SSL_accept error on just one of several similar servers

SSL_accept error on just one of several similar servers

Michael Fox
I have several Postfix servers with virtually identical configurations.
That is, they have their own hostnames, IP addresses, etc.  But the rest of
main.cf and master.cf and various *_access, etc. files are the same.

I recently started having a problem with SSL_accept errors on just one of
the machines.  Several people report (including me) that from the same
Thunderbird client, we can connect to all of the other servers and send a
message.  But when we try to connect and send to the one server, it fails.

The Thunderbird client displays:  "Sending of the message failed.  The
message could not be sent because the connection to Outgoing server (SMTP)
host.domain timed out.  Try again."

/var/log/mail.log shows:  

Mar 25 21:35:19 w1xsc-gw postfix/submission/smtpd[9565]: connect from
client.domain.org[xx.xx.xx.xx]
Mar 25 21:35:19 w1xsc-gw postfix/submission/smtpd[9565]: SSL_accept error
from client.domain.org[xx.xx.xx.xx]: Connection reset by peer
Mar 25 21:35:19 w1xsc-gw postfix/submission/smtpd[9565]: lost connection
after STARTTLS from client.domain.org[xx.xx.xx.xx]
Mar 25 21:35:19 w1xsc-gw postfix/submission/smtpd[9565]: disconnect from
client.domain.org[xx.xx.xx.xx] ehlo=1 starttls=0/1 commands=1/2

I tried setting smtpd_tls_loglevel = 2, in case the extra information is
helpful:

Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: connect from
client.domain.org[xx.xx.xx.xx]
Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: setting up TLS
connection from client.domain.org[xx.xx.xx.xx]
Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]:
client.domain.org[xx.xx.xx.xx]: TLS cipher list
"aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]:
SSL_accept:before/accept initialization
Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: SSL_accept:error in
SSLv2/v3 read client hello A
Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: SSL_accept error
from client.domain.org[xx.xx.xx.xx]: Connection reset by peer
Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: lost connection
after STARTTLS from client.domain.org[xx.xx.xx.xx]
Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: disconnect from
client.domain.org[xx.xx.xx.xx] ehlo=1 starttls=0/1 commands=1/2

I re-verified that the configs between the different Postfix machines are
the same (except for the obvious IP address, etc.) and they haven't changed.
I also looked at previous posts about SSL_accept but they didn't seem to be
the same situation.

Any idea of what's wrong?  Or how to find out what's wrong?

Thanks,
Michael
 

postconf -nf:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_at_myorigin = yes
append_dot_mydomain = yes
biff = no
body_checks = pcre:${config_directory}/body_checks.pcre
bounce_queue_lifetime = 12h
bounce_template_file = ${config_directory}/bounce.cf
broken_sasl_auth_clients = yes
canonical_maps = pcre:${config_directory}/canonical.pcre
compatibility_level = 2
content_filter = amavisfeed:[127.0.0.1]:10024
delay_warning_time = 2h
fast_flush_domains = $relay_domains
header_checks = pcre:${config_directory}/header_checks.pcre
html_directory = /usr/share/doc/postfix/html
inet_interfaces = $xsc_inet_interfaces
mailbox_size_limit = 51200000
maximal_queue_lifetime = 12h
message_size_limit = 10240000
milter_default_action = accept
milter_protocol = 6
mime_header_checks = pcre:${config_directory}/mime_header_checks.pcre
mua_client_connection_count_limit = 5
mua_client_connection_rate_limit = 10
mua_client_message_rate_limit = 10
mua_client_recipient_rate_limit = 50
mua_client_restrictions = check_sasl_access
    hash:${config_directory}/sasl_access
    permit_sasl_authenticated reject
mua_discard_ehlo_keyword_address_maps =
    cidr:${config_directory}/ehlo_keyword.cidr
mua_helo_restrictions =
mua_recipient_limit = 25
mua_recipient_overshoot_limit = 25
mua_recipient_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain check_sasl_access
    hash:${config_directory}/sasl_access check_recipient_access
    hash:${config_directory}/roleaccount_exceptions check_recipient_access
    pcre:${config_directory}/recipient_access.pcre check_recipient_access
    pcre:${config_directory}/relay_recipient_access.pcre
    check_recipient_access
    pcre:${config_directory}/virtual_recipient_access.pcre permit
mua_relay_restrictions = permit_sasl_authenticated reject
mua_sender_restrictions = $mua_tls_client_restrictions
    reject_non_fqdn_sender
    reject_sender_login_mismatch permit_sasl_authenticated
    reject_unknown_sender_domain reject_unlisted_sender permit
mua_tls_client_restrictions = check_client_access
    cidr:${config_directory}/tls_clients.cidr
mydestination = $xsc_mydestination
mydomain = $xsc_mydomain
myhostname = $xsc_myhostname
mynetworks = $xsc_mynetworks
myorigin = $xsc_myorigin
non_smtpd_milters = inet:localhost:8891
postscreen_access_list = permit_mynetworks
    cidr:${config_directory}/postscreen_access.cidr
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_dnsbl_reply_map =
    pcre:${config_directory}/postscreen_dnsbl_reply_map.pcre
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.spameatingmonkey.net*2
    psbl.surriel.com*2 bl.spamcop.net
    hostkarma.junkemailfilter.com=127.0.0.2
    dnsbl.sorbs.net bl.mailspike.net swl.spamhaus.org*-4
    list.dnswl.org=127.0.[0..255].0*-1 list.dnswl.org=127.0.[0..255].1*-2
    list.dnswl.org=127.0.[0..255].2*-3 list.dnswl.org=127.0.[0..255].3*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
proxy_interfaces = $xsc_proxy_interfaces
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = $xsc_relay_domains
relay_recipient_maps = pcre:${config_directory}/relay_recipients.pcre
relay_restrictions = check_sender_access
    pcre:${config_directory}/relay_sender_access.pcre
remote_header_rewrite_domain = invalid.domain
smtp_host_lookup = native
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 20
smtpd_client_recipient_rate_limit = 200
smtpd_client_restrictions = permit_mynetworks check_client_access
    pcre:${config_directory}/client_access.pcre
    reject_unknown_reverse_client_hostname check_client_access
    hash:${config_directory}/client_whitelist
    check_reverse_client_hostname_access
    pcre:${config_directory}/fqrdns.pcre
    reject_rbl_client zen.spamhaus.org reject_rhsbl_reverse_client
    dbl.spamhaus.org permit
smtpd_data_restrictions = reject_unauth_pipelining
    reject_multi_recipient_bounce
    permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 2s
smtpd_etrn_restrictions = permit_mynetworks permit_sasl_authenticated reject
smtpd_hard_error_limit = 10
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname reject_rhsbl_helo dbl.spamhaus.org
    check_helo_access pcre:${config_directory}/helo_access.pcre permit
smtpd_junk_command_limit = 2
smtpd_milters = inet:localhost:8891
smtpd_recipient_limit = 100
smtpd_recipient_overshoot_limit = 100
smtpd_recipient_restrictions = reject_non_fqdn_recipient
    reject_unknown_recipient_domain check_recipient_access
    hash:${config_directory}/roleaccount_exceptions check_recipient_access
    pcre:${config_directory}/recipient_access.pcre check_recipient_access
    pcre:${config_directory}/relay_recipient_access.pcre
    check_recipient_access
    pcre:${config_directory}/virtual_recipient_access.pcre permit
smtpd_reject_footer = \c. Diagnostic info: time ($localtime), client
    ($client_address:$client_port), server ($server_name).
smtpd_reject_unlisted_recipient = yes
smtpd_relay_restrictions = permit_mynetworks reject_unauth_destination
    permit
smtpd_restriction_classes = relay_restrictions virtual_quota_restrictions
smtpd_sasl_auth_enable = no
smtpd_sasl_path = private/dovecot-auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = hash:${config_directory}/sasl_senders
    pcre:${config_directory}/sasl_senders_default.pcre
smtpd_sender_restrictions = reject_non_fqdn_sender permit_mynetworks
    reject_unknown_sender_domain reject_unlisted_sender reject_rhsbl_sender
    dbl.spamhaus.org check_sender_access
    pcre:${config_directory}/sender_access.pcre check_sender_mx_access
    cidr:${config_directory}/sender_mx_access.cidr permit
smtpd_soft_error_limit = 5
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = $xsc_smtpd_tls_cert_file
smtpd_tls_key_file = $xsc_smtpd_tls_key_file
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
transport_maps = hash:${config_directory}/transport
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_hostname_reject_code = 550
unverified_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = hash:${config_directory}/virtual_aliases
virtual_mailbox_domains = $xsc_virtual_mailbox_domains
virtual_mailbox_maps = hash:${config_directory}/virtual_mailboxes
virtual_quota_restrictions = check_policy_service inet:[127.0.0.1]:12340
virtual_transport = lmtp:unix:private/dovecot-lmtp
xsc_inet_interfaces = all
xsc_mydestination = $xsc_myhostname localhost.$mydomain
    localhost.localdomain localhost
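The server-side evidence in the post can be triaged mechanically. The following is an added example (Python; not from the thread and not Postfix code) that groups smtpd log lines by process ID, since one smtpd process serves one session, and flags sessions where the server had already answered 220 to STARTTLS, was sitting in SSL_accept waiting for the first TLS record, and saw a TCP reset instead. That pattern rules out certificate, protocol and cipher problems, because nothing TLS-level was ever exchanged. The first sample session is the loglevel-2 excerpt from the post, re-joined into single syslog lines with the client address masked as the poster masked it; the second session is constructed here for contrast and shows what a healthy STARTTLS looks like in the disconnect summary.

```python
"""Triage Postfix smtpd TLS failures by session.

Added example, not from the thread or from Postfix.  Groups log lines by the
smtpd process id (one process serves one session) and classifies each
session's STARTTLS outcome from what smtpd itself logged.
"""
import re
import sys
from dataclasses import dataclass

# Matches "postfix/submission/smtpd[9906]: msg" as well as "postfix/smtpd[123]: msg".
SMTPD_RE = re.compile(r"postfix(?:/\S+)?/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Disconnect summary: "starttls=1" when every attempt succeeded, "starttls=0/1" otherwise.
STARTTLS_RE = re.compile(r"\bstarttls=(?P<ok>\d+)(?:/(?P<tried>\d+))?")

# First session: the loglevel-2 excerpt from the post, one syslog line each.
# Second session (pid 4242, other-gw, mua.example.net): constructed, healthy.
SAMPLE_LOG = [
    "Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: connect from client.domain.org[xx.xx.xx.xx]",
    "Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: setting up TLS connection from client.domain.org[xx.xx.xx.xx]",
    'Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: client.domain.org[xx.xx.xx.xx]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"',
    "Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: SSL_accept:before/accept initialization",
    "Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: SSL_accept:error in SSLv2/v3 read client hello A",
    "Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: SSL_accept error from client.domain.org[xx.xx.xx.xx]: Connection reset by peer",
    "Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: lost connection after STARTTLS from client.domain.org[xx.xx.xx.xx]",
    "Mar 25 21:43:34 w1xsc-gw postfix/submission/smtpd[9906]: disconnect from client.domain.org[xx.xx.xx.xx] ehlo=1 starttls=0/1 commands=1/2",
    "Mar 25 21:50:02 other-gw postfix/submission/smtpd[4242]: connect from mua.example.net[198.51.100.7]",
    "Mar 25 21:50:02 other-gw postfix/submission/smtpd[4242]: setting up TLS connection from mua.example.net[198.51.100.7]",
    "Mar 25 21:50:02 other-gw postfix/submission/smtpd[4242]: Anonymous TLS connection established from mua.example.net[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Mar 25 21:50:03 other-gw postfix/submission/smtpd[4242]: disconnect from mua.example.net[198.51.100.7] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8",
]


@dataclass
class Session:
    pid: str
    client: str = ""
    tls_setup: bool = False         # smtpd replied 220 to STARTTLS and entered SSL_accept
    hello_read_error: bool = False  # SSL_accept failed while reading the ClientHello
    accept_error: str = ""          # text after "SSL_accept error from <client>: "
    starttls_ok: int = 0
    starttls_tried: int = 0


def parse_sessions(lines):
    """Fold syslog lines into per-process Session records."""
    sessions = {}
    for line in lines:
        m = SMTPD_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"], Session(m["pid"]))
        msg = m["msg"]
        if msg.startswith("connect from "):
            s.client = msg[len("connect from "):]
        elif msg.startswith("setting up TLS connection from "):
            s.tls_setup = True
        elif "read client hello" in msg:
            s.hello_read_error = True
        elif msg.startswith("SSL_accept error from "):
            s.accept_error = msg.rsplit(": ", 1)[-1]
        elif msg.startswith("disconnect from "):
            t = STARTTLS_RE.search(msg)
            if t:
                s.starttls_ok = int(t["ok"])
                s.starttls_tried = int(t["tried"] or t["ok"])
    return sessions


def classify(s):
    """Turn one session's evidence into a one-line verdict."""
    if s.starttls_tried == 0:
        return "no STARTTLS attempted"
    if s.starttls_ok == s.starttls_tried:
        return "STARTTLS ok"
    if s.tls_setup and s.hello_read_error and "reset" in s.accept_error.lower():
        # The server had already said 220 and was waiting for the first TLS
        # record; a TCP RST arrived instead.  No TLS data was negotiated, so
        # certificates, protocol versions and ciphers cannot be the cause.
        return "reset before ClientHello"
    if s.accept_error:
        return "handshake failed: " + s.accept_error
    return "STARTTLS failed (no SSL_accept detail; raise smtpd_tls_loglevel)"


def triage(lines):
    """Map pid -> (client, verdict) for every smtpd session in the lines."""
    return {pid: (s.client, classify(s)) for pid, s in parse_sessions(lines).items()}


if __name__ == "__main__":
    # Feed it mail.log on stdin, or run without input to see the sample verdicts.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for pid, (client, verdict) in triage(source).items():
        print(f"smtpd[{pid}] {client}: {verdict}")
```

Note the asymmetry in the post: the server logged "Connection reset by peer" while Thunderbird reported a timeout. Two endpoints disagreeing about how the connection ended is consistent with something in the path tearing it down rather than either end giving up, which is where Viktor's reply below points.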


Re: SSL_accept error on just one of several similar servers

Viktor Dukhovni


> On Mar 26, 2018, at 1:07 AM, Michael Fox <[hidden email]> wrote:
>
> Any idea of what's wrong?  Or how to find out what's wrong?

Most likely a firewall is (mis)configured to block STARTTLS.

--
        Viktor.
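Viktor's hypothesis can be checked from the client side without touching the server. The following is an added example (Python; not from the thread and not Postfix or Thunderbird code) of a probe that walks the plaintext half of the session by hand (banner, EHLO, STARTTLS) and only then begins the TLS handshake, so a failure can be placed precisely. If the banner and EHLO arrive and the server answers 220 to STARTTLS, the TCP path carries plaintext SMTP fine; a reset or timeout at the very next step, the handshake, is then the signature of a device in the path acting on TLS traffic, not a server misconfiguration. A certificate verification failure, by contrast, means the handshake got through the path and the problem is on the server. Port 587 is an assumption (the post names the submission service but not its port), and the hostname is whatever you pass on the command line.

```python
"""Client-side STARTTLS probe that separates transport, SMTP and TLS failures.

Added example, not from the thread.  Run it from the affected client network
against the failing server and against a working one and compare outcomes.
"""
import socket
import ssl
import sys


def parse_reply(buf):
    """Return (code, lines) if buf holds a complete SMTP reply, else None.

    A reply is complete when the last received line is "NNN text" (space after
    the code); continuation lines use "NNN-text".
    """
    if not buf.endswith(b"\r\n"):
        return None
    lines = buf[:-2].decode("ascii", "replace").split("\r\n")
    last = lines[-1]
    if len(last) < 4 or last[3] != " " or not last[:3].isdigit():
        return None
    return int(last[:3]), lines


def read_reply(sock):
    """Read from the socket until a complete SMTP reply has arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("EOF from server before reply completed")
        buf += chunk
        parsed = parse_reply(buf)
        if parsed is not None:
            return parsed


def ehlo_keywords(lines):
    """EHLO keywords (upper-cased) from a 250 reply; the first line is the hostname."""
    return {l[4:].split()[0].upper() for l in lines[1:] if len(l) > 4}


def classify(exc):
    """Map a handshake exception to what it says about where the break is."""
    if isinstance(exc, (ConnectionResetError, BrokenPipeError)):
        return "RESET_DURING_HANDSHAKE"      # RST right after 220: middlebox is the usual suspect
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "TIMEOUT_DURING_HANDSHAKE"    # handshake traffic silently dropped
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "CERT_VERIFY_FAILED"          # handshake reached the server; fix the server
    if isinstance(exc, ssl.SSLEOFError):
        return "EOF_DURING_HANDSHAKE"        # clean close instead of a ServerHello
    if isinstance(exc, ssl.SSLError):
        return "TLS_NEGOTIATION_ERROR"       # real TLS disagreement (versions, ciphers)
    return "OTHER"


def probe(host, port=587, timeout=10.0):
    """Run banner -> EHLO -> STARTTLS -> TLS handshake, recording where it stops."""
    result = {"host": host, "port": port}
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as s:
        code, _ = read_reply(s)
        result["banner"] = code
        if code != 220:
            return result
        s.sendall(b"EHLO probe.invalid\r\n")
        code, lines = read_reply(s)
        result["starttls_offered"] = code == 250 and "STARTTLS" in ehlo_keywords(lines)
        if not result["starttls_offered"]:
            return result
        s.sendall(b"STARTTLS\r\n")
        code, _ = read_reply(s)
        result["starttls_reply"] = code
        if code != 220:
            return result
        try:
            tls = ctx.wrap_socket(s, server_hostname=host)   # ClientHello goes out here
            result["outcome"] = "OK"
            result["tls_version"] = tls.version()
            tls.sendall(b"QUIT\r\n")
        except Exception as exc:  # noqa: BLE001 - we want to classify everything
            result["outcome"] = classify(exc)
            result["error"] = repr(exc)
    return result


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} HOST [PORT]")
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587))
```

Running it from the same client against the failing server and a working one makes the comparison concrete: identical results up to `starttls_reply: 220`, then `RESET_DURING_HANDSHAKE` on one and `OK` on the other, is the firewall case.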


RE: SSL_accept error on just one of several similar servers

Michael Fox
>
> > On Mar 26, 2018, at 1:07 AM, Michael Fox <[hidden email]> wrote:
> >
> > Any idea of what's wrong?  Or how to find out what's wrong?
>
> Most likely a firewall is (mis)configured to block STARTTLS.
>
> --
> Viktor.

You were correct!  The IT guys started filtering by domain name in their
firewall, which interrupted STARTTLS negotiation.

Thanks,
Michael