[pfx] Re: TLS library problem: error:0A000102

2024-11-17 Thread Viktor Dukhovni via Postfix-users
On Sun, Nov 17, 2024 at 04:47:17PM -0800, Randy Bush via Postfix-users wrote: > 2024-11-18T00:03:12.077805+00:00 m0 postfix/smtpd[1756]: warning: > TLS library problem: error:0A000102:SSL routines: > :unsupported protocol - > :../ssl/statem/statem_

[pfx] Re: TLS Library Problem

2024-05-12 Thread Jason Hirsh via Postfix-users
Thanks. Was just confirming. Yes, self signed. I broke certbot > On May 12, 2024, at 4:55 AM, Viktor Dukhovni via Postfix-users > wrote: > > On Sat, May 11, 2024 at 11:55:14PM -0400, Jason Hirsh via Postfix-users > wrote: > >> I have the error message >> >> postfix/smtps/smtpd[39559]: w

[pfx] Re: TLS Library Problem

2024-05-12 Thread Viktor Dukhovni via Postfix-users
On Sat, May 11, 2024 at 11:55:14PM -0400, Jason Hirsh via Postfix-users wrote: > I have the error message > > postfix/smtps/smtpd[39559]: warning: TLS library problem: > error:14094416:SSL routines:ssl3_read_bytes: > sslv3 alert certificate unknown: > /usr/src/crypto/openssl/ssl/record/rec_layer

[pfx] Re: TLS Library Problem

2024-05-12 Thread Matus UHLAR - fantomas via Postfix-users
On 11.05.24 23:55, Jason Hirsh via Postfix-users wrote: Still chasing ssl/tls issue I have the error message postfix/smtps/smtpd[39559]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c

[pfx] Re: TLS Library Problem? (SSL_accept error from ...)

2023-05-08 Thread Viktor Dukhovni via Postfix-users
On Mon, May 08, 2023 at 04:22:29PM -0500, E R via Postfix-users wrote: > Thank you so much for the suggestion to review the crypto setting as this is > indeed a RedHat based distribution. I confirmed it is set to "default" > which means “The default system-wide cryptographic policy level offers > s

[pfx] Re: TLS Library Problem? (SSL_accept error from ...)

2023-05-08 Thread E R via Postfix-users
The /usr/share/crypto-policies/DEFAULT/opensslcnf.txt on RHEL 9 looks identical to what you posted for Fedora. I am not a RHEL expert but I have not seen any references to opt out of the crypto policy on a per application basis. You can customize an existing crypto policy or create your own. I t

[pfx] Re: TLS Library Problem? (SSL_accept error from ...)

2023-05-08 Thread E R via Postfix-users
Thank you so much for the suggestion to review the crypto setting as this is indeed a RedHat based distribution. I confirmed it is set to "default" which means “The default system-wide cryptographic policy level offers secure settings for current threat models. It allows the TLS 1.2 and 1.3 protocol

[pfx] Re: TLS Library Problem? (SSL_accept error from ...)

2023-05-06 Thread PGNet Dev via Postfix-users
> I don't even know whether RedHat exposes any mechanisms for applications > to opt-out of crypto policy and use only application-driven OpenSSL > configuration. This should perhaps be looked into in the Postfix 3.9 > timeframe. from my notes dealing with new Fedora crypto-policies on a number o

[pfx] Re: TLS Library Problem? (SSL_accept error from ...)

2023-05-05 Thread Viktor Dukhovni via Postfix-users
On Fri, May 05, 2023 at 08:28:48PM -0400, Viktor Dukhovni via Postfix-users wrote: > You should of course also share > (https://www.postfix.org/DEBUG_README.html#mail) > > $ postconf -nf > $ postconf -Mf > > without any changes in whitespace, including line breaks. Attaching > these a

[pfx] Re: TLS Library Problem? (SSL_accept error from ...)

