On Sun, Nov 17, 2024 at 04:47:17PM -0800, Randy Bush via Postfix-users wrote:
> 2024-11-18T00:03:12.077805+00:00 m0 postfix/smtpd[1756]: warning:
> TLS library problem: error:0A000102:SSL routines:
> :unsupported protocol
-
> :../ssl/statem/statem_
Thanks. Was just confirming, Yes self signed. I broke certbot
> On May 12, 2024, at 4:55 AM, Viktor Dukhovni via Postfix-users
> wrote:
>
> On Sat, May 11, 2024 at 11:55:14PM -0400, Jason Hirsh via Postfix-users
> wrote:
>
>> I have the error message
>>
>> postfix/smtps/smtpd[39559]: w
On Sat, May 11, 2024 at 11:55:14PM -0400, Jason Hirsh via Postfix-users wrote:
> I have the error message
>
> postfix/smtps/smtpd[39559]: warning: TLS library problem:
> error:14094416:SSL routines:ssl3_read_bytes:
> sslv3 alert certificate unknown:
> /usr/src/crypto/openssl/ssl/record/rec_layer
On 11.05.24 23:55, Jason Hirsh via Postfix-users wrote:
Still chasing ssl/tls issue
I have the error message
postfix/smtps/smtpd[39559]: warning: TLS library problem: error:14094416:SSL
routines:ssl3_read_bytes:sslv3 alert certificate
unknown:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c
On Mon, May 08, 2023 at 04:22:29PM -0500, E R via Postfix-users wrote:
> Thank you so much for the suggestion to review the crypto setting as this is
> indeed a RedHat based distribution. I confirmed it is set to "default"
> which means “The default system-wide cryptographic policy level offers
> s
The /usr/share/crypto-policies/DEFAULT/opensslcnf.txt on RHEL 9 looks
identical to what you posted for Fedora.
I am not a RHEL expert but I have not seen any references to opt out of the
crypto policy on a per application basis. You can customize an existing
crypto policy or create your own. I t
Thank you so much for the suggestion to review the crypto setting as this is
indeed a RedHat based distribution. I confirmed it is set to "default"
which means “The default system-wide cryptographic policy level offers
secure settings for current threat models. It allows the TLS 1.2 and 1.3
protocol
> I don't even know whether RedHat exposes any mechanisms for applications
> to opt-out of crypto policy and use only application-driven OpenSSL
> configuration. This should perhaps be looked into in the Postfix 3.9
> timeframe.
from my notes dealing with new Fedora crypto-policies on a number o
On Fri, May 05, 2023 at 08:28:48PM -0400, Viktor Dukhovni via Postfix-users
wrote:
> You should of course also share
> (https://www.postfix.org/DEBUG_README.html#mail)
>
> $ postconf -nf
> $ postconf -Mf
>
> without any changes in whitespace, including line breaks. Attaching
> these a
> >
>
> Because TLS/SSL things are very complex, you have to show us real
> settings all. Like me: (yw-0919: inbound, yw-1204: outbound)
> [1] https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/smtp-conf.yw-0919
> [2] https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/smtp-conf.yw-1204
>
And P
On Fri, May 05, 2023 at 06:55:23PM -0500, E R via Postfix-users wrote:
> I have setup Postfix so that internally I offer TLS to systems but do not
> require it since I have no control over their configuration. I did
> extensive testing to ensure that the mail gateway supports TLS and accepts
> ema
On Fri, May 05, 2023 at 06:55:23PM -0500, E R via Postfix-users wrote:
> postfix/smtpd[1234567]: SSL_accept error from xxx.xxx.xxx[yyy.yyy.yyy.yyy]: -1
> postfix/smtpd[1234567]: warning: TLS library problem:
> error:0398:digital envelope routines::invalid
> digest:crypto/evp/m_sigver.c:343:
On Thu, Jun 09, 2022 at 10:55:50PM +0200, Steffen Nurpmeso wrote:
> # That one is for client certificates!
