Hi,

I've turned on TLS in postfix and I've started getting an error from some mail servers:

    SSL_accept error from mass1a.sans.org[66.35.59.243]: -1
    warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:

I've got a valid SSL certificate. The server passed the checktls.com test successfully. I have no clue what is going wrong. Please find all details below.

I'm using Ubuntu 14.04.02, postfix 2.11.0-1ubuntu1

Debug log:

    < mass1a.sans.org[66.35.59.243]: EHLO mass1a.sans.org
    match_list_match: mass1a.sans.org: no match
    match_list_match: 66.35.59.243: no match
    > mass1a.sans.org[66.35.59.243]: 250-mail.domain.tld
    > mass1a.sans.org[66.35.59.243]: 250-PIPELINING
    > mass1a.sans.org[66.35.59.243]: 250-SIZE 10240000
    > mass1a.sans.org[66.35.59.243]: 250-VRFY
    > mass1a.sans.org[66.35.59.243]: 250-ETRN
    > mass1a.sans.org[66.35.59.243]: 250-STARTTLS
    > mass1a.sans.org[66.35.59.243]: 250-ENHANCEDSTATUSCODES
    > mass1a.sans.org[66.35.59.243]: 250-8BITMIME
    > mass1a.sans.org[66.35.59.243]: 250 DSN
    watchdog_pat: 0x7f5fe36d1ec0
    < mass1a.sans.org[66.35.59.243]: STARTTLS
    match_hostname: mass1a.sans.org ~? 127.0.0.0/8
    match_hostaddr: 66.35.59.243 ~? 127.0.0.0/8
    match_list_match: mass1a.sans.org: no match
    match_list_match: 66.35.59.243: no match
    send attr request = newtls_status
    send attr ident = smtp:66.35.59.243
    private/anvil: wanted attribute: status
    input attribute name: status
    input attribute value: 0
    private/anvil: wanted attribute: rate
    input attribute name: rate
    input attribute value: 0
    private/anvil: wanted attribute: (list terminator)
    input attribute name: (end)
    > mass1a.sans.org[66.35.59.243]: 220 2.0.0 Ready to start TLS
    send attr request = seed
    send attr size = 32
    private/tlsmgr: wanted attribute: status
    input attribute name: status
    input attribute value: 0
    private/tlsmgr: wanted attribute: seed
    input attribute name: seed
    input attribute value: aVv0wBLrbK8LGhBxb6O8mQRlyPut8FHOJoRbXODv+jI=
    private/tlsmgr: wanted attribute: (list terminator)
    input attribute name: (end)
    SSL_accept error from mass1a.sans.org[66.35.59.243]: -1
    warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:

Full log file is available here: https://gist.github.com/hostmaster/a0e9b58a895b5437fb97

postconf -n

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    config_directory = /etc/postfix
    debug_peer_list = mass1a.sans.org
    default_transport = smtp
    home_mailbox = Maildir/
    inet_interfaces = all
    inet_protocols = ipv4
    mailbox_command =
    mailbox_size_limit = 0
    milter_default_action = accept
    milter_protocol = 2
    mydestination = $myhostname, localhost.localdomain, localhost
    myhostname = mail.domain.tld
    mynetworks = 127.0.0.0/8
    myorigin = $myhostname
    receive_override_options = no_unknown_recipient_checks,no_header_body_checks,no_milters
    recipient_delimiter = +
    relay_transport = smtp
    relayhost =
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt
    smtp_tls_ciphers = medium
    smtp_tls_key_file = /etc/ssl/private/mail.domain.tld.key
    smtp_tls_loglevel = 0
    smtp_tls_mandatory_ciphers = medium
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_tls_session_cache_timeout = 3600s
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    smtpd_client_connection_count_limit = 2
    smtpd_client_connection_rate_limit = 10
    smtpd_client_event_limit_exceptions = 127.0.0.0/8
    smtpd_client_message_rate_limit = 10
    smtpd_client_new_tls_session_rate_limit = 10
    smtpd_data_restrictions = reject_unauth_pipelining
    smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtpd_tls_auth_only = yes
    smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt
    smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key
    smtpd_tls_loglevel = 1
    smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
    smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_use_tls = yes
    tls_medium_cipherlist = AES128+EECDH:AES128+EDH
    tls_random_source = dev:/dev/urandom
    virtual_alias_domains = domain.tld
    virtual_alias_maps = hash:/etc/postfix/virtual_aliases

--
Best,
Igor