2023-05-05 Thread Ken Peng via Postfix-users
> > > > Because TLS/SSL things are very complex, you have to show us real > settings all. Like me: (yw-0919: inbound, yw-1204: outbound) > [1] https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/smtp-conf.yw-0919 > [2] https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/smtp-conf.yw-1204 > And P

[pfx] Re: TLS Library Problem? (SSL_accept error from ...)

2023-05-05 Thread Byung-Hee HWANG via Postfix-users
On Fri, May 05, 2023 at 06:55:23PM -0500, E R via Postfix-users wrote: > I have setup Postfix so that internally I offer TLS to systems but do not > require it since I have no control over their configuration. I did > extensive testing to ensure that the mail gateway supports TLS and accepts > ema

[pfx] Re: TLS Library Problem? (SSL_accept error from ...)

2023-05-05 Thread Viktor Dukhovni via Postfix-users
On Fri, May 05, 2023 at 06:55:23PM -0500, E R via Postfix-users wrote: > postfix/smtpd[1234567]: SSL_accept error from xxx.xxx.xxx[yyy.yyy.yyy.yyy]: -1 > postfix/smtpd[1234567]: warning: TLS library problem: > error:0398:digital envelope routines::invalid > digest:crypto/evp/m_sigver.c:343:

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Viktor Dukhovni
On Thu, Jun 09, 2022 at 10:55:50PM +0200, Steffen Nurpmeso wrote: > # That one is for client certificates! > #smtpd_tls_CAfile = /etc/dovecot/cert.pem The "smtpd_tls_CAfile" is unused bloat unless you solicit client certificates, and even/especially then should NOT be the standard WebPKI CA b

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Steffen Nurpmeso
Steffen Nurpmeso wrote in <20220609205550.kbvci%stef...@sdaoden.eu>: ... |.. But .. in fact postfix's TLS configuration regarding CAfile |made me appear so foolish i kept | | # That one is for client certificates! | #smtpd_tls_CAfile = /etc/dovecot/cert.pem | |in my configuration. I can

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Steffen Nurpmeso
Viktor Dukhovni wrote in : |On Thu, Jun 09, 2022 at 07:54:56PM +0200, Bastian Blank wrote: |> On Thu, Jun 09, 2022 at 07:05:24PM +0200, Steffen Nurpmeso wrote: |>> [also there is |>> smtpd_tls_mandatory_exclude_ciphers = |>> aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, |>>

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Viktor Dukhovni
On Thu, Jun 09, 2022 at 07:54:56PM +0200, Bastian Blank wrote: > On Thu, Jun 09, 2022 at 07:05:24PM +0200, Steffen Nurpmeso wrote: > > [also there is > > smtpd_tls_mandatory_exclude_ciphers = > > aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, > > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-C

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Bastian Blank
On Thu, Jun 09, 2022 at 07:05:24PM +0200, Steffen Nurpmeso wrote: > [also there is > smtpd_tls_mandatory_exclude_ciphers = > aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, > EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, > CBC3-SHA > but i definitely should put more car

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Viktor Dukhovni
On Thu, Jun 09, 2022 at 06:47:10PM +0200, Benny Pedersen wrote: > On 2022-06-09 17:13, Linda Pagillo wrote: > > Holy cow!! I cannot believe I overlooked this!!! Ugh.. too many hours > > of staring at the screen. Josef.. THANK YOU. > > >> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 > >

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Steffen Nurpmeso
Benny Pedersen wrote in <37a797bed4aeb5c01b75c262ba0fe...@junc.eu>: |On 2022-06-09 17:13, Linda Pagillo wrote: |> Holy cow!! I cannot believe I overlooked this!!! Ugh.. too many hours |> of staring at the screen. Josef.. THANK YOU. | |>> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Benny Pedersen
On 2022-06-09 17:13, Linda Pagillo wrote: Holy cow!! I cannot believe I overlooked this!!! Ugh.. too many hours of staring at the screen. Josef.. THANK YOU. smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 tlsv1.1 is more weak than tlsv1, so keep tlsv1

