On Thu, May 09, 2013 at 02:03:38PM -0400, D'Arcy J.M. Cain wrote:
> On Thu, 9 May 2013 19:42:16 +0200
>
> > > > > When sending several mails in succession, failure and success
> > > > > seem to alternate (i.e. exactly one failed handshake, then a
> > > > > successful one, then a failed one again, etc.). And not using
> > > > > a TLS session cache for smtp(8)
> > > > > (smtp_tls_session_cache_database) seems to work around the
> > > > > problem.
>
> Odd. No one else has mentioned this issue. Could it be a combination
> of versions between the client and server?
No, all client versions I tried, ranging from 0.9.8j through 1.0.1e
exhibit the issue. All evidence so far points to a server bug.
The system that exhibits the bug consistently is also running NetBSD 5.1.
NetBSD often has two versions of OpenSSL installed, one as part of
the base system in /usr/bin, and another from pkgsrc in /usr/pkg/bin.
> > > > Looks like at least two servers behind a loadbalancer?
> > >
> > > No. A signle server with OpenSSL library bugs (broken support for
> > > TLSv1 session tickets).
>
> Definitely a single server. The openssl version is 1.0.1e. That's the
> latest version issued three months ago.
Are you sure that Postfix is using the 1.0.1e OpenSSL from pkgsrc?
Are you running the pkgsrc Postfix or the base system Postfix.
The latter is almost certainly linked to an older OpenSSL shipped
in the base system image.
> > > Back your original problem, do you know anyone who can report what
> > > software is running at mail.vex.net? Is this also a NetBSD
> > > 0.9.9-dev snapshot?
>
> NetBSD 5.1 stable release.
My strong suspicion is that this is NOT 1.0.1e, at least not for
Postfix. Please take a look at the other messages in this thread.
--
Viktor.
