Postfix: SSL Daten in mail.log

thewilli

New Member
Hi,

beim Kontrollieren meiner Logs ist mir aufgefallen, dass Postfix sämtliche SSL Daten mit in mail.log aufnimmt, wass unter Logwatch dann so aussieht (Ausschnitt):

Code:
.....
 read from 08099E58 [080A354D] (134 bytes => -1 (0xFFFFFFFF))
 SSL_accept:error in SSLv3 read client certificate A
 read from 08099E58 [080A354D] (134 bytes => 134 (0x86))
 0000 10 00 00 82 00 80 45 5a|a7 21 a7 b8 bf d7 36 cd  ......EZ .!....6.
 0010 59 30 84 1d 5a fa 5e 76|38 00 fb 41 68 d8 e2 53  Y0..Z.^v 8..Ah..S
 0020 46 01 06 7f b2 6d d0 5c|ba d1 8e 36 3c 59 79 7d  F....m.\ ...6<Yy}
 0030 b7 35 08 dc bb 65 de c2|f0 a1 79 dd db 6f ab 0f  .5...e.. ..y..o..
 0040 1a 81 b5 0e ad b0 50 82|f6 e4 99 88 0e d3 4e 84  ......P. ......N.
 0050 19 5c 4e 98 7e d4 1e 8d|a1 a3 05 1f 54 9b 16 bc  .\N.~... ....T...
 0060 86 1f 19 5d 77 26 0c 2a|5b 3f bc c2 f8 37 ba 83  ...]w&.* [?...7..
 0070 93 af 21 77 64 4b 07 66|96 22 c7 6c eb 1d 98 e5  ..!wdK.f .".l....
 0080 06 e0 27 c1 7b 5c                                ..'.{\
 SSL_accept:SSLv3 read client key exchange A
 read from 08099E58 [080A3548] (5 bytes => -1 (0xFFFFFFFF))
 SSL_accept:error in SSLv3 read certificate verify A
 read from 08099E58 [080A3548] (5 bytes => 5 (0x5))
 0000 14 03 01 00 01                                   .....
 read from 08099E58 [080A354D] (1 bytes => -1 (0xFFFFFFFF))
 SSL_accept:error in SSLv3 read certificate verify A
 read from 08099E58 [080A354D] (1 bytes => 1 (0x1))
 0000 01                                               .
 read from 08099E58 [080A3548] (5 bytes => -1 (0xFFFFFFFF))
 SSL_accept:error in SSLv3 read certificate verify A
 read from 08099E58 [080A3548] (5 bytes => 5 (0x5))
 0000 16 03 01 00 30                                   ....0
 read from 08099E58 [080A354D] (48 bytes => -1 (0xFFFFFFFF))
 SSL_accept:error in SSLv3 read certificate verify A
 read from 08099E58 [080A354D] (48 bytes => 48 (0x30))
 0000 a8 49 ca d7 19 d2 c3 58|66 4c 77 c8 97 cf 61 2d  .I.....X fLw...a-
 0010 50 2e 3e bb 48 03 68 bd|1d bf 94 fb 60 f3 52 3c  P.>.H.h. ....`.R<
 0020 69 74 a8 f0 ff ea 5d 8a|84 52 88 3e c4 68 90 33  it....]. .R.>.h.3
 SSL_accept:SSLv3 read finished A
 SSL_accept:SSLv3 write change cipher spec A
 SSL_accept:SSLv3 write finished A
 write to 08099E58 [080B1710] (59 bytes => 59 (0x3B))
 0000 14 03 01 00 01 01 16 03|01 00 30 a9 54 90 e9 75  ........ ..0.T..u
 0010 0b dc 51 70 f7 c5 30 39|82 8b bf fe a5 1d b1 fc  ..Qp..09 ........
 0020 c9 be 85 95 eb 73 d4 0a|37 7e 1b 21 35 b3 89 1d  .....s.. 7~.!5...
 0030 3a 26 0b 84 9e 75 88 df|16 37 f7                 :&...u.. .7.
 SSL_accept:SSLv3 flush data
 initializing the server-side TLS engine
 initializing the server-side TLS engine
 initializing the server-side TLS engine
 initializing the server-side TLS engine
 initializing the server-side TLS engine
 initializing the server-side TLS engine
 initializing the server-side TLS engine
 initializing the server-side TLS engine

Ich finde aber sowohl bei Postfix in der main.cf noch in der Dovecot.conf (Dovecot wird zur SMTP Authentifizierung benutzt) einen Verbose oder Debugschalter.

Habt ihr eine Idee wo ich das abstellen kann?