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Matus UHLAR - fantomas
smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 !TLSv1.1 !TLSv1.2 !TLSv1.3 On 09.06.22 16:41, Josef Vybíhal wrote: By this you basically DISABLED all tls protocols. The ! means "not". Try this: smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 no, try this: smtpd_tls_protocols=!SSLv2,!SSL

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Bill Cole
On 2022-06-09 at 10:35:50 UTC-0400 (Thu, 9 Jun 2022 09:35:50 -0500) Linda Pagillo is rumored to have said: Hi everyone! Yesterday I enabled TLS on my Postfix server (v.3.4.13). When I did, no one with a Google or Yahoo hosted address could send us mail (possibly others too) When I checked t

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Linda Pagillo
Holy cow!! I cannot believe I overlooked this!!! Ugh.. too many hours of staring at the screen. Josef.. THANK YOU. Fixed! :) On Thu, Jun 9, 2022 at 9:41 AM Josef Vybíhal wrote: > Hi, > > > smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 !TLSv1.1 !TLSv1.2 !TLSv1.3 > > By this you basically DISABLED

Re: TLS library problem: error:141FC044 after enabling TLS

2022-06-09 Thread Josef Vybíhal
Hi, > smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 !TLSv1.1 !TLSv1.2 !TLSv1.3 By this you basically DISABLED all tls protocols. The ! means "not". Try this: smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 You can use https://ssl-config.mozilla.org/#server=postfix&version=3.4.8&config=i

Re: TLS library problem: no shared cipher

2020-09-22 Thread Markus E.
On Tue, 22 Sep 2020, Viktor Dukhovni wrote: On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote: You might find another one in your logs now. :-) You're welcome! :) $ posttls-finger -g HIGH -o tls_high_cipherlist='DEFAULT:!aECDSA' -p '!TLSv1.3' mars.unx.se posttls-finger: Conn

Re: TLS library problem: no shared cipher

2020-09-22 Thread Markus E.
On Tue, 22 Sep 2020, Herbert J. Skuhra wrote: On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote: Is it possible to not announce STARTTLS to some clients? http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps Thank you! Problem circumvented but not solved

Re: TLS library problem: no shared cipher

2020-09-22 Thread Viktor Dukhovni
On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote: > What's your suggestion to avoid the following problem? > > Sep 22 13:11:22 postfix/smtpd[21000]: connect from > dragon.trusteddomain.org[208.69.40.156] > Sep 22 13:11:25 postfix/smtpd[21000]: SSL_accept error from > dragon.trusteddoma

Re: TLS library problem: no shared cipher

2020-09-22 Thread Herbert J. Skuhra
On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote: > > Is it possible to not announce STARTTLS to some clients? http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps -- Herbert

Re: TLS library problem

2020-05-15 Thread Linkcheck
Thank you for that, Wietse. I'm inclined to agree that talktalk is at fault here, allowing a second try to succeed. Has anyone here found this problem with talktalk? -- Dave Stiles

Re: TLS library problem

2020-05-15 Thread Wietse Venema
Linkcheck: > Thank you for your response, Wietse. Apologies for the delay in my > reply. I read the document you suggested and noted the possible scenario > but cannot ascribe it to this situation. > > I have been finding out a bit more about the problem. > > The sender and his son have been ge

Re: TLS library problem

2020-05-13 Thread Wietse Venema
Linkcheck: > May 13 12:16:25 BRISTOLWEB postfix/submission/smtpd[12960]: warning: TLS > library problem: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption > failed or bad record mac:s3_pkt.c:532: Choose one or more. 1: broken TCP or broken proxy. The TCP content was modified in trans

Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-26 Thread lists
>> thanks, both were from same no hostname IP address >> >> # host 125.212.217.214 >> Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN) > > According to "whois" that's an IP address in Vietnam... > well, we have about 20+ users located in Bangkok (whilst server is in Aus), so I'd guess con

Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread lists
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache > > With Postfix 2.11 or later, just leave this empty, session tickets work > better. Viktor, thanks does 'leave empty' means have it present on main.cf up to '=' ? as so ? smtpd_tls_session_cache_database =

Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread Viktor Dukhovni
> On Dec 26, 2017, at 1:39 AM, li...@sbt.net.au wrote: Overall quite standard. Nothing to worry about. > smtpd_tls_session_cache_timeout = 36000s 10 hours is perhaps too long to be useful. Just let the default stand. > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread Viktor Dukhovni
> On Dec 26, 2017, at 1:34 AM, li...@sbt.net.au wrote: > >> >> Generally no. There are some SMTP clients that both TLS, s/both/botch/ Hope that's less confusing. >> they'll either retry in the clear, or they are likely shoddy >> spamware. >> Other log messages will show the IP addre

Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread lists
>> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote: > This of course assumes you've not configured particularly exotic TLS > settings on your end. Viktor, thanks again, I hope it's not exotic, not to my knowledge, anyhow: that that show what it is ? suggestions and corrections appreciated

Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread lists
>> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote: >> >> anything to worry about ? > > Generally no. There are some SMTP clients that both TLS, > they'll either retry in the clear, or they are likely shoddy > spamware. > Other log messages will show the IP address of the client. If you weren

Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread Viktor Dukhovni
> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote: > > anything to worry about ? Generally no. There are some SMTP clients that both TLS, they'll either retry in the clear, or they are likely shoddy spamware. > # grep 'TLS library problem' /var/log/maillog* > /var/log/maillog:Dec 25 08:39

Re: TLS library problem

2015-02-19 Thread steve
> 2 of large size or quantity; generous or abundant:   Definitely meant as above. Steve

Re: TLS library problem

2015-02-19 Thread Viktor Dukhovni
On Thu, Feb 19, 2015 at 04:29:51PM -, st...@thornet.co.uk wrote: > Thanks very much for your fulsome response. > I'll do some more checking Note: :-) fulsome: adjective 1 complimentary or flattering to an excessive degree: 'the press are embarrassingly fulsome in their appreci

Re: TLS library problem

2015-02-19 Thread steve
> * This is logged by your smtpd(8) server. > > * A small set of organizations operate remote SMTP clients that > trigger this warning when sending email to you. Most inbound > mail uses TLS without generating said warning. > [snip] Viktor Thanks very much for your fulsome

Re: TLS library problem

2015-02-19 Thread Viktor Dukhovni
On Thu, Feb 19, 2015 at 03:53:13PM -, st...@thornet.co.uk wrote: > We have lots of these in the logs > > warning: TLS library problem:15696:error:14094416: > SSL routines:SSL3_READ_BYTES: > sslv3 alert certificate unknown: > s3_pkt.c:1256: > SSL alert number 46: > > Should I be worried

Re: TLS library problem

2015-02-19 Thread li...@rhsoft.net
On 19.02.2015 at 16:53, st...@thornet.co.uk wrote: We have lots of these in the logs warning: TLS library problem: 15696:error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1256:SSL alert number 46: Should I be worried? without the related loglines above an

Re: TLS Library Problem

2015-02-01 Thread Viktor Dukhovni
On Sun, Feb 01, 2015 at 11:42:30PM +0100, li...@rhsoft.net wrote: > >For MSAs offering service to Joe Public, sure you'll want a CA-issued > >cert. > > I only referred to "the interval between expiry is long enough that I get to > learn everything over from first principles every time I have to r

Re: TLS Library Problem

2015-02-01 Thread li...@rhsoft.net
On 01.02.2015 at 23:15, Viktor Dukhovni wrote: On Sun, Feb 01, 2015 at 10:32:53PM +0100, li...@rhsoft.net wrote: just make it once in your lifetime, create a template for default params and a script with minimal maintenance like for hash-method and keylength - the script below in any case bui

