I have difficulty with MessageLabs MTAs.
Below is one example. I don't understand the strace debug log, and I don't have it now. Regardless of the low/medium/high cipherlist (medium is in use; low and high are inactive and irrelevant), the MessageLabs problems prevail. I use 2 certs. Assistance is much appreciated.

18 00:21:35 postfix/smtp[23811]: initializing the client-side TLS engine
18 00:21:45 postfix/smtp[23811]: setting up TLS connection to cluster3vk.eu.messagelabs.com[85.158.137.83]:25
18 00:21:45 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: TLS cipher list "aRSA:-aRSA:aECDSA:-aECDSA:kRSA:-kRSA:kEDH:-kEDH:kEECDH:-kEECDH:AESGCM:-AESGCM:AESGCM:AES:CAMELLIA:3DES:RC4:!aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!kECDH:!PSK:!LOW"
18 00:21:45 postfix/smtp[23811]: looking for session smtp&anz.com&cluster3vk.eu.messagelabs.com&85.158.137.83&&A776F43E9992EF9CB772130D7D4807F401B17A1E92E4917BD547B1EBB22F584D in smtp cache
18 00:21:45 postfix/smtp[23811]: SSL_connect:before/connect initialization
18 00:21:45 postfix/smtp[23811]: SSL_connect:SSLv2/v3 write client hello A
18 00:21:45 postfix/smtp[23811]: SSL_connect:SSLv3 read server hello A
18 00:21:46 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: depth=2 verify=0 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
18 00:21:46 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: depth=2 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
18 00:21:46 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: depth=1 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
18 00:21:46 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: depth=0 verify=1 subject=/C=US/ST=California/L=Mountain View/O=Symantec Corporation/OU=Symantec.cloud/CN=mail140.messagelabs.com
18 00:21:46 postfix/smtp[23811]: SSL_connect:SSLv3 read server certificate A
18 00:21:46 postfix/smtp[23811]: SSL_connect:SSLv3 read server key exchange A
18 00:21:46 postfix/smtp[23811]: SSL_connect:SSLv3 read server certificate request A
18 00:21:46 postfix/smtp[23811]: SSL_connect:SSLv3 read server done A
18 00:21:46 postfix/smtp[23811]: SSL_connect:SSLv3 write client certificate A
18 00:21:46 postfix/smtp[23811]: SSL_connect:SSLv3 write client key exchange A
18 00:21:46 postfix/smtp[23811]: SSL_connect:SSLv3 write certificate verify A
18 00:21:46 postfix/smtp[23811]: SSL_connect:SSLv3 write change cipher spec A
18 00:21:46 postfix/smtp[23811]: SSL_connect:SSLv3 write finished A
18 00:21:46 postfix/smtp[23811]: SSL_connect:SSLv3 flush data
18 00:21:47 postfix/smtp[23811]: SSL_connect:SSLv3 read server session ticket A
18 00:21:47 postfix/smtp[23811]: SSL_connect:SSLv3 read finished A
18 00:21:47 postfix/smtp[23811]: save session smtp&anz.com&cluster3vk.eu.messagelabs.com&85.158.137.83&&A776F43E9992EF9CB772130D7D4807F401B17A1E92E4917BD547B1EBB22F584D to smtp cache
18 00:21:47 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: subject_CN=mail140.messagelabs.com, issuer_CN=VeriSign Class 3 International Server CA - G3, fingerprint=0D:A5:2A:0E:C0:99:04:DC:98:4C:57:E3:C8:C0:05:72, pkey_fingerprint=D8:66:56:75:94:50:CA:38:3E:AF:22:78:93:77:27:9F
18 00:21:47 postfix/smtp[23811]: Untrusted TLS connection established to cluster3vk.eu.messagelabs.com[85.158.137.83]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
18 00:21:47 postfix/smtp[23811]: 7C07C800084: lost connection with cluster3vk.eu.messagelabs.com[85.158.137.83] while performing the EHLO handshake
18 00:22:20 postfix/smtp[23811]: setting up TLS connection to cluster3vk.eu.messagelabs.com[85.158.139.3]:25
18 00:22:20 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.139.3]:25: TLS cipher list "aRSA:-aRSA:aECDSA:-aECDSA:kRSA:-kRSA:kEDH:-kEDH:kEECDH:-kEECDH:AESGCM:-AESGCM:AESGCM:AES:CAMELLIA:3DES:RC4:!aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!kECDH:!PSK:!LOW"
18 00:22:20 postfix/smtp[23811]: looking for session smtp&anz.com&cluster3vk.eu.messagelabs.com&85.158.139.3&&D2903596AFC817BDF98DA58A8B9D0D2D81DF2FB786103A3AD6AF5E00A4A0CF61 in smtp cache
18 00:22:20 postfix/smtp[23811]: SSL_connect:before/connect initialization
18 00:22:20 postfix/smtp[23811]: SSL_connect:SSLv2/v3 write client hello A
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 read server hello A
18 00:22:21 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.139.3]:25: depth=2 verify=0 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
18 00:22:21 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.139.3]:25: depth=2 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
18 00:22:21 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.139.3]:25: depth=1 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
18 00:22:21 postfix/smtp[23811]: cluster3vk.eu.messagelabs.com[85.158.139.3]:25: depth=0 verify=1 subject=/C=US/ST=California/L=Mountain View/O=Symantec Corporation/OU=Symantec.cloud/CN=mail90.messagelabs.com
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 read server certificate A
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 read server key exchange A
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 read server certificate request A
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 read server done A
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 write client certificate A
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 write client key exchange A
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 write certificate verify A
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 write change cipher spec A
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 write finished A
18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 flush data
18 00:22:22 postfix/smtp[23811]: SSL3 alert write:fatal:protocol version
18 00:22:22 postfix/smtp[23811]: SSL_connect:error in SSLv3 read server session ticket A
18 00:22:22 postfix/smtp[23811]: SSL_connect error to cluster3vk.eu.messagelabs.com[85.158.139.3]:25: -1
18 00:22:22 postfix/smtp[23811]: warning: TLS library problem: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
18 00:22:22 postfix/smtp[23811]: remove session smtp&anz.com&cluster3vk.eu.messagelabs.com&85.158.139.3&&D2903596AFC817BDF98DA58A8B9D0D2D81DF2FB786103A3AD6AF5E00A4A0CF61 from client cache
18 00:22:22 postfix/smtp[23811]: 7C07C800084: Cannot start TLS: handshake failure
18 00:22:22 postfix/smtp[23811]: connect to cluster3vk.eu.messagelabs.com[85.158.139.3]:25: Connection refused
18 00:22:22 postfix/smtp[23811]: 7C07C800084: to=<>, relay=none, delay=54, delays=6.6/0.03/47/0, dsn=4.4.1, status=deferred (connect to cluster3vk.eu.messagelabs.com[85.158.139.3]:25: Connection refused)
18 00:22:22 postfix/smtp[23811]: 7C07C800084: to=<>, relay=none, delay=54, delays=6.6/0.03/47/0, dsn=4.4.1, status=deferred (connect to cluster3vk.eu.messagelabs.com[85.158.139.3]:25: Connection refused)
18 00:28:51 postfix/smtp[23821]: initializing the client-side TLS engine
18 00:28:53 postfix/smtp[23821]: setting up TLS connection to cluster3vk.eu.messagelabs.com[85.158.137.83]:25
18 00:28:53 postfix/smtp[23821]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: TLS cipher list "aRSA:-aRSA:aECDSA:-aECDSA:kRSA:-kRSA:kEDH:-kEDH:kEECDH:-kEECDH:AESGCM:-AESGCM:AESGCM:AES:CAMELLIA:3DES:RC4:!aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!kECDH:!PSK:!LOW"
18 00:28:53 postfix/smtp[23821]: looking for session smtp&anz.com&cluster3vk.eu.messagelabs.com&85.158.137.83&&614B580BE44108A9FBFDFDF968D37D857BB360BC6DC7138793C77EF15DF93DEA in smtp cache
18 00:28:53 postfix/smtp[23821]: SSL_connect:before/connect initialization
18 00:28:53 postfix/smtp[23821]: SSL_connect:SSLv2/v3 write client hello A
18 00:28:53 postfix/smtp[23821]: SSL_connect:SSLv3 read server hello A
18 00:28:53 postfix/smtp[23821]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: depth=2 verify=0 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
18 00:28:53 postfix/smtp[23821]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: depth=2 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
18 00:28:53 postfix/smtp[23821]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: depth=1 verify=1 subject=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
18 00:28:53 postfix/smtp[23821]: cluster3vk.eu.messagelabs.com[85.158.137.83]:25: depth=0 verify=1 subject=/C=US/ST=California/L=Mountain View/O=Symantec Corporation/OU=Symantec.cloud/CN=mail140.messagelabs.com
18 00:28:53 postfix/smtp[23821]: SSL_connect:SSLv3 read server certificate A
18 00:28:53 postfix/smtp[23821]: SSL_connect:SSLv3 read server key exchange A
18 00:28:54 postfix/smtp[23821]: SSL_connect:SSLv3 read server certificate request A
18 00:28:54 postfix/smtp[23821]: SSL_connect:SSLv3 read server done A
18 00:28:54 postfix/smtp[23821]: SSL_connect:SSLv3 write client certificate A
18 00:28:54 postfix/smtp[23821]: SSL_connect:SSLv3 write client key exchange A
18 00:28:54 postfix/smtp[23821]: SSL_connect:SSLv3 write certificate verify A
18 00:28:54 postfix/smtp[23821]: SSL_connect:SSLv3 write change cipher spec A
18 00:28:54 postfix/smtp[23821]: SSL_connect:SSLv3 write finished A
18 00:28:54 postfix/smtp[23821]: SSL_connect:SSLv3 flush data
18 00:28:55 postfix/smtp[23821]: SSL3 alert write:fatal:protocol version
18 00:28:55 postfix/smtp[23821]: SSL_connect:error in SSLv3 read server session ticket A
18 00:28:55 postfix/smtp[23821]: SSL_connect error to cluster3vk.eu.messagelabs.com[85.158.137.83]:25: -1
18 00:28:55 postfix/smtp[23821]: warning: TLS library problem: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
18 00:28:55 postfix/smtp[23821]: remove session smtp&anz.com&cluster3vk.eu.messagelabs.com&85.158.137.83&&614B580BE44108A9FBFDFDF968D37D857BB360BC6DC7138793C77EF15DF93DEA from client cache
18 00:28:55 postfix/smtp[23821]: 7C07C800084: Cannot start TLS: handshake failure
18 00:28:56 postfix/smtp[23821]: Host offered STARTTLS: [cluster3vk.eu.messagelabs.com]
18 00:28:58 postfix/smtp[23821]: 7C07C800084: to=<>, relay=cluster3vk.eu.messagelabs.com[85.158.137.83]:25, delay=450, delays=443/0.04/4.7/2.3, dsn=2.0.0, status=sent (250 ok 1410964193 qp 4869 server-10.tower-140.messagelabs.com!1410964191!31040971!1)
18 00:28:58 postfix/smtp[23821]: 7C07C800084: to=<>, relay=cluster3vk.eu.messagelabs.com[85.158.137.83]:25, delay=450, delays=443/0.04/4.7/2.3, dsn=2.0.0, status=sent (250 ok 1410964193 qp 4869 server-10.tower-140.messagelabs.com!1410964191!31040971!1)
18 00:29:59 ns1 postfix/smtpd[23817]: Anonymous TLS connection established from mail1.bemta3.messagelabs.com[195.245.230.163]: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
18 00:30:02 ns1 postfix/smtpd[23817]: C4E12800084: client=mail1.bemta3.messagelabs.com[195.245.230.163]
18 00:30:04 ns1 postfix/smtpd[23817]: disconnect from mail1.bemta3.messagelabs.com[195.245.230.163]

version: 1.30

Warning: postfinger output may show private configuration information, such as ip addresses and/or domain names which you do not want to show to the public. If this is the case it is your responsibility to modify the output to hide this private information. [Remove this warning with the --nowarn option.]

--System Parameters--
mail_version = 2.11.1
hostname = ns1
uname = Linux ns1 3.13-1-amd64 #1 SMP Debian 3.13.10-1 (2014-04-15) x86_64 GNU/Linux

--Packaging information--
looks like this postfix comes from deb package: postfix-2.11.1-1

--main.cf non-default parameters--
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
best_mx_transport = local
biff = no
broken_sasl_auth_clients = yes
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin; (strace -tt -f -S time -o /etc/postfix/postfix.debug -p $process_id 2>&1 | logger -p mail.info) & sleep 5
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = mail/
inet_protocols = ipv4
mailbox_size_limit = 0
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
non_smtpd_milters = inet:127.0.0.1:10023, inet:127.0.0.1:12301, inet:127.0.0.1:10002, inet:127.0.0.1:8893
policy-spf_time_limit = 3600s
readme_directory = no
recipient_delimiter = +
show_user_unknown_table_name = no
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_checks, reject_unknown_client_hostname, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, permit
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_error_sleep_time = 20
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_junk_command_limit = 2
smtpd_milters = inet:127.0.0.1:10023, inet:127.0.0.1:12301, inet:127.0.0.1:10002, inet:127.0.0.1:8893
smtp_dns_support_level = dnssec
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_invalid_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, reject_unverified_recipient, reject_unauth_pipelining, check_policy_service unix:private/policy-spf, check_policy_service inet:127.0.0.1:10023, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_client dbl.spamhaus.org, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_checks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address, reject_rhsbl_reverse_client dbl.spamhaus.org, permit
smtpd_soft_error_limit = 1
smtpd_starttls_timeout = 30s
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/example.com-RSA.chained.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem
smtpd_tls_eccert_file = /etc/postfix/example.com-ECC.chained.pem
smtpd_tls_eckey_file = /etc/postfix/example.com-ECC.key
smtpd_tls_eecdh_grade = ultra
smtpd_tls_key_file = /etc/postfix/example.com-RSA.key
smtpd_tls_loglevel = 2
smtpd_tls_protocols = !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
smtp_header_checks = pcre:/etc/postfix/header_checks.pcre
smtp_sender_dependent_authentication = yes
smtp_starttls_timeout = 30s
smtp_tls_block_early_mail_reply = yes
smtp_tls_cert_file = /etc/postfix/example.com-RSA.chained.pem
smtp_tls_ciphers = medium
smtp_tls_eccert_file = /etc/postfix/example.com-ECC.chained.pem
smtp_tls_eckey_file = /etc/postfix/example.com-ECC.key
smtp_tls_key_file = /etc/postfix/example.com-RSA.key
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
strict_rfc821_envelopes = yes
swap_bangpath = no
tls_high_cipherlist = aRSA:-aRSA:aECDSA:-aECDSA:kRSA:-kRSA:kEDH:-kEDH:kEECDH:-kEECDH:AESGCM:-AESGCM:AESGCM:AES:CAMELLIA:3DES:RC4:!aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!kECDH:!PSK:!LOW
tls_low_cipherlist = aRSA:-aRSA:aECDSA:-aECDSA:kRSA:-kRSA:kEDH:-kEDH:kEECDH:-kEECDH:AESGCM:-AESGCM:AESGCM:AES:CAMELLIA:3DES:RC4:!aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!kECDH:!PSK:!LOW
tls_medium_cipherlist = aRSA:-aRSA:aECDSA:-aECDSA:kRSA:-kRSA:kEDH:-kEDH:kEECDH:-kEECDH:AESGCM:-AESGCM:AESGCM:AES:CAMELLIA:3DES:RC4:!aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!kECDH:!PSK:!LOW
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION

--master.cf--
smtp inet n - - - - smtpd -D
submission inet n - - - - smtpd
pickup unix n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - - 1000? 1 tlsmgr
rewrite unix - - - - - trivial-rewrite
bounce unix - - - - 0 bounce
defer unix - - - - 0 bounce
trace unix - - - - 0 bounce
verify unix - - - - 1 verify
flush unix n - - 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - - - - smtp
relay unix - - - - - smtp
showq unix n - - - - showq
error unix - - - - - error
retry unix - - - - - error
discard unix - - - - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - - - - lmtp
anvil unix - - - - 1 anvil
scache unix - - - - 1 scache
maildrop unix - n n - - pipe
  flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient}
uucp unix - n n - - pipe
  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
ifmail unix - n n - - pipe
  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
bsmtp unix - n n - - pipe
  flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient
scalemail-backend unix - n n - 2 pipe
  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension}
mailman unix - n n - - pipe
  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py ${nexthop} ${user}
policy-spf unix - n n - - spawn
  user=nobody argv=/usr/bin/policyd-spf

-- end of postfinger output --
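
An added example, not part of the original post: a small triage script for smtp(8) client logs in the format shown above. It tracks TLS state per process and flags messages logged as status=sent after a "Cannot start TLS" failure with no "TLS connection established" line in between, which under opportunistic TLS means the retry went out without TLS. The function names, queue IDs, host names and addresses are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the log format in the post.
# Queue IDs, host names and addresses are placeholders, not values from the post.
SAMPLE = """\
18 00:28:53 postfix/smtp[101]: setting up TLS connection to mx.example.net[192.0.2.10]:25
18 00:28:55 postfix/smtp[101]: SSL3 alert write:fatal:protocol version
18 00:28:55 postfix/smtp[101]: 0A1B2C3D4E5: Cannot start TLS: handshake failure
18 00:28:56 postfix/smtp[101]: Host offered STARTTLS: [mx.example.net]
18 00:28:58 postfix/smtp[101]: 0A1B2C3D4E5: to=<>, relay=mx.example.net[192.0.2.10]:25, delay=450, dsn=2.0.0, status=sent (250 ok)
18 00:30:01 postfix/smtp[102]: setting up TLS connection to mx.example.net[192.0.2.11]:25
18 00:30:02 postfix/smtp[102]: Untrusted TLS connection established to mx.example.net[192.0.2.11]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
18 00:30:03 postfix/smtp[102]: 0A1B2C3D4E6: to=<>, relay=mx.example.net[192.0.2.11]:25, delay=2, dsn=2.0.0, status=sent (250 ok)
"""

LINE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)")
DELIVERY = re.compile(r"([0-9A-F]{6,}): to=<[^>]*>, .*\bstatus=(\w+)")

def triage(log_text):
    """Return (queue_id, status, channel) for every delivery line.

    channel is 'tls', 'no-tls-after-failure' or 'no-tls-seen', judged from
    the TLS lines the same smtp process logged before the delivery line.
    """
    state = defaultdict(lambda: {"up": False, "failed": False})
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = state[pid]
        if msg.startswith("setting up TLS connection"):
            s["up"], s["failed"] = False, False   # new attempt: reset state
        elif "TLS connection established to" in msg:
            s["up"] = True
        elif "Cannot start TLS" in msg:
            s["up"], s["failed"] = False, True
        else:
            d = DELIVERY.match(msg)
            if d:
                channel = "tls" if s["up"] else (
                    "no-tls-after-failure" if s["failed"] else "no-tls-seen")
                results.append((d.group(1), d.group(2), channel))
    return results

def fallback_deliveries(log_text):
    """Queue IDs delivered (status=sent) after a failed TLS handshake."""
    return [qid for qid, status, channel in triage(log_text)
            if status == "sent" and channel == "no-tls-after-failure"]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Where such fallback is not acceptable for a destination, the Postfix-side control is a per-destination policy (smtp_tls_policy_maps) with a security level of encrypt or stronger.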