Hello,
I have a few remote hosts who cannot send me mail, and I'm trying to
determine the best way to debug these SSL_accept error messages and turn
them into a solution so the mail can be actually sent.
With smtpd_tls_log_level = 2, I was able to capture the information
about the what is happening in the transaction:
2023-04-06T07:34:42.280731+00:00 mx1 postfix/smtpd[1680368]: setting up TLS
connection from mail2.wsecu.org[65.125.209.36]
2023-04-06T07:34:42.280834+00:00 mx1 postfix/smtpd[1680368]:
mail2.wsecu.org[65.125.209.36]: TLS cipher list
"aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL:!MD5:!DES"
2023-04-06T07:34:42.281789+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before
SSL initialization
2023-04-06T07:34:42.300347+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before
SSL initialization
2023-04-06T07:34:42.300445+00:00 mx1 postfix/smtpd[1680368]:
SSL_accept:SSLv3/TLS read client hello
2023-04-06T07:34:42.300492+00:00 mx1 postfix/smtpd[1680368]:
SSL_accept:SSLv3/TLS write server hello
2023-04-06T07:34:42.300537+00:00 mx1 postfix/smtpd[1680368]:
SSL_accept:SSLv3/TLS write certificate
2023-04-06T07:34:42.317750+00:00 mx1 postfix/smtpd[1680368]:
SSL_accept:SSLv3/TLS write key exchange
2023-04-06T07:34:42.317879+00:00 mx1 postfix/smtpd[1680368]:
SSL_accept:SSLv3/TLS write server done
2023-04-06T07:34:42.337252+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:error
in SSLv3/TLS write server done
2023-04-06T07:34:42.338243+00:00 mx1 postfix/smtpd[1680368]: SSL_accept error
from mail2.wsecu.org[65.125.209.36]: Connection reset by peer
2023-04-06T07:34:42.338469+00:00 mx1 postfix/smtpd[1680368]: lost connection
after STARTTLS from mail2.wsecu.org[65.125.209.36]
2023-04-06T07:34:42.339314+00:00 mx1 postfix/smtpd[1680368]: disconnect from
mail2.wsecu.org[65.125.209.36] ehlo=1 starttls=0/1 commands=1/2
I have `smtpd_tls_protocols = !SSLv2, !SSLv3` set in postfix, as well as
`smtpd_tls_ciphers = medium` and `smtpd_tls_exclude_ciphers = aNULL,
MD5, DES`. The set of "medium" is defined by tls_medium_cipherlist and
is aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH.
I thought, based on the logs, that this was the remote server trying to
speak SSLv3, and that was the reason. However, tcpdump shows me that it
can do TLS1.2.
C: STARTTLS
S: 220 2.0.0 Ready to start TLS
C: ACK
C: TLSv1.2 Record Layer: Handshake Protocol: Client Hello
Cipher Suites: (20 suites) including
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
S: TLSv1.2 Record Layer: Handshake Protocol: Server Hello
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
TLSv1.2 Record Layer: Handshake Protocol: Certificate
TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
Included here are the Diffie-Hellman Server Params, the Pubkey,
Signature Algorithm (rsa_pkcs1_sha256) and the signature
TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done
C: RST, ACK
The certificate that the server sends (smtpd_tls_cert_file) is a chained
certificate containing: My server's valid certificate issued by
CN=R3,O=Let's Encrypt,C=US and then after that is the CN=ISRG Root
X1,O=Internet Security Research Group,C=US root certificate -- is the
client refusing my certificate at this stage?
The server's TLS settings are:
tls_preempt_cipherlist = yes
smtp_tls_security_level = dane
smtp_tls_cert_file = /etc/certs/fullchain.pem
smtp_tls_key_file = /etc/certs/key.pem
smtp_tls_CApath = /etc/ssl/certs/
smtp_tls_policy_maps = hash:$maps_dir/tls_policy
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aNULL, MD5, DES, 3DES, RC2, RC4, RC5,
aDSS, kDH, kECDH, SEED, IDEA
smtp_tls_fingerprint_digest = sha256
smtp_tls_session_cache_database =
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/certs/fullchain.pem
smtpd_tls_key_file = /etc/certs/key.pem
smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_loglevel = 1
smtpd_tls_dh1024_param_file = /etc/certs/dh_2048.pem
smtpd_tls_dh512_param_file = /etc/certs/dh_512.pem
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = aNULL, MD5, DES
smtpd_tls_fingerprint_digest = sha256
If I run `gnutls-cli-debug 65.125.209.36 -p 25 --starttls-proto=smtp` I
can see indeed that the server does support TLS1.2 and does support the
cipher that was sent.
openssl ciphers -v aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH shows me that
DHE-RSA-AES-256-GCM-SHA384 is supported.
There is no firewall on my side that might be messing with things.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