Re: TLS Library Problem

2015-02-01 Thread Viktor Dukhovni
On Sun, Feb 01, 2015 at 10:32:53PM +0100, li...@rhsoft.net wrote: > just make it once in your lifetime, create a template for default params and > a script with minimal maintenance like for hash-method and keylength - the > script below in any case builds a self signed PEM with key and cert as we

Re: TLS Library Problem

2015-02-01 Thread li...@rhsoft.net
On 01.02.2015 at 22:26, LuKreme wrote: On 01 Feb 2015, at 05:41 , DTNX Postmaster wrote: By the way, CA-signed certificates start at less than $10/year, so if you ever do run into an issue which might be resolved by getting one, and your configuration isn't too complex, I would suggest spe

Re: TLS Library Problem

2015-02-01 Thread LuKreme
On 01 Feb 2015, at 05:41 , DTNX Postmaster wrote: > By the way, CA-signed certificates start at less than $10/year, so if you > ever do run into an issue which might be resolved by getting one, and your > configuration isn't too complex, I would suggest spending that little bit of > money. > >

Re: TLS Library Problem

2015-02-01 Thread Viktor Dukhovni
On Sun, Feb 01, 2015 at 02:13:46AM -0700, LuKreme wrote: > > Which confirms that the problem is with your SMTP server as expected. > > It does? Sorry, confirms that the problem is observed on the server side. The evidence to conclude which side is not there. However, both Postfix and OpenSSL ar

Re: TLS Library Problem

2015-02-01 Thread DTNX Postmaster
On 01 Feb 2015, at 10:13, LuKreme wrote: > On Jan 31, 2015, at 7:15 PM, Viktor Dukhovni > wrote: >> On Sat, Jan 31, 2015 at 05:16:33PM -0700, LuKreme wrote: >> >>> The start was just date stamp info and PID: >>> >>> Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem: >>>

Re: TLS Library Problem

2015-02-01 Thread LuKreme
On Jan 31, 2015, at 7:15 PM, Viktor Dukhovni wrote: > On Sat, Jan 31, 2015 at 05:16:33PM -0700, LuKreme wrote: > >> The start was just date stamp info and PID: >> >> Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem: >> error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 ale

Re: TLS Library Problem

2015-01-31 Thread Viktor Dukhovni
On Sat, Jan 31, 2015 at 05:16:33PM -0700, LuKreme wrote: > The start was just date stamp info and PID: > > Jan 31 01:52:10 mail postfix/smtpd[62297]: warning: TLS library problem: > error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad > certificate:s3_pkt.c:1293:SSL alert number 42: Whi

Re: TLS Library Problem

2015-01-31 Thread LuKreme
On Jan 31, 2015, at 4:28 PM, Viktor Dukhovni wrote: > On Sat, Jan 31, 2015 at 03:34:35PM -0700, LuKreme wrote: > >> Since I am not seeing a load of these, I am assuming this is indicating the >> error is on the other end? >> >> TLS library problem: error:14094412:SSL routines:SSL3_READ_BYTES:ss

Re: TLS Library Problem

2015-01-31 Thread Viktor Dukhovni
On Sat, Jan 31, 2015 at 03:34:35PM -0700, LuKreme wrote: > Since I am not seeing a load of these, I am assuming this is indicating the > error is on the other end? > > TLS library problem: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert > bad certificate:s3_pkt.c:1293:SSL alert number 4

Re: TLS library problem - handshake failure

2014-08-26 Thread Wietse Venema
> Any thoughts on next steps without having to contact the target > domains? I have read about disabling TLSEXT_TYPE_PADDING when > compiling OpenSSL - would this be my next step, or was this somehow > fixed in the releases we are using? Any other way I could simulate > this problem, as we have h

RE: TLS library problem - handshake failure

2014-08-26 Thread robin.wakefield
Hi again, Here is the output of postconf -n for this interface: alias_database = hash:/etc/postfix-internal/aliases alias_maps = hash:/etc/postfix-internal/aliases allow_percent_hack = no alternate_config_directories = /etc/postfix-internal, /etc/postfix-external body_checks = pcre:/etc/postfix-i

