Hello,

My office receives email from UPS, since we're a customer.

One of the domains that UPS emails from is apparently "iship.com".

We're not getting those emails.

From the Postfix mail server's logs there's this for one of the 'misses'

  mail postfix/postscreen[4531]: PASS NEW [64.74.4.33]:56785
  mail postfix/postscreen-smtpd/smtpd[4537]: connect from mail3.iship.com[64.74.4.33]
  mail postfix/postscreen-smtpd/smtpd[4537]: SSL_accept error from mail3.iship.com[64.74.4.33]: -1
  mail postfix/postscreen-smtpd/smtpd[4537]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1404:
  mail postfix/postscreen-smtpd/smtpd[4537]: lost connection after STARTTLS from mail3.iship.com[64.74.4.33]
  mail postfix/postscreen-smtpd/smtpd[4537]: disconnect from mail3.iship.com[64.74.4.33] ehlo=1 starttls=0/1 commands=1/2

This is the only domain that I see this error with.  I'm guessing it's some 
kind of problem with their SSL?

I tried to communicate with someone @ iship.com.  Nobody home.  Or interested 
:-(

I checked with some tools I read about online, and I get

  telnet mail3.iship.com 25
    Trying 64.74.4.33...
    Connected to mail3.iship.com.
    Escape character is '^]'.
    220 mail3.iship.com Microsoft ESMTP MAIL Service ready at Tue, 24 Oct 2017 16:07:14 -0700
    ehlo me
    250-mail3.iship.com Hello [xx.xx.xx.xx]
    250-SIZE 16777216
    250-PIPELINING
    250-DSN
    250-ENHANCEDSTATUSCODES
    250-STARTTLS
    250-X-ANONYMOUSTLS
    250-AUTH
    250-X-EXPS NTLM
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250 XEXCH50

and

  openssl s_client -connect mail3.iship.com:25 -starttls smtp
    CONNECTED(00000003)
    write:errno=0
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 350 bytes and written 209 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1508886336
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no

I'd like to get a handle on what the problem actually is here.  And if I can 
fix something on my end, maybe a workaround for this one domain.  Or better, if 
I can figure out how to get THEM to fix it, if it really is on their system.

Thanks for any help.

Dave
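
An added example, not part of the original post: a small Python script that scans Postfix smtpd log lines of the kind quoted above and lists the peers whose STARTTLS handshake never completed, together with the OpenSSL reason string logged for them. The sample log is constructed (placeholder hostnames and addresses), and the function name `starttls_failures` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the log lines in the post (wrapped lines
# joined); hostnames and addresses are placeholders, not real systems.
SAMPLE_LOG = """\
mail postfix/postscreen-smtpd/smtpd[4537]: connect from mx.example.net[192.0.2.10]
mail postfix/postscreen-smtpd/smtpd[4537]: SSL_accept error from mx.example.net[192.0.2.10]: -1
mail postfix/postscreen-smtpd/smtpd[4537]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:1404:
mail postfix/postscreen-smtpd/smtpd[4537]: lost connection after STARTTLS from mx.example.net[192.0.2.10]
mail postfix/postscreen-smtpd/smtpd[4537]: disconnect from mx.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
mail postfix/postscreen-smtpd/smtpd[4540]: connect from out.example.org[198.51.100.7]
mail postfix/postscreen-smtpd/smtpd[4540]: disconnect from out.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE = re.compile(r"smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_ERR = re.compile(r"SSL_accept error from (?P<peer>\S+\[[^\]]+\])")
# OpenSSL error string layout: error:<code>:<library>:<function>:<reason>:<file>:<line>:
TLS_PROBLEM = re.compile(
    r"TLS library problem: error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>[^:]+):")
# "starttls=0/N" in the disconnect summary means 0 of N STARTTLS attempts succeeded.
DISCONNECT = re.compile(
    r"disconnect from (?P<peer>\S+\[[^\]]+\]).*\bstarttls=0/(?P<tried>\d+)")

def starttls_failures(log_text):
    """Return {peer: {"failed": n, "reasons": set}} for failed STARTTLS peers."""
    peer_by_pid = {}  # the "TLS library problem" line names no peer, so track it by pid
    report = defaultdict(lambda: {"failed": 0, "reasons": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (e := ACCEPT_ERR.search(msg)):
            peer_by_pid[pid] = e["peer"]
        elif (t := TLS_PROBLEM.search(msg)) and pid in peer_by_pid:
            report[peer_by_pid[pid]]["reasons"].add(t["reason"])
        elif (d := DISCONNECT.search(msg)):
            report[d["peer"]]["failed"] += int(d["tried"])
            peer_by_pid.pop(pid, None)
    return dict(report)

if __name__ == "__main__":
    for peer, info in starttls_failures(SAMPLE_LOG).items():
        print(peer, info["failed"], sorted(info["reasons"]))
```

Mail logs written with hard line wraps, as in the excerpt above, need the continuation lines joined before being passed to the function.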
