On Wed, Dec 12, 2018 at 10:16:14PM +0100, Benny Pedersen wrote:

> postfix/smtpd[24986]: connect from rs241.mailgun.us[209.61.151.241]
> postfix/smtpd[24986]: SSL_accept error from rs241.mailgun.us[209.61.151.241]: 0
> postfix/smtpd[24986]: lost connection after STARTTLS from rs241.mailgun.us[209.61.151.241]
> postfix/smtpd[24986]: disconnect from rs241.mailgun.us[209.61.151.241] ehlo=1 starttls=0/1 commands=1/2
As expected this is a handshake problem, but I would expect to see additional log messages showing more detailed SSL library error details. For example, my logs have:

postfix/smtpd[72804]: connect from sonic315-20.consmr.mail.ne1.yahoo.com[66.163.190.146]
postfix/smtpd[72804]: SSL_accept error from sonic315-20.consmr.mail.ne1.yahoo.com[66.163.190.146]: -1
postfix/smtpd[72804]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: ssl/record/rec_layer_s3.c:1528:SSL alert number 46:
postfix/smtpd[72804]: lost connection after STARTTLS from sonic315-20.consmr.mail.ne1.yahoo.com[66.163.190.146]

Which was supposed to have been fixed some time back, but Yahoo have never quite gotten around to actually doing it.

Anyway, where's your "TLS library problem" log message? Perhaps this is a case where the handshake fails at the TCP layer (the remote end simply hangs up), in which case Postfix logging may not be as detailed as it could be. Here's a patch for 3.3.2 that may show more detail.

diff --git a/src/tls/tls_bio_ops.c b/src/tls/tls_bio_ops.c index 1f4ec41f..c427a646 100644 --- a/src/tls/tls_bio_ops.c +++ b/src/tls/tls_bio_ops.c @@ -279,8 +279,10 @@ int tls_bio(int fd, int timeout, TLS_SESS_STATE *TLScontext, case SSL_ERROR_ZERO_RETURN: case SSL_ERROR_NONE: errno = 0; /* avoid bogus warnings */ - /* FALLTHROUGH */ + return (status); case SSL_ERROR_SYSCALL: + if (hsfunc && errno != 0) + msg_warn("SSL handshake I/O error: %m"); return (status); } }

-- 
Viktor.
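Review bot: the new msg_warn in the SSL_ERROR_SYSCALL arm only fires when errno != 0, but the case this patch is meant to illuminate (the remote end hanging up mid-handshake) typically surfaces from OpenSSL 1.1.x as SSL_ERROR_SYSCALL with errno == 0 and an empty error queue, so a plain EOF during the handshake would still log only the bare "SSL_accept error from ...: 0" line seen in the quoted report. Suggest covering the errno == 0 branch too when hsfunc is set, e.g. `if (hsfunc) msg_warn(errno ? "SSL handshake I/O error: %m" : "SSL handshake: unexpected EOF from peer");`, so the two conditions are distinguishable in the log (note that %m with errno 0 prints nothing useful). The change from `/* FALLTHROUGH */` to an explicit `return (status);` for SSL_ERROR_ZERO_RETURN and SSL_ERROR_NONE preserves the previous behaviour, since errno was just zeroed and would have skipped the new warning anyway.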
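The triage question in this reply (an "SSL_accept error" with, or without, a following "TLS library problem" line from the same smtpd process) is easy to automate over a mail log. The script below is an added example written for this thread; it is not Postfix code and not part of Viktor's message or patch. It assumes the log line shapes shown in the two excerpts above (a `postfix/smtpd[pid]:` prefix, the "SSL_accept error from peer: status" line, and an optional "warning: TLS library problem: ..." line logged by the same pid before its "disconnect from" line). The sample input is constructed from the two excerpts quoted in the thread, and the alert-number names are the standard TLS AlertDescription values.

```python
import re

# Constructed sample input: the two log excerpts quoted in this thread, one
# from the report (pid 24986) and one from the reply (pid 72804), joined as
# they would appear in a mail log. Timestamps and hostname prefix omitted.
SAMPLE_LOG = """\
postfix/smtpd[24986]: connect from rs241.mailgun.us[209.61.151.241]
postfix/smtpd[24986]: SSL_accept error from rs241.mailgun.us[209.61.151.241]: 0
postfix/smtpd[24986]: lost connection after STARTTLS from rs241.mailgun.us[209.61.151.241]
postfix/smtpd[24986]: disconnect from rs241.mailgun.us[209.61.151.241] ehlo=1 starttls=0/1 commands=1/2
postfix/smtpd[72804]: connect from sonic315-20.consmr.mail.ne1.yahoo.com[66.163.190.146]
postfix/smtpd[72804]: SSL_accept error from sonic315-20.consmr.mail.ne1.yahoo.com[66.163.190.146]: -1
postfix/smtpd[72804]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: ssl/record/rec_layer_s3.c:1528:SSL alert number 46:
postfix/smtpd[72804]: lost connection after STARTTLS from sonic315-20.consmr.mail.ne1.yahoo.com[66.163.190.146]
"""

SSL_ACCEPT_RE = re.compile(
    r'postfix/smtpd\[(?P<pid>\d+)\]: SSL_accept error from (?P<peer>\S+): (?P<status>-?\d+)')
TLS_WARN_RE = re.compile(
    r'postfix/smtpd\[(?P<pid>\d+)\]: warning: TLS library problem: (?P<detail>.*)')
DISCONNECT_RE = re.compile(r'postfix/smtpd\[(?P<pid>\d+)\]: disconnect from ')
ALERT_RE = re.compile(r'SSL alert number (?P<num>\d+)')

# TLS AlertDescription values (RFC 5246 / RFC 8446) for alerts commonly seen
# on inbound STARTTLS failures.
ALERT_NAMES = {
    40: "handshake_failure",
    42: "bad_certificate",
    46: "certificate_unknown",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
    112: "unrecognized_name",
}


def classify(status, detail):
    """Turn the SSL_accept status and the optional library detail into a verdict."""
    if detail is not None:
        m = ALERT_RE.search(detail)
        if m:
            num = int(m.group("num"))
            return f"peer sent TLS alert {num} ({ALERT_NAMES.get(num, 'unknown')})"
        return "TLS library error without alert"
    if status == 0:
        # No library detail and a 0 status: the connection ended before the
        # handshake completed, which is the silent case discussed in the thread.
        return "connection closed during handshake, no library detail"
    return "handshake I/O error, no library detail"


def triage_handshake_failures(log_text):
    """Pair each SSL_accept error with the TLS library warning of the same smtpd pid."""
    results = []
    open_by_pid = {}   # pid -> record still waiting for a possible warning line
    for line in log_text.splitlines():
        m = SSL_ACCEPT_RE.search(line)
        if m:
            rec = {"pid": m.group("pid"), "peer": m.group("peer"),
                   "status": int(m.group("status")), "detail": None}
            results.append(rec)
            open_by_pid[rec["pid"]] = rec
            continue
        m = TLS_WARN_RE.search(line)
        if m and m.group("pid") in open_by_pid:
            open_by_pid[m.group("pid")]["detail"] = m.group("detail").strip()
            continue
        m = DISCONNECT_RE.search(line)
        if m:
            # The session is over; later warnings from a reused pid belong elsewhere.
            open_by_pid.pop(m.group("pid"), None)
    for rec in results:
        rec["verdict"] = classify(rec["status"], rec["detail"])
    return results


def summarize(results):
    """Count failures per verdict so the silent ones stand out in a daily report."""
    counts = {}
    for rec in results:
        counts[rec["verdict"]] = counts.get(rec["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in triage_handshake_failures(SAMPLE_LOG):
        print(f"{rec['peer']}: status={rec['status']} -> {rec['verdict']}")
```

Run against the sample, the mailgun session is reported as a closed connection with no library detail (the case the patch in this reply tries to make visible), while the Yahoo session is attributed to alert 46 (certificate_unknown) sent by the peer. Peers that keep landing in the first bucket are the ones worth a packet capture, since the TLS layer never saw an alert to explain the failure.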