> #smtpd_tls_CAfile = /etc/dovecot/cert.pem
The "smtpd_tls_CAfile" is unused bloat unless you solicit client
certificates, and even/especially then should NOT be the standard WebPKI
CA b
Steffen Nurpmeso wrote in
<20220609205550.kbvci%stef...@sdaoden.eu>:
...
|.. But .. in fact postfix's TLS configuration regarding CAfile
|made me appear so foolish i kept
|
| # That one is for client certificates!
| #smtpd_tls_CAfile = /etc/dovecot/cert.pem
|
|in my configuration. I can
Viktor Dukhovni wrote in
:
|On Thu, Jun 09, 2022 at 07:54:56PM +0200, Bastian Blank wrote:
|> On Thu, Jun 09, 2022 at 07:05:24PM +0200, Steffen Nurpmeso wrote:
|>> [also there is
|>> smtpd_tls_mandatory_exclude_ciphers =
|>> aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
|>>
On Thu, Jun 09, 2022 at 07:54:56PM +0200, Bastian Blank wrote:
> On Thu, Jun 09, 2022 at 07:05:24PM +0200, Steffen Nurpmeso wrote:
> > [also there is
> > smtpd_tls_mandatory_exclude_ciphers =
> > aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
> > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-C
On Thu, Jun 09, 2022 at 07:05:24PM +0200, Steffen Nurpmeso wrote:
> [also there is
> smtpd_tls_mandatory_exclude_ciphers =
> aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH,
> EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES,
> CBC3-SHA
> but i definitely should put more car
On Thu, Jun 09, 2022 at 06:47:10PM +0200, Benny Pedersen wrote:
> On 2022-06-09 17:13, Linda Pagillo wrote:
> > Holy cow!! I cannot believe I overlooked this!!! Ugh.. too many hours
> > of staring at the screen. Josef.. THANK YOU.
>
> >> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>
>
Benny Pedersen wrote in
<37a797bed4aeb5c01b75c262ba0fe...@junc.eu>:
|On 2022-06-09 17:13, Linda Pagillo wrote:
|> Holy cow!! I cannot believe I overlooked this!!! Ugh.. too many hours
|> of staring at the screen. Josef.. THANK YOU.
|
|>> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
On 2022-06-09 17:13, Linda Pagillo wrote:
Holy cow!! I cannot believe I overlooked this!!! Ugh.. too many hours
of staring at the screen. Josef.. THANK YOU.
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
tlsv1.1 is more weak than tlsv1, so keep tlsv1
smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 !TLSv1.1 !TLSv1.2 !TLSv1.3
On 09.06.22 16:41, Josef Vybíhal wrote:
By this you basically DISABLED all tls protocols. The ! means "not".
Try this:
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
no, try this:
smtpd_tls_protocols=!SSLv2,!SSL
On 2022-06-09 at 10:35:50 UTC-0400 (Thu, 9 Jun 2022 09:35:50 -0500)
Linda Pagillo
is rumored to have said:
Hi everyone! Yesterday I enabled TLS on my Postfix server (v.3.4.13).
When I did, no one with a Google or Yahoo hosted address could send us
mail
(possibly others too)
When I checked t
Holy cow!! I cannot believe I overlooked this!!! Ugh.. too many hours of
staring at the screen. Josef.. THANK YOU.
Fixed! :)
On Thu, Jun 9, 2022 at 9:41 AM Josef Vybíhal
wrote:
> Hi,
>
> > smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 !TLSv1.1 !TLSv1.2 !TLSv1.3
>
> By this you basically DISABLED
Hi,
> smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 !TLSv1.1 !TLSv1.2 !TLSv1.3
By this you basically DISABLED all tls protocols. The ! means "not".
Try this:
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
You can use
https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=i
On Tue, 22 Sep 2020, Viktor Dukhovni wrote:
On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote:
You might find another one in your logs now. :-)
You're welcome! :)
$ posttls-finger -g HIGH -o tls_high_cipherlist='DEFAULT:!aECDSA' -p
'!TLSv1.3' mars.unx.se
posttls-finger: Conn
On Tue, 22 Sep 2020, Herbert J. Skuhra wrote:
On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote:
Is it possible to not announce STARTTLS to some clients?
http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
Thank you!
Problem circumvented but not solved
On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote:
> What's your suggestion to avoid the following problem?
>
> Sep 22 13:11:22 postfix/smtpd[21000]: connect from
> dragon.trusteddomain.org[208.69.40.156]
> Sep 22 13:11:25 postfix/smtpd[21000]: SSL_accept error from
> dragon.trusteddoma
On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote:
>
> Is it possible to not announce STARTTLS to some clients?
http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
--
Herbert
Thank you for that, Wietse.
