> On Jan 14, 2017, at 8:51 AM, Admin Beckspaced <ad...@beckspaced.com> wrote:
>
> 2017-01-14T14:41:43.183704+01:00 cx20 postfix/smtpd[25337]: initializing the server-side TLS engine
> 2017-01-14T14:41:43.195287+01:00 cx20 postfix/smtpd[25337]: connect from mail.kommunalunternehmen.de[217.6.53.146]
> 2017-01-14T14:41:43.254888+01:00 cx20 postfix/smtpd[25337]: setting up TLS connection from mail.kommunalunternehmen.de[217.6.53.146]
> 2017-01-14T14:41:43.255444+01:00 cx20 postfix/smtpd[25337]: mail.kommunalunternehmen.de[217.6.53.146]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
> 2017-01-14T14:41:43.257024+01:00 cx20 postfix/smtpd[25337]: SSL_accept:before/accept initialization
> 2017-01-14T14:41:43.277843+01:00 cx20 postfix/smtpd[25337]: SSL_accept:SSLv3 read client hello A
> 2017-01-14T14:41:43.278453+01:00 cx20 postfix/smtpd[25337]: SSL_accept:SSLv3 write server hello A
> 2017-01-14T14:41:43.278829+01:00 cx20 postfix/smtpd[25337]: SSL_accept:SSLv3 write certificate A
> 2017-01-14T14:41:43.296343+01:00 cx20 postfix/smtpd[25337]: SSL_accept:SSLv3 write key exchange A
> 2017-01-14T14:41:43.297537+01:00 cx20 postfix/smtpd[25337]: SSL_accept:SSLv3 write server done A
> 2017-01-14T14:41:43.298112+01:00 cx20 postfix/smtpd[25337]: SSL_accept:SSLv3 flush data
> 2017-01-14T14:41:43.313040+01:00 cx20 postfix/smtpd[25337]: SSL_accept:error in SSLv3 read client certificate A
> 2017-01-14T14:41:43.313611+01:00 cx20 postfix/smtpd[25337]: SSL_accept error from mail.kommunalunternehmen.de[217.6.53.146]: Connection reset by peer
> 2017-01-14T14:41:43.313970+01:00 cx20 postfix/smtpd[25337]: lost connection after STARTTLS from mail.kommunalunternehmen.de[217.6.53.146]
> 2017-01-14T14:41:43.314315+01:00 cx20 postfix/smtpd[25337]: disconnect from mail.kommunalunternehmen.de[217.6.53.146]
>
> I see: SSL_accept:error in SSLv3 read client certificate A
>
> so does this mean that the other exchange server has a problem with their certificate?
No, if your reported "postconf -n" output matches reality, then your server does not solicit client certificates. The "read client certificate A" state is misleading; the server actually expects a client key exchange at that point. A complete handshake log without any client certs looks like:

Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:before/accept initialization
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 read client hello A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 write server hello A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 write certificate A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 write key exchange A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 write server done A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 flush data
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 read client certificate A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 read client key exchange A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 read certificate verify A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 read finished A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 write session ticket A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 write change cipher spec A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 write finished A
Jan 14 19:21:48 mournblade postfix/smtpd[12682]: SSL_accept:SSLv3 flush data

> Is the problem on the exchange server side? or is it my postfix server?

Perhaps your 4096-bit RSA certificate signed with SHA2-256 is too modern for the client software in question. With a PCAP file of a session, we could see more data from the TLS server HELLO, perhaps that could yield a clue, but logs from the sending client would be much more useful, since it is the one deciding to not continue.

-- 
Viktor.
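As an added illustration, not code from this thread, a small Python script that walks the SSL_accept lines of each smtpd process and reports which client message was still outstanding when the handshake died. The state list is the full no-client-cert handshake from Viktor's reply; the sample log lines are constructed after the original post, with a placeholder host and IP.

```python
import re
# SSL_accept states Postfix (via OpenSSL 1.0.x) logs for a full handshake with
# no client certificate, in the order shown in the reply above.
FULL_HANDSHAKE = [
    "before/accept initialization", "SSLv3 read client hello A",
    "SSLv3 write server hello A", "SSLv3 write certificate A",
    "SSLv3 write key exchange A", "SSLv3 write server done A", "SSLv3 flush data",
    "SSLv3 read client certificate A",  # logged even when no cert is solicited
    "SSLv3 read client key exchange A", "SSLv3 read certificate verify A",
    "SSLv3 read finished A", "SSLv3 write session ticket A",
    "SSLv3 write change cipher spec A", "SSLv3 write finished A", "SSLv3 flush data",
]
# Client message the server was really waiting for when a "read" state fails; with
# no client cert solicited, "read client certificate A" means no ClientKeyExchange came.
CLIENT_MESSAGE_DUE = {
    "SSLv3 read client hello A": "ClientHello",
    "SSLv3 read client certificate A": "ClientKeyExchange (no client cert was solicited)",
    "SSLv3 read client key exchange A": "ClientKeyExchange",
    "SSLv3 read finished A": "Finished",
}
STATE_RE = re.compile(r"postfix/smtpd\[(\d+)\]: SSL_accept:(error in )?(.+?)\s*$")

def diagnose(log_lines):
    # Map each smtpd PID to (last SSL_accept state, verdict).
    seqs = {}
    for line in log_lines:
        m = STATE_RE.search(line)
        if m:  # "SSL_accept error from host[ip]: ..." has no colon, so it is skipped
            seqs.setdefault(m.group(1), []).append((m.group(3), bool(m.group(2))))
    verdicts = {}
    for pid, seq in seqs.items():
        last, failed = seq[-1]
        if failed and last in CLIENT_MESSAGE_DUE:
            verdict = f"client never sent {CLIENT_MESSAGE_DUE[last]}; the peer gave up, check its logs"
        elif failed:
            verdict = "handshake failed in a server-side state; check the local TLS setup"
        elif [s for s, _ in seq] == FULL_HANDSHAKE:
            verdict = "full handshake completed"
        else:
            verdict = "no SSL_accept error; not a full handshake (resumption or truncated log)"
        verdicts[pid] = (last, verdict)
    return verdicts
# Constructed sample modelled on the original post's tail (placeholder host/IP).
SAMPLE_LOG = [
    "2017-01-14T14:41:43.298112+01:00 cx20 postfix/smtpd[25337]: SSL_accept:SSLv3 flush data",
    "2017-01-14T14:41:43.313040+01:00 cx20 postfix/smtpd[25337]: SSL_accept:error in SSLv3 read client certificate A",
    "2017-01-14T14:41:43.313611+01:00 cx20 postfix/smtpd[25337]: SSL_accept error from mail.example.com[192.0.2.10]: Connection reset by peer",
]
if __name__ == "__main__":
    for pid, (state, verdict) in diagnose(SAMPLE_LOG).items():
        print(f"smtpd[{pid}] stopped at '{state}': {verdict}")
```

Feed it the output of `grep SSL_accept` over a mail log to get one verdict per smtpd process; any session whose verdict names a client message that never arrived is one where the sending side's logs, not the Postfix config, hold the answer.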