On Thu, Mar 30, 2017 at 02:54:09PM +0200, Benny Pedersen wrote:

> Levente Birta wrote on 2017-03-30 14:27:
>
> > Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: CONNECT from
> > [98.137.64.231]:33591
> > Mar 30 13:48:16 wsrv postfix/tlsproxy[34871]: warning: TLS library
> > problem: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert
> > certificate unknown:s3_pkt.c:1275:SSL alert number 46:

A "certificate unknown" alert is unlikely to be an issue with the
SSL/TLS protocol version.

> > At the end I think the mail is received in plain text
> > Could be the problem at my side?
>
> your problem is that you miss ssl3 support with yahoo still use :(

This is not correct, many Yahoo MTAs support TLSv1.2, e.g.:

    Mar 24 13:30:12 amnesiac postfix/smtpd[25034]: Anonymous TLS connection established from nm21-vm3.bullet.mail.ir2.yahoo.com[212.82.96.254]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

However, I also have:

    Feb 27 02:39:15 amnesiac postfix/smtpd[13779]: SSL_accept error from sonic326-4.consmr.mail.ne1.yahoo.com[66.163.186.123]: 0
    Feb 27 02:39:15 amnesiac postfix/smtpd[13779]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
    Feb 28 00:55:49 amnesiac postfix/smtpd[259]: SSL_accept error from sonic305-54.consmr.mail.ne1.yahoo.com[66.163.185.180]: 0
    Feb 28 00:55:49 amnesiac postfix/smtpd[259]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
    Mar 3 05:27:33 amnesiac postfix/smtpd[5897]: SSL_accept error from sonic315-47.consmr.mail.bf2.yahoo.com[74.6.134.221]: 0
    Mar 3 05:27:33 amnesiac postfix/smtpd[5897]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
    Mar 6 07:44:57 amnesiac postfix/smtpd[576]: SSL_accept error from sonic313-47.consmr.mail.bf2.yahoo.com[74.6.133.221]: 0
    Mar 6 07:44:57 amnesiac postfix/smtpd[576]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
    Mar 7 15:50:03 amnesiac postfix/smtpd[8740]: SSL_accept error from sonic314-47.consmr.mail.bf2.yahoo.com[74.6.132.221]: 0
    Mar 7 15:50:03 amnesiac postfix/smtpd[8740]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
    Mar 29 14:57:45 amnesiac postfix/smtpd[2319]: SSL_accept error from sonic305-3.consmr.mail.bf2.yahoo.com[74.6.133.42]: 0
    Mar 29 14:57:45 amnesiac postfix/smtpd[2319]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
    Mar 30 00:40:11 amnesiac postfix/smtpd[17880]: SSL_accept error from sonic309-27.consmr.mail.sg3.yahoo.com[106.10.244.90]: 0
    Mar 30 00:40:11 amnesiac postfix/smtpd[17880]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

This suggests some ignoramus has configured the "sonic...consmr..."
systems to drop unauthenticated TLS connections and send in cleartext
instead. The same issue can be seen with mimecast:

    Feb 28 20:31:31 amnesiac postfix/smtpd[13789]: SSL_accept error from us-smtp-delivery-112.mimecast.com[216.205.24.112]: 0
    Feb 28 20:31:31 amnesiac postfix/smtpd[13789]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
    Mar 27 03:59:06 amnesiac postfix/smtpd[27065]: SSL_accept error from us-smtp-delivery-203.mimecast.com[216.205.24.203]: 0
    Mar 27 03:59:06 amnesiac postfix/smtpd[27065]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
    Mar 28 15:16:14 amnesiac postfix/smtpd[24429]: SSL_accept error from us-smtp-delivery-120.mimecast.com[216.205.24.120]: 0
    Mar 28 15:16:14 amnesiac postfix/smtpd[24429]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:

Seems some folks need detention after school to copy RFC7435 in
long-hand a dozen times.

-- 
    Viktor.
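
An added example, not part of the original message: a Python tally over Postfix smtpd log lines in the format quoted above. It pairs each `SSL_accept error` with the alert logged by the same process, so senders that abort the handshake with a certificate alert (46, certificate_unknown) can be told apart from a protocol-version failure (alert 70). The function names are illustrative, and the hostnames and addresses in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

# TLS alert descriptions from RFC 5246 section 7.2 (subset relevant here).
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version"}
CERT_ALERTS = {"bad_certificate", "certificate_unknown", "unknown_ca"}

PROC = r"postfix/(\w+)\[(\d+)\]: "
ACCEPT_ERR = re.compile(PROC + r"SSL_accept error from (\S+)\[[^\]]+\]")
ALERT = re.compile(PROC + r"warning: TLS library problem: .*SSL alert number (\d+):")
TLS_OK = re.compile(PROC + r"\w+ TLS connection established from (\S+)\[[^\]]+\]")

def summarize(lines):
    """Tally TLS handshake outcomes per client hostname."""
    pending = {}                    # (daemon, pid) -> host whose alert line is next
    stats = defaultdict(Counter)
    for line in lines:
        if m := ACCEPT_ERR.search(line):
            pending[(m[1], m[2])] = m[3]
        elif m := ALERT.search(line):
            host = pending.pop((m[1], m[2]), None)
            if host is not None:
                num = int(m[3])
                stats[host][ALERTS.get(num, f"alert_{num}")] += 1
        elif m := TLS_OK.search(line):
            stats[m[3]]["tls_ok"] += 1
    return stats

def cert_rejecting_hosts(stats):
    """Hosts that never completed TLS and sent a certificate-related alert."""
    return sorted(h for h, c in stats.items()
                  if c["tls_ok"] == 0 and any(c[a] for a in CERT_ALERTS))

# Constructed sample: hostnames and addresses are placeholders, not real senders.
SAMPLE = """\
Mar 24 13:30:12 mx postfix/smtpd[25034]: Anonymous TLS connection established from out1.sender.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 29 14:57:45 mx postfix/smtpd[2319]: SSL_accept error from out2.strict.example[198.51.100.7]: 0
Mar 29 14:57:45 mx postfix/smtpd[2319]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
Mar 30 00:40:11 mx postfix/smtpd[17880]: SSL_accept error from out2.strict.example[198.51.100.7]: 0
Mar 30 00:40:11 mx postfix/smtpd[17880]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:s3_pkt.c:1493:SSL alert number 46:
""".splitlines()

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for host in cert_rejecting_hosts(stats):
        print(host, dict(stats[host]))
```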