On Fri, Apr 07, 2023 at 11:25:33AM -0400, micah via Postfix-users wrote:

> I have a few remote hosts who cannot send me mail, and I'm trying to
> determine the best way to debug these SSL_accept error messages and
> turn them into a solution so the mail can be actually sent.
>
> With smtpd_tls_log_level = 2, I was able to capture the information
> about what is happening in the transaction:
>
> 2023-04-06T07:34:42.281789+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
> 2023-04-06T07:34:42.300347+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
> 2023-04-06T07:34:42.300445+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS read client hello
> 2023-04-06T07:34:42.300492+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server hello
> 2023-04-06T07:34:42.300537+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write certificate
> 2023-04-06T07:34:42.317750+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write key exchange
> 2023-04-06T07:34:42.317879+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server done
> 2023-04-06T07:34:42.337252+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:error in SSLv3/TLS write server done
> 2023-04-06T07:34:42.338243+00:00 mx1 postfix/smtpd[1680368]: SSL_accept error from mail2.wsecu.org[65.125.209.36]: Connection reset by peer
The SMTP client closed the TCP connection at some point while receiving
the server TLS Hello, Certificate and Key Exchange messages.  Likely it
took some issue with the certificate.  You need to ask the client MTA
administrator why they hang up.

> I thought, based on the logs, that this was the remote server trying to
> speak SSLv3, and that was the reason.

TLS 1.0 through 1.2 are basically SSL 3.0 with addons.  The core record
layer and handshake structure is essentially unchanged from SSL 3.0.  The
log messages are therefore about SSL 3.0 and up, even though in practice
SSL 3.0 is essentially never negotiated.  The client must have offered
something better, because the server did not abort the handshake.

> The certificate that the server sends (smtpd_tls_cert_file) is [...]
> is the client refusing my certificate at this stage?

See above.  Your certificate details look fine:

riseup.net. IN MX 10 mx1.riseup.net.
mx1.riseup.net. IN A 198.252.153.129
_25._tcp.mx1.riseup.net. IN CNAME tlsa._mxdane.riseup.net.
tlsa._mxdane.riseup.net. IN TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
tlsa._mxdane.riseup.net. IN TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
tlsa._mxdane.riseup.net. IN TLSA 2 1 1 9253b6de74f67a11435c27f1dde1d30d1112333ddab23d66b8efb86887638ae6
tlsa._mxdane.riseup.net. IN TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
tlsa._mxdane.riseup.net. IN TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
tlsa._mxdane.riseup.net. IN TLSA 3 1 1 dff6c2683211d0712a5d5c5eff753dfbb2fcd446728154ebc5448440e7d97fe5

mx1.riseup.net[198.252.153.129]: pass: TLSA match: depth = 0, name = mx1.riseup.net
    TLS = TLS13 with AES256GCM-SHA384,X25519,PubKeyALG_RSA
    name = mx1.riseup.net
    depth = 0
      Issuer CommonName = R3
      Issuer Organization = Let's Encrypt
      notBefore = 2023-03-09T13:33:22Z
      notAfter = 2023-06-07T13:33:21Z
      Subject CommonName = mx1.riseup.net
      pkey sha256 [matched] <- 3 1 1 dff6c2683211d0712a5d5c5eff753dfbb2fcd446728154ebc5448440e7d97fe5
    depth = 1
      Issuer CommonName = ISRG Root X1
      Issuer Organization = Internet Security Research Group
      notBefore = 2020-09-04T00:00:00Z
      notAfter = 2025-09-15T16:00:00Z
      Subject CommonName = R3
      Subject Organization = Let's Encrypt
      pkey sha256 [matched] <- 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d

$ posttls-finger -cC mx1.riseup.net |
    openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
    openssl pkcs7 -print_certs -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:f4:b4:b8:a2:1d:7d:a3:a8:30:34:47:0a:6a:3d:7f:d1:5e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=R3
        Validity
            Not Before: Mar  9 13:33:22 2023 GMT
            Not After : Jun  7 13:33:21 2023 GMT
        Subject: CN=mx1.riseup.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                B0:86:CB:C2:F4:E2:CF:A5:0C:1F:39:3D:1A:12:7E:E8:BC:AF:84:7E
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:mx1.riseup.net
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Timestamp : Mar  9 14:33:22.652 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Timestamp : Mar  9 14:33:22.691 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
    Signature Algorithm: sha256WithRSAEncryption
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            91:2b:08:4a:cf:0c:18:a7:53:f6:d6:2e:25:a7:5f:5a
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C=US, O=Let's Encrypt, CN=R3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            X509v3 Authority Key Identifier:
                keyid:79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
            Authority Information Access:
                CA Issuers - URI:http://x1.i.lencr.org/
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://x1.c.lencr.org/
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
    Signature Algorithm: sha256WithRSAEncryption

However:

> smtpd_tls_ask_ccert = yes

You should probably NOT request client certificates on port 25.  Some
clients are likely to not be able to decline the request.  This could
well be the problem.

> smtpd_tls_dh512_param_file = /etc/certs/dh_512.pem

No longer relevant.

> smtpd_tls_exclude_ciphers = aNULL, MD5, DES

No matter what a bunch of ignorant auditors say, you should not disable
aNULL ciphers.  DES is no longer supported by OpenSSL, and almost surely
also MD5.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
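As an added example (not from the thread, and not Postfix code), a small Python reader for the smtpd_tls_log_level = 2 lines quoted above: it reports, per smtpd process, the peer, the logged reason and the last SSL_accept state reached before the failure, so an operator can confirm that the client hung up only after the server's Certificate and Key Exchange had gone out. The state names it recognises are assumed to be OpenSSL's for the TLS 1.0-1.2 handshake shown in micah's log; the sample log is constructed.

```python
import re

# Constructed sample, modelled on the smtpd_tls_log_level = 2 lines quoted in the thread:
# one session reset after the server's first flight, one that gets past it.
SAMPLE_LOG = """\
2023-04-06T07:34:42.281789+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
2023-04-06T07:34:42.300445+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS read client hello
2023-04-06T07:34:42.300492+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server hello
2023-04-06T07:34:42.300537+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write certificate
2023-04-06T07:34:42.317750+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write key exchange
2023-04-06T07:34:42.317879+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server done
2023-04-06T07:34:42.337252+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:error in SSLv3/TLS write server done
2023-04-06T07:34:42.338243+00:00 mx1 postfix/smtpd[1680368]: SSL_accept error from mail2.wsecu.org[65.125.209.36]: Connection reset by peer
2023-04-06T07:35:10.100200+00:00 mx1 postfix/smtpd[1680400]: SSL_accept:SSLv3/TLS read client hello
2023-04-06T07:35:10.100400+00:00 mx1 postfix/smtpd[1680400]: SSL_accept:SSLv3/TLS write server done
2023-04-06T07:35:10.120000+00:00 mx1 postfix/smtpd[1680400]: SSL_accept:SSLv3/TLS read client key exchange
"""

LINE_RE = re.compile(r"^\S+ \S+ postfix/smtpd\[(?P<pid>\d+)\]: SSL_accept(?P<rest>.*)$")
ERR_RE = re.compile(r"^ error from (?P<peer>\S+): (?P<reason>.*)$")
# Server-side states of the TLS 1.0-1.2 handshake (OpenSSL names), in order.
SERVER_FLIGHT = ["SSLv3/TLS write server hello", "SSLv3/TLS write certificate",
                 "SSLv3/TLS write key exchange", "SSLv3/TLS write certificate request",
                 "SSLv3/TLS write server done"]

def handshake_failures(log_text):
    """Return one dict per smtpd process whose SSL_accept failed: the peer, the
    reason Postfix logged, and the last handshake state OpenSSL reported."""
    last_step = {}          # pid -> most recent SSL_accept state for that process
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, rest = m.group("pid"), m.group("rest")
        err = ERR_RE.match(rest)
        if err:
            findings.append({"pid": int(pid), "peer": err.group("peer"),
                             "reason": err.group("reason"),
                             "last_step": last_step.pop(pid, None)})
        elif rest.startswith(":error in "):
            last_step[pid] = rest[len(":error in "):]   # state the error hit in
        elif rest.startswith(":"):
            last_step[pid] = rest[1:]
    return findings

def client_saw_certificate(finding):
    # True when the peer dropped the connection only after the server's Certificate was sent.
    return finding["last_step"] in SERVER_FLIGHT[1:]
```

A session that never logs an "SSL_accept error from" line produces no finding, so a clean report on a busy server means the resets are not happening inside the TLS handshake.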