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-28 Thread Viktor Dukhovni
On Mon, Oct 28, 2013 at 04:17:13PM +, Viktor Dukhovni wrote: > > What else info I need to supply, to figure out what is wrong? > > tls_policy: > # opportunistic, season to taste > trialtolatvia.lv may exclude=3DES:aNULL > > main.cf: > indexed = ${default_database_ty

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-28 Thread Viktor Dukhovni
On Mon, Oct 28, 2013 at 05:54:51PM +0200, KSB wrote: > Hello! > Have the similar problem: It is exactly the same problem, with exactly the same solution. > Oct 22 17:12:12 awtech postfix/smtp[17586]: warning: TLS library > problem: 17586:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong > versio

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-28 Thread KSB
Hello! Have the similar problem: Oct 22 17:12:12 awtech postfix/smtp[17586]: warning: TLS library problem: 17586:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337: Oct 22 17:12:12 awtech postfix/smtp[17586]: 034C0B14237: lost connection with mail.trialtolatvia.lv[109

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-16 Thread Viktor Dukhovni
On Wed, Oct 16, 2013 at 10:29:21AM +0200, Michael Büker wrote: > > Add "exclude=3DES" to the entry table for this server, and you'll likely > > be fine. You probably don't need to tweak the protocols. > > Adding "exclude=3DES" or "exclude=DES-CBC3-SHA" to the smtp_tls_policy_maps > file didn't

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-16 Thread DTNX Postmaster
On Oct 16, 2013, at 10:29, Michael Büker wrote: > Now, everything works. Phew. > > I might still combine the sender_dependent_default_transport_maps with my > sender_dependent_relayhost_maps so I don't have to maintain both files. Come > to > think of it: Couldn't I combine the single line in

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-16 Thread Michael Büker
On Wed 16.10.13 10:29:21 Michael Büker wrote: > I might still combine the sender_dependent_default_transport_maps with my > sender_dependent_relayhost_maps so I don't have to maintain both files. Come > to think of it: Couldn't I combine the single line in smtp_tls_policy_maps > into the transpor

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-16 Thread Michael Büker
On Tue 15.10.13 15:18:06 Viktor Dukhovni wrote: > The server in question is a Microsoft Exchange server with buggy 3DES > ciphersuites (IIRC found in Windows XP, and perhaps Windows Server 2003). > > Add "exclude=3DES" to the entry table for this server, and you'll likely > be fine. You probably

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-15 Thread DTNX Postmaster
On Oct 15, 2013, at 17:18, Viktor Dukhovni wrote: > On Tue, Oct 15, 2013 at 12:21:28PM +0200, Michael Büker wrote: > >>> Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem: >>> 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version >>> number:s3_pkt.c:337: >>> >>>

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-15 Thread Viktor Dukhovni
On Tue, Oct 15, 2013 at 12:21:28PM +0200, Michael Büker wrote: > > Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem: > > 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version > > number:s3_pkt.c:337: > > > > Oct 15 02:30:04 asterix postfix/smtp[4458]: 42E021A0F44:

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-15 Thread Michael Büker
On Tue 15.10.13 01:48:57 Viktor Dukhovni wrote: > Obfuscating the target domain and IP address makes it much harder > to help you. At the very least you MUST obfuscate using a 1-to-1 > function, so that each distinct domain or IP address is mapped to > a distinct obfuscated value. I see the probl

Re: TLS library problem - SSL routines:SSL3_GET_RECORD - wrong version number

2013-10-14 Thread Viktor Dukhovni
On Tue, Oct 15, 2013 at 03:20:13AM +0200, Michael Büker wrote: > > postfix/smtp[9689]: warning: TLS library problem: 9689:error:1408F10B:SSL > > routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337: > > postfix/smtp[9689]: 033661A108A: to=, > > relay=server[X.X.X.X]:587, delay=0.51, delays

