Ralf Hildebrandt --> postfix-users (2013-05-08 09:28:11 +0200):
> Anybody seen this one before?
>
> May 8 00:30:04 albatross postfix/smtp[29327]: SSL_connect error to
> mail.vex.net[98.158.139.68]:25: 0
> May 8 00:30:04 albatross postfix/smtp[29327]: warning: TLS library problem:
> 29327:error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad digest
> length:s3_both.c:239:
> May 8 00:30:04 albatross postfix/smtp[29327]: 3b4wVg5fKkz7LkB: Cannot start
> TLS: handshake failure
>
> Eventually the mail goes through without SSL:
>
> May 8 00:30:05 albatross postfix/smtp[29327]: 3b4wVg5fKkz7LkB:
> to=<mcxx...@vrplumber.com>, relay=mail.vex.net[98.158.139.68]:25,
> delay=1.6, delays=0.09/0/0.71/0.79, dsn=2.0.0, status=sent (250 2.0.0 Ok:
> queued as F3D5B4A457FD)

Funny, I was just going to report probably the same issue...

I can reproduce the problem on up-to-date Linux and FreeBSD systems, but
not on an older NetBSD system:

  Linux/x86_64   Postfix 2.10.0  OpenSSL 1.0.1e
  FreeBSD/amd64  Postfix 2.10.0  OpenSSL 1.0.1e
  NetBSD/i386    Postfix 2.7.3   OpenSSL 0.9.9-dev

When sending several mails in succession, failure and success seem to
alternate (i.e. exactly one failed handshake, then a successful one, then
a failed one again, etc.). And not using a TLS session cache for smtp(8)
(smtp_tls_session_cache_database) seems to work around the problem.

I set smtp_tls_loglevel=2 and tried to reproduce the problem: [1]first
(successful) and [2]second (unsuccessful) attempt on the Linux system;
[3]first (successful) and [4]second (successful) attempt on the NetBSD
system. Some more detailed information about OpenSSL versions used is
also [5]available.

It seems to me that if the TLS session cache lookup succeeds, the TLS
handshake fails, and vice versa. And for some reason, on the NetBSD
system where I never see the handshake failure the TLS session cache
lookup never succeeds.

Any hints?

Cheers,
Jukka

[1] http://salmi.ch/~jukka/postfix/postfix_2.10.0_tls_init
[2] http://salmi.ch/~jukka/postfix/postfix_2.10.0_tls
[3] http://salmi.ch/~jukka/postfix/postfix_2.7.3_tls_init
[4] http://salmi.ch/~jukka/postfix/postfix_2.7.3_tls
[5] http://salmi.ch/~jukka/postfix/postfix_tls_infos

-- 
This email fills a much-needed gap in the archives.
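
Added example, not part of the original thread and not Postfix code: a log check that finds messages delivered to a relay right after a failed TLS handshake with that same relay, the sequence shown in the quoted log. It assumes such a status=sent is the cleartext retry the report describes; the function name, hostnames and queue IDs are constructed.

```python
import re

# Constructed sample log, modelled on the smtp(8) lines quoted in the thread.
SAMPLE_LOG = """\
May  8 00:30:04 mta1 postfix/smtp[101]: SSL_connect error to mx.example.net[192.0.2.25]:25: 0
May  8 00:30:04 mta1 postfix/smtp[101]: 3aaaaaaaaaaaaaA: Cannot start TLS: handshake failure
May  8 00:30:05 mta1 postfix/smtp[101]: 3aaaaaaaaaaaaaA: to=<a@example.org>, relay=mx.example.net[192.0.2.25]:25, delay=1.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May  8 00:31:10 mta1 postfix/smtp[102]: 3bbbbbbbbbbbbbB: to=<b@example.org>, relay=mx.example.net[192.0.2.25]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok)
May  8 00:32:00 mta1 postfix/smtp[103]: SSL_connect error to mx.example.net[192.0.2.25]:25: 0
May  8 00:32:00 mta1 postfix/smtp[103]: 3cccccccccccccC: Cannot start TLS: handshake failure
May  8 00:32:01 mta1 postfix/smtp[103]: 3cccccccccccccC: to=<c@example.org>, relay=mx.example.net[192.0.2.25]:25, delay=1.2, dsn=4.4.2, status=deferred (lost connection)
"""

SMTP = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_ERR = re.compile(r"SSL_connect error to (?P<relay>\S+\[[^\]]+\]:\d+):")
TLS_FAIL = re.compile(r"(?P<qid>[0-9A-Za-z]+): Cannot start TLS: ")
DELIVERY = re.compile(
    r"(?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),.*\bstatus=(?P<status>\w+)")


def plaintext_fallbacks(log_text):
    """Return (queue_id, recipient, relay) for mail sent after a failed TLS handshake."""
    relay_by_pid = {}  # smtp(8) pid -> relay named in its last SSL_connect error
    failed = {}        # queue id -> relay whose handshake failed for that message
    hits = []
    for line in log_text.splitlines():
        m = SMTP.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (c := CONNECT_ERR.match(msg)):
            relay_by_pid[pid] = c["relay"]
        elif (f := TLS_FAIL.match(msg)):
            failed[f["qid"]] = relay_by_pid.get(pid)
        elif (d := DELIVERY.match(msg)):
            # Assumption: "sent" to the relay that just failed TLS was the cleartext retry.
            if d["status"] == "sent" and failed.get(d["qid"], "") == d["relay"]:
                hits.append((d["qid"], d["rcpt"], d["relay"]))
    return hits


if __name__ == "__main__":
    for qid, rcpt, relay in plaintext_fallbacks(SAMPLE_LOG):
        print(f"{qid}: {rcpt} delivered via {relay} after TLS handshake failure")
```
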