Danke im Voraus!
 
hier die master.cf
Code:
smtp      inet  n       -       -       -       -       smtpd
pickup    fifo  n       -       -       60      1       pickup
cleanup   unix  n       -       -       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       -       1000?   1       tlsmgr
rewrite   unix  -       -       -       -       -       trivial-rewrite
bounce    unix  -       -       -       -       0       bounce
defer     unix  -       -       -       -       0       bounce
trace     unix  -       -       -       -       0       bounce
verify    unix  -       -       -       -       1       verify
flush     unix  n       -       -       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
smtp      unix  -       -       -       -       -       smtp
relay     unix  -       -       -       -       -       smtp
        -o fallback_relay=
showq     unix  n       -       -       -       -       showq
error     unix  -       -       -       -       -       error
discard   unix  -       -       -       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
lmtp      unix  -       -       -       -       -       lmtp
anvil     unix  -       -       -       -       1       anvil
scache    unix  -       -       -       -       1       scache
maildrop  unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}

smtp-amavis unix -      -       n     -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
uucp      unix  -       n       n       -       -       pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)

ifmail    unix  -       n       n       -       -       pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp     unix  -       n       n       -       -       pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix  -       n       n       -       2       pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman   unix  -       n       n       -       -       pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
  ${nexthop} ${user}
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${recipient}

smtp-amavis unix -      -       n     -       2  smtp
    -o smtp_data_done_timeout=1200
    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -       -     -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0

    -o smtp_send_xforward_command=yes
    -o disable_dns_lookups=yes
    -o max_use=20

127.0.0.1:10025 inet n  -       -     -       -  smtpd
    -o content_filter=
    -o local_recipient_maps=
    -o relay_recipient_maps=
    -o smtpd_restriction_classes=
    -o smtpd_delay_reject=no
    -o smtpd_client_restrictions=permit_mynetworks,reject
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o smtpd_data_restrictions=reject_unauth_pipelining
    -o smtpd_end_of_data_restrictions=
    -o mynetworks=127.0.0.0/8
    -o smtpd_error_sleep_time=0
    -o smtpd_soft_error_limit=1001
    -o smtpd_hard_error_limit=1000
    -o smtpd_client_connection_count_limit=0
    -o smtpd_client_connection_rate_limit=0
    -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks
    -o local_header_rewrite_clients=

policy  unix  -       n       n       -       -       spawn
        user=nobody argv=/usr/bin/perl /usr/lib/postfix/policyd-spf-perl

und sicherheitshalber auch die main.cf ;)

Code:
myorigin = /etc/mailname

smtpd_banner = MY ESMTP (Debian/GNU)
biff = no

strict_rfc821_envelopes = yes

append_dot_mydomain = no

myhostname = mail.my-domain.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.my-domain.de, mail, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8
smtpd_tls_cert_file=/etc/lighttpd/webs/mail.my-domain.de/mail.my-domain.de.crt
smtpd_tls_key_file=/etc/lighttpd/webs/mail.my-domain.de/mail.my-domain.de.key.decrypted
smtpd_tls_CAfile=/etc/lighttpd/webs/mail.my-domain.de/mail.my-domain.de.ca
smtpd_use_tls=yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

myhostname = mail.my-domain.de
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = mail.my-domain.de, mail, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes

broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_sasl_authenticated
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_uid_maps = static:5000
virtual_gid_maps = static:5000
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf,mysql:/etc/postfix/mysql-email2email.cf
virtual_transport = dovecot
dovecot_destination_recipient_limit = 1
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes


broken_sasl_auth_clients = yes

smtpd_recipient_restrictions = permit_sasl_authenticated
        permit_mynetworks
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unauth_destination
        reject_unknown_sender_domain
        check_client_access hash:/etc/postfix/ispblock
        reject_rbl_client dnsbl.ahbl.org
        reject_rbl_client dyna.spamrats.com
        reject_rbl_client spam.spamrats.com
        reject_rbl_client bl.spamcop.net
        reject_rbl_client smtp.dnsbl.sorbs.net
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client sbl.spamhaus.org
        reject_rbl_client zen.spamhaus.org
        check_policy_service unix:private/policy
        permit

content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
smtpd_recipient_restrictions = permit_sasl_authenticated
        permit_mynetworks
        reject_non_fqdn_sender
        reject_non_fqdn_recipient
        reject_unauth_destination
        reject_unknown_sender_domain
        check_client_access hash:/etc/postfix/ispblock
        reject_rbl_client dnsbl.ahbl.org
        reject_rbl_client dyna.spamrats.com
        reject_rbl_client spam.spamrats.com
        reject_rbl_client bl.spamcop.net
        reject_rbl_client smtp.dnsbl.sorbs.net
        reject_rbl_client cbl.abuseat.org
        reject_rbl_client sbl.spamhaus.org
        reject_rbl_client zen.spamhaus.org
        check_policy_service unix:private/policy
        permit
content_filter = smtp-amavis:[127.0.0.1]:10024
receive_override_options = no_address_mappings
Hast Du eine Idee, was speziell das auslösen könnte?
 
Last edited by a moderator:
Back
Top