Re: TLS Library Problem? Postfix 2.9.6

2013-02-13 Thread Eray Aslan
On Tue, Feb 12, 2013 at 04:51:33PM +, Viktor Dukhovni wrote: > Do you know how you accidentally ended-up with a 512-bit RSA key? > [ Did you use the snake-oil key-pair included with the O/S? ] No. The snake-oil key-pair is 1024 bit rsa in gentoo. -- Eray Aslan

Re: TLS Library Problem? Postfix 2.9.6

2013-02-12 Thread Viktor Dukhovni
On Tue, Feb 12, 2013 at 09:22:55AM +0100, we...@zackbummfertig.de wrote: > I checked the certificate with: > > $ openssl x509 -in cert.pem -text -noout > > and voila, 512 bit like you said. Do you know how you accidentally ended-up with a 512-bit RSA key? [ Did you use the snake-oil key-pa

Re: TLS Library Problem? Postfix 2.9.6

2013-02-12 Thread weber
sorry for 2nd reply, and no i had openssl 1.0.1c on gentoo i see there's now 1.0.1d-r1 and the 1.0.1d is MASKED now. marko On 2013-02-12 07:58, Viktor Dukhovni wrote: On Mon, Feb 11, 2013 at 11:58:07PM +0100, we...@zackbummfertig.de wrote: on my backup relay server i find these lines in

Re: TLS Library Problem? Postfix 2.9.6

2013-02-12 Thread weber
Viktor, thanks for the detailed reply. i checked the crt with openssl rsa -in private.key -text -noout and voila, 512 bit like you said. after generating all things new all is fine now. thanks for help. marko On 2013-02-12 07:58, Viktor Dukhovni wrote: On Mon, Feb 11, 2013 at 11:58:07PM

Re: TLS Library Problem? Postfix 2.9.6

2013-02-11 Thread Viktor Dukhovni
On Mon, Feb 11, 2013 at 11:58:07PM +0100, we...@zackbummfertig.de wrote: > on my backup relay server i find these lines in the logs. > i rebuild openssl and postfix. > i am on gentoo linux. > > openssl 1.0.1c Gentoo builds software from source, are you sure you built OpenSSL 1.0.1c and not the t

Re: TLS Library Problem? Postfix 2.9.6

2013-02-11 Thread weber
On 2013-02-12 01:07, Wietse Venema wrote: we...@zackbummfertig.de: Feb 11 22:52:52 fallbackhost postfix/smtp[18823]: warning: TLS library problem: 18823:error:04075070:rsa routines:RSA_sign:digest too big for rsa key:rsa_sign.c:127: Feb 11 22:52:52 fallbackhost postfix/smtp[18823]: warning

Re: TLS Library Problem? Postfix 2.9.6

2013-02-11 Thread Wietse Venema
we...@zackbummfertig.de: > Feb 11 22:52:52 fallbackhost postfix/smtp[18823]: warning: TLS library > problem: 18823:error:04075070:rsa routines:RSA_sign:digest too big for > rsa key:rsa_sign.c:127: > Feb 11 22:52:52 fallbackhost postfix/smtp[18823]: warning: TLS library > problem: 18823:error:140

Re: TLS library problem after updating "openssl"

2012-04-22 Thread Jerry
On Sun, 22 Apr 2012 12:25:05 -0400 Julien Vehent articulated: >On other system, I have noticed that openssl-1.0.1 uses TLS1.2 by >default and that seemed to break a bunch of connections. >Try opening connections with different TLS versions and see which ones >break: > Both fail: >openssl s_clien

Re: TLS library problem after updating "openssl"

2012-04-22 Thread Julien Vehent
On 2012-04-22 10:16, Jerry wrote: System: FreeBSD 8.2-STABLE amd64 I just updated to "openssl-1.0.1" on my machine. The machine went trough a complete reboot so I would assume that everything was started correctly. I did rebuild Postfix after updating "openssl". I am using the "postfix-current"