I'm inclined to agree that talktalk is at fault here, allowing a second
try to succeed.
Has anyone here found this problem with talktalk?
--
Dave Stiles
Linkcheck:
> Thank you for your response, Wietse. Apologies for the delay in my
> reply. I read the document you suggested and noted the possible scenario
> but cannot ascribe it to this situation.
>
> I have been finding out a bit more about the problem.
>
> The sender and his son have been ge
Linkcheck:
> May 13 12:16:25 BRISTOLWEB postfix/submission/smtpd[12960]: warning: TLS
> library problem: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption
> failed or bad record mac:s3_pkt.c:532:
Choose one or more.
1: broken TCP or broken proxy.
The TCP content was modified in trans
>> thanks, both were from same no hostname IP address
>>
>> # host 125.212.217.214
>> Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN)
>
> According to "whois" that's an IP address in Vietnam...
>
well, we have about 20+ users located in Bangkok (whilst server is in
Aus), so I'd guess con
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> With Postfix 2.11 or later, just leave this empty, session tickets work
> better.
Viktor, thanks
does 'leave empty' means have it present on main.cf up to '=' ?
as so ?
smtpd_tls_session_cache_database =
> On Dec 26, 2017, at 1:39 AM, li...@sbt.net.au wrote:
Overall quite standard. Nothing to worry about.
> smtpd_tls_session_cache_timeout = 36000s
10 hours is perhaps too long to be useful. Just let the default stand.
> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
> On Dec 26, 2017, at 1:34 AM, li...@sbt.net.au wrote:
>
>>
>> Generally no. There are some SMTP clients that both TLS,
s/both/botch/
Hope that's less confusing.
>> they'll either retry in the clear, or they are likely shoddy
>> spamware.
>> Other log messages will show the IP addre
>> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote:
> This of course assumes you've not configured particularly exotic TLS
> settings on your end.
Viktor,
thanks again, I hope it's not exotic, not to my knowledge, anyhow:
that that show what it is ? suggestions and corrections appreciated
>> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote:
>>
>> anything to worry about ?
>
> Generally no. There are some SMTP clients that both TLS,
> they'll either retry in the clear, or they are likely shoddy
> spamware.
> Other log messages will show the IP address of the client. If you weren
> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote:
>
> anything to worry about ?
Generally no. There are some SMTP clients that both TLS,
they'll either retry in the clear, or they are likely shoddy
spamware.
> # grep 'TLS library problem' /var/log/maillog*
> /var/log/maillog:Dec 25 08:39
> 2 of large size or quantity; generous or abundant:
Definitely meant as above.
Steve
On Thu, Feb 19, 2015 at 04:29:51PM -, st...@thornet.co.uk wrote:
> Thanks very much for your fulsome response.
> I'll do some more checking
Note: :-)
fulsome: adjective
1 complimentary or flattering to an excessive degree: 'the press
are embarrassingly fulsome in their appreci
> * This is logged by your smtpd(8) server.
>
> * A small set of organizations operate remote SMTP clients that
> trigger this warning when sending email to you. Most inbound
> mail uses TLS without generating said warning.
>
[snip]
Viktor
Thanks very much for your fulsome
On Thu, Feb 19, 2015 at 03:53:13PM -, st...@thornet.co.uk wrote:
> We have lots of these in the logs
>
> warning: TLS library problem:15696:error:14094416:
> SSL routines:SSL3_READ_BYTES:
> sslv3 alert certificate unknown:
> s3_pkt.c:1256:
> SSL alert number 46:
>
> Should I be worried
Am 19.02.2015 um 16:53 schrieb st...@thornet.co.uk:
We have lots of these in the logs
warning: TLS library problem: 15696:error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate
unknown:s3_pkt.c:1256:SSL alert number 46:
Should I be worried?
without the related loglines above an
On Sun, Feb 01, 2015 at 11:42:30PM +0100, li...@rhsoft.net wrote:
> >For MSAs offering service to Joe Public, sure you'll want a CA-issued
> >cert.
