Thanks for the reply and the suggestions; please see below in-line.

On 2023-04-07 13:25:42, Viktor Dukhovni via Postfix-users wrote:
> On Fri, Apr 07, 2023 at 11:25:33AM -0400, micah via Postfix-users wrote:
>
>> I have a few remote hosts who cannot send me mail, and I'm trying to
>> determine the best way to debug these SSL_accept error messages and
>> turn them into a solution so the mail can be actually sent.
>> 
>> With smtpd_tls_log_level = 2, I was able to capture the information
>> about what is happening in the transaction:
>> 
>> 2023-04-06T07:34:42.281789+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
>> 2023-04-06T07:34:42.300347+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
>> 2023-04-06T07:34:42.300445+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS read client hello
>> 2023-04-06T07:34:42.300492+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server hello
>> 2023-04-06T07:34:42.300537+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write certificate
>> 2023-04-06T07:34:42.317750+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write key exchange
>> 2023-04-06T07:34:42.317879+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server done
>> 2023-04-06T07:34:42.337252+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:error in SSLv3/TLS write server done
>> 2023-04-06T07:34:42.338243+00:00 mx1 postfix/smtpd[1680368]: SSL_accept error from mail2.wsecu.org[65.125.209.36]: Connection reset by peer
>
> The SMTP client closed the TCP connection at some point while receiving
> the server TLS Hello, Certificate and Key Exchange messages.  Likely
> it took some issue with the certificate.  You need to ask the client
> MTA administrator why they hang up.

Unfortunately, I do not have any way to communicate with the client MTA
admins, so I'm shooting in the dark here.

>> The certificate that the server sends (smtpd_tls_cert_file) is [...]
>> is the client refusing my certificate at this stage?
>
> See above.  Your certificate details look fine:

Good.

> However:
>
>> smtpd_tls_ask_ccert = yes
>
> You should probably NOT request client certificates on port 25.
> Some clients are likely to not be able to decline the request.
>
> This could well be the problem.

I removed that.

>> smtpd_tls_dh512_param_file = /etc/certs/dh_512.pem
>
> No longer relevant.

Removed that as well.

>> smtpd_tls_exclude_ciphers = aNULL, MD5, DES
>
> No matter what a bunch of ignorant auditors say, you should not disable
> aNULL ciphers.  DES is no longer supported by OpenSSL, and almost
> surely also MD5.

Removed that as well.

Restarted postfix after these changes and triggered the remote client to
try again, but unfortunately, the same error happens. Same thing in the
pcap: I say Server Hello Done, and then the client sends a RST, ACK.

Any other ideas of things I could try?


-- 
        micah
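An added triage helper, not part of the thread, that reads Postfix `smtpd_tls_log_level = 2` output of the kind quoted above, groups the `SSL_accept` lines by smtpd PID, and reports which server handshake flights the peer had already received when it reset the connection. The sample log, the peer name and address, and the OpenSSL state string for a CertificateRequest are constructed or assumed, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the smtpd_tls_log_level = 2 lines quoted above
# (hostname and address are placeholders, not the thread's real peer).
SAMPLE_LOG = """\
2023-04-06T07:34:42.281789+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
2023-04-06T07:34:42.300445+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS read client hello
2023-04-06T07:34:42.300492+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server hello
2023-04-06T07:34:42.300537+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write certificate
2023-04-06T07:34:42.317750+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write key exchange
2023-04-06T07:34:42.317879+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server done
2023-04-06T07:34:42.337252+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:error in SSLv3/TLS write server done
2023-04-06T07:34:42.338243+00:00 mx1 postfix/smtpd[1680368]: SSL_accept error from mail2.example.net[192.0.2.10]: Connection reset by peer
"""

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>SSL_accept.*)$")
ERR_RE = re.compile(r"^SSL_accept error from (?P<peer>\S+): (?P<reason>.*)$")


def triage(log_text):
    """Group SSL_accept lines by smtpd PID and record where each handshake stopped."""
    sessions = defaultdict(lambda: {"sent": [], "failed_in": None, "peer": None, "reason": None})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s, msg = sessions[m.group("pid")], m.group("msg")
        err = ERR_RE.match(msg)
        if err:
            s["peer"], s["reason"] = err.group("peer"), err.group("reason")
        elif msg.startswith("SSL_accept:error in "):
            s["failed_in"] = msg[len("SSL_accept:error in "):]
        elif msg.startswith("SSL_accept:SSLv3/TLS write "):
            # Each "write" state is a handshake message the server handed to the peer.
            s["sent"].append(msg[len("SSL_accept:SSLv3/TLS write "):])
    return dict(sessions)


def verdict(session):
    """Say who broke off and what the peer had already received when it did."""
    if session["reason"] and "reset by peer" in session["reason"]:
        who = "client %s closed the TCP connection" % session["peer"]
    else:
        who = "handshake failed locally (%s)" % (session["reason"] or "no error line")
    # Assumption: OpenSSL logs a CertificateRequest flight (smtpd_tls_ask_ccert = yes)
    # as the state "SSLv3/TLS write certificate request".
    ccert = " (client certificate was requested)" if "certificate request" in session["sent"] else ""
    return "%s during '%s' after the server sent: %s%s" % (
        who, session["failed_in"], ", ".join(session["sent"]) or "nothing", ccert)
```

Run `triage()` over your own mail log text instead of `SAMPLE_LOG`; a reset right after "server done" means the client had the full server flight (hello, certificate, key exchange) and chose not to continue, which is the client-side rejection described above.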
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org