On Mon, Dec 21, 2020 at 12:30:57PM -0500, James B. Byrne wrote:

> Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: warning:
>  TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:
>  sslv3 alert certificate unknown:
>  /usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:
>  SSL alert number 46:
> Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]:
>  lost connection after STARTTLS
>  from accounting-2.internal.harte-lyne.ca[192.168.216.88]
> 
> I believe that this is telling me that the application is attempting to
> establish an SSL connection using STARTTLS.

Yes, the application and the Postfix server are attempting to complete
a TLS handshake, indeed after STARTTLS.

> However, the error referencing the
> certificate is mystifying to me.
> 
> Can someone explain to me what this error means?

- The Postfix SMTP server is reporting an error from the underlying
  OpenSSL library.
- That error is receipt of a fatal "SSL alert", i.e. a courtesy message
  from the *client* that it cannot complete the handshake, and is giving up.
- Instead of just disconnecting, the client indicates the reason why it
  can't go on.
- The specific reason is that the client is unhappy with the server's
  certificate.

SSLv3 is a red herring: the TLS protocol (1.0 through 1.2) evolved from
SSLv3 and shares much code with the original (now deprecated) SSLv3.
While TLS 1.3 is a significant departure, it too still shares some of
the underpinnings, so you'll see "sslv3" in error messages for all
protocol versions from SSLv3 through TLS 1.3.

-- 
    Viktor.
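
Added example (not part of the original thread, and not Postfix or OpenSSL code): a small decoder that takes the log entry quoted above, rejoined onto one line, and reports the alert number, its TLS name, and which side sent it. The names decode_tls_alert, ALERTS and LINE_RE are hypothetical, and the reason-code check assumes the OpenSSL 1.x error-code layout, where the low 12 bits hold 1000 plus the alert number.

```python
import re

# TLS alert descriptions (RFC 5246 / RFC 8446); subset relevant to handshakes.
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca", 70: "protocol_version"}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reason code for a peer alert = 1000 + alert

LINE_RE = re.compile(
    r"postfix[^/\s]*/(?P<daemon>smtpd|smtp)\[\d+\]: warning: TLS library problem: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):[^:]*:(?P<func>[^:]*):[^:]*:"
    r".*?SSL alert number (?P<alert>\d+)")

def decode_tls_alert(line):
    """Hypothetical helper: explain a Postfix 'TLS library problem' alert line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    reason = int(m["code"], 16) & 0xFFF      # assumed OpenSSL 1.x packing
    alert = int(m["alert"])
    # smtpd is the Postfix server, so its TLS peer is the connecting client.
    peer = "client" if m["daemon"] == "smtpd" else "server"
    # ssl3_read_bytes means the alert was read off the wire, i.e. the peer sent it.
    received = m["func"] == "ssl3_read_bytes"
    return {"alert": alert,
            "name": ALERTS.get(alert, "unknown"),
            "reason_code": reason,
            "consistent": reason == SSL_AD_REASON_OFFSET + alert,
            "sent_by": peer if received else "undetermined"}

# The log entry quoted in the thread, rejoined onto one line.
SAMPLE = ("Dec 21 12:25:21 mx32 postfix-p25/smtpd[62565]: warning: "
          "TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:"
          "sslv3 alert certificate unknown:"
          "/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1544:"
          "SSL alert number 46:")

if __name__ == "__main__":
    print(decode_tls_alert(SAMPLE))
```

For the quoted entry this reports alert 46, certificate_unknown, sent by the client, which is the side whose trust store or name checks need inspecting.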
