Perhaps sslv3 related. http://disablessl3.com/
Original Message
From: Levente Birta
Sent: Thursday, March 30, 2017 5:28 AM
To: Postfix users
Subject: Another yahoo problem

Hi

I have a problem with getting mails from yahoo, only from yahoo but now from all servers. Here is the log:

Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: CONNECT from [98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: warning: TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: DISCONNECT [98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: HANGUP after 0.84 from [98.137.64.231]:33591 in tests after SMTP handshake
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: DISCONNECT [98.137.64.231]:33591
Mar 30 13:48:16 wsrv postfix/postscreen[15245]: CONNECT from [98.137.64.231]:37770 to [176.223.199.38]:25
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: NOQUEUE: reject: RCPT from [98.137.64.231]:37770: 450 4.3.2 Service currently unavailable; from=<s.e.n.d.e.r.a.d.d.r.e....@yahoo.com>, to=<r.e.c.i.p.i.e....@d.d.d.com>, proto=ESMTP, helo=<sonic303-49.consmr.mail.gq1.yahoo.com>
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: PASS NEW [98.137.64.231]:37770
Mar 30 13:48:17 wsrv postfix/postscreen[15245]: DISCONNECT [98.137.64.231]:37770
...
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: connect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: SSL_accept error from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]: 0
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: warning: TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: lost connection after STARTTLS from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: disconnect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 starttls=0/1 commands=1/2
Mar 30 14:18:39 wsrv postfix/postscreen[15245]: CONNECT from [98.137.64.231]:33638 to [my.ip.add.ress]:25
Mar 30 14:18:39 wsrv postfix/postscreen[15245]: PASS OLD [98.137.64.231]:33638
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: connect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:39 wsrv policyd-spf[41310]: spfcheck: pyspf result: "['None', '', 'helo']"
Mar 30 14:18:39 wsrv policyd-spf[41310]: None; identity=no SPF record; client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com; envelope-from=s.e.n.d.e.r.a.d.d.r.e....@yahoo.com; receiver=<UNKNOWN>
Mar 30 14:18:39 wsrv policyd-spf[41310]: spfcheck: pyspf result: "['Pass', 'sender SPF authorized', 'mailfrom']"
Mar 30 14:18:39 wsrv policyd-spf[41310]: Pass; identity=mailfrom; client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com; envelope-from=s.e.n.d.e.r.a.d.d.r.e....@yahoo.com; receiver=<UNKNOWN>
Mar 30 14:18:39 wsrv policyd-spf[41310]: prepend Authentication-Results: host.server.host; spf=pass (mailfrom) smtp.mailfrom=yahoo.com (client-ip=98.137.64.231; helo=sonic303-49.consmr.mail.gq1.yahoo.com; envelope-from=s.e.n.d.e.r.a.d.d.r.e....@yahoo.com; receiver=<UNKNOWN>)
Mar 30 14:18:39 wsrv postfix/smtpd[41303]: 3vv2FC6QJmz53Nc7n: client=sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231]
Mar 30 14:18:40 wsrv postfix/cleanup[37513]: 3vv2FC6QJmz53Nc7n: message-id=<675236413.329268.1490870647...@mail.yahoo.com>
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: sonic303-49.consmr.mail.gq1.yahoo.com [98.137.64.231] not internal
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: not authenticated
Mar 30 14:18:40 wsrv opendkim[2145]: 3vv2FC6QJmz53Nc7n: DKIM verification successful
Mar 30 14:18:40 wsrv opendmarc[2140]: 3vv2FC6QJmz53Nc7n: yahoo.com pass
Mar 30 14:18:40 wsrv postfix/qmgr[1771]: 3vv2FC6QJmz53Nc7n: from=<s.e.n.d.e.r.a.d.d.r.e....@yahoo.com>, size=3486, nrcpt=1 (queue active)
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) ESMTP :10024 /var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ: <s.e.n.d.e.r.a.d.d.r.e....@yahoo.com> -> <r.e.c.i.p.i.e....@d.d.d.com> SIZE=3486 Received: from host.server.host ([127.0.0.1]) by localhost (host.server.host [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <r.e.c.i.p.i.e....@d.d.d.com>; Thu, 30 Mar 2017 14:18:40 +0300 (EEST)
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) Checking: OBTvTMhgT_kq [98.137.64.231] <s.e.n.d.e.r.a.d.d.r.e....@yahoo.com> -> <r.e.c.i.p.i.e....@d.d.d.com>
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p003 1 Content-Type: multipart/alternative
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p001 1/1 Content-Type: text/plain, size: 118 B, name:
Mar 30 14:18:40 wsrv amavis[40598]: (40598-09) p002 1/2 Content-Type: text/html, size: 675 B, name:
Mar 30 14:18:40 wsrv clamd[41770]: /var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ/parts/p004: OK
Mar 30 14:18:40 wsrv clamd[41770]: /var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ/parts/p001: OK
Mar 30 14:18:40 wsrv clamd[41770]: /var/spool/amavisd/tmp/amavis-20170330T141420-40598-z7bmC8PJ/parts/p002: OK
Mar 30 14:18:40 wsrv postfix/smtpd[41303]: disconnect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5

At the end I think the mail is received in plain text

Could be the problem at my side? As I see the alert number 46 is unacceptable certificate .. so the problem is at the sender side? Can I apply a workaround at my side?

Thanks
Levi

postfix version 3.2-20170122

#postconf -n:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases, hash:/etc/mailman/aliases
append_at_myorigin = no
append_dot_mydomain = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
compatibility_level = 2
content_filter = amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
default_destination_recipient_limit = 30
dk_milter = inet:localhost:8892
dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = ipv4
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
maximal_backoff_time = 8000s
message_size_limit = 0
meta_directory = /etc/postfix
milter_default_action = accept
milter_protocol = 6
mime_header_checks = regexp:/etc/postfix/mime_header_checks
minimal_backoff_time = 1800s
mydestination = localhost, $myhostname, localhost.$mydomain
mydomain = d.d.d.com
myhostname = wsrv.d.d.d.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
nested_header_checks = regexp:/etc/postfix/nested_header_checks
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $dk_milter,$dkim_milter,$dmarc_milter
policy-spf_time_limit = 3600s
postscreen_access_list = permit_mynetworks, cidr:/etc/postfix/postscreen_access.cidr, cidr:/etc/postfix/postscreen_spamhaus.cidr
postscreen_bare_newline_action = ignore
postscreen_bare_newline_enable = yes
postscreen_blacklist_action = drop
postscreen_cache_retention_time = 14d
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = rbl.abuse.ro*2 zen.spamhaus.org*3 b.barracudacentral.org*3 bl.spameatingmonkey.net*2 bl.mailspike.net*1 bl.spamcop.net*1 swl.spamhaus.org*-4 list.dnswl.org=127.[0..255].[0..255].0*-2 list.dnswl.org=127.[0..255].[0..255].1*-3 list.dnswl.org=127.[0..255].[0..255].[2..255]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner/Postscreen enabled
postscreen_non_smtp_command_action = ignore
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_action = ignore
postscreen_pipelining_enable = yes
proxy_read_maps = $local_recipient_maps, $mydestination, $virtual_alias_maps, $virtual_alias_domains, $sender_bcc_maps, $virtual_mailbox_maps, $virtual_mailbox_domains, $relay_recipient_maps $relay_domains, $canonical_maps, $sender_canonical_maps, $recipient_canonical_maps, $relocated_maps, $transport_maps, $mynetworks, $smtpd_sender_login_maps
queue_directory = /var/spool/postfix
queue_run_delay = 1200s
readme_directory = no
receive_override_options = no_address_mappings
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
sample_directory = /etc/postfix
sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = no
smtp_sasl_tls_security_options = noanonymous
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = RC4, aNULL
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = may
smtp_use_tls = yes
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_data_restrictions =
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, reject_invalid_hostname, reject_non_fqdn_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo
smtpd_milters = $dkim_milter,$dmarc_milter
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policy-spf, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_unlisted_sender, reject_rbl_client zen.spamhaus.org, check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
smtpd_restriction_classes =
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
smtpd_sender_restrictions = permit_mynetworks, check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_cert_file = /etc/letsencrypt/live/d.d.d.com/fullchain.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem
smtpd_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_key_file = /etc/letsencrypt/live/d.d.d.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_use_tls = yes
smtputf8_enable = no
transport_maps = hash:/etc/postfix/transport, hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
undisclosed_recipients_header = To: undisclosed-recipients:;
unknown_local_recipient_reject_code = 550
virtual_alias_domains =
virtual_alias_maps = hash:/etc/mailman/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = mysql:/etc/postfix/mysql-virtual_gids.cf
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = mysql:/etc/postfix/mysql-virtual_uids.cf

--
Levi
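
An added example, not part of the thread or of Postfix: a log check that decodes the OpenSSL error code in the "TLS library problem" lines and flags clients whose STARTTLS attempt ended in an alert and whose later session delivered mail without TLS, as in the log above. It assumes the pre-3.0 OpenSSL error layout (8-bit library, 12-bit function, 12-bit reason, where reason 1000 + N means alert N was received from the peer) and the Postfix 3.x per-session command counts; the function names and the shortened sample are constructed for illustration.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2) that matter for handshake triage.
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
          44: "certificate_revoked", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}

# Constructed sample: three lines shortened from the log quoted in the message.
SAMPLE = """\
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: warning: TLS library problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1275:SSL alert number 46:
Mar 30 14:18:38 wsrv postfix/smtpd[41303]: disconnect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 starttls=0/1 commands=1/2
Mar 30 14:18:40 wsrv postfix/smtpd[41303]: disconnect from sonic303-49.consmr.mail.gq1.yahoo.com[98.137.64.231] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

ERR_RE = re.compile(r"postfix/\w+\[(\d+)\]: warning: TLS library problem: error:([0-9A-Fa-f]{8}):")
DISC_RE = re.compile(r"postfix/smtpd\[(\d+)\]: disconnect from \S*\[([\d.]+)\] (.*)$")

def decode_alert(err_hex):
    """Return (alert_number, name) if the packed error is a received TLS alert."""
    code = int(err_hex, 16)
    lib, reason = code >> 24, code & 0xFFF
    if lib != 0x14 or reason < 1000:      # 0x14 = ERR_LIB_SSL; alerts are 1000 + N
        return None
    num = reason - 1000
    return num, ALERTS.get(num, "unknown")

def plaintext_fallbacks(log_text):
    """Return [(client_ip, alert_name)] for clients that aborted STARTTLS with an
    alert and then had mail accepted in a session that never used STARTTLS."""
    pending_pid, failed, hits = {}, {}, []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            alert = decode_alert(m.group(2))
            if alert:
                pending_pid[m.group(1)] = alert[1]   # remember by smtpd PID
            continue
        m = DISC_RE.search(line)
        if not m:
            continue
        pid, ip, stats = m.groups()
        counts = dict(kv.split("=", 1) for kv in stats.split() if "=" in kv)
        if pid in pending_pid:                       # the session that got the alert
            failed[ip] = pending_pid.pop(pid)
        elif ip in failed and counts.get("data") == "1" and "starttls" not in counts:
            hits.append((ip, failed.pop(ip)))        # same IP, message sent in clear
    return hits

if __name__ == "__main__":
    print(decode_alert("14094416"), plaintext_fallbacks(SAMPLE))
```

The tlsproxy lines from postscreen carry the same error code but no matching smtpd disconnect, so they are decoded and then left unpaired.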