On 2023-04-11 15:49:30, Matus UHLAR - fantomas via Postfix-users wrote:

>>> On Fri, Apr 07, 2023 at 11:25:33AM -0400, micah via Postfix-users wrote:
>>>> 2023-04-06T07:34:42.281789+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
>>>> 2023-04-06T07:34:42.300347+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
>>>> 2023-04-06T07:34:42.300445+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS read client hello
>>>> 2023-04-06T07:34:42.300492+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server hello
>>>> 2023-04-06T07:34:42.300537+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write certificate
>>>> 2023-04-06T07:34:42.317750+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write key exchange
>>>> 2023-04-06T07:34:42.317879+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server done
>>>> 2023-04-06T07:34:42.337252+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:error in SSLv3/TLS write server done
>>>> 2023-04-06T07:34:42.338243+00:00 mx1 postfix/smtpd[1680368]: SSL_accept error from mail2.wsecu.org[65.125.209.36]: Connection reset by peer
>
>>On 2023-04-07 13:25:42, Viktor Dukhovni via Postfix-users wrote:
>>> The SMTP client closed the TCP connection at some point while receiving
>>> the server TLS Hello, Certificate and Key Exchange messages. Likely
>>> it took some issue with the certificate. You need to ask the client
>>> MTA administrator why they hang up.
>>
>>Unfortunately, I do not have any way to communicate with the client MTA
>>admins, so I'm shooting in the dark here.
>
>>Restarted postfix after these changes and triggered the remote client to
>>try again, but unfortunately, the same error happens. Same thing in the
>>pcap: I say Server Hello Done, and then the client sends a RST, ACK.
>
> On 11.04.23 08:32, micah anderson via Postfix-users wrote:
>>Any other ideas of things I could try?
>
> It's very hard to find out a problem when client is dropping connection.
> That may be even SSL scanner or similar.

Indeed.

> Perhaps you could disable STARTTLS extension for this particular address by
> using smtpd_discard_ehlo_keyword_address_maps:
>
> smtpd_discard_ehlo_keyword_address_maps=hash:/etc/postfix/smtpd_keywords
>
> /etc/postfix/smtpd_keywords:
>
> 65.125.209.36 STARTTLS
>
> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps

This does allow them to connect and send, unfortunately it results in that
connection to not be encrypted (and they are a bank!) :(

I can tell, based on their certificate CN, that this is an outlook server, but
I wasn't able to obtain more information than that.

-- 
micah
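
Added example, not written by anyone in this thread: a Python triage script that reads smtpd TLS debug lines like the ones quoted above and reports, for each failed handshake, the client and the last handshake state logged before the failure. The first nine sample lines are the thread's own log (wrapped lines rejoined); the last two, with mail.example.net and 192.0.2.10, are constructed, and the function name is hypothetical.

```python
import re

# First nine lines: the log quoted in the thread. Last two: constructed success case.
SAMPLE = """\
2023-04-06T07:34:42.281789+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
2023-04-06T07:34:42.300347+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:before SSL initialization
2023-04-06T07:34:42.300445+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS read client hello
2023-04-06T07:34:42.300492+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server hello
2023-04-06T07:34:42.300537+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write certificate
2023-04-06T07:34:42.317750+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write key exchange
2023-04-06T07:34:42.317879+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:SSLv3/TLS write server done
2023-04-06T07:34:42.337252+00:00 mx1 postfix/smtpd[1680368]: SSL_accept:error in SSLv3/TLS write server done
2023-04-06T07:34:42.338243+00:00 mx1 postfix/smtpd[1680368]: SSL_accept error from mail2.wsecu.org[65.125.209.36]: Connection reset by peer
2023-04-06T07:35:10.000000+00:00 mx1 postfix/smtpd[1680400]: SSL_accept:SSLv3/TLS write server done
2023-04-06T07:35:10.050000+00:00 mx1 postfix/smtpd[1680400]: Anonymous TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

LINE = re.compile(r"^(?P<ts>\S+) \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STATE = re.compile(r"^SSL_accept:(?:error in )?(?P<state>.+)$")
FAIL = re.compile(r"^SSL_accept error from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<reason>.+)$")

def failed_handshakes(log_text):
    """Return one record per failed server-side TLS handshake."""
    last_state = {}  # smtpd pid -> most recent handshake state seen
    failures = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if f := FAIL.match(msg):
            failures.append({"time": m["ts"], "host": f["host"], "ip": f["ip"],
                             "reason": f["reason"],
                             "stalled_at": last_state.pop(pid, None)})
        elif s := STATE.match(msg):
            last_state[pid] = s["state"]
        elif "TLS connection established from" in msg:
            # smtpd processes are reused; forget state once a handshake completes.
            last_state.pop(pid, None)
    return failures

if __name__ == "__main__":
    for rec in failed_handshakes(SAMPLE):
        print(rec)
```

Grouping the returned records by `ip` and `stalled_at` over a longer log shows whether one client always resets at the same point, which is what the thread's pcap observation suggests.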