On Sun, Nov 30, 2014 at 09:32:43AM -0700, Steffan A. Cline wrote:

> I have a web app trying to connect to postfix to send mail via TLS. It
> fails right after authentication.

Actually, no, it (what you show from the logs) fails during the TLS
handshake, which should precede authentication.

> I find a BUNCH of these in the log:
>
> Nov 30 10:10:32 hosting1 postfix/smtpd[11990]: connect from xxxxx[x.x.x.x]
> Nov 30 10:10:33 hosting1 postfix/smtpd[11990]: warning: TLS library
> problem: 11990:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:337:
> Nov 30 10:10:33 hosting1 postfix/smtpd[11990]: lost connection after
> STARTTLS from xxxxx[x.x.x.x]
> Nov 30 10:10:33 hosting1 postfix/smtpd[11990]: disconnect from
> xxxxx[x.x.x.x]

The client software is buggy. Perhaps it continues to send cleartext
after sending "STARTTLS", or sends "QUIT\r\n" in the clear after giving
up the incomplete TLS handshake.

> I'm not sure if it's an SSL cert related issue or not. I am using a UCC
> cert from GoDaddy and the first name in the list matches the mail server
> name.

There is no mention of certificates anywhere above. The problem has
nothing to do with certificates. The Postfix SMTP server receives a TLS
record with a bad version number.

> Suggestions where to go with this?

Tcpdump (without packet truncation) and wireshark. Extract from the raw
capture a single TCP stream (match on client port) with a session of
interest, and post (the raw PCAP file of) that if you don't understand
what wireshark tells you.

Either your OpenSSL is not adequately patched to resolve all known
interoperability issues, or your web app STARTTLS implementation is
buggy.

-- 
	Viktor.
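Added illustration, not part of the thread above: the server-side TLS library reads the first five bytes the client sends after "220 ... Ready to start TLS" as a TLS record header (type, two-byte version, two-byte length). If the client keeps speaking SMTP in the clear, the bytes after the type byte are ASCII letters rather than 0x03xx, and the library reports "wrong version number". The script below applies that interpretation to constructed sample inputs (a real ClientHello header, a cleartext "QUIT\r\n", a cleartext "EHLO"); the checks are this example's own simplification of what a server library does at that point, not OpenSSL's code, and the hostnames are invented.

```python
"""Interpret the first bytes a client sends after STARTTLS as a TLS record
header, the way the server-side TLS library does.  Added example; not
from the original thread and not Postfix or OpenSSL code."""
import struct

# TLS record content types (RFC 5246 section 6.2.1; 0x18 is RFC 6520 heartbeat)
CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
    0x18: "heartbeat",
}

SSL3_VERSION_MAJOR = 0x03
MAX_RECORD_LENGTH = 16384 + 2048  # TLSCiphertext.length upper bound, RFC 5246


def parse_record_header(data: bytes) -> dict:
    """Read the first five bytes of `data` as a TLS record header.

    Layout (RFC 5246 section 6.2.1):
        ContentType type;        /* 1 byte  */
        ProtocolVersion version; /* 2 bytes: major, minor */
        uint16 length;           /* 2 bytes, big-endian */
    The checks approximate what a server library does when it expects a
    ClientHello right after STARTTLS; they are a simplification for this
    example, not a transcription of OpenSSL's record layer.
    """
    if len(data) < 5:
        return {"ok": False, "reason": "short record header", "raw": data}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    info = {
        "raw": data[:5],
        "content_type": CONTENT_TYPES.get(ctype, "unknown(0x%02x)" % ctype),
        "version": (major, minor),
        "length": length,
    }
    if major != SSL3_VERSION_MAJOR:
        # The condition behind "SSL3_GET_RECORD:wrong version number":
        # the two bytes after the type byte are not 0x03xx.
        info.update(ok=False, reason="wrong version number")
    elif ctype not in CONTENT_TYPES:
        info.update(ok=False, reason="unknown content type")
    elif length > MAX_RECORD_LENGTH:
        info.update(ok=False, reason="record too long")
    else:
        info.update(ok=True, reason=None)
    return info


def printable(data: bytes) -> str:
    """Render bytes with non-printables escaped, roughly as Wireshark's
    'Follow TCP Stream' pane would show a misparsed header."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in data)


# Constructed sample inputs: what a client might send right after the
# server answers STARTTLS with "220 2.0.0 Ready to start TLS".
SAMPLES = {
    # A correct client: handshake record (type 0x16) carrying a ClientHello.
    # Only the header matters here; the body is a truncated stand-in.
    "tls_client_hello": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    # A buggy client that gave up and sent QUIT in the clear.
    "cleartext_quit": b"QUIT\r\n",
    # A buggy client that kept talking SMTP in the clear after STARTTLS.
    "cleartext_ehlo": b"EHLO webapp.example.invalid\r\n",
}


def diagnose(data: bytes) -> str:
    """One-line verdict of the kind a mail admin wants from the capture."""
    r = parse_record_header(data)
    if r["ok"]:
        return "TLS %s record, version %d.%d, %d bytes" % (
            r["content_type"], r["version"][0], r["version"][1], r["length"])
    return "%s: first bytes %r read as text: %s" % (
        r["reason"], r["raw"], printable(r["raw"]))


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-17s %s" % (name, diagnose(data)))
```

In a real capture (`tcpdump -s 0 -w session.pcap port 25`, then "Follow TCP Stream" on the client port in Wireshark), the same symptom shows up as readable SMTP text where the client's ClientHello should begin, immediately after the server's 220 reply to STARTTLS. Seeing 0x16 0x03 0xNN there instead means the client did start TLS and the problem lies further into the handshake.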