Hi list,

Postfix logs the following in my logs:

postfix/smtp[8106]: setting up TLS connection to server.example.com[a.b.c.d]:25
postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1
postfix/smtp[8106]: warning: TLS library problem: 8106:error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:

But there are also logs which say that it works:

postfix/smtp[4527]: setting up TLS connection to server.example.com[a.b.c.d]:25
postfix/smtp[4527]: Untrusted TLS connection established to server.example.com[a.b.c.d]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
postfix/smtp[4527]: 874F037EA0: to=<u...@server.example.com>, relay=server.example.com[a.b.c.d]:25, delay=0.17, delays=0.04/0/0.08/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A56C5A458F)
postfix/qmgr[31620]: 874F037EA0: removed

I'm wondering what's wrong. And what does this error mean: 
SSL3_GET_MESSAGE:unexpected message?

I'm using postfix-2.5.13 with the following configuration:
# postconf -n | grep tls
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_tls_session_cache
smtpd_tls_CAfile = /etc/postfix/CA-chain.pem
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/cert-private.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache

Connecting with s_client results in the following:
# openssl s_client -starttls smtp -verify 10 -connect server.example.com:25
verify depth is 10
CONNECTED(00000003)
depth=0 /CN=server.example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=server.example.com
verify return:1
---
Certificate chain
 0 s:/CN=server.example.com
   i:/CN=server.example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=server.example.com
issuer=/CN=server.example.com
---
No client certificate CA names sent
---
SSL handshake has read 1259 bytes and written 372 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: ...
    Session-ID-ctx: 
    Master-Key: ...
    Key-Arg   : None
    Start Time: 1373378631
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN


Any help and hints on how to debug this further are much appreciated.
Best regards
Stefan
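As an added example (not part of Stefan's post and not Postfix code), the script below walks smtp(8) client TLS log lines of the shapes quoted above and, per relay, counts handshakes set up, established and failed, records the negotiated trust level and cipher, flags anonymous (ADH-/AECDH-) suites where the server was not authenticated at all, and splits the packed OpenSSL error code from the "TLS library problem" line into its library/function/reason numbers. The bit layout assumed for that code is the OpenSSL 1.0.x ERR_PACK layout (library in bits 24-31, function in bits 12-23, reason in bits 0-11); the sample lines are constructed from the ones in the post.

```python
"""Per-relay TLS outcome summary for Postfix smtp(8) client log lines.

Added example, not code from the post or from the Postfix project. It
classifies the four TLS line shapes seen in the post and aggregates them
per relay so intermittent handshake failures stand out next to successes.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the lines quoted in the post.
SAMPLE_LOG = """\
postfix/smtp[8106]: setting up TLS connection to server.example.com[a.b.c.d]:25
postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1
postfix/smtp[8106]: warning: TLS library problem: 8106:error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:
postfix/smtp[4527]: setting up TLS connection to server.example.com[a.b.c.d]:25
postfix/smtp[4527]: Untrusted TLS connection established to server.example.com[a.b.c.d]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
postfix/smtp[4527]: 874F037EA0: to=<u...@server.example.com>, relay=server.example.com[a.b.c.d]:25, delay=0.17, delays=0.04/0/0.08/0.06, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as A56C5A458F)
"""

SETUP_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: setting up TLS connection to (?P<relay>\S+)$")
ESTABLISHED_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<trust>\w+) TLS connection established to "
    r"(?P<relay>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)")
CONNECT_ERR_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: SSL_connect error to (?P<relay>\S+): (?P<ret>-?\d+)$")
LIB_PROBLEM_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: warning: TLS library problem: \d+:error:"
    r"(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
    r"(?P<file>[^:]*):(?P<line>\d+):")


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into library, function and reason
    numbers (assumed ERR_PACK layout: lib bits 24-31, func 12-23, reason 0-11)."""
    code = int(code_hex, 16)
    return {"lib_code": code >> 24,
            "func_code": (code >> 12) & 0xFFF,
            "reason_code": code & 0xFFF}


def classify_line(line):
    """Return (kind, fields) for a recognised smtp(8) TLS line, else None."""
    m = ESTABLISHED_RE.search(line)
    if m:
        d = m.groupdict()
        # ADH-/AECDH- suites are anonymous Diffie-Hellman: encrypted, but the
        # peer is not authenticated, which is why Postfix labels it "Untrusted".
        d["anonymous"] = d["cipher"].startswith(("ADH-", "AECDH-"))
        return "established", d
    m = CONNECT_ERR_RE.search(line)
    if m:
        return "failed", m.groupdict()
    m = LIB_PROBLEM_RE.search(line)
    if m:
        d = m.groupdict()
        d.update(decode_openssl_error(d["code"]))
        return "library_problem", d
    m = SETUP_RE.search(line)
    if m:
        return "setup", m.groupdict()
    return None


def summarize(lines):
    """Aggregate outcomes per relay. Library problems carry no relay, so they
    are attached via the smtp(8) pid that logged the preceding 'setting up'."""
    per_relay = defaultdict(lambda: {"attempts": 0, "established": 0, "failed": 0,
                                     "anonymous": 0, "trust_levels": set(),
                                     "ciphers": set(), "errors": []})
    pid_relay = {}
    for line in lines:
        hit = classify_line(line.rstrip())
        if hit is None:
            continue
        kind, d = hit
        if kind == "setup":
            pid_relay[d["pid"]] = d["relay"]
            per_relay[d["relay"]]["attempts"] += 1
        elif kind == "established":
            r = per_relay[d["relay"]]
            r["established"] += 1
            r["trust_levels"].add(d["trust"])
            r["ciphers"].add(d["cipher"])
            r["anonymous"] += int(d["anonymous"])
        elif kind == "failed":
            per_relay[d["relay"]]["failed"] += 1
        elif kind == "library_problem":
            relay = pid_relay.get(d["pid"])
            if relay is not None:
                per_relay[relay]["errors"].append(d)
    return dict(per_relay)


if __name__ == "__main__":
    for relay, r in summarize(SAMPLE_LOG.splitlines()).items():
        print("%s: %d attempts, %d established (%d anonymous), %d failed"
              % (relay, r["attempts"], r["established"], r["anonymous"], r["failed"]))
        for e in r["errors"]:
            print("  %s:%s (%s:%s) lib=%d func=%d reason=%d" % (
                e["func"], e["reason"], e["file"], e["line"],
                e["lib_code"], e["func_code"], e["reason_code"]))
```

Run over a real mail log, a relay whose counts show both established and failed handshakes within a short window is the intermittent case described in the post; the attached error record (function, reason, source file and line) is what to quote when asking the TLS library or server operator about it.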
