 b2 87 90 d0 1a f2 .......v <....... Aug 17 13:59:50 cube postfix/smtpd[70309]: 01e0 cf f0 f7 c4 fc f5 4b 26|86 94 d7 8a 4d f2 4b 96 ......K& ....M.K. Aug 17 13:59:50 cube postfix/smtpd[70309]: 01f0 8a 7b 31 21 c2 31 de d1|2b 4e 3e 66 4a b2 e9 ff .{1!.1.. +N>fJ... Aug 17 13:59:50 cube postfix/smtpd[70309]: 0200 3e 8d 99 d7 3d 57 9a b8|3e e8 98 64 20 5e 29 90 >...=W.. >..d ^). Aug 17 13:59:50 cube postfix/smtpd[70309]: 0210 6b f7 13 1e 9c 58 b4 cf|50 36 c8 b4 2e 79 15 9c k....X.. P6...y.. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0220 6b ba 39 30 12 c3 fe 80|c5 9e 2c b2 ff 37 02 03 k.90.... ..,..7.. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0230 01 00 01 a3 81 eb 30 81|e8 30 1d 06 03 55 1d 0e ......0. .0...U.. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0240 04 16 04 14 4f 13 d7 ee|c1 d0 1b 1d 1b 58 d9 5d ....O... .....X.] 
Aug 17 13:59:50 cube postfix/smtpd[70309]: 0250 a9 4f 8e c3 d0 6a 7b ca|30 81 b8 06 03 55 1d 23 .O...j{. 0....U.# Aug 17 13:59:50 cube postfix/smtpd[70309]: 0260 04 81 b0 30 81 ad 80 14|4f 13 d7 ee c1 d0 1b 1d ...0.... O....... Aug 17 13:59:50 cube postfix/smtpd[70309]: 0270 1b 58 d9 5d a9 4f 8e c3|d0 6a 7b ca a1 81 89 a4 .X.].O.. .j{..... Aug 17 13:59:50 cube postfix/smtpd[70309]: 0280 81 86 30 81 83 31 0b 30|09 06 03 55 04 06 13 02 ..0..1.0 ...U.... Aug 17 13:59:50 cube postfix/smtpd[70309]: 0290 55 53 31 0e 30 0c 06 03|55 04 08 13 05 54 65 78 US1.0... U....Tex Aug 17 13:59:50 cube postfix/smtpd[70309]: 02a0 61 73 31 0f 30 0d 06 03|55 04 07 13 06 4c 61 72 as1.0... U....Lar Aug 17 13:59:50 cube postfix/smtpd[70309]: 02b0 65 64 6f 31 15 30 13 06|03 55 04 0a 13 0c 47 6c edo1.0.. .U....Gl Aug 17 13:59:50 cube postfix/smtpd[70309]: 02c0 6f 62 61 6c 20 50 43 4e|65 74 31 1a 30 18 06 03 obal PCN et1.0... Aug 17 13:59:50 cube postfix/smtpd[70309]: 02d0 55 04 03 13 11 63 75 62|65 2e 67 6c 6f 62 61 6c U....cub e.global Aug 17 13:59:50 cube postfix/smtpd[70309]: 02e0 70 63 2e 6e 65 74 31 20|30 1e 06 09 2a 86 48 86 pc.net1 0...*.H. Aug 17 13:59:50 cube postfix/smtpd[70309]: 02f0 f7 0d 01 09 01 16 11 69|6e 66 6f 40 67 6c 6f 62 .......i nfo@glob Aug 17 13:59:50 cube postfix/smtpd[70309]: 0300 61 6c 70 63 2e 6e 65 74|82 09 00 d0 12 84 7d fd alpc.net ......}. Aug 17 13:59:50 cube postfix/smtpd[70309]: 0310 fc 68 f8 30 0c 06 03 55|1d 13 04 05 30 03 01 01 .h.0...U ....0... Aug 17 13:59:50 cube postfix/smtpd[70309]: 0320 ff 30 0d 06 09 2a 86 48|86 f7 0d 01 01 04 05 00 .0...*.H ........ Aug 17 13:59:50 cube postfix/smtpd[70309]: 0330 03 81 81 00 91 b9 2d cf|33 b3 5d 17 af 03 1c fd ......-. 3.]..... Aug 17 13:59:50 cube postfix/smtpd[70309]: 0340 bd cd 6a a1 3c b1 89 34|d6 84 bd 24 cb 1f d7 e4 ..j.<..4 ...$.... Aug 17 13:59:50 cube postfix/smtpd[70309]: 0350 3b ef 82 ec 25 b0 3d cf|a0 d7 ac bf 37 79 cf c3 ;...%.=. ....7y.. 
Aug 17 13:59:50 cube postfix/smtpd[70309]: 0360 64 43 c8 71 bf 5f 35 9a|6c 64 63 e9 43 99 42 d1 dC.q._5. ldc.C.B.
Aug 17 13:59:50 cube postfix/smtpd[70309]: 0370 dc 7f 2b 2e 03 40 f7 58|9c 3d d7 57 d8 d8 0d 02 ..+..@.X .=.W....
Aug 17 13:59:50 cube postfix/smtpd[70309]: 0380 9f 0c b1 00 9b 37 12 a8|dd 88 97 29 a7 08 1f b6 .....7.. ...)....
Aug 17 13:59:50 cube postfix/smtpd[70309]: 0390 f4 b7 e4 cf 97 3b c8 8c|42 e8 ed 4b 34 9a 3e aa .....;.. B..K4.>.
Aug 17 13:59:50 cube postfix/smtpd[70309]: 03a0 f6 f7 ef 19 96 91 f7 87|41 03 ad 97 62 b5 a6 96 ........ A...b...
Aug 17 13:59:50 cube postfix/smtpd[70309]: 03b0 d9 fa 76 06 16 03 01 00|04 0e ..v..... ..
Aug 17 13:59:50 cube postfix/smtpd[70309]: 03ba -
Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept:SSLv3 flush data
Aug 17 13:59:50 cube postfix/smtpd[70309]: read from 080A2C40 [080CE000] (5 bytes => -1 (0xFFFFFFFF))
Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept:error in SSLv3 read client certificate A
Aug 17 13:59:50 cube postfix/smtpd[70309]: SSL_accept error from unknown[xx.xx.xx.xx]: -1
Aug 17 13:59:50 cube postfix/smtpd[70309]: lost connection after STARTTLS from unknown[xx.xx.xx.xx]
Aug 17 13:59:50 cube postfix/smtpd[70309]: disconnect from unknown[xx.xx.xx.xx]

Here's the output of a successful handshake with Thunderbird, same server, same cert:

Aug 17 15:10:57 cube postfix/smtpd[70628]: initializing the server-side TLS engine
Aug 17 15:10:57 cube postfix/smtpd[70628]: connect from unknown[xx.xx.xx.xx]
Aug 17 15:10:57 cube postfix/smtpd[70628]: setting up TLS connection from unknown[xx.xx.xx.xx]
Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:before/accept initialization
Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC000] (11 bytes => -1 (0xFFFFFFFF))
Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:error in SSLv2/v3 read client hello A
Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC000] (11 bytes => 11 (0xB))
Aug 17 15:10:57 cube
postfix/smtpd[70628]: 0000 16 03 01 00 53 01 00 00|4f 03 01 ....S... O.. Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC00B] (77 bytes => -1 (0xFFFFFFFF)) Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:error in SSLv3 read client hello B Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:error in SSLv3 read client hello B Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC00B] (77 bytes => 77 (0x4D)) Aug 17 15:10:57 cube postfix/smtpd[70628]: 0000 00 09 50 45 87 f0 4d 15|9b ae 4b d2 80 86 c2 d3 ..PE..M. ..K..... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0010 c3 87 49 d1 9e c9 f9 d3|56 7d fd 2f ad 77 63 3d ..I..... V}./.wc= Aug 17 15:10:57 cube postfix/smtpd[70628]: 0020 00 00 28 00 39 00 38 00|35 00 33 00 32 00 04 00 ..(.9.8. 5.3.2... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0030 05 00 2f 00 16 00 13 fe|ff 00 0a 00 15 00 12 fe ../..... ........ Aug 17 15:10:57 cube postfix/smtpd[70628]: 0040 fe 00 09 00 64 00 62 00|03 00 06 01 ....d.b. .... Aug 17 15:10:57 cube postfix/smtpd[70628]: 004c - Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 read client hello B Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 write server hello A Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 write certificate A Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 write key exchange A Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 write server done A Aug 17 15:10:57 cube postfix/smtpd[70628]: write to 080A2D00 [080B7000] (1359 bytes => 1359 (0x54F)) Aug 17 15:10:57 cube postfix/smtpd[70628]: 0000 16 03 01 00 2a 02 00 00|26 03 01 44 e4 cd 51 2f ....*... &..D..Q/ Aug 17 15:10:57 cube postfix/smtpd[70628]: 0010 e5 99 d2 23 bb 45 54 47|6e 5e 59 ec 6f 2c 6a 76 ...#.ETG n^Y.o,jv Aug 17 15:10:57 cube postfix/smtpd[70628]: 0020 3c 55 36 e7 af ee 92 80|3d 51 7d 00 00 39 00 16 fJ... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0200 3e 8d 99 d7 3d 57 9a b8|3e e8 98 64 20 5e 29 90 >...=W.. 
>..d ^). Aug 17 15:10:57 cube postfix/smtpd[70628]: 0210 6b f7 13 1e 9c 58 b4 cf|50 36 c8 b4 2e 79 15 9c k....X.. P6...y.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0220 6b ba 39 30 12 c3 fe 80|c5 9e 2c b2 ff 37 02 03 k.90.... ..,..7.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0230 01 00 01 a3 81 eb 30 81|e8 30 1d 06 03 55 1d 0e ......0. .0...U.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0240 04 16 04 14 4f 13 d7 ee|c1 d0 1b 1d 1b 58 d9 5d ....O... .....X.] Aug 17 15:10:57 cube postfix/smtpd[70628]: 0250 a9 4f 8e c3 d0 6a 7b ca|30 81 b8 06 03 55 1d 23 .O...j{. 0....U.# Aug 17 15:10:57 cube postfix/smtpd[70628]: 0260 04 81 b0 30 81 ad 80 14|4f 13 d7 ee c1 d0 1b 1d ...0.... O....... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0270 1b 58 d9 5d a9 4f 8e c3|d0 6a 7b ca a1 81 89 a4 .X.].O.. .j{..... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0280 81 86 30 81 83 31 0b 30|09 06 03 55 04 06 13 02 ..0..1.0 ...U.... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0290 55 53 31 0e 30 0c 06 03|55 04 08 13 05 54 65 78 US1.0... U....Tex Aug 17 15:10:57 cube postfix/smtpd[70628]: 02a0 61 73 31 0f 30 0d 06 03|55 04 07 13 06 4c 61 72 as1.0... U....Lar Aug 17 15:10:57 cube postfix/smtpd[70628]: 02b0 65 64 6f 31 15 30 13 06|03 55 04 0a 13 0c 47 6c edo1.0.. .U....Gl Aug 17 15:10:57 cube postfix/smtpd[70628]: 02c0 6f 62 61 6c 20 50 43 4e|65 74 31 1a 30 18 06 03 obal PCN et1.0... Aug 17 15:10:57 cube postfix/smtpd[70628]: 02d0 55 04 03 13 11 63 75 62|65 2e 67 6c 6f 62 61 6c U....cub e.global Aug 17 15:10:57 cube postfix/smtpd[70628]: 02e0 70 63 2e 6e 65 74 31 20|30 1e 06 09 2a 86 48 86 pc.net1 0...*.H. Aug 17 15:10:57 cube postfix/smtpd[70628]: 02f0 f7 0d 01 09 01 16 11 69|6e 66 6f 40 67 6c 6f 62 .......i nfo@glob Aug 17 15:10:57 cube postfix/smtpd[70628]: 0300 61 6c 70 63 2e 6e 65 74|82 09 00 d0 12 84 7d fd alpc.net ......}. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0310 fc 68 f8 30 0c 06 03 55|1d 13 04 05 30 03 01 01 .h.0...U ....0... 
Aug 17 15:10:57 cube postfix/smtpd[70628]: 0320 ff 30 0d 06 09 2a 86 48|86 f7 0d 01 01 04 05 00 .0...*.H ........ Aug 17 15:10:57 cube postfix/smtpd[70628]: 0330 03 81 81 00 91 b9 2d cf|33 b3 5d 17 af 03 1c fd ......-. 3.]..... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0340 bd cd 6a a1 3c b1 89 34|d6 84 bd 24 cb 1f d7 e4 ..j.<..4 ...$.... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0350 3b ef 82 ec 25 b0 3d cf|a0 d7 ac bf 37 79 cf c3 ;...%.=. ....7y.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0360 64 43 c8 71 bf 5f 35 9a|6c 64 63 e9 43 99 42 d1 dC.q._5. ldc.C.B. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0370 dc 7f 2b 2e 03 40 f7 58|9c 3d d7 57 d8 d8 0d 02 ..+..@.X .=.W.... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0380 9f 0c b1 00 9b 37 12 a8|dd 88 97 29 a7 08 1f b6 .....7.. ...).... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0390 f4 b7 e4 cf 97 3b c8 8c|42 e8 ed 4b 34 9a 3e aa .....;.. B..K4.>. Aug 17 15:10:57 cube postfix/smtpd[70628]: 03a0 f6 f7 ef 19 96 91 f7 87|41 03 ad 97 62 b5 a6 96 ........ A...b... Aug 17 15:10:57 cube postfix/smtpd[70628]: 03b0 d9 fa 76 06 16 03 01 01|8d 0c 00 01 89 00 80 b0 ..v..... ........ Aug 17 15:10:57 cube postfix/smtpd[70628]: 03c0 fe b4 cf d4 55 07 e7 cc|88 59 0d 17 26 c5 0c a5 ....U... .Y..&... Aug 17 15:10:57 cube postfix/smtpd[70628]: 03d0 4a 92 23 81 78 da 88 aa|4c 13 06 bf 5d 2f 9e bc J.#.x... L...]/.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 03e0 96 b8 51 00 9d 0c 0d 75|ad fd 3b b1 7e 71 4f 3f ..Q....u ..;.~qO? Aug 17 15:10:57 cube postfix/smtpd[70628]: 03f0 91 54 14 44 b8 30 25 1c|eb df 72 9c 4c f1 89 0d .T.D.0%. ..r.L... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0400 68 3f 94 8e a4 fb 76 89|18 b2 91 16 90 01 99 66 h?....v. .......f Aug 17 15:10:57 cube postfix/smtpd[70628]: 0410 8c 53 81 4e 27 3d 99 e7|5a 7a af d5 ec e2 7e fa .S.N'=.. Zz....~. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0420 ed 01 18 c2 78 25 59 06|5c 39 f6 cd 49 54 af c1 ....x%Y. \9..IT.. 
Aug 17 15:10:57 cube postfix/smtpd[70628]: 0430 b1 ea 4a f9 53 d0 df 6d|af d4 93 e7 ba ae 9b 00 ..J.S..m ........ Aug 17 15:10:57 cube postfix/smtpd[70628]: 0440 01 02 00 80 0b 39 55 0a|1d d0 5e ef ab fa b3 65 .....9U. ..^....e Aug 17 15:10:57 cube postfix/smtpd[70628]: 0450 f4 8b ec e3 e5 03 b9 d8|f1 35 4c f9 79 37 ef bc ........ .5L.y7.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0460 16 9a d3 b0 8c f4 cd 82|c4 8f 29 70 02 f4 32 90 ........ ..)p..2. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0470 0c 88 ed 9d 3e 5c b6 3f|f8 bf 91 58 36 6c ae 1d ....>\.? ...X6l.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0480 0f 4f 40 f6 d1 c7 42 c5|a0 51 c5 6e 24 08 45 b1 .O@...B. .Q.n$.E. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0490 98 f7 db 89 e0 28 ce 6b|45 5d 17 6d 37 0d 01 52 .....(.k E].m7..R Aug 17 15:10:57 cube postfix/smtpd[70628]: 04a0 c6 06 53 9c 66 44 8e b9|02 48 43 07 59 be c4 66 ..S.fD.. .HC.Y..f Aug 17 15:10:57 cube postfix/smtpd[70628]: 04b0 b7 80 0c 8f d4 f5 64 67|a2 40 2f c6 83 29 f5 79 ......dg .@/..).y Aug 17 15:10:57 cube postfix/smtpd[70628]: 04c0 66 5e b1 f9 00 80 08 34|f7 9f ec 21 b3 72 51 f6 f^.....4 ...!.rQ. Aug 17 15:10:57 cube postfix/smtpd[70628]: 04d0 54 ef 76 47 0c c7 fe 48|36 cf b1 0f 79 60 f2 91 T.vG...H 6...y`.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 04e0 cd f4 05 67 b6 f0 72 1f|ee 05 0d 3e f9 02 86 5c ...g..r. ...>...\ Aug 17 15:10:57 cube postfix/smtpd[70628]: 04f0 17 82 95 41 77 d7 34 78|5a 24 24 45 d1 79 15 13 ...Aw.4x Z$$E.y.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0500 fb 75 c7 e9 e0 03 48 77|30 2b f1 39 15 64 f8 b6 .u....Hw 0+.9.d.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0510 92 76 b8 32 6e 2b 65 6a|f6 bc e7 ba 72 f2 b0 c1 .v.2n+ej ....r... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0520 38 26 dd aa 7e b5 27 0e|11 89 3c 95 3b 35 e9 a7 8&..~.'. ..<.;5.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0530 c2 b4 6c ed 00 e7 8b 94|30 ac 0a 2f 52 59 bb e1 ..l..... 0../RY.. 
Aug 17 15:10:57 cube postfix/smtpd[70628]: 0540 58 35 bf 34 07 b4 16 03|01 00 04 0e X5.4.... .... Aug 17 15:10:57 cube postfix/smtpd[70628]: 054c - Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 flush data Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC000] (5 bytes => -1 (0xFFFFFFFF)) Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:error in SSLv3 read client certificate A Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC000] (5 bytes => 5 (0x5)) Aug 17 15:10:57 cube postfix/smtpd[70628]: 0000 16 03 01 00 86 ..... Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC005] (134 bytes => -1 (0xFFFFFFFF)) Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:error in SSLv3 read client certificate A Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC005] (134 bytes => 134 (0x86)) Aug 17 15:10:57 cube postfix/smtpd[70628]: 0000 10 00 00 82 00 80 59 1d|ee af 39 68 d8 fe cc 57 ......Y. ..9h...W Aug 17 15:10:57 cube postfix/smtpd[70628]: 0010 c3 49 92 1e c8 f9 d9 ac|59 1c ab 89 b5 0f f8 7e .I...... Y......~ Aug 17 15:10:57 cube postfix/smtpd[70628]: 0020 22 d9 26 c8 16 db 3f af|f0 c0 d0 d1 7b 58 e7 af ".&...?. ....{X.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0030 18 b4 5e c3 66 8a 23 d6|a0 17 9e a3 b7 a1 0f ed ..^.f.#. ........ Aug 17 15:10:57 cube postfix/smtpd[70628]: 0040 b9 6d 14 d6 2e d9 fc 74|86 b6 a5 83 f0 6e 6b 74 .m.....t .....nkt Aug 17 15:10:57 cube postfix/smtpd[70628]: 0050 17 5e 6f 39 09 eb 1a d5|d4 89 07 fd 95 30 6f 39 .^o9.... .....0o9 Aug 17 15:10:57 cube postfix/smtpd[70628]: 0060 11 be c7 1e 23 69 31 e0|f4 e2 c6 94 cf b7 da b6 ....#i1. ........ Aug 17 15:10:57 cube postfix/smtpd[70628]: 0070 e1 6e ec 30 10 f8 08 a4|44 e8 f7 6b 6e 4c b8 61 .n.0.... 
D..knL.a Aug 17 15:10:57 cube postfix/smtpd[70628]: 0080 f2 5a 40 04 d3 46 .Z@..F Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 read client key exchange A Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC000] (5 bytes => -1 (0xFFFFFFFF)) Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:error in SSLv3 read certificate verify A Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC000] (5 bytes => 5 (0x5)) Aug 17 15:10:57 cube postfix/smtpd[70628]: 0000 14 03 01 00 01 ..... Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC005] (1 bytes => -1 (0xFFFFFFFF)) Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:error in SSLv3 read certificate verify A Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC005] (1 bytes => 1 (0x1)) Aug 17 15:10:57 cube postfix/smtpd[70628]: 0000 01 . Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC000] (5 bytes => -1 (0xFFFFFFFF)) Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:error in SSLv3 read certificate verify A Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC000] (5 bytes => 5 (0x5)) Aug 17 15:10:57 cube postfix/smtpd[70628]: 0000 16 03 01 00 30 ....0 Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC005] (48 bytes => -1 (0xFFFFFFFF)) Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:error in SSLv3 read certificate verify A Aug 17 15:10:57 cube postfix/smtpd[70628]: read from 080A2D00 [080CC005] (48 bytes => 48 (0x30)) Aug 17 15:10:57 cube postfix/smtpd[70628]: 0000 18 ed 40 ce 69 10 57 c2|57 1e 5c 9b ac 2f 09 d2 ..@.i.W. W.\../.. Aug 17 15:10:57 cube postfix/smtpd[70628]: 0010 ae 53 69 da bf e7 a7 b0|76 bf 5b 26 00 93 bf 93 .Si..... v.[&.... Aug 17 15:10:57 cube postfix/smtpd[70628]: 0020 21 5b 56 52 02 13 5a 0e|ba 76 6c e7 81 da 6e 41 ![VR..Z. 
.vl...nA
Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 read finished A
Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 write change cipher spec A
Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 write finished A
Aug 17 15:10:57 cube postfix/smtpd[70628]: write to 080A2D00 [080B7000] (59 bytes => 59 (0x3B))
Aug 17 15:10:57 cube postfix/smtpd[70628]: 0000 14 03 01 00 01 01 16 03|01 00 30 ce bd 50 2c 69 ........ ..0..P,i
Aug 17 15:10:57 cube postfix/smtpd[70628]: 0010 b6 57 a3 2c 94 0f e9 9c|bb 0a aa db 1c 40 f4 04 .W.,.... .....@..
Aug 17 15:10:57 cube postfix/smtpd[70628]: 0020 11 67 0a 22 12 01 58 e1|e7 31 2b 07 44 8e a8 a7 .g."..X. .1+.D...
Aug 17 15:10:57 cube postfix/smtpd[70628]: 0030 55 e0 01 63 80 ba 97 24|93 4f 63 U..c...$ .Oc
Aug 17 15:10:57 cube postfix/smtpd[70628]: SSL_accept:SSLv3 flush data
Aug 17 15:10:57 cube postfix/smtpd[70628]: TLS connection established from unknown[xx.xx.xx.xx]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

From owner-freebsd-isp@FreeBSD.ORG Fri Aug 18 08:29:02 2006
Return-Path:
X-Original-To: freebsd-isp@freebsd.org
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F80F16A4DE for ; Fri, 18 Aug 2006 08:29:02 +0000 (UTC) (envelope-from darren.pilgrim@bitfreak.org)
Received: from mail.twinthornes.com (mail.twinthornes.com [65.75.198.147]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3F6F643D53 for ; Fri, 18 Aug 2006 08:29:01 +0000 (GMT) (envelope-from darren.pilgrim@bitfreak.org)
Received: from [10.242.169.24] (c-67-171-135-169.hsd1.or.comcast.net [67.171.135.169]) by mail.twinthornes.com (Postfix) with ESMTP id E98361332; Fri, 18 Aug 2006 01:29:00 -0700 (PDT)
Message-ID: <44E57966.6050100@bitfreak.org>
Date: Fri, 18 Aug 2006 01:25:10 -0700
From: Darren Pilgrim
User-Agent: Thunderbird 1.5.0.5 (Windows/20060719)
MIME-Version: 1.0
To: Adrian Gonzalez
References: <44E4D6F2.60305@globalpc.net>
In-Reply-To: <44E4D6F2.60305@globalpc.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-isp@freebsd.org
Subject: Re: Postfix + AUTH/TLS + Outlook/OE problem
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 18 Aug 2006 08:29:02 -0000

Adrian Gonzalez wrote:
> Hello
>
> I'm seeing some very strange behavior with Outlook 2003 and Outlook
> Express trying to send mail using TLS/SMTP Auth with Postfix 2.3 and
> FreeBSD 6.1-STABLE
>
> It seems like Outlook/OE don't like the SSL handshake for some
> reason. They connect to the server, issue STARTTLS, and disconnect
> during the handshake, giving an "Error Number: 0x800CCC0B". I've
> tried both STARTTLS and using 'wrapper mode' on port 465 with the
> same results.

Which version of Outlook Express were you using? Outlook Express 6 doesn't support STARTTLS, only wrapper-mode. OE6 also has a broken SASL implementation (set broken_sasl_auth_clients=yes). Yay for Microsoft!

Have you modified your cipher settings in postfix? FYR, Outlook XP/2003 and Outlook Express 6 prefer 128-bit RC4-MD5 and do not support AES, whereas Thunderbird supports and prefers AES256-SHA.

On my own mail server, I can send email using all four clients through STARTTLS+SASL (Outlook and Thunderbird) or SMTPS+SASL (OE). The server is FreeBSD RELENG_6_1 with the stock OpenSSL and postfix 2.3.1 with default tls_*_cipherlist settings. Be happy to compare configs off-list, postconf -n and the like.

P.S. You may want to retry this question on postfix-users. You'll have better luck if you're willing to wade through the usual "ditch MS" rude commentary.

P.P.S. Please configure your mail client to wrap lines.
--
Darren Pilgrim

From owner-freebsd-isp@FreeBSD.ORG Fri Aug 18 10:53:30 2006
Return-Path:
X-Original-To: freebsd-isp@freebsd.org
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AEBE16A4E8 for ; Fri, 18 Aug 2006 10:53:30 +0000 (UTC) (envelope-from tonyabm@ntlworld.com)
Received: from mtaout02-winn.ispmail.ntl.com (mtaout02-winn.ispmail.ntl.com [81.103.221.48]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8BF9343D5C for ; Fri, 18 Aug 2006 10:53:29 +0000 (GMT) (envelope-from tonyabm@ntlworld.com)
Received: from aamtaout04-winn.ispmail.ntl.com ([81.103.221.35]) by mtaout02-winn.ispmail.ntl.com with ESMTP id <20060818105328.KPQT27023.mtaout02-winn.ispmail.ntl.com@aamtaout04-winn.ispmail.ntl.com> for ; Fri, 18 Aug 2006 11:53:28 +0100
Received: from [192.168.0.4] (really [81.111.26.134]) by aamtaout04-winn.ispmail.ntl.com with ESMTP id <20060818105328.DNPQ15733.aamtaout04-winn.ispmail.ntl.com@[192.168.0.4]> for ; Fri, 18 Aug 2006 11:53:28 +0100
Received: from 127.0.0.1 (AVG SMTP 7.1.405 [268.11.2/422]); Fri, 18 Aug 2006 11:53:12 +0100
Message-ID: <003601c6c2b4$8028fef0$0400a8c0@bartleysbjatty>
From: "Tony.Bartley"
To:
Date: Fri, 18 Aug 2006 11:53:12 +0100
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2869
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; format=flowed; charset=iso-8859-1; reply-type=original
Subject: Please reactivate your Yahoo! Groups account
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 18 Aug 2006 10:53:30 -0000

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.405 / Virus Database: 268.11.2/422 - Release Date: 17/08/2006

From owner-freebsd-isp@FreeBSD.ORG Fri Aug 18 17:57:04 2006
Return-Path:
X-Original-To: freebsd-isp@freebsd.org
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B2B8A16A4E0 for ; Fri, 18 Aug 2006 17:57:04 +0000 (UTC) (envelope-from b.candler@pobox.com)
Received: from rune.pobox.com (rune.pobox.com [208.210.124.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECCBF43D55 for ; Fri, 18 Aug 2006 17:57:03 +0000 (GMT) (envelope-from b.candler@pobox.com)
Received: from rune (localhost [127.0.0.1]) by rune.pobox.com (Postfix) with ESMTP id CB7B37B8D9; Fri, 18 Aug 2006 13:57:24 -0400 (EDT)
Received: from mappit.local.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by rune.sasl.smtp.pobox.com (Postfix) with ESMTP id 83F2511F4D; Fri, 18 Aug 2006 13:57:23 -0400 (EDT)
Received: from lists by mappit.local.linnet.org with local (Exim 4.61 (FreeBSD)) (envelope-from ) id 1GE8aZ-0000FU-Gr; Fri, 18 Aug 2006 18:56:59 +0100
Date: Fri, 18 Aug 2006 18:56:59 +0100
From: Brian Candler
To: Adrian Gonzalez
Message-ID: <20060818175659.GA931@uk.tiscali.com>
References: <44E4D6F2.60305@globalpc.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <44E4D6F2.60305@globalpc.net>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-isp@freebsd.org
Subject: Re: Postfix + AUTH/TLS + Outlook/OE problem
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 18 Aug 2006 17:57:04 -0000

On Thu, Aug 17, 2006 at 03:52:02PM -0500, Adrian Gonzalez wrote:
> I'm seeing some very strange behavior with Outlook 2003 and Outlook Express
trying to send mail using TLS/SMTP Auth with Postfix 2.3 and FreeBSD > 6.1-STABLE > > It seems like Outlook/OE don't like the SSL handshake for some reason. > They connect to the server, issue STARTTLS, and disconnect during the > handshake, giving an "Error Number: 0x800CCC0B". I've tried both STARTTLS > and using 'wrapper mode' on port 465 with the same results. Other clients > like Thunderbird are able to send just fine using the same server > w/STARTTLS, so I'm assuming it's not a configuration/authentication issue. > > I thought it could be related to the chained SSL certificate we're using > (GoDaddy), but the results were the same with a self-signed cert. > > I also tried updating OpenSSL to the latest 'stable' release (0.9.7j), same > results. > > I've been banging my head against the wall with this one You don't seem to have considered the possibility that Microsoft software is simply broken. When another client connects without any problem at all, this would seem to be a pretty fair conclusion. You could always go and ask Microsoft what "Error 0x800CCC0B" means though. > To make matters even stranger, in Outlook Express, when you create the > message and click send, you get the error message and the email stays in > the outbox. After that if you do a Send/Receive, OE is able to negotiate > TLS properly and sends the message just fine. So the client fails first time, and works correctly the second. Sounds like a client bug to me. 
From owner-freebsd-isp@FreeBSD.ORG Fri Aug 18 23:59:24 2006 Return-Path: X-Original-To: freebsd-isp@freebsd.org Delivered-To: freebsd-isp@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9D78D16A4DF for ; Fri, 18 Aug 2006 23:59:24 +0000 (UTC) (envelope-from adrianbsd@globalpc.net) Received: from cube.globalpc.net (cube.globalpc.net [207.193.249.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5278743D45 for ; Fri, 18 Aug 2006 23:59:24 +0000 (GMT) (envelope-from adrianbsd@globalpc.net) Received: from [192.168.0.211] (unknown [216.60.63.113]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by cube.globalpc.net (Postfix) with ESMTP id 929B09B427; Fri, 18 Aug 2006 19:00:08 -0500 (CDT) Message-ID: <44E65460.5030101@globalpc.net> Date: Fri, 18 Aug 2006 18:59:28 -0500 From: Adrian Gonzalez User-Agent: Thunderbird 1.5.0.2 (Windows/20060308) MIME-Version: 1.0 To: Darren Pilgrim References: <44E4D6F2.60305@globalpc.net> <44E57966.6050100@bitfreak.org> In-Reply-To: <44E57966.6050100@bitfreak.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-isp@freebsd.org Subject: Re: Postfix + AUTH/TLS + Outlook/OE problem X-BeenThere: freebsd-isp@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Internet Services Providers List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Aug 2006 23:59:24 -0000 Hi Darren Comments below... Darren Pilgrim wrote: > Adrian Gonzalez wrote: > > Hello > > > > I'm seeing some very strange behavior with Outlook 2003 and Outlook > > Express trying to send mail using TLS/SMTP Auth with Postfix 2.3 and > > FreeBSD 6.1-STABLE > > > > It seems like Outlook/OE don't like the SSL handshake for some > > reason. They connect to the server, issue STARTTLS, and disconnect > > during the handshake, giving an "Error Number: 0x800CCC0B". 
I've > > tried both STARTTLS and using 'wrapper mode' on port 465 with the > > same results. > > Which version of Outlook Express were you using? Outlook Express 6 > doesn't support STARTTLS, only wrapper-mode. OE6 also also has a broken > SASL implementation (set broken_sasl_auth_clients=yes). Yay for Microsoft! Outlook Express 6 (6.00.2900.2180 according to the 'about' window). Basically, the one that comes with Windows XP Pro + All current updates/service packs. It does seem to be trying STARTTLS though. I did have the broken_sasl_auth_clients option enabled, I believe it just causes postfix to 'advertise' AUTH in the usual way along with outlook's broken way. > Have you modified your cipher settings in postfix? FYR, Outlook XP/2003 > and Outlook Express 6 prefer 128-bit RC4-MD5 and do not support AES, > whereas Thunderbird supports and prefers AES256-SHA. I suspect OE might not like what the server is offering, but I'm not qute sure what to change. The postfix manual strongly advises against excluding ciphers. Any suggestions? > On my own mail server, I can send email using all four clients through > STARTTLS+SASL (Outlook and Thunderbird) or SMTPS+SASL (OE). The server > is FreeBSD RELENG_6_1 with the stock OpenSSL and postfix 2.3.1 with > default tls_*_cipherlist settings. I'm using 2.3.0,1 with the updated stable OpenSSL. I'll try updating my ports tree and rebuilding the latest stable postfix and see what happens. > Be happy to compare configs off-list, postconf -n and the like. Thanks! > > P.S. You may want to retry this question on postfix-users. You'll have > better luck if you're willing to wade through the usual "ditch MS" rude > commentary. > > P.P.S. Please configure your mail client to wrap lines. I normally do, but the postfix logs looked really bad with wrapping :)
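The exchange above turns on what each client actually negotiates with the server (Darren's point that Outlook/OE prefer RC4-MD5 while Thunderbird prefers AES256-SHA) and on clients that drop the connection mid-handshake. Postfix's smtpd logs both outcomes, so the quickest way to see which clients fail and which ciphers the working ones land on is to read those log lines rather than guess at cipher lists. The script below is an added example written for this thread, not code from the thread or from the Postfix project; the log lines it parses are constructed samples in Postfix's smtpd syslog format (Adrian's real logs are not on the page), and the "weak cipher" marker list is a local policy assumption, not a Postfix setting.

```python
import re
from collections import Counter

# Constructed sample log lines in Postfix smtpd syslog format. They are not the
# original poster's logs; the client addresses, PIDs and ciphers are made up.
SAMPLE_LOG = """\
Aug 18 18:01:02 cube postfix/smtpd[4512]: connect from unknown[192.0.2.10]
Aug 18 18:01:02 cube postfix/smtpd[4512]: SSL_accept error from unknown[192.0.2.10]: lost connection
Aug 18 18:01:02 cube postfix/smtpd[4512]: lost connection after STARTTLS from unknown[192.0.2.10]
Aug 18 18:01:30 cube postfix/smtpd[4513]: connect from unknown[192.0.2.10]
Aug 18 18:01:31 cube postfix/smtpd[4513]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher RC4-MD5 (128/128 bits)
Aug 18 18:02:05 cube postfix/smtpd[4514]: connect from unknown[192.0.2.20]
Aug 18 18:02:06 cube postfix/smtpd[4514]: Anonymous TLS connection established from unknown[192.0.2.20]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

# A completed handshake is logged with a trust-level prefix followed by
# protocol, cipher name and key size.
ESTABLISHED_RE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established from "
    r"(?P<client>\S+\[[0-9a-fA-F.:]+\]): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)"
)
# A client that disconnects during the handshake (the Outlook symptom in the
# thread) produces an SSL_accept error instead of an "established" line.
ACCEPT_ERROR_RE = re.compile(
    r"SSL_accept error from (?P<client>\S+\[[0-9a-fA-F.:]+\]): (?P<reason>.*)$"
)

# Local policy (an assumption for this example, not a Postfix parameter):
# cipher names containing any of these fragments are flagged as weak by
# current standards (RC4 is prohibited by RFC 7465; EXP and NULL suites are
# export-grade or unencrypted).
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "EXP", "NULL")


def is_weak_cipher(cipher):
    """True if the OpenSSL cipher name matches the local weak-cipher policy."""
    return any(marker in cipher for marker in WEAK_CIPHER_MARKERS)


def summarize_tls(log_text):
    """Split smtpd log lines into completed handshakes and handshake failures.

    Returns a dict with the parsed "established" sessions, the
    "handshake_failures", a Counter of ciphers seen, and the sorted list of
    negotiated ciphers that the local policy considers weak.
    """
    established = []
    failures = []
    for line in log_text.splitlines():
        m = ESTABLISHED_RE.search(line)
        if m:
            established.append(m.groupdict())
            continue
        m = ACCEPT_ERROR_RE.search(line)
        if m:
            failures.append(m.groupdict())
    cipher_counts = Counter(s["cipher"] for s in established)
    weak = sorted(c for c in cipher_counts if is_weak_cipher(c))
    return {
        "established": established,
        "handshake_failures": failures,
        "cipher_counts": cipher_counts,
        "weak": weak,
    }


def report(log_text):
    """Render the summary as text: sessions per cipher, then failed handshakes."""
    r = summarize_tls(log_text)
    lines = ["TLS sessions per cipher:"]
    for cipher, n in r["cipher_counts"].most_common():
        flag = "  <-- weak" if cipher in r["weak"] else ""
        lines.append("  %-30s %d%s" % (cipher, n, flag))
    lines.append("Handshake failures: %d" % len(r["handshake_failures"]))
    for f in r["handshake_failures"]:
        lines.append("  %s: %s" % (f["client"], f["reason"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a real maillog with `report(open("/var/log/maillog").read())`; a client that shows up only under "Handshake failures" never agreed on a cipher at all, which separates a cipher-list mismatch from the first-attempt-fails, second-attempt-works behaviour described in the thread, where the same client later appears under an "established" line.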