Hi,

We recently upgraded from Postfix 2.5.5 to 2.8.17 and OpenSSL 0.9.8k to 1.0.1h (both compiled from source). A number of domains that we normally send to are now not working. The log is showing the following typical entries:

Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] SSL_connect error to ssc-dc2-mx02.chainiq.com[193.169.186.213]:25: -1
Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 947731 mail.warning] warning: TLS library problem: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] CE20F1099F: Cannot start TLS: handshake failure
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] SSL_connect error to ssc-dc1-mx02.chainiq.com[193.169.186.212]:25: -1
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 947731 mail.warning] warning: TLS library problem: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] CE20F1099F: to=<a...@chainiq.com>, relay=ssc-dc1-mx02.chainiq.com[193.169.186.212]:25, delay=3, delays=0.01/0.03/3/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

I have tried restricting smtp_tls_protocols to sslv3, and excluding tlsv1.1 and tlsv1.2, but am seeing the same result.

If I try to test the connection using:

openssl s_client -connect ssc-dc1-mx02.chainiq.com:25 -starttls smtp

I see no error, and I get presented with the 250 STARTTLS prompt.

Any thoughts on next steps without having to contact the target domains? I have read about disabling TLSEXT_TYPE_PADDING when compiling OpenSSL - would this be my next step, or was this somehow fixed in the releases we are using? Any other way I could simulate this problem, as we have had to regress the versions until this is resolved?

Any help would be appreciated.

Regards,
Robin
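The following is an added example, not part of Robin's post or of Postfix or OpenSSL. It parses Postfix smtp(8) log lines like the ones quoted above, decodes the packed OpenSSL error code (`error:1407741A:...`) into its library, function and reason fields, and tallies TLS handshake failures and resulting deferrals per relay host. The sample log is a constructed copy of the entries in the post; the regular expressions and the function names (`decode_openssl_error`, `summarize_tls_failures`) are this example's own. The decoding relies on two facts about OpenSSL 1.0.x error codes: the code is `lib << 24 | func << 12 | reason`, and a TLS alert received from the peer is reported as reason `1000 + alert number`, so reason 1050 is TLS alert 50, `decode_error`, which means the remote server could not parse the handshake message (here the ClientHello) it was sent.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the log lines quoted in the post.
SAMPLE_LOG = """\
Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] SSL_connect error to ssc-dc2-mx02.chainiq.com[193.169.186.213]:25: -1
Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 947731 mail.warning] warning: TLS library problem: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] CE20F1099F: Cannot start TLS: handshake failure
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] SSL_connect error to ssc-dc1-mx02.chainiq.com[193.169.186.212]:25: -1
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 947731 mail.warning] warning: TLS library problem: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] CE20F1099F: to=<a...@chainiq.com>, relay=ssc-dc1-mx02.chainiq.com[193.169.186.212]:25, delay=3, delays=0.01/0.03/3/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
"""

# Patterns for the three line shapes we care about (written for this example).
PID_RE = re.compile(r"/smtp\[(?P<pid>\d+)\]")
CONNECT_RE = re.compile(r"SSL_connect error to (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)")
LIBERR_RE = re.compile(
    r"TLS library problem: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):"
)
DEFER_RE = re.compile(r"relay=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+.*dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")

# OpenSSL 1.0.x packs lib (8 bits), func (12 bits) and reason (12 bits) into one 32-bit code.
# A TLS alert sent by the peer is reported as reason SSL_AD_REASON_OFFSET (1000) + alert number.
SSL_AD_REASON_OFFSET = 1000


def decode_openssl_error(code: str) -> dict:
    """Split a hex OpenSSL error code into lib/func/reason; expose the TLS alert number if any."""
    n = int(code, 16)
    lib = n >> 24
    func = (n >> 12) & 0xFFF
    reason = n & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256 else None
    return {"lib": lib, "func": func, "reason": reason, "tls_alert": alert}


def summarize_tls_failures(log_text: str) -> dict:
    """Attribute each 'TLS library problem' to the preceding SSL_connect target of the same smtp pid,
    and count deferrals per relay host, so failing destinations can be listed without guesswork."""
    pending = {}                     # pid -> (host, ip) of the most recent SSL_connect error
    failures = defaultdict(Counter)  # host -> Counter of "func: reason (alert N)" labels
    deferred = Counter()             # host -> number of deferred deliveries
    for line in log_text.splitlines():
        pm = PID_RE.search(line)
        pid = pm.group("pid") if pm else None
        if (m := CONNECT_RE.search(line)):
            pending[pid] = (m.group("host"), m.group("ip"))
        elif (m := LIBERR_RE.search(line)):
            host, _ip = pending.pop(pid, ("unknown", "?"))
            alert = decode_openssl_error(m.group("code"))["tls_alert"]
            label = f"{m.group('func')}: {m.group('reason')}"
            if alert is not None:
                label += f" (alert {alert})"
            failures[host][label] += 1
        elif (m := DEFER_RE.search(line)):
            deferred[m.group("host")] += 1
    return {"failures": {h: dict(c) for h, c in failures.items()}, "deferred": dict(deferred)}


if __name__ == "__main__":
    print(decode_openssl_error("1407741A"))
    for host, reasons in summarize_tls_failures(SAMPLE_LOG)["failures"].items():
        print(host, reasons)
```

Run it against a real maillog (`summarize_tls_failures(open("/var/log/maillog").read())`, path assumed) to get the set of relay hosts that reject the new ClientHello, which is the list to compare against before and after changing OpenSSL build options or `smtp_tls_*` settings. Because the alert is a `decode_error` from the server rather than a cipher or protocol mismatch, restricting `smtp_tls_protocols` is not expected to change the outcome, consistent with what the post reports.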