On Tue, Jul 09, 2013 at 04:10:31PM +0200, Stefan Jakobs wrote:

> postfix/smtp[8106]: setting up TLS connection to
> server.example.com[a.b.c.d]:25
> postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1
> postfix/smtp[8106]: warning: TLS library problem: 8106:error:1408E0F4:SSL
> routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:

If this server is on the public Internet and if at all possible,
please post its IP address. Otherwise you'll have to do most of
the sleuthing on your own.

The client received an unexpected handshake message. You need to
obtain a full packet PCAP capture of the session, and decode it as
SSL via wireshark or similar. That may tell you what's unusual
about the server's response.

OpenSSL on your client seems to be 0.9.8, can you report which version?

> But there are also logs which say that it works:
>
> postfix/smtp[4527]: setting up TLS connection to
> server.example.com[a.b.c.d]:25
> postfix/smtp[4527]: Untrusted TLS connection established to
> server.example.com[a.b.c.d]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA
> (256/256 bits)

Rather odd that CAMELLIA got chosen over AES.

> Connecting with s_client results in the following:
> # openssl s_client -starttls smtp -verify 10 -connect server.example.com:25
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: ...
>     Session-ID-ctx:
>     Master-Key: ...
>     Key-Arg   : None
>     Start Time: 1373378631
>     Timeout   : 300 (sec)
>     Verify return code: 18 (self signed certificate)

What happens when you use the Postfix client cipherlist?

    ALL:+RC4:@STRENGTH

    # openssl s_client -state -cipher "ALL:+RC4:@STRENGTH" \
        -starttls smtp -connect server.example.com:25

Try it a few times, ... add "-msg" if the failure is observed, but
the reason is not more apparent.

-- 
	Viktor.
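
Added example, not part of the message above and not Postfix or OpenSSL code: a log triage script that groups the quoted `postfix/smtp` records by destination, lists which protocol and cipher succeeded, and unpacks the OpenSSL error code from the failures. It assumes one syslog record per line and the pre-3.0 OpenSSL error packing (8 bits library, 12 bits function, 12 bits reason); the function names `decode_err` and `triage` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the thread, unwrapped to one
# syslog record per line (a.b.c.d is the thread's own placeholder address).
SAMPLE_LOG = """\
postfix/smtp[8106]: setting up TLS connection to server.example.com[a.b.c.d]:25
postfix/smtp[8106]: SSL_connect error to server.example.com[a.b.c.d]:25: -1
postfix/smtp[8106]: warning: TLS library problem: 8106:error:1408E0F4:SSL routines:SSL3_GET_MESSAGE:unexpected message:s3_both.c:463:
postfix/smtp[4527]: setting up TLS connection to server.example.com[a.b.c.d]:25
postfix/smtp[4527]: Untrusted TLS connection established to server.example.com[a.b.c.d]:25: TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)
"""

PROC = re.compile(r"postfix/smtp\[(\d+)\]: (.*)")
SETUP = re.compile(r"setting up TLS connection to (\S+)")
OK = re.compile(r"TLS connection established to (\S+?): (\S+) with cipher (\S+)")
ERR = re.compile(r"TLS library problem: \d+:error:([0-9A-Fa-f]{8}):"
                 r"([^:]*):([^:]*):([^:]*):([^:]*):(\d+):")

def decode_err(code_hex):
    """Unpack an error code (assumed pre-3.0 layout: lib<<24 | func<<12 | reason)."""
    code = int(code_hex, 16)
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

def triage(log_text):
    """Per destination: negotiated (protocol, cipher) pairs and decoded failures."""
    peer_of = {}  # smtp pid -> destination from its latest "setting up" record
    report = defaultdict(lambda: {"ok": [], "failed": []})
    for line in log_text.splitlines():
        m = PROC.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if (s := SETUP.search(msg)):
            peer_of[pid] = s.group(1)
        elif (o := OK.search(msg)):
            report[o.group(1)]["ok"].append((o.group(2), o.group(3)))
        elif (e := ERR.search(msg)):
            # The library-problem record names no peer, so correlate by pid.
            code, _lib, func, reason, src, lineno = e.groups()
            report[peer_of.get(pid, "unknown")]["failed"].append(
                dict(decode_err(code), func_name=func, reason_text=reason,
                     where=f"{src}:{lineno}"))
    return dict(report)

if __name__ == "__main__":
    for peer, result in triage(SAMPLE_LOG).items():
        print(peer, result)
```

Run over a full mail log, the per-destination split shows whether failures cluster on one server and which ciphers the successful sessions negotiated.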