thank you sir,

Viktor Dukhovni wrote:
> On Fri, Sep 19, 2014 at 01:40:34AM +1000, shm...@riseup.net wrote:
>
>> I have difficulty with messagelabs MTAs
>>
>> below is 1 example
>>
>> I don't understand the strace debug log & I don't have it now
>
> Disable verbose TLS logging, it is not required.  A log level of
> "1" is enough.

done

>
>> 18 00:21:35 postfix/smtp[23811]: initializing the client-side TLS engine
>
> Was anything else done in the 12 seconds between these two messages?
> Perhaps the verbose logging is making your system too slow?  Is
> logging configured to be synchronous?

only my mail client disconnected:

18 00:21:37 postfix/smtpd[23799]: disconnect from [...]

the default in rsyslog.conf on debian jessie was

mail.info -/var/log/mail.info
mail.warn -/var/log/mail.warn
mail.err /var/log/mail.err

I updated .err with -

however I see what you mean: each time I send emails I wait about 30s for completion

I see the same postgrey log taking up 30s for MTA->MTA and MUA->MTA

however in general, aside from messagelabs, I don't have any issues (that I'm currently aware of) receiving email from MTAs to my MTA even with the 30s delay

18 16:21:10 postfix/smtpd[5031]: initializing the server-side TLS engine
18 16:21:10 postfix/tlsmgr[5033]: open smtpd TLS cache btree:/var/lib/postfix/smtpd_scache
18 16:21:10 postfix/tlsmgr[5033]: open smtp TLS cache btree:/var/lib/postfix/smtp_scache
18 16:21:10 postfix/tlsmgr[5033]: tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
18 16:21:10 postfix/tlsmgr[5033]: tlsmgr_cache_run_event: start TLS smtp session cache cleanup
18 16:21:14 postfix/smtpd[5031]: connect from [...]
18 16:21:45 postfix/smtpd[5031]: warning: milter inet:127.0.0.1:10023: can't read SMFIC_OPTNEG reply packet header: Connection timed out
18 16:21:45 postfix/smtpd[5031]: warning: milter inet:127.0.0.1:10023: read error in initial handshake
18 16:21:46 postfix/smtpd[5031]: setting up TLS connection from [...]
18 16:21:46 postfix/smtpd[5031]: [...]: TLS cipher list "aRSA:-aRSA:aECDSA:-aECDSA:kRSA:-kRSA:kEDH:-kEDH:kEECD$
18 16:21:46 postfix/smtpd[5031]: SSL_accept:before/accept initialization
18 16:21:49 postfix/smtpd[5031]: Anonymous TLS connection established from [...]: TLSv1.2 with cipher ECDHE-EC$
18 16:21:55 postfix/smtpd[5031]: : client=[...], sasl_method=PLAIN, sasl_username=
18 16:21:57 postfix/cleanup[5039]: : message-id=<>

>> 18 00:21:45 postfix/smtp[23811]: setting up TLS connection to
>> cluster3vk.eu.messagelabs.com[85.158.137.83]:25
>> [...]
>> 18 00:21:47 postfix/smtp[23811]: Untrusted TLS connection established
>> to cluster3vk.eu.messagelabs.com[85.158.137.83]:25: TLSv1 with cipher
>> DHE-RSA-AES256-SHA (256/256 bits)
>> 18 00:21:47 postfix/smtp[23811]: 7C07C800084: lost connection with
>> cluster3vk.eu.messagelabs.com[85.158.137.83] while performing the EHLO
>> handshake
>
> The other end hung up.  If no TLS errors are reported, perhaps your
> client took too long, or they are rate limiting your server by
> selectively dropping connections.
>
>> 18 00:22:20 postfix/smtp[23811]: setting up TLS connection to
>> cluster3vk.eu.messagelabs.com[85.158.139.3]:25
>> 18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 read server
>> certificate request A
>> 18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 read server done A
>> 18 00:22:21 postfix/smtp[23811]: SSL_connect:SSLv3 write client
>> certificate A
>
> Why have you configured a client certificate?  Generally, you should
> not.  It may work better if you don't.

ok, done

>> 18 00:22:22 postfix/smtp[23811]: SSL_connect error to
>> cluster3vk.eu.messagelabs.com[85.158.139.3]:25: -1
>> 18 00:22:22 postfix/smtp[23811]: warning: TLS library problem:
>> error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>> number:s3_pkt.c:338:
>
> This requires a PCAP capture file to see what the server sent.

may take a while...

>> 18 00:22:22 postfix/smtp[23811]: 7C07C800084: to=<>, relay=none,
>> delay=54, delays=6.6/0.03/47/0, dsn=4.4.1, status=deferred (connect to
>> cluster3vk.eu.messagelabs.com[85.158.139.3]:25: Connection refused)
>
> They definitely have connection rate limiters in place.
>
> Nothing other than your IP reputation and OpenSSL library version
> number matters here.  Disable verbose TLS logging, disable client
> certs:
>
> smtp_tls_cert_file =
> smtp_tls_key_file =
> smtp_tls_eccert_file =
> smtp_tls_eckey_file =
>
> make sure logging is not synchronous (syslog.conf) and post a PCAP
> file of a failed session (perhaps one of the "wrong version" ones).
>
> Because the message content is not sent, and in any case you're
> negotiating TLS, the PCAP file only discloses your IP address and
> SMTP client HELO name.

all done minus PCAP, see how we go in the meantime...
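The question Viktor keeps asking in this thread is "where did the seconds go?", and the answer is in the timestamps the poster already has. The script below is an added example for this thread, not code from the thread, from the poster or from Postfix: it groups Postfix syslog lines by program and pid, reports any two consecutive events from the same process that are more than a threshold apart, and separately lists milter handshake timeouts. SAMPLE_LOG is constructed from the lines quoted above (same timestamps, pids and messages, with the "[...]" hostnames and the truncated cipher name kept exactly as the thread shows them); the function names and the 5-second threshold are my own choices.

```python
"""Where do the seconds go?  Timeline analysis of Postfix log lines.

Added example for this thread, not code from the thread or from Postfix.
SAMPLE_LOG is constructed from the lines quoted in the thread; function
names and the default threshold are assumptions made for this example.
"""
import re

# "<day> <HH:MM:SS> postfix/<program>[<pid>]: <message>" as syslog writes it
# on the poster's system (no month or year in the prefix).
LINE_RE = re.compile(
    r"^(?P<day>\d{1,2}) (?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}) "
    r"postfix/(?P<prog>[a-z]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The warning smtpd logs when a milter does not answer the option
# negotiation (SMFIC_OPTNEG) within milter_connect_timeout.
MILTER_TIMEOUT_RE = re.compile(
    r"warning: milter (?P<addr>\S+): .*Connection timed out"
)

# Constructed sample: the smtpd and smtp lines quoted in the thread.
SAMPLE_LOG = """\
18 16:21:10 postfix/smtpd[5031]: initializing the server-side TLS engine
18 16:21:14 postfix/smtpd[5031]: connect from [...]
18 16:21:45 postfix/smtpd[5031]: warning: milter inet:127.0.0.1:10023: can't read SMFIC_OPTNEG reply packet header: Connection timed out
18 16:21:45 postfix/smtpd[5031]: warning: milter inet:127.0.0.1:10023: read error in initial handshake
18 16:21:46 postfix/smtpd[5031]: setting up TLS connection from [...]
18 16:21:49 postfix/smtpd[5031]: Anonymous TLS connection established from [...]: TLSv1.2 with cipher ECDHE-EC$
18 00:21:35 postfix/smtp[23811]: initializing the client-side TLS engine
18 00:21:45 postfix/smtp[23811]: setting up TLS connection to cluster3vk.eu.messagelabs.com[85.158.137.83]:25
18 00:21:47 postfix/smtp[23811]: Untrusted TLS connection established to cluster3vk.eu.messagelabs.com[85.158.137.83]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
18 00:21:47 postfix/smtp[23811]: 7C07C800084: lost connection with cluster3vk.eu.messagelabs.com[85.158.137.83] while performing the EHLO handshake
"""


def parse_line(line):
    """Return {"t", "prog", "pid", "msg"} for a Postfix syslog line, or
    None for anything else.  "t" is seconds, monotone within one month."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    return {
        "t": int(m["day"]) * 86400 + secs,
        "prog": m["prog"],
        "pid": m["pid"],
        "msg": m["msg"],
    }


def find_slow_gaps(log_text, threshold=5):
    """For each Postfix process (program + pid), report consecutive log
    events that are at least `threshold` seconds apart.  A long gap means
    the process was blocked on something between the two messages; the
    two messages bracket what it was waiting for."""
    last = {}
    gaps = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["prog"], ev["pid"])
        prev = last.get(key)
        if prev is not None:
            gap = ev["t"] - prev["t"]
            if gap >= threshold:
                gaps.append({
                    "prog": ev["prog"],
                    "pid": ev["pid"],
                    "gap": gap,
                    "before": prev["msg"],
                    "after": ev["msg"],
                })
        last[key] = ev
    return gaps


def find_milter_timeouts(log_text):
    """Return (pid, milter address) for every milter handshake timeout."""
    found = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        m = MILTER_TIMEOUT_RE.search(ev["msg"])
        if m:
            found.append((ev["pid"], m["addr"]))
    return found


if __name__ == "__main__":
    for g in find_slow_gaps(SAMPLE_LOG):
        print(f"{g['prog']}[{g['pid']}] waited {g['gap']}s between:\n"
              f"    {g['before']}\n    {g['after']}")
    for pid, addr in find_milter_timeouts(SAMPLE_LOG):
        print(f"smtpd[{pid}]: milter {addr} never completed its handshake")
```

Run against the sample it reports two gaps: smtpd[5031] waited 31 seconds between "connect from" and the milter warning, and smtp[23811] waited 10 seconds between initialising its TLS engine and "setting up TLS connection". The first one is the 30-second delay the poster sees on every delivery: it ends exactly where the milter at inet:127.0.0.1:10023 fails SMFIC_OPTNEG, which matches Postfix's default milter_connect_timeout of 30s. Port 10023 is postgrey's default listening port, and postgrey speaks the Postfix policy-delegation protocol (check_policy_service), not the milter protocol, so a listener on that port configured under smtpd_milters would time out like this on every connection; checking what actually answers on that port, and in which Postfix setting it is referenced, is cheaper than a PCAP and independent of the TLS and logging questions. Running the same script over a full day of mail.log (any lines that do not match the prefix are skipped) shows whether the gaps cluster around one milter, one remote site, or syslog itself.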