On 27 April 2018 at 17:17, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Apr 27, 2018, at 2:22 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>>
>> $ grep -a "warning: TLS library problem" /var/log/mail.log.1 /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
>>      12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
>>      11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
>>      10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
>>       2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1239:
>>
>> Should I be concerned about these messages?
>
> To know the answer you need to consider which clients are running into
> this, and whether:
>
> * These clients are just network scanners and never send email
> * Are spammers and would send email if they could, but you're happy for
>   them to fail
> * Are legitimate email senders, and fall back to cleartext. In which case
>   you'd perhaps rather they use TLS, and should investigate further.
> * Are legitimate email senders, and don't fall back to cleartext (you don't
>   see a message in the clear from them shortly after each TLS failure).
>   In which case you're losing some email and really should investigate.
>
> The errors broadly suggest use of unsupported TLS protocol versions or
> unsupported TLS features, or simply malformed handshake messages. That
> would be expected from scanners, but can also happen if you're configured
> too strictly, for example, to exclude everything below TLSv1.2.
>
> So if you want to be sure, you'll need to do some further log analysis,
> and perhaps collect some PCAP files with full packet captures for any
> clients or netblocks that exhibit the symptoms repeatedly.
Thanks Viktor for that very clear explanation. I will start using (something like) this for monitoring my logs:

sed -n '/SSL_accept error/{N;/warning: TLS library problem/{s/.* from \([^:]*\).*/\1/;/unknown\[/d;/shodan\.io\[/d;p}}' /var/log/mail.log

So far I have one genuine sender that is failing TLS, but upon checking I see that it falls back to cleartext.
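As an added example (not code from the thread, nor Viktor's or Dominic's), the script below does the sorting Viktor describes over constructed sample log lines: it ties each SSL_accept error to its smtpd session through the PID, records the OpenSSL reason from the following warning line, and checks whether the same client later delivers a message in the clear or over TLS. The line layout follows Postfix smtpd logging; the hostnames, addresses and queue id are constructed.

```python
import re
from collections import defaultdict

# Constructed sample Postfix log (not from the thread): 192.0.2.10 fails the
# handshake, reconnects and delivers in cleartext; 198.51.100.7 never sends mail.
SAMPLE_LOG = """\
Apr 27 02:20:01 mx postfix/smtpd[101]: connect from mail.example.com[192.0.2.10]
Apr 27 02:20:01 mx postfix/smtpd[101]: SSL_accept error from mail.example.com[192.0.2.10]: -1
Apr 27 02:20:01 mx postfix/smtpd[101]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
Apr 27 02:20:05 mx postfix/smtpd[102]: connect from mail.example.com[192.0.2.10]
Apr 27 02:20:06 mx postfix/smtpd[102]: 4F3A1B2C3D: client=mail.example.com[192.0.2.10]
Apr 27 03:10:00 mx postfix/smtpd[103]: connect from unknown[198.51.100.7]
Apr 27 03:10:00 mx postfix/smtpd[103]: SSL_accept error from unknown[198.51.100.7]: -1
Apr 27 03:10:00 mx postfix/smtpd[103]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")  # the PID ties lines of one session

def classify_tls_failures(log_text):
    """Per TLS-failing client: error count, OpenSSL reasons, later mail with/without TLS."""
    stats = defaultdict(lambda: {"tls_errors": 0, "reasons": set(), "cleartext_mail": 0, "tls_mail": 0})
    session = {}  # smtpd PID -> {"client": "host[ip]", "tls": bool}
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            session[pid] = {"client": msg[len("connect from "):], "tls": False}
            continue
        if pid not in session:
            continue  # session opened outside this log window
        client = session[pid]["client"]
        if msg.startswith("SSL_accept error from "):
            stats[client]["tls_errors"] += 1
        elif msg.startswith("warning: TLS library problem: "):
            stats[client]["reasons"].add(msg.split(": ", 2)[-1])
        elif "TLS connection established from" in msg:
            session[pid]["tls"] = True
        elif ": client=" in msg and client in stats:  # message accepted after an earlier TLS failure
            stats[client]["tls_mail" if session[pid]["tls"] else "cleartext_mail"] += 1
    return dict(stats)

def verdict(entry):
    """Map one client's counters onto the cases Viktor lists."""
    if entry["cleartext_mail"]:
        return "falls back to cleartext: check whether the server's TLS policy is too strict"
    if entry["tls_mail"]:
        return "retries succeed over TLS: likely transient"
    return "no mail seen after failure: scanner, spammer, or a sender losing mail"
```

Run it over real smtpd logs by reading /var/log/mail.log into classify_tls_failures; the "no mail seen" clients are the ones worth matching against a PCAP as Viktor suggests.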