On Fri, Feb 10, 2023 at 09:22:57AM +0000, Marko ANGELSKI wrote:

> I'm having trouble with one client (iot) not able to send emails via
> postfix. This is the log:
> 
> postfix/smtps/smtpd[4420]: initializing the server-side TLS engine
> postfix/smtps/smtpd[4420]: connect from unknown[xxx.xxx.xxx.xxx]

This is the implicit TLS "wrapper mode" TLS service. The client is
expected to send first, starting with a TLS handshake.

> postfix/smtps/smtpd[4420]: SSL3 alert write:fatal:decode error

The server cannot decode the client's initial message.  The
client sent garbage.

> postfix/smtps/smtpd[4420]: SSL_accept:error in error

Sending the fatal alert also fails.  The client already hung up.

> postfix/smtps/smtpd[4420]: disconnect from unknown[xxx.xxx.xxx.xxx]
> commands=0/0

Not surprising.

> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1

This client might ultimately want to use TLS 1.0, which you've disabled,
but I'd expect that to be an unsupported protocol version, not a decode
error, so that's a possible issue for later...

> Wireshark is showing:

That alert packet is too late.  You're showing the symptom, not the
cause.  By the time the server is sending a fatal alert, all the interesting
traffic has gone by.

Capture a PCAP file with a single connection from that client, then use
"tshark", not wireshark, and (after installing "jq" if need be) report
the output of:

    $ tshark -nr /tmp/pkts.pcap -T ek -J "tcp tls" |
        jq -c '
            .layers
            | { tcp, tls }
            | select(.tcp and .tcp.tcp_tcp_len != "0")
            | { ports:.tcp.tcp_tcp_port
              , len:.tcp.tcp_tcp_len
              , tls:( .tls
                    | { ct:.tls_tls_record_content_type
                      , rv:.tls_tls_record_version
                      , rl:.tls_tls_record_length
                      , ht:.tls_tls_handshake_type
                      , hv:.tls_tls_handshake_version
                      , sv:.tls_tls_handshake_extensions_supported_version
                      }
                    )
              }'

Example (Working TLS 1.3 session):

    {"ports":["50948","465"],"len":"295","tls":{"ct":"22","rv":"0x0301","rl":"290","ht":"1","hv":"0x0303","sv":["0x0304","0x0303","0x0302","0x0301","0x0300"]}}
    {"ports":["465","50948"],"len":"4096","tls":{"ct":["22","20"],"rv":["0x0303","0x0303","0x0303"],"rl":["122","1","23"],"ht":"2","hv":"0x0303","sv":"0x0304"}}
    {"ports":["50948","465"],"len":"80","tls":{"ct":"20","rv":["0x0303","0x0303"],"rl":["1","69"],"ht":null,"hv":null,"sv":null}}
    {"ports":["465","50948"],"len":"255","tls":{"ct":null,"rv":"0x0303","rl":"250","ht":null,"hv":null,"sv":null}}
    {"ports":["465","50948"],"len":"61","tls":{"ct":null,"rv":"0x0303","rl":"56","ht":null,"hv":null,"sv":null}}
    {"ports":["50948","465"],"len":"27","tls":{"ct":null,"rv":"0x0303","rl":"22","ht":null,"hv":null,"sv":null}}
    {"ports":["465","50948"],"len":"37","tls":{"ct":null,"rv":"0x0303","rl":"32","ht":null,"hv":null,"sv":null}}
    {"ports":["465","50948"],"len":"24","tls":{"ct":null,"rv":"0x0303","rl":"19","ht":null,"hv":null,"sv":null}}
    {"ports":["50948","465"],"len":"24","tls":{"ct":null,"rv":"0x0303","rl":"19","ht":null,"hv":null,"sv":null}}

Your client is probably not sending a TLS Client Hello.

--
    Viktor.
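Added example (not part of Viktor's reply or of Postfix): a small Python script that reads the one-object-per-line JSON the tshark | jq pipeline above emits, picks out the first TCP segment the client sent to port 465, and says whether it is a TLS ClientHello, which protocol versions it offers, and whether any of them survive the quoted `smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1` exclusion. The "working" input is the first three lines of the TLS 1.3 session shown above; the "not-TLS" and "TLSv1-only" inputs are constructed here for illustration, as is the assumption that an undissected first segment shows up with all `tls` fields null.

```python
"""Classify the first client->server payload of an SMTPS (port 465) connection
from the jq-reduced tshark output shown in the reply.

Added example, not from the original post. It assumes the one-object-per-line
JSON produced by the tshark | jq pipeline in the reply.
"""
import json

SERVER_PORT = "465"  # smtps wrapper-mode port from the quoted log

# TLS version codes as tshark prints them -> Postfix protocol names
TLS_VERSIONS = {
    "0x0300": "SSLv3",
    "0x0301": "TLSv1",
    "0x0302": "TLSv1.1",
    "0x0303": "TLSv1.2",
    "0x0304": "TLSv1.3",
}

# Exclusions from the quoted main.cf line; TLSv1.1 and later stay enabled.
DISABLED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

# First three packets of the working TLS 1.3 session shown in the reply.
WORKING = """
{"ports":["50948","465"],"len":"295","tls":{"ct":"22","rv":"0x0301","rl":"290","ht":"1","hv":"0x0303","sv":["0x0304","0x0303","0x0302","0x0301","0x0300"]}}
{"ports":["465","50948"],"len":"4096","tls":{"ct":["22","20"],"rv":["0x0303","0x0303","0x0303"],"rl":["122","1","23"],"ht":"2","hv":"0x0303","sv":"0x0304"}}
{"ports":["50948","465"],"len":"80","tls":{"ct":"20","rv":["0x0303","0x0303"],"rl":["1","69"],"ht":null,"hv":null,"sv":null}}
"""

# Constructed (not from the post): a first segment tshark cannot dissect as TLS,
# e.g. plaintext SMTP sent to the wrapper-mode port. Assumes jq then yields
# all-null tls fields.
NOT_TLS = """
{"ports":["51000","465"],"len":"21","tls":{"ct":null,"rv":null,"rl":null,"ht":null,"hv":null,"sv":null}}
"""

# Constructed (not from the post): a ClientHello offering only TLSv1, which the
# quoted smtpd_tls_mandatory_protocols setting disables.
TLS10_ONLY = """
{"ports":["51002","465"],"len":"120","tls":{"ct":"22","rv":"0x0301","rl":"115","ht":"1","hv":"0x0301","sv":null}}
"""


def as_list(value):
    """tshark/jq emit a scalar for one value and a list for several."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def first_client_record(text, server_port=SERVER_PORT):
    """Return the first non-empty TCP segment sent *to* the server port."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        _src, dst = rec["ports"]
        if dst == server_port:
            return rec
    return None


def offered_versions(rec):
    """Versions a ClientHello offers: the supported_versions extension if
    present, otherwise the legacy handshake version field."""
    tls = rec.get("tls") or {}
    codes = as_list(tls.get("sv")) or as_list(tls.get("hv"))
    return [TLS_VERSIONS.get(c, c) for c in codes]


def classify(rec, disabled=DISABLED_PROTOCOLS):
    """Describe the client's first payload and whether the server policy
    would accept any version it offers."""
    if rec is None:
        return {"verdict": "no client data"}
    tls = rec.get("tls") or {}
    content_types = as_list(tls.get("ct"))      # 22 = handshake, 20 = CCS
    handshake_types = as_list(tls.get("ht"))    # 1 = ClientHello, 2 = ServerHello
    if "22" in content_types and "1" in handshake_types:
        offered = offered_versions(rec)
        return {
            "verdict": "ClientHello",
            "offered": offered,
            "server_accepts": any(v not in disabled for v in offered),
        }
    if not content_types and not as_list(tls.get("rv")):
        return {"verdict": "not TLS", "len": rec["len"]}
    return {"verdict": "TLS record but not a ClientHello",
            "content_types": content_types}


if __name__ == "__main__":
    for label, capture in (("working", WORKING), ("not-tls", NOT_TLS),
                           ("tlsv1-only", TLS10_ONLY)):
        print(label, classify(first_client_record(capture)))
```

Run against the reduced output of a real capture by replacing the embedded strings with the jq lines; a "not TLS" verdict on the first client segment matches the decode error in the log, while a ClientHello with `server_accepts` false points at the protocol exclusion instead.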
