On Fri, Sep 19, 2014 at 01:40:34AM +1000, shm...@riseup.net wrote:

> I have difficulty with messagelabs MTAs
>
> below is 1 example
>
> I don't understand the strace debug log & I don't have it now
Disable verbose TLS logging; it is not required. A log level of "1" is
enough.

> 18 00:21:35 postfix/smtp[23811]: initializing the client-side TLS engine

Was anything else done in the 12 seconds between these two messages?
Perhaps the verbose logging is making your system too slow? Is logging
configured to be synchronous?

> 18 00:21:45 postfix/smtp[23811]: setting up TLS connection to
> cluster3vk.eu.messagelabs.com[85.158.137.83]:25
> [...]
> 18 00:21:47 postfix/smtp[23811]: Untrusted TLS connection established
> to cluster3vk.eu.messagelabs.com[85.158.137.83]:25: TLSv1 with cipher
> DHE-RSA-AES256-SHA (256/256 bits)
> 18 00:21:47 postfix/smtp[23811]: 7C07C800084: lost connection with
> cluster3vk.eu.messagelabs.com[85.158.137.83] while performing the EHLO
> handshake

The other end hung up. If no TLS errors are reported, perhaps your client
took too long, or they are rate limiting your server by selectively
dropping connections.

> 18 00:22:20 postfix/smtp[23811]: setting up TLS connection to
> cluster3vk.eu.messagelabs.com[85.158.139.3]:25
> 18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 read server
> certificate request A
> 18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 read server done A
> 18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 write client
> certificate A

Why have you configured a client certificate? Generally, you should not.
It may work better if you don't.

> 18 00:22:22 postfix/smtp[23811]: SSL_connect error to
> cluster3vk.eu.messagelabs.com[85.158.139.3]:25: -1
> 18 00:22:22 postfix/smtp[23811]: warning: TLS library problem:
> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:338:

This requires a PCAP capture file to see what the server sent.

> 18 00:22:22 postfix/smtp[23811]: 7C07C800084: to=<>, relay=none,
> delay=54, delays=6.6/0.03/47/0, dsn=4.4.1, status=deferred (connect to
> cluster3vk.eu.messagelabs.com[85.158.139.3]:25: Connection refused)

They definitely have connection rate limiters in place.
Nothing other than your IP reputation and OpenSSL library version number
matters here. Disable verbose TLS logging, disable client certs:

    smtp_tls_cert_file =
    smtp_tls_key_file =
    smtp_tls_eccert_file =
    smtp_tls_eckey_file =

make sure logging is not synchronous (syslog.conf) and post a PCAP file
of a failed session (perhaps one of the "wrong version" ones). Because
the message content is not sent, and in any case you're negotiating TLS,
the PCAP file only discloses your IP address and SMTP client HELO name.

-- 
	Viktor.
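Added example, not code from the thread or from the Postfix project: a small Python checker that runs over postfix/smtp log lines like the ones quoted above, measures the delay between "initializing the client-side TLS engine" and the first "setting up TLS connection", and tallies the failure kinds per remote IP, so repeated hang-ups and refusals at one relay (a rate limiter) can be told apart from a TLS library error that needs a PCAP. The embedded log lines are constructed from the quoted ones; the failure-kind names are my own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the smtp log lines quoted in the thread.
SAMPLE_LOG = """\
18 00:21:35 postfix/smtp[23811]: initializing the client-side TLS engine
18 00:21:45 postfix/smtp[23811]: setting up TLS connection to cluster3vk.eu.messagelabs.com[85.158.137.83]:25
18 00:21:47 postfix/smtp[23811]: Untrusted TLS connection established to cluster3vk.eu.messagelabs.com[85.158.137.83]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
18 00:21:47 postfix/smtp[23811]: 7C07C800084: lost connection with cluster3vk.eu.messagelabs.com[85.158.137.83] while performing the EHLO handshake
18 00:22:20 postfix/smtp[23811]: setting up TLS connection to cluster3vk.eu.messagelabs.com[85.158.139.3]:25
18 00:22:22 postfix/smtp[23811]: SSL_connect error to cluster3vk.eu.messagelabs.com[85.158.139.3]:25: -1
18 00:22:22 postfix/smtp[23811]: warning: TLS library problem: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:338:
18 00:22:22 postfix/smtp[23811]: 7C07C800084: to=<>, relay=none, delay=54, delays=6.6/0.03/47/0, dsn=4.4.1, status=deferred (connect to cluster3vk.eu.messagelabs.com[85.158.139.3]:25: Connection refused)
"""
LINE_RE = re.compile(r"^(\d+) (\d\d):(\d\d):(\d\d) postfix/smtp\[(\d+)\]: (.*)$")
RELAY_RE = re.compile(r"[\w.-]+\[([\d.]+)\]")  # host[ip] as Postfix logs a peer
# Failure signatures discussed in the thread, checked in this order.
SIGNATURES = [
    ("ehlo_hangup", "while performing the EHLO handshake"),  # remote dropped us after TLS
    ("wrong_version", "wrong version number"),              # only a PCAP can explain this
    ("connect_refused", "Connection refused"),              # no listener, or a rate limiter
    ("ssl_connect_error", "SSL_connect error"),
]

def classify(msg):
    # Return the failure kind for one log message, or None if it is not a failure.
    for kind, needle in SIGNATURES:
        if needle in msg:
            return kind
    return None

def analyze(log_text):
    # Returns ({remote_ip: {kind: count}}, [seconds from TLS engine init to first connect]).
    failures, init_at, last_relay, gaps = defaultdict(Counter), {}, {}, []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        _, hh, mm, ss, pid, msg = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss)
        if "initializing the client-side TLS engine" in msg:
            init_at[pid] = t
        relay = RELAY_RE.search(msg)
        if msg.startswith("setting up TLS connection") and relay:
            last_relay[pid] = relay.group(1)      # remember the peer for later lines
            if pid in init_at:
                gaps.append(t - init_at.pop(pid))  # delay before the first connection attempt
        kind = classify(msg)
        ip = relay.group(1) if relay else last_relay.get(pid)  # library errors name no peer
        if kind and ip:
            failures[ip][kind] += 1
    return {ip: dict(c) for ip, c in failures.items()}, gaps
```

Run `analyze(open("/var/log/mail.log").read())` after reducing smtp_tls_loglevel to 1; a relay whose counts are dominated by ehlo_hangup and connect_refused is the rate-limiting case, while wrong_version entries are the sessions worth capturing.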