Re: TLS library problem after updating "openssl"

2012-04-22 Thread Bradley Giesbrecht
On Apr 22, 2012, at 7:16 AM, Jerry wrote: > System: FreeBSD 8.2-STABLE amd64 > > I just updated to "openssl-1.0.1" on my machine. I have experienced many broken packages after upgrading to "openssl 1.0.1" that upgrading to "openssl 1.0.1a" appears to have fixed. Regards, Bradley Giesbrecht

Re: TLS library problem

2010-12-03 Thread Ralf Hildebrandt
* Victor Duchovni : > > This happens if the client doesn't like the certificate, because it is > > not signed by a trusted CA. > > This is a reasonably plausible conjecture, but not yet a fact. Yup. > > Which machine is it, so we can have a look with s_client? > > More importantly, the OP has

Re: TLS library problem

2010-12-03 Thread Victor Duchovni
On Fri, Dec 03, 2010 at 07:09:05PM +0100, Ralf Hildebrandt wrote: > * Victor Duchovni : > > > The remote SSL client sends "alert 0" which according to > > > > http://tools.ietf.org/html/rfc2246#section-7.2 > > > > is a "close_notify" alert. So the remote client called the equivalent of > >

Re: TLS library problem

2010-12-03 Thread Ralf Hildebrandt
* Victor Duchovni : > The remote SSL client sends "alert 0" which according to > > http://tools.ietf.org/html/rfc2246#section-7.2 > > is a "close_notify" alert. So the remote client called the equivalent of > SSL_shutdown() in the middle of the SSL handshake. Perhaps the client was > "unimpr

Re: TLS library problem

2010-12-03 Thread Victor Duchovni
On Fri, Dec 03, 2010 at 10:12:07AM +0100, Mickael MONSIEUR wrote: > I have this problem with receiving emails from outside in SSL / TLS. > Can you help me because I have some emails blocked because of it. The messages are not "blocked", rather the SMTP client fails to establish a TLS handshake wi

Re: TLS library problem

2010-12-03 Thread Mickael MONSIEUR
alias_database = hash:/etc/aliases alias_maps = hash:/etc/aliases append_dot_mydomain = no biff = no body_checks = regexp:/etc/postfix/maps/body_checks broken_sasl_auth_clients = yes config_directory = /etc/postfix header_checks = regexp:/etc/postfix/maps/header_checks inet_interfaces = all mailbox

Re: TLS library problem

2010-12-03 Thread Ralf Hildebrandt
* Mickael MONSIEUR : > > OK, it's an SSL Problem. But since we don't know what 212.35.xxx.xx is > > (MTA? MUA?) it's hard to say anything. Also, since you don't say > > anything about your server (config and such) it's also really hard. > > I do not think this is the SMTP 212.35.xxx.xx the proble

Re: TLS library problem

2010-12-03 Thread Mickael MONSIEUR
2010/12/3 Ralf Hildebrandt > * Mickael MONSIEUR : > > Hello, > > I have this problem with receiving emails from outside in SSL / TLS. > > Can you help me because I have some emails blocked because of it. > > Where does it show that the mails are being blocked? > They are blocked or rejected, bec

Re: TLS library problem

2010-12-03 Thread Ralf Hildebrandt
* Mickael MONSIEUR : > Hello, > I have this problem with receiving emails from outside in SSL / TLS. > Can you help me because I have some emails blocked because of it. Where does it show that the mails are being blocked? > Dec 3 09:56:13 mail postfix/smtpd[13307]: warning: 212.35.xxx.xx: hostn

Re: TLS library problem

2010-03-30 Thread Sahil Tandon
On Tue, 30 Mar 2010, Terry Barnum wrote: > Mar 28 04:47:54 mail postfix/smtpd[22135]: warning: TLS library problem: > 22135:error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown > protocol:s23_srvr.c:578: > Mar 29 15:12:39 mail postfix/smtpd[35073]: warning: TLS library problem: > 35073:er