On Thu, Jul 11, 2013 at 05:18:09PM +0200, Stefan Jakobs wrote:

> Now I get it. Thank you Viktor for walking me through this.
Note that if you disable "SSLv2" as recommended for a long time now:

    smtp_tls_protocols = !SSLv2
    smtp_tls_mandatory_protocols = !SSLv2

you may well find that the problem goes away because the client will obtain a session ticket during the initial handshake, so the server won't offer a new ticket with session resumption.

The reason you have a problem is that the server is offering a ticket for a resumed session, because no ticket was sent with the original session. And that is because the original session used an SSLv2 client hello (to support SSLv2 which should no longer be used).

Therefore, disable SSLv2 in the Postfix client, and you'll almost never see this issue. (You could run into it if a server decided to renew a ticket, but this is rather unlikely; almost certainly no SMTP servers have code for this.)

This assumes your Postfix client version is at least 2.6. If not, upgrade!

-- 
Viktor.
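As an added illustration (not part of the message above and not Postfix code), this Python sketch reads the two client settings from main.cf-style text and evaluates each protocol list the way Postfix lists are written (plain names include, "!" names exclude) to report whether SSLv2 is still enabled. The protocol name table, the function names and the sample configuration are assumptions made for the example.

```python
import re

# Protocol names assumed for this sketch (what a 2013-era Postfix/OpenSSL knows).
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
PARAMS = ("smtp_tls_protocols", "smtp_tls_mandatory_protocols")

def enabled_protocols(value):
    """Evaluate a protocol list: plain names include, '!' names exclude."""
    include, exclude = set(), set()
    for tok in re.split(r"[,:\s]+", value.strip()):
        if not tok:
            continue
        name = tok.lstrip("!").lower()
        proto = next((k for k in KNOWN if k.lower() == name), None)
        if proto is None:
            raise ValueError("unknown protocol name: %r" % tok)
        (exclude if tok.startswith("!") else include).add(proto)
    base = include or set(KNOWN)  # no include names means "all known"
    return [p for p in KNOWN if p in base and p not in exclude]

def read_params(main_cf_text):
    """Parse 'name = value' lines; indented lines continue the previous value."""
    params, current = {}, None
    for line in main_cf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def sslv2_status(main_cf_text):
    """True: SSLv2 still enabled, False: disabled, None: parameter not set."""
    params = read_params(main_cf_text)
    return {p: ("SSLv2" in enabled_protocols(params[p])) if p in params else None
            for p in PARAMS}

# Constructed sample configuration, not taken from the thread.
SAMPLE = """\
smtp_tls_protocols = SSLv2, SSLv3,
    TLSv1
smtp_tls_mandatory_protocols = !SSLv2
"""

if __name__ == "__main__":
    print(sslv2_status(SAMPLE))
```

A None result means the parameter is absent from the text, so the installed version's default applies; `postconf` shows the effective value.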