Mac Server 5.4 Mail Service TLS Error


Mac Server 5.4 Mail Service TLS Error

avignonais
Mac Mini, 10.13 High Sierra running Mac Server 5.4. From a Mac client,
specifying "Use TLS/SSL" in SMTP settings works just fine when sending out
mail. However, from Windows 10 Mail running on a PC in the same network, I
cannot keep "Require SSL for outgoing email" checked in the Win10 Mail
settings; doing so results in the following error message in the Mac
Server's mail log:

2017-11-10 12:38:28.755534-0500 0x39f75    Default     0x0                13873  smtpd: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/ssl/s3_srvr.c:810:

I'm pretty much a newbie to Postfix but in reading other posts on this
forum, I knew enough to locate the  main.cf file on my Mac Server. I *think*
the portion seen below is the relevant section of that file that might be
involved in this issue; if not, I'd appreciate any advice. Thanks!

smtp_tls_protocols = !SSLv2
smtp_tls_mandatory_protocols = !SSLv2
smtpd_tls_protocols = !SSLv2
smtpd_tls_mandatory_protocols = !SSLv2
smtp_tls_loglevel = 1
smtp_tls_security_level = may





--
Sent from: http://postfix.1071664.n5.nabble.com/Postfix-Users-f2.html

Re: Mac Server 5.4 Mail Service TLS Error

Viktor Dukhovni

> On Nov 10, 2017, at 1:18 PM, avignonais <[hidden email]> wrote:
>
>
> 2017-11-10 12:38:28.755534-0500 0x39f75    Default     0x0                13873  smtpd: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/ssl/s3_srvr.c:810:

I do not recommend recent MacOS releases as an OS for Postfix.
The new logging system makes managing Postfix extremely difficult.

That said, my best guess is that the SMTP client is using STARTTLS
with a wrapper-mode server, and non-TLS plaintext does not make
for a valid TLS handshake.

 http://www.postfix.org/DEBUG_README.html#mail
 http://www.postfix.org/DEBUG_README.html#sniffer

--
        Viktor.


Re: Mac Server 5.4 Mail Service TLS Error

avignonais
Thanks! From what I think you're saying, it sounds like this wouldn't be
particularly fixable, at least not by me, LOL. That's ok, we can still send
mail from the Win 10 PC if we uncheck "Require SSL for outgoing."

Awhile back, possibly with Mac Server 5.3 or maybe even earlier, mail logs
stopped being very informative as seen in Apple's Server app interface. At
that time I did some poking around online and latched onto the following
Terminal command, which I now run automatically at every Mac restart (once a
day at 4:45 am). As long as I keep the Terminal command window open (or
minimized) after executing this command, it generates a textfile onto the
Server desktop that records quite a lot of log info during the day, which is
where I found the error snippet in my original post:

log stream --predicate '(process == "smtpd") || (process == "smtp")' --debug > /Users/admin/Desktop/"$(date +%Y%m%d-%H%M%S).txt"




Re: Mac Server 5.4 Mail Service TLS Error

Viktor Dukhovni


> On Nov 10, 2017, at 2:02 PM, avignonais <[hidden email]> wrote:
>
> Thanks! From what I think you're saying, it sounds like this wouldn't be
> particularly fixable, at least not by me, LOL. That's ok, we can still send
> mail from the Win 10 PC if we uncheck "Require SSL for outgoing."

No, I am saying that modern MacOS makes a poor Postfix platform, but the
TLS issue is separate and should be fixable, though hampered by poor
logging.

 http://www.postfix.org/DEBUG_README.html#mail
 http://www.postfix.org/DEBUG_README.html#sniffer

--
        Viktor.


Re: Mac Server 5.4 Mail Service TLS Error

avignonais
Understood. Not sure I'd be able to install the debugger or sniffer utilities
you link to, but FWIW here's the entire relevant logfile captured by that
Terminal command I mentioned in my earlier reply. It's everything that was
recorded pertaining to a failed test email sent from our Windows 10 PC, with
user name and IP address obfuscated:

2017-11-10 12:38:28.403870-0500 0x39f1f    Activity    0x38f80            13870  smtpd: (libsystem_info.dylib) Retrieve User by Name
2017-11-10 12:38:28.404625-0500 0x39f1f    Activity    0x38f81            13870  smtpd: (libsystem_info.dylib) Retrieve User by Name
2017-11-10 12:38:28.405120-0500 0x39f1f    Activity    0x38f82            13870  smtpd: (libsystem_info.dylib) Retrieve Group by Name
2017-11-10 12:38:28.471490-0500 0x39f1f    Activity    0x38f83            13870  smtpd: (libsystem_info.dylib) Resolve user group list
2017-11-10 12:38:28.479378-0500 0x39f1f    Info        0x0                13870  smtpd: connect from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.481144-0500 0x39f1f    Info        0x0                13870  smtpd: lost connection after UNKNOWN from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.481222-0500 0x39f1f    Info        0x0                13870  smtpd: disconnect from AAA_AAAAAAA[DD.DD.DDD.DDD] unknown=0/1 commands=0/1
2017-11-10 12:38:28.490604-0500 0x39f1f    Info        0x0                13870  smtpd: connect from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.492139-0500 0x39f1f    Info        0x0                13870  smtpd: lost connection after CONNECT from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.492210-0500 0x39f1f    Info        0x0                13870  smtpd: disconnect from AAA_AAAAAAA[DD.DD.DDD.DDD] commands=0/0
2017-11-10 12:38:28.505318-0500 0x39f75    Activity    0x38fb0            13873  smtpd: (libsystem_info.dylib) Retrieve User by Name
2017-11-10 12:38:28.506050-0500 0x39f75    Activity    0x38fb1            13873  smtpd: (libsystem_info.dylib) Retrieve User by Name
2017-11-10 12:38:28.506512-0500 0x39f75    Activity    0x38fb2            13873  smtpd: (libsystem_info.dylib) Retrieve Group by Name
2017-11-10 12:38:28.563098-0500 0x39f75    Activity    0x38fb3            13873  smtpd: (libsystem_info.dylib) Resolve user group list
2017-11-10 12:38:28.577883-0500 0x39f75    Info        0x0                13873  smtpd: connect from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.579979-0500 0x39f75    Info        0x0                13873  smtpd: lost connection after UNKNOWN from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.580044-0500 0x39f75    Info        0x0                13873  smtpd: disconnect from AAA_AAAAAAA[DD.DD.DDD.DDD] unknown=0/1 commands=0/1
2017-11-10 12:38:28.584671-0500 0x39f75    Info        0x0                13873  smtpd: connect from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.586241-0500 0x39f75    Info        0x0                13873  smtpd: lost connection after CONNECT from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.586309-0500 0x39f75    Info        0x0                13873  smtpd: disconnect from AAA_AAAAAAA[DD.DD.DDD.DDD] commands=0/0
2017-11-10 12:38:28.592739-0500 0x39f1f    Info        0x0                13870  smtpd: connect from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.664278-0500 0x39f1f    Info        0x0                13870  smtpd: lost connection after STARTTLS from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.664377-0500 0x39f1f    Info        0x0                13870  smtpd: disconnect from AAA_AAAAAAA[DD.DD.DDD.DDD] ehlo=1 starttls=1 commands=2
2017-11-10 12:38:28.671096-0500 0x39f1f    Info        0x0                13870  smtpd: connect from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.674035-0500 0x39f1f    Info        0x0                13870  smtpd: SSL_accept error from AAA_AAAAAAA[DD.DD.DDD.DDD]: -1
2017-11-10 12:38:28.674154-0500 0x39f1f    Default     0x0                13870  smtpd: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/ssl/s3_srvr.c:810:
2017-11-10 12:38:28.674237-0500 0x39f1f    Info        0x0                13870  smtpd: lost connection after STARTTLS from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.674304-0500 0x39f1f    Info        0x0                13870  smtpd: disconnect from AAA_AAAAAAA[DD.DD.DDD.DDD] ehlo=1 starttls=0/1 commands=1/2
2017-11-10 12:38:28.680312-0500 0x39f75    Info        0x0                13873  smtpd: connect from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.747325-0500 0x39f75    Info        0x0                13873  smtpd: lost connection after STARTTLS from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.747467-0500 0x39f75    Info        0x0                13873  smtpd: disconnect from AAA_AAAAAAA[DD.DD.DDD.DDD] ehlo=1 starttls=1 commands=2
2017-11-10 12:38:28.752370-0500 0x39f75    Info        0x0                13873  smtpd: connect from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.755435-0500 0x39f75    Info        0x0                13873  smtpd: SSL_accept error from AAA_AAAAAAA[DD.DD.DDD.DDD]: -1
2017-11-10 12:38:28.755534-0500 0x39f75    Default     0x0                13873  smtpd: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/ssl/s3_srvr.c:810:
2017-11-10 12:38:28.755615-0500 0x39f75    Info        0x0                13873  smtpd: lost connection after STARTTLS from AAA_AAAAAAA[DD.DD.DDD.DDD]
2017-11-10 12:38:28.755663-0500 0x39f75    Info        0x0                13873  smtpd: disconnect from AAA_AAAAAAA[DD.DD.DDD.DDD] ehlo=1 starttls=0/1 commands=1/2




Re: Mac Server 5.4 Mail Service TLS Error

Viktor Dukhovni


> On Nov 10, 2017, at 2:19 PM, avignonais <[hidden email]> wrote:
>
> Understood. Not sure I'd be able to install the debugger or sniffer utilities
> you link to,

The "tcpdump" utility is a standard feature of MacOS:

$ uname -srv
Darwin 17.2.0 Darwin Kernel Version 17.2.0: Fri Sep 29 18:27:05 PDT 2017; root:xnu-4570.20.62~3/RELEASE_X86_64
$ ls -l /usr/sbin/tcpdump
-rwxr-xr-x  1 root  wheel  902720 Oct 25 13:30 /usr/sbin/tcpdump

Without a PCAP file, no further help is possible.

> 2017-11-10 12:38:28.671096-0500 0x39f1f    Info        0x0                13870  smtpd: connect from AAA_AAAAAAA[DD.DD.DDD.DDD]
> 2017-11-10 12:38:28.674035-0500 0x39f1f    Info        0x0                13870  smtpd: SSL_accept error from AAA_AAAAAAA[DD.DD.DDD.DDD]: -1
> 2017-11-10 12:38:28.674154-0500 0x39f1f    Default     0x0                13870  smtpd: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22/libressl/ssl/s3_srvr.c:810:
> 2017-11-10 12:38:28.674237-0500 0x39f1f    Info        0x0                13870  smtpd: lost connection after STARTTLS from AAA_AAAAAAA[DD.DD.DDD.DDD]
> 2017-11-10 12:38:28.674304-0500 0x39f1f    Info        0x0                13870  smtpd: disconnect from AAA_AAAAAAA[DD.DD.DDD.DDD] ehlo=1 starttls=0/1 commands=1/2

It looks like the client used STARTTLS, on a STARTTLS port, so
that theory is out.  This is Apple's Postfix, linked with LibreSSL.
I don't know what protocol versions it supports, or what the client
is requesting.  Do try getting a PCAP file with tcpdump.  Then
send me the pcap file.

Support for Apple's customized Postfix, over an unsupported (here)
TLS library, and with a difficult to use logging system is rather
limited:

http://dilbert.com/strip/1995-06-24

--
        Viktor.
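
Added example, not part of any post in this thread: the per-session summaries read in the reply above (for instance "ehlo=1 starttls=0/1 commands=1/2", where Postfix logs n/m as n successful out of m attempted) can be extracted mechanically and tied to the TLS library warning from the same smtpd process. It assumes the `log stream` output has been unwrapped to one record per line; the sample lines are constructed on the model of the quoted log, and the function names are hypothetical.

```python
import re

# Constructed sample in the `log stream` layout quoted in the thread, one
# record per line; host, address and the shortened source path are placeholders.
SAMPLE = """\
2017-11-10 12:38:28.592739-0500 0x39f1f Info 0x0 13870 smtpd: connect from client.example[192.0.2.10]
2017-11-10 12:38:28.664377-0500 0x39f1f Info 0x0 13870 smtpd: disconnect from client.example[192.0.2.10] ehlo=1 starttls=1 commands=2
2017-11-10 12:38:28.671096-0500 0x39f1f Info 0x0 13870 smtpd: connect from client.example[192.0.2.10]
2017-11-10 12:38:28.674154-0500 0x39f1f Default 0x0 13870 smtpd: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:810:
2017-11-10 12:38:28.674304-0500 0x39f1f Info 0x0 13870 smtpd: disconnect from client.example[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
"""

# timestamp, thread id, type, activity id, PID, then the smtpd message
LINE = re.compile(r"^(\S+ \S+)\s+\S+\s+\S+\s+\S+\s+(\d+)\s+smtpd: (.*)$")
COUNT = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")
TLS_WARN = "warning: TLS library problem: "

def sessions(text):
    """Group records into connect..disconnect sessions, keyed by smtpd PID
    (one smtpd process serves one client at a time)."""
    active, done = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip blank lines and records from other processes
        ts, pid, msg = m.groups()
        if msg.startswith("connect from "):
            active[pid] = {"start": ts, "pid": pid, "tls_errors": [], "counts": {}}
        elif pid in active and msg.startswith(TLS_WARN):
            active[pid]["tls_errors"].append(msg[len(TLS_WARN):])
        elif pid in active and msg.startswith("disconnect from "):
            s = active.pop(pid)
            # "starttls=0/1": 0 succeeded of 1 attempted; "starttls=1": all succeeded.
            for name, ok, total in COUNT.findall(msg):
                s["counts"][name] = (int(ok), int(total or ok))
            done.append(s)
    return done

def classify(s):
    """Label a session by how far the STARTTLS exchange got."""
    ok, total = s["counts"].get("starttls", (0, 0))
    if ok < total:
        return "tls-handshake-failed"
    if ok and "mail" not in s["counts"]:
        return "dropped-after-starttls"  # STARTTLS counted OK, no MAIL followed
    return "other"

if __name__ == "__main__":
    for s in sessions(SAMPLE):
        print(s["start"], s["pid"], classify(s), s["tls_errors"])
```
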

Re: Mac Server 5.4 Mail Service TLS Error

avignonais
OK.. I'm far from proficient in this, but checking for instructions online I
*think* I was able to capture a pcap file that should include the failed
email attempt sent from one of our Windows 10 PCs specifying "Require SSL
for outgoing email." I looked thru the pcap file using Mac Terminal but have
no clue what I'm looking at, or if it'll give you what you need. I'm
attaching it to this reply. DumpFile01.pcap
<http://postfix.1071664.n5.nabble.com/file/t6713/DumpFile01.pcap>  




Re: Mac Server 5.4 Mail Service TLS Error

avignonais
Did you get my PCAP file that I uploaded (see reply above)? I sent it as you
asked...




Re: Mac Server 5.4 Mail Service TLS Error

avignonais
Ah, ok, so this involves our certificate instead of a postfix
mis-configuration of some sort. Yes, our (only) certificate is self-signed,
we don't subscribe to any SSL Certificate service. On the Mac we
can specify "Always trust" when the Mail client first asks about the
self-signed certificate; on the PC, Windows 10 Mail also asked about it but
didn't offer the same "Always trust" option. Thanks for investigating this
and bearing with my lack of technical expertise!


