Re: TLS library problem

Thu, 19 Feb 2015 08:26:55 -0800 

On Thu, Feb 19, 2015 at 03:53:13PM -0000, st...@thornet.co.uk wrote:

> We have lots of these in the logs
>
> warning: TLS library problem:15696:error:14094416:
>   SSL routines:SSL3_READ_BYTES:
>   sslv3 alert certificate unknown:
>   s3_pkt.c:1256:
>   SSL alert number 46:
>
> Should I be worried

You should always be worried.  Though you trimmed your log entry
to hide the name of the Postfix program logging the message, and
other generally useful information, my crystal ball says:

    * This is logged by your smtpd(8) server.

    * A small set of organizations operate remote SMTP clients that
      trigger this warning when sending email to you.  Most inbound
      mail uses TLS without generating said warning.

    * The clients in question subsequently switch to cleartext and
      deliver the email anyway.

    * The sending domain is running a small market share "email
      security appliance", whose TLS support was developed by
      programmers who understand only the TLS API, but do not
      understand how opportunistic TLS fits into SMTP transport
      security.

    * The appliance drops TLS connections when it can't validate
      the peer certificate, and instead of proceeding unauthenticated,
      (the right thing to do with opportunistic TLS), it sends a
      fatal TLS alert drops the TLS connection, and retries in the
      clear.  This is of course worthy of ridicule, but not unexpected.

    * It is perhaps possible to misconfigure some more mainstream
      MTAs to only do authenticated TLS or else drop to cleartext,
      then the fault lies with the clueless administrator, and
      not the MTA developers.

So you need to do more work (analyzing your logs):

    * Determine which client IP addresses trigger this problem.

    * Determine whether mail from these addresses is ever sent
      over TLS, or whether all TLS handshake attempts fail.

    * Determine whether they in fact shortly after such problems
      are logged deliver email in the clear.

    * Connect to the MX hosts of the sending domain and try to
      see whether the offending product is identified in the
      SMTP banner.

    * Point out the problem to the postmaster of the domain in
      question.

-- 
        Viktor.

Reply via email to