>
> I only referred to "the interval between expiry is long enough that I get to
> learn everything over from first principles every time I have to r
Am 01.02.2015 um 23:15 schrieb Viktor Dukhovni:
On Sun, Feb 01, 2015 at 10:32:53PM +0100, li...@rhsoft.net wrote:
just make it once in your lifetime, create a template for default params and
a script with minimal maintenance like for hash-method and keylength - the
script below in any case bui
On Sun, Feb 01, 2015 at 10:32:53PM +0100, li...@rhsoft.net wrote:
> just make it once in your lifetime, create a template for default params and
> a script with minimal maintenance like for hash-method and keylength - the
> script below in any case builds a self signed PEM with key and cert as we
Am 01.02.2015 um 22:26 schrieb LuKreme:
On 01 Feb 2015, at 05:41 , DTNX Postmaster wrote:
By the way, CA-signed certificates start at less than $10/year, so if you ever
do run into an issue which might be resolved by getting one, and your
configuration isn't too complex, I would suggest spe
On 01 Feb 2015, at 05:41 , DTNX Postmaster wrote:
> By the way, CA-signed certificates start at less than $10/year, so if you
> ever do run into an issue which might be resolved by getting one, and your
> configuration isn't too complex, I would suggest spending that little bit of
> money.
>
>
On Sun, Feb 01, 2015 at 02:13:46AM -0700, LuKreme wrote:
> > Which confirms that the problem is with your SMTP server as expected.
>
> It does?
Sorry, confirms that the problem is observed on the server side.
The evidence to conclude which side is not there. However, both
Postfix and OpenSSL ar
On 01 Feb 2015, at 10:13, LuKreme wrote:
> On Jan 31, 2015, at 7:15 PM, Viktor Dukhovni
> wrote:
>> On Sat, Jan 31, 2015 at 05:16:33PM -0700, LuKreme wrote:
>>
>>> The start was just date stamp info and PID:
>>>
>>> Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem:
>>>
On Jan 31, 2015, at 7:15 PM, Viktor Dukhovni wrote:
> On Sat, Jan 31, 2015 at 05:16:33PM -0700, LuKreme wrote:
>
>> The start was just date stamp info and PID:
>>
>> Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem:
>> error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 ale
On Sat, Jan 31, 2015 at 05:16:33PM -0700, LuKreme wrote:
> The start was just date stamp info and PID:
>
> Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem:
> error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
> certificate:s3_pkt.c:1293:SSL alert number 42:
Whi
On Jan 31, 2015, at 4:28 PM, Viktor Dukhovni wrote:
> On Sat, Jan 31, 2015 at 03:34:35PM -0700, LuKreme wrote:
>
>> Since I am not seeing a load of these, I am assuming this is indicating the
>> error is on the other end?
>>
>> TLS library problem: error:14094412:SSL routines:SSL3_READ_BYTES:ss
On Sat, Jan 31, 2015 at 03:34:35PM -0700, LuKreme wrote:
> Since I am not seeing a load of these, I am assuming this is indicating the
> error is on the other end?
>
> TLS library problem: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert
> bad certificate:s3_pkt.c:1293:SSL alert number 4
> Any thoughts on next steps without having to contact the target
> domains? I have read about disabling TLSEXT_TYPE_PADDING when
> compiling OpenSSL - would this be my next step, or was this somehow
> fixed in the releases we are using? Any other way I could simulate
> this problem, as we have h
Hi again,
Here is the output of postconf -n for this interface:
alias_database = hash:/etc/postfix-internal/aliases
alias_maps = hash:/etc/postfix-internal/aliases
allow_percent_hack = no
alternate_config_directories = /etc/postfix-internal, /etc/postfix-external
body_checks = pcre:/etc/postfix-i
On Mon, Oct 28, 2013 at 04:17:13PM +, Viktor Dukhovni wrote:
> > What else info I need to supply, to figure out what is wrong?
>
> tls_policy:
> # opportunistic, season to taste
> trialtolatvia.lv may exclude=3DES:aNULL
>
> main.cf:
> indexed = ${default_database_ty
On Mon, Oct 28, 2013 at 05:54:51PM +0200, KSB wrote:
> Hello!
> Have the similar problem:
It is exactly the same problem, with exactly the same solution.
> Oct 22 17:12:12 awtech postfix/smtp[17586]: warning: TLS library
> problem: 17586:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> versio
Hello!
Have the similar problem:
Oct 22 17:12:12 awtech postfix/smtp[17586]: warning: TLS library
problem: 17586:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:
Oct 22 17:12:12 awtech postfix/smtp[17586]: 034C0B14237: lost connection
with mail.trialtolatvia.lv[109
On Wed, Oct 16, 2013 at 10:29:21AM +0200, Michael Büker wrote:
> > Add "exclude=3DES" to the entry table for this server, and you'll likely
> > be fine. You probably don't need to tweak the protocols.
