On Wed, May 08, 2013 at 07:24:03PM +0200, Jukka Salmi wrote:
> Funny, I was just going to report probably the same issue...
>
> I can reproduce the problem on up-to-date Linux and FreeBSD systems, but
> not on an older NetBSD system:
>
>   Linux/x86_64   Postfix 2.10.0  OpenSSL 1.0.1e
>   FreeBSD/amd64  Postfix 2.10.0  OpenSSL 1.0.1e
>   NetBSD/i386    Postfix 2.7.3   OpenSSL 0.9.9-dev
>
> When sending several mails in succession, failure and success seem to
> alternate (i.e. exactly one failed handshake, then a successful one,
> then a failed one again, etc.). And not using a TLS session cache for
> smtp(8) (smtp_tls_session_cache_database) seems to work around the
> problem.

Thanks, I can reproduce this also with cached sessions and OpenSSL 1.0.1e.

$ posttls-finger -r 1 salmi.ch:587
posttls-finger: Connected to rho.salmi.ch[178.63.9.175]:587
posttls-finger: < 220 rho.salmi.ch ESMTP
posttls-finger: > EHLO amnesiac
posttls-finger: < 250-rho.salmi.ch
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 10240000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: rho.salmi.ch[178.63.9.175]:587 Matched CommonName rho.salmi.ch
posttls-finger: certificate verification failed for rho.salmi.ch[178.63.9.175]:587: untrusted issuer /CN=Salmi CA/O=Salmi Certification Authority/OU=CA/emailAddress=c...@salmi.ch/C=CH/ST=BS/L=Basel
posttls-finger: rho.salmi.ch[178.63.9.175]:587: subject_CN=rho.salmi.ch, issuer_CN=Salmi CA, fingerprint=FC:6B:AE:A0:AC:B5:88:9E:1F:4C:D2:3F:2B:90:BD:D6:2F:4E:81:09, pkey_fingerprint=69:9B:1D:C1:F4:CE:43:23:17:8D:09:6F:C4:4B:0D:A3:E0:A7:AF:64
posttls-finger: Untrusted TLS connection established to rho.salmi.ch[178.63.9.175]:587: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
posttls-finger: > EHLO amnesiac
posttls-finger: < 250-rho.salmi.ch
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 10240000
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 DSN
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
posttls-finger: Reconnecting after 1 seconds
posttls-finger: < 220 rho.salmi.ch ESMTP
posttls-finger: looking for session posttls-finger:[178.63.9.175]:587:5047F1BB983E07DEFDB7D1A973BC5FFD00A6C9735C2BB76A405107195320BB07 in memory cache
posttls-finger: reloaded session posttls-finger:[178.63.9.175]:587:5047F1BB983E07DEFDB7D1A973BC5FFD00A6C9735C2BB76A405107195320BB07 from memory cache
posttls-finger: SSL_connect error to rho.salmi.ch[178.63.9.175]:587: 0
posttls-finger: warning: TLS library problem: 21961:error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad digest length:s3_both.c:264:
posttls-finger: remove session posttls-finger:[178.63.9.175]:587:5047F1BB983E07DEFDB7D1A973BC5FFD00A6C9735C2BB76A405107195320BB07 from client cache

Indeed handshakes fail for resumed sessions. What version of Postfix and
OpenSSL is installed on rho.salmi.ch?

-- 
	Viktor.
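The check the thread performs with `posttls-finger -r 1` (one full STARTTLS handshake, then a reconnect that offers the cached session) written out as a small Python diagnostic; this is an added example for this page, not part of the thread or of Postfix. It assumes Python 3.8+ with the standard `ssl` module, a host/port you administer, and (for a private CA like the one in the log) a `cafile` to trust it.

```python
import socket
import ssl

def parse_reply(buf):
    """Parse a buffered SMTP reply; return (code, text lines) or None if incomplete."""
    if not buf.endswith(b"\r\n"):
        return None
    lines = buf.decode("ascii", "replace").split("\r\n")[:-1]
    if len(lines[-1]) > 3 and lines[-1][3] == "-":
        return None  # last line is a "250-..." continuation; more lines follow
    return int(lines[-1][:3]), [line[4:] for line in lines]

def read_reply(sock):
    buf = b""  # accumulate until parse_reply sees a complete reply
    while (reply := parse_reply(buf)) is None:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return reply

def parse_ehlo(lines):
    """Map EHLO keywords to their arguments; lines[0] is the server's hostname line."""
    return {k.upper(): v for k, _, v in (line.partition(" ") for line in lines[1:])}

def starttls_handshake(host, port, ctx, session=None):
    """EHLO, STARTTLS, handshake (offering `session` if given), QUIT; returns (session, resumed?)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        read_reply(sock)  # 220 greeting
        sock.sendall(b"EHLO tls-check.invalid\r\n")  # hypothetical client name
        if "STARTTLS" not in parse_ehlo(read_reply(sock)[1]):
            raise RuntimeError("server does not offer STARTTLS")
        sock.sendall(b"STARTTLS\r\n")
        if read_reply(sock)[0] != 220:
            raise RuntimeError("STARTTLS refused")
        with ctx.wrap_socket(sock, server_hostname=host, session=session) as tls:
            tls.sendall(b"QUIT\r\n")
            read_reply(tls)  # reading the 221 also lets OpenSSL absorb TLS 1.3 session tickets
            return tls.session, tls.session_reused

def check_resumption(host, port=587, cafile=None):
    """Two connections like `posttls-finger -r 1`: a full handshake, then a resumed one."""
    ctx = ssl.create_default_context(cafile=cafile)  # pass your private CA file if needed
    session, _ = starttls_handshake(host, port, ctx)
    try:
        _, reused = starttls_handshake(host, port, ctx, session=session)
    except ssl.SSLError as err:
        return f"resumed handshake FAILED: {err}"
    return "session resumed OK" if reused else "server did a full handshake instead"
```

A server with the defect discussed here makes `check_resumption` return the FAILED string with the OpenSSL error text, while a healthy one returns "session resumed OK".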