On Tue, Sep 06, 2016 at 02:30:29AM -0700, rei wrote:

> > Is the system that's logging the below sending or receiving email?
> 
> The errors below happened when the system sends mail. That system can also
> receive mail without problem.
> 
> Sep  4 14:29:00 centos-512mb-nyc3-01 postfix/smtpd[6605]: 
>     connect from xxx.com[159.203.103.xxx]

The Postfix smtpd(8) daemon *receives* mail via SMTP from remote
systems.  These are logs for inbound email.  Mail is sent to remote
systems via smtp(8).

> Sep  4 14:29:00 centos-512mb-nyc3-01 postfix/smtpd[6605]: 
>     setting up TLS connection from xxx.com[159.203.103.xxx]
> Sep  4 14:29:00 centos-512mb-nyc3-01 postfix/smtpd[6605]: 
>     xxx.com[159.203.103.xxx]: TLS cipher list
> "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
> Sep  4 14:29:00 centos-512mb-nyc3-01 postfix/smtpd[6605]: 
>     SSL_accept:before/accept initialization

There is generally no need to set the tls_loglevel > 1, just set
it to "1".  Setting it to "3" or "4" is definitely counterproductive.

> Sep  4 14:29:00 centos-512mb-nyc3-01 postfix/smtpd[6605]: 
>     SSL3 alert read:fatal:unknown CA
> Sep  4 14:29:00 centos-512mb-nyc3-01 postfix/smtpd[6605]: 
>     SSL_accept:failed in SSLv3 read client certificate A
> Sep  4 14:29:00 centos-512mb-nyc3-01 postfix/smtpd[6605]: 
>     SSL_accept error from xxx.com[159.203.103.xxx]: 0
> Sep  4 14:29:00 centos-512mb-nyc3-01 postfix/smtpd[6605]: 
>     warning: TLS library problem: 6605:error:14094418:SSL
>     routines:SSL3_READ_BYTES:tlsv1 alert unknown
>     ca:s3_pkt.c:1259:SSL alert number 48:

The connecting client "xxx.com[159.203.103.xxx]" sent you a fatal
TLS alert indicating that it does not like your self-signed
certificate.  This is a misconfigured or poorly implemented MTA and
you can ignore its attempts to use TLS to send you email.

> Sep  4 14:29:00 centos-512mb-nyc3-01 postfix/smtpd[6605]: 
>     lost connection after STARTTLS from xxx.com[159.203.103.xxx]
> Sep  4 14:29:00 centos-512mb-nyc3-01 postfix/smtpd[6605]: 
>     disconnect from xxx.com[159.203.103.xxx]
> 
> smtp_tls_security_level = may
> smtpd_tls_cert_file = /etc/pki/tls/certs/server.pem
> smtpd_tls_key_file = $smtpd_tls_cert_file
> smtpd_tls_loglevel = 3

Change this to "1".

> smtp       inet  n       -       n       -       -       smtpd
> smtp       unix  -       -       n       -       -       smtp

Take the time to understand the difference between smtpd(8) and
smtp(8).

    http://www.postfix.org/OVERVIEW.html
    http://www.postfix.org/smtp.8.html
    http://www.postfix.org/smtpd.8.html

-- 
        Viktor.
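
Added example, not part of the original message: a small Python parser that tells smtpd(8) (inbound) records from smtp(8) (outbound) records and pulls the TLS alert number out of "TLS library problem" warnings like the one quoted above. The sample log lines are constructed (placeholder hosts, one syslog record per line), and the function and variable names are hypothetical.

```python
import re

# Constructed sample (placeholder hosts, one syslog record per line).
SAMPLE_LOG = """\
Sep  4 14:29:00 mx1 postfix/smtpd[6605]: connect from client.example[192.0.2.10]
Sep  4 14:29:00 mx1 postfix/smtpd[6605]: warning: TLS library problem: 6605:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1259:SSL alert number 48:
Sep  4 14:29:00 mx1 postfix/smtpd[6605]: lost connection after STARTTLS from client.example[192.0.2.10]
Sep  4 14:29:00 mx1 postfix/smtpd[6605]: disconnect from client.example[192.0.2.10]
Sep  4 14:31:12 mx1 postfix/smtp[6711]: warning: TLS library problem: 6711:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1259:SSL alert number 42:
Sep  4 14:32:40 mx1 postfix/smtpd[6720]: connect from other.example[198.51.100.7]
Sep  4 14:32:41 mx1 postfix/smtpd[6720]: disconnect from other.example[198.51.100.7]
"""

RECORD = re.compile(r"postfix/(smtpd|smtp)\[(\d+)\]:\s+(.*)")
ALERT_NO = re.compile(r"TLS library problem:.*SSL alert number (\d+):")

# smtpd(8) is the SMTP server (receives mail); smtp(8) is the client (sends mail).
FLOW = {"smtpd": "inbound", "smtp": "outbound"}
# A few certificate-related TLS alert descriptions (RFC 5246, section 7.2).
ALERT_NAMES = {42: "bad_certificate", 46: "certificate_unknown", 48: "unknown_ca"}

def tls_alerts(log_text):
    """Return one dict per TLS alert warning, tagged with mail-flow direction."""
    peers = {}      # (daemon, pid) -> peer of the session currently open
    findings = []
    for line in log_text.splitlines():
        rec = RECORD.search(line)
        if not rec:
            continue
        daemon, pid, msg = rec.groups()
        key = (daemon, pid)
        if msg.startswith("connect from "):
            peers[key] = msg.split()[2]
        elif msg.startswith("disconnect from "):
            peers.pop(key, None)
        alert = ALERT_NO.search(msg)
        if alert:
            number = int(alert.group(1))
            findings.append({
                "daemon": daemon,
                "flow": FLOW[daemon],
                "peer": peers.get(key),   # None when no "connect from" was seen
                "alert": number,
                "name": ALERT_NAMES.get(number, "other"),
            })
    return findings

if __name__ == "__main__":
    for finding in tls_alerts(SAMPLE_LOG):
        print(finding)
```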