>
> Adding "exclude=3DES" or "exclude=DES-CBC3-SHA" to the smtp_tls_policy_maps
> file didn't
On Oct 16, 2013, at 10:29, Michael Büker wrote:
> Now, everything works. Phew.
>
> I might still combine the sender_dependent_default_transport_maps with my
> sender_dependent_relayhost_maps so I don't have to maintain both files. Come
> to
> think of it: Couldn't I combine the single line in
On Wed 16.10.13 10:29:21 Michael Büker wrote:
> I might still combine the sender_dependent_default_transport_maps with my
> sender_dependent_relayhost_maps so I don't have to maintain both files. Come
> to think of it: Couldn't I combine the single line in smtp_tls_policy_maps
> into the transpor
On Tue 15.10.13 15:18:06 Viktor Dukhovni wrote:
> The server in question is a Microsoft Exchange server with buggy 3DES
> ciphersuites (IIRC found in Windows XP, and perhaps Windows Server 2003).
>
> Add "exclude=3DES" to the entry table for this server, and you'll likely
> be fine. You probably
On Oct 15, 2013, at 17:18, Viktor Dukhovni wrote:
> On Tue, Oct 15, 2013 at 12:21:28PM +0200, Michael Büker wrote:
>
>>> Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem:
>>> 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>>> number:s3_pkt.c:337:
>>>
>>>
On Tue, Oct 15, 2013 at 12:21:28PM +0200, Michael Büker wrote:
> > Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem:
> > 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> > number:s3_pkt.c:337:
> >
> > Oct 15 02:30:04 asterix postfix/smtp[4458]: 42E021A0F44:
On Tue 15.10.13 01:48:57 Viktor Dukhovni wrote:
> Obfuscating the target domain and IP address makes it much harder
> to help you. At the very least you MUST obfuscate using a 1-to-1
> function, so that each distinct domain or IP address is mapped to
> a distinct obfuscated value.
I see the probl
On Tue, Oct 15, 2013 at 03:20:13AM +0200, Michael Büker wrote:
> > postfix/smtp[9689]: warning: TLS library problem: 9689:error:1408F10B:SSL
> > routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> > postfix/smtp[9689]: 033661A108A: to=,
> > relay=server[X.X.X.X]:587, delay=0.51, delays
On Tue, Feb 12, 2013 at 04:51:33PM +, Viktor Dukhovni wrote:
> Do you know how you accidentally ended-up with a 512-bit RSA key?
> [ Did you use the snake-oil key-pair included with the O/S? ]
No. The snake-oil key-pair is 1024 bit rsa in gentoo.
--
Eray Aslan
On Tue, Feb 12, 2013 at 09:22:55AM +0100, we...@zackbummfertig.de wrote:
> I checked the certificate with:
>
> $ openssl x509 -in cert.pem -text -noout
>
> and voila, 512 bit like you said.
Do you know how you accidentally ended-up with a 512-bit RSA key?
[ Did you use the snake-oil key-pa
sorry for 2nd reply,
and no i had openssl 1.0.1c on gentoo
i see theres now 1.0.1d-r1 and the 1.0.1d is MASKED now.
marko
Am 2013-02-12 07:58, schrieb Viktor Dukhovni:
On Mon, Feb 11, 2013 at 11:58:07PM +0100, we...@zackbummfertig.de
wrote:
on my backup relay server i find these lines in
Viktor,
thanks for the detailed reply.
i checked the crt with
openssl rsa -in private.key -text -noout
and voila, 512 bit like you said.
after generating all things new all is fine now.
thanks for help.
marko
Am 2013-02-12 07:58, schrieb Viktor Dukhovni:
On Mon, Feb 11, 2013 at 11:58:07PM
On Mon, Feb 11, 2013 at 11:58:07PM +0100, we...@zackbummfertig.de wrote:
> on my backup relay server i find these lines in the logs.
> i rebuild openssl and postfix.
> i am on gentoo linux.
