Hello,

I am not sure this is Roskomnadzor's fault, because it happens from different networks in different countries. And Postfix is the only site where it happens, among the ones I accessed in recent weeks.

From tcpdump, it looks like no reply to the TLS Client Hello is received:

No.    Time    Source    Destination    Protocol    Length    Info    srcport    dstport
22    20.373087    5.x.x.x    95.216.145.1    TCP    74    30569 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 SACK_PERM TSval=1130704237 TSecr=0    30569    443
23    20.428994    95.216.145.1    5.x.x.x    TCP    74    443 → 30569 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 MSS=1460 SACK_PERM TSval=2990867572 TSecr=1130704237 WS=512    443    30569
24    20.429058    5.x.x.x    95.216.145.1    TCP    66    30569 → 443 [ACK] Seq=1 Ack=1 Win=65728 Len=0 TSval=1130704295 TSecr=2990867572    30569    443
25    20.432861    5.x.x.x    95.216.145.1    TLSv1    583    Client Hello (SNI=www.postfix.org)    30569    443
26    20.835416    5.x.x.x    95.216.145.1    TCP    583    [TCP Retransmission] 30569 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65728 Len=517 TSval=1130704697 TSecr=2990867572    30569    443
27    21.397558    5.x.x.x    95.216.145.1    TCP    583    [TCP Retransmission] 30569 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65728 Len=517 TSval=1130705257 TSecr=2990867572    30569    443
28    22.311764    5.x.x.x    95.216.145.1    TCP    583    [TCP Retransmission] 30569 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65728 Len=517 TSval=1130706177 TSecr=2990867572    30569    443
29    23.951837    5.x.x.x    95.216.145.1    TCP    583    [TCP Retransmission] 30569 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65728 Len=517 TSval=1130707817 TSecr=2990867572    30569    443
30    27.031803    5.x.x.x    95.216.145.1    TCP    583    [TCP Retransmission] 30569 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65728 Len=517 TSval=1130710897 TSecr=2990867572    30569    443
31    32.991729    5.x.x.x    95.216.145.1    TCP    583    [TCP Retransmission] 30569 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65728 Len=517 TSval=1130716857 TSecr=2990867572    30569    443
32    44.711680    5.x.x.x    95.216.145.1    TCP    583    [TCP Retransmission] 30569 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65728 Len=517 TSval=1130728577 TSecr=2990867572    30569    443
33    67.951636    5.x.x.x    95.216.145.1    TCP    583    [TCP Retransmission] 30569 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65728 Len=517 TSval=1130751817 TSecr=2990867572    30569    443
34    80.493489    95.216.145.1    5.x.x.x    TCP    66    443 → 30569 [FIN, ACK] Seq=1 Ack=1 Win=65536 Len=0 TSval=2990927636 TSecr=1130704295    443    30569
35    80.493539    5.x.x.x    95.216.145.1    TCP    66    30569 → 443 [ACK] Seq=518 Ack=2 Win=65728 Len=0 TSval=1130764357 TSecr=2990927636    30569    443
36    80.494532    5.x.x.x    95.216.145.1    TLSv1    73    Alert (Level: Fatal, Description: Decode Error)    30569    443

For comparison, this is Telegram (t.me) accessed from the same system:

No.    Time    Source    Destination    Protocol    Length    Info    srcport    dstport
1    0.000000    5.x.x.x    149.154.167.99    TCP    74    44337 → 443 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=64 SACK_PERM TSval=3555323993 TSecr=0    44337    443
2    0.001345    149.154.167.99    5.x.x.x    TCP    74    443 → 44337 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1240 SACK_PERM TSval=593343437 TSecr=3555323993 WS=1024    443    44337
3    0.001625    5.x.x.x    149.154.167.99    TCP    66    44337 → 443 [ACK] Seq=1 Ack=1 Win=65728 Len=0 TSval=3555323993 TSecr=593343437    44337    443
4    0.005288    5.x.x.x    149.154.167.99    TLSv1.3    583    Client Hello (SNI=t.me)    44337    443
5    0.006236    149.154.167.99    5.x.x.x    TCP    66    443 → 44337 [ACK] Seq=1 Ack=518 Win=67584 Len=0 TSval=593343442 TSecr=3555323993    443    44337
6    0.006643    149.154.167.99    5.x.x.x    TLSv1.3    1294    Server Hello, Change Cipher Spec, Application Data    443    44337
7    0.006651    149.154.167.99    5.x.x.x    TCP    1294    443 → 44337 [ACK] Seq=1229 Ack=518 Win=67584 Len=1228 TSval=593343443 TSecr=3555323993 [TCP PDU reassembled in 10]    443    44337
8    0.006659    5.x.x.x    149.154.167.99    TCP    66    44337 → 443 [ACK] Seq=518 Ack=2457 Win=63296 Len=0 TSval=3555323993 TSecr=593343443    44337    443
9    0.006666    149.154.167.99    5.x.x.x    TCP    1294    443 → 44337 [ACK] Seq=2457 Ack=518 Win=67584 Len=1228 TSval=593343443 TSecr=3555323993 [TCP PDU reassembled in 10]    443    44337
10    0.006685    149.154.167.99    5.x.x.x    TLSv1.3    478    Application Data    443    44337

Eugene

On 20.04.2026 14:10, Michael Tokarev via Postfix-users wrote:
On 19.04.2026 16:00, Eugene R via Postfix-users wrote:
Hello,

Some other people and I have problems accessing www.postfix.org in the normal (HTTPS) way. The non-HTTPS version http://www.postfix.org works fine, while HTTPS fails to connect and times out.

What might be wrong?


This is Roskomnadzor's censorship and ruining the internet in a single
country.  They block certain https patterns in the hope of blocking Telegram
and VPNs which try to act "like" regular https, and they block certain
protocols for certain addresses completely.

It's rather interesting you haven't faced this earlier.  A lot of places
don't work from ru netspace even if the resource itself isn't/shouldn't
be blocked directly.  For example, wget https doesn't work in many places
because it "looks like" telegram mtproxy (or, rather, it does not look
like a regular well-known "whitelisted" browser), I can't git push to
gitlab (for the same reason), etc.

Thanks,

/mjt

_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
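Added example, not part of the thread: a small Python classifier for capture summaries in the column layout shown above. It separates a flow whose Client Hello is never acknowledged by the server (the server's FIN in the first capture still carries Ack=1) from one that proceeds normally. The sample rows are constructed with documentation addresses, and the verdict names are this example's own.

```python
import re

# Columns as in the summaries above: No. Time Source Destination Protocol Length Info srcport dstport
ROW = re.compile(r"^(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*?)\s+(\d+)\s+(\d+)$")
# Constructed sample rows (documentation addresses), not the captures from the thread.
STALLED = """\
1 0.000 192.0.2.10 198.51.100.7 TCP 74 40000 → 443 [SYN] Seq=0 Win=65535 Len=0 40000 443
2 0.050 198.51.100.7 192.0.2.10 TCP 74 443 → 40000 [SYN, ACK] Seq=0 Ack=1 Win=65160 Len=0 443 40000
3 0.051 192.0.2.10 198.51.100.7 TCP 66 40000 → 443 [ACK] Seq=1 Ack=1 Win=65728 Len=0 40000 443
4 0.055 192.0.2.10 198.51.100.7 TLSv1 583 Client Hello (SNI=example.org) 40000 443
5 0.450 192.0.2.10 198.51.100.7 TCP 583 [TCP Retransmission] 40000 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65728 Len=517 40000 443
6 1.010 192.0.2.10 198.51.100.7 TCP 583 [TCP Retransmission] 40000 → 443 [PSH, ACK] Seq=1 Ack=1 Win=65728 Len=517 40000 443
7 60.100 198.51.100.7 192.0.2.10 TCP 66 443 → 40000 [FIN, ACK] Seq=1 Ack=1 Win=65536 Len=0 443 40000
"""
HEALTHY = """\
1 0.000 192.0.2.10 203.0.113.5 TCP 74 40001 → 443 [SYN] Seq=0 Win=65535 Len=0 40001 443
2 0.001 203.0.113.5 192.0.2.10 TCP 74 443 → 40001 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 443 40001
3 0.002 192.0.2.10 203.0.113.5 TCP 66 40001 → 443 [ACK] Seq=1 Ack=1 Win=65728 Len=0 40001 443
4 0.005 192.0.2.10 203.0.113.5 TLSv1.3 583 Client Hello (SNI=example.net) 40001 443
5 0.006 203.0.113.5 192.0.2.10 TCP 66 443 → 40001 [ACK] Seq=1 Ack=518 Win=67584 Len=0 443 40001
"""

def verdict(f):
    if not f["synack"]:
        return "no-tcp-handshake"
    if f["hello"] and not f["answered"]:
        return "hello-never-acked"
    return "ok" if f["answered"] else "incomplete"

def classify(capture):
    """Return {(client, cport, server, sport): (verdict, client retransmissions)}."""
    flows = {}
    for line in capture.splitlines():
        if not (m := ROW.match(line.strip())):
            continue  # header line or unparsable row
        _, _, src, dst, proto, _, info, sport, dport = m.groups()
        if "[SYN]" in info:  # bare SYN: the sender is the client
            flows[(src, sport, dst, dport)] = dict(synack=False, hello=False, retx=0, answered=False)
            continue
        fwd, rev = flows.get((src, sport, dst, dport)), flows.get((dst, dport, src, sport))
        if fwd:  # client -> server
            fwd["hello"] |= "Client Hello" in info
            fwd["retx"] += "[TCP Retransmission]" in info
        elif rev:  # server -> client
            rev["synack"] |= "[SYN, ACK]" in info
            ack = re.search(r"Ack=(\d+)", info)
            # Relative Ack > 1 (or a TLS record) proves the server received client payload.
            rev["answered"] |= proto.startswith("TLS") or bool(ack and int(ack.group(1)) > 1)
    return {k: (verdict(f), f["retx"]) for k, f in flows.items()}
```

A `hello-never-acked` verdict after a completed TCP handshake says only that the client's first payload segment was never acknowledged by the server; it does not say where on the path the segment was lost.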