>
> openssl 1.0.1c
Gentoo builds software from source, are you sure you built OpenSSL
1.0.1c and not the t
Am 2013-02-12 01:07, schrieb Wietse Venema:
we...@zackbummfertig.de:
Feb 11 22:52:52 fallbackhost postfix/smtp[18823]: warning: TLS
library
problem: 18823:error:04075070:rsa routines:RSA_sign:digest too big
for
rsa key:rsa_sign.c:127:
Feb 11 22:52:52 fallbackhost postfix/smtp[18823]: warning
we...@zackbummfertig.de:
> Feb 11 22:52:52 fallbackhost postfix/smtp[18823]: warning: TLS library
> problem: 18823:error:04075070:rsa routines:RSA_sign:digest too big for
> rsa key:rsa_sign.c:127:
> Feb 11 22:52:52 fallbackhost postfix/smtp[18823]: warning: TLS library
> problem: 18823:error:140
On Sun, 22 Apr 2012 12:25:05 -0400
Julien Vehent articulated:
>On other system, I have noticed that openssl-1.0.1 uses TLS1.2 by
>default and that seemed to break a bunch of connections.
>Try opening connections with different TLS versions and see which ones
>break:
>
Both fail:
>openssl s_clien
On 2012-04-22 10:16, Jerry wrote:
System: FreeBSD 8.2-STABLE amd64
I just updated to "openssl-1.0.1" on my machine. The machine went
through a complete reboot so I would assume that everything was started
correctly. I did rebuild Postfix after updating "openssl". I am using
the "postfix-current"
On Apr 22, 2012, at 7:16 AM, Jerry wrote:
> System: FreeBSD 8.2-STABLE amd64
>
> I just updated to "openssl-1.0.1" on my machine.
I have experienced many broken packages after upgrading to "openssl 1.0.1" that
upgrading to "openssl 1.0.1a" appears to have fixed.
Regards,
Bradley Giesbrecht
* Victor Duchovni :
> > This happens if the client doesn't like the certificate, because it is
> > not signed by a trusted CA.
>
> This is a reasonably plausible conjecture, but not yet a fact.
Yup.
> > Which machine is it, so we can have a look with s_client?
>
> More importantly, the OP has
On Fri, Dec 03, 2010 at 07:09:05PM +0100, Ralf Hildebrandt wrote:
> * Victor Duchovni :
>
> > The remote SSL client sends "alert 0" which according to
> >
> > http://tools.ietf.org/html/rfc2246#section-7.2
> >
> > is a "close_notify" alert. So the remote client called the equivalent of
> >
* Victor Duchovni :
> The remote SSL client sends "alert 0" which according to
>
> http://tools.ietf.org/html/rfc2246#section-7.2
>
> is a "close_notify" alert. So the remote client called the equivalent of
> SSL_shutdown() in the middle of the SSL handshake. Perhaps the client was
> "unimpr
On Fri, Dec 03, 2010 at 10:12:07AM +0100, Mickael MONSIEUR wrote:
> I have this problem with receiving emails from outside in SSL / TLS.
> Can you help me because I have some emails blocked because of it.
The messages are not "blocked", rather the SMTP client fails to establish
a TLS handshake wi
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
header_checks = regexp:/etc/postfix/maps/header_checks
inet_interfaces = all
mailbox
* Mickael MONSIEUR :
> > OK, it's an SSL Problem. But since we don't know what 212.35.xxx.xx is
> > (MTA? MUA?) it's hard to say anything. Also, since you don't say
> > anything about your server (config and such) it's also really hard.
>
> I do not think this is the SMTP 212.35.xxx.xx the proble
2010/12/3 Ralf Hildebrandt
> * Mickael MONSIEUR :
> > Hello,
> > I have this problem with receiving emails from outside in SSL / TLS.
> > Can you help me because I have some emails blocked because of it.
>
> Where does it show that the mails are being blocked?
>
They are blocked or rejected, bec
* Mickael MONSIEUR :
> Hello,
> I have this problem with receiving emails from outside in SSL / TLS.
> Can you help me because I have some emails blocked because of it.
Where does it show that the mails are being blocked?
> Dec 3 09:56:13 mail postfix/smtpd[13307]: warning: 212.35.xxx.xx: hostn
On Tue, 30 Mar 2010, Terry Barnum wrote:
> Mar 28 04:47:54 mail postfix/smtpd[22135]: warning: TLS library problem:
> 22135:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
> protocol:s23_srvr.c:578:
> Mar 29 15:12:39 mail postfix/smtpd[35073]: warning: TLS library problem:
> 35073:er
86 matches