Strange TLS error when sending mail from one server to my Postfix SMTP server


Strange TLS error when sending mail from one server to my Postfix SMTP server

Sean Son
hello all

We have a RHEL 7 based server running monitoring software consisting of Groundwork Monitoring Software, which includes Nagios, Nedi, and other tools. This server is set up with TLS enabled and it uses a script to send email to any SMTP server that we choose. I have an SMTP server set up with Postfix version 2.10.1. Whenever I try to send mail from the monitoring server to this Postfix-based SMTP server, using TLS, I get the following strange errors in the maillog of the Postfix server:

330448 Dec  7 20:39:21 mailer postfix/smtpd[12238]: connect from unknown[X.X.X.50]
 330449 Dec  7 20:39:21 mailer postfix/smtpd[12238]: C9E03120BCF: client=unknown[X.X.X.50]
 330450 Dec  7 20:39:21 mailer postfix/smtpd[12242]: connect from unknown[X.X.X.75]
 330451 Dec  7 20:39:21 mailer postfix/smtpd[12242]: setting up TLS connection from unknown[ X.X.X.75]
 330452 Dec  7 20:39:21 mailer postfix/smtpd[12242]: unknown[X.X.X.75]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
 330453 Dec  7 20:39:21 mailer postfix/smtpd[12238]: disconnect from unknown[X.X.X.50]
 330454 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:before/accept initialization
 330455 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:SSLv3 read client hello A
 330456 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:SSLv3 write server hello A
 330457 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:SSLv3 write certificate A
 330458 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:SSLv3 write key exchange A
 330459 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:SSLv3 write server done A
 330460 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:SSLv3 flush data
 330461 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:SSLv3 read client certificate A
 330462 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL3 alert read:fatal:unknown CA
 330463 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:failed in SSLv3 read client key exchange A
 330464 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept error from unknown[X.X.X.75]: 0
 330465 Dec  7 20:39:21 mailer postfix/smtpd[12242]: warning: TLS library problem: 12242:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48:
 330466 Dec  7 20:39:21 mailer postfix/smtpd[12242]: lost connection after STARTTLS from unknown[X.X.X.75]
 330467 Dec  7 20:39:21 mailer postfix/smtpd[12242]: disconnect from unknown[X.X.X.75]

I have substituted our IP addresses with X's for security purposes.  Any suggestions on how to fix this issue? It's preventing us from sending mail from the monitoring server to the SMTP Server. The ONLY way I can send the mail is to EXPLICITLY tell the send email script to not use TLS when sending the mail to the SMTP server. 


Thanks

Sean

Re: Strange TLS error when sending mail from one server to my Postfix SMTP server

Viktor Dukhovni
> On Dec 10, 2018, at 6:41 PM, Sean Son <[hidden email]> wrote:
>
> 330462 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL3 alert read:fatal:unknown CA
>  330463 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:failed in SSLv3 read client key exchange A
>  330464 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept error from unknown[X.X.X.75]: 0
>  330465 Dec  7 20:39:21 mailer postfix/smtpd[12242]: warning: TLS library problem: 12242:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48:

The client did not like the server's certificate and hung up.
Configure the client to trust the server's certificate, or get
a new certificate for the server that the client does trust, or
disable authentication on the client side.

--
        Viktor.
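
The diagnosis above rests on the direction of the alert in the log: "alert read" means smtpd received the alert from the remote end. As an added example (not part of any poster's message and not Postfix code), this sketch classifies such lines; the function and field names are assumptions, and the sample is taken from the maillog quoted in this thread with the line-number prefixes dropped.

```python
import re

# Sample input: TLS lines from the maillog quoted in this thread
# (editor line-number prefixes dropped, addresses already masked by the poster).
SAMPLE_LOG = """\
Dec  7 20:39:21 mailer postfix/smtpd[12242]: setting up TLS connection from unknown[X.X.X.75]
Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:SSLv3 write certificate A
Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL3 alert read:fatal:unknown CA
Dec  7 20:39:21 mailer postfix/smtpd[12242]: warning: TLS library problem: 12242:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48:
Dec  7 20:39:21 mailer postfix/smtpd[12242]: lost connection after STARTTLS from unknown[X.X.X.75]
"""

LINE = re.compile(r"postfix/(?P<daemon>smtpd|smtp)\[(?P<pid>\d+)\]: (?P<msg>.*)")
PEER = re.compile(r"setting up TLS connection (?:from|to) (?P<peer>\S+)")
ALERT = re.compile(r"SSL3 alert (?P<dir>read|write):(?P<level>\w+):(?P<desc>.+)")


def classify_alerts(log_text):
    """Return one finding per TLS alert: who sent it and which certificate was not trusted."""
    peers, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        p = PEER.search(msg)
        if p:
            peers[pid] = p["peer"]  # remember which peer this process is talking to
            continue
        a = ALERT.search(msg)
        if not a:
            continue
        # "read": the alert arrived from the remote end; "write": this daemon sent it.
        sender = "remote peer" if a["dir"] == "read" else "local " + m["daemon"]
        untrusted = None
        if a["desc"].strip().lower() == "unknown ca":
            # Whoever sends unknown_ca could not verify the other side's chain.
            untrusted = "local certificate" if a["dir"] == "read" else "peer certificate"
        findings.append({"pid": pid, "peer": peers.get(pid), "sender": sender,
                         "level": a["level"], "alert": a["desc"].strip(),
                         "untrusted": untrusted})
    return findings


if __name__ == "__main__":
    for finding in classify_alerts(SAMPLE_LOG):
        print(finding)
```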


Re: Strange TLS error when sending mail from one server to my Postfix SMTP server

Sean Son


On Mon, Dec 10, 2018 at 6:57 PM Viktor Dukhovni <[hidden email]> wrote:
> On Dec 10, 2018, at 6:41 PM, Sean Son <[hidden email]> wrote:
>
> 330462 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL3 alert read:fatal:unknown CA
>  330463 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept:failed in SSLv3 read client key exchange A
>  330464 Dec  7 20:39:21 mailer postfix/smtpd[12242]: SSL_accept error from unknown[X.X.X.75]: 0
>  330465 Dec  7 20:39:21 mailer postfix/smtpd[12242]: warning: TLS library problem: 12242:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1493:SSL alert number 48:

> The client did not like the server's certificate and hung up.
> Configure the client to trust the server's certificate, or get
> a new certificate for the server that the client does trust, or
> disable authentication on the client side.
>
> --
>         Viktor.



Hello Viktor

Thank you for the reply.  Can the client be configured to trust more than one SSL cert?

Thanks

Re: Strange TLS error when sending mail from one server to my Postfix SMTP server

Viktor Dukhovni
> On Dec 10, 2018, at 8:00 PM, Sean Son <[hidden email]> wrote:
>
> Thank you for the reply.  Can the client be configured to trust more than one SSL cert?

You've told us nothing about the client, so it would be a miracle
if someone on the list could give an answer to that question.

Is the client running Postfix?  What sort of certificate chain
does the server have? ...

This is something you should be able to determine from the client
software documentation, and by checking the server's certificate
chain.

--
        Viktor.


Re: Strange TLS error when sending mail from one server to my Postfix SMTP server

Sean Son


On Mon, Dec 10, 2018 at 9:40 PM Viktor Dukhovni <[hidden email]> wrote:
> On Dec 10, 2018, at 8:00 PM, Sean Son <[hidden email]> wrote:
>
> Thank you for the reply.  Can the client be configured to trust more than one SSL cert?

> You've told us nothing about the client, so it would be a miracle
> if someone on the list could give an answer to that question.
>
> Is the client running Postfix?  What sort of certificate chain
> does the server have? ...
>
> This is something you should be able to determine from the client
> software documentation, and by checking the server's certificate
> chain.
>
> --
>         Viktor.


Hello Viktor

If, by "client", you mean the SMTP server, it is running Postfix. The client server is using a self-signed cert and it is set up to offer STARTTLS to any senders who request TLS. As for the sending server, the monitoring application server that is, it is using a wildcard certificate with a bundled cert containing the intermediate certificate.


Thanks

Re: Strange TLS error when sending mail from one server to my Postfix SMTP server

Matus UHLAR - fantomas
>> > On Dec 10, 2018, at 8:00 PM, Sean Son
>> > <[hidden email]> wrote:
>> >
>> > Thank you for the reply.  Can the client be configured to trust more
>> > than one SSL cert?

Most clients support more than one certificate authority.

>On Mon, Dec 10, 2018 at 9:40 PM Viktor Dukhovni <[hidden email]>
>wrote:
>> You've told us nothing about the client, so it would be a miracle
>> if someone on the list could give an answer to that question.
>>
>> Is the client running Postfix?  What sort of certificate chain
>> does the server have? ...
>>
>> This is something you should be able to determine from the client
>> software documentation, and by checking the server's certificate
>> chain.

On 11.12.18 10:21, Sean Son wrote:
>If, by "client", you mean the SMTP server, it is running Postfix.

No. By "client" people usually mean the one who is connecting to the server.
An SMTP client connects to an SMTP server, etc.

> The client server is using a self signed cert and it is set up to offer
> STARTTLS to any senders who request TLS.

I understand this as "SMTP server of your client"

> As for the sending server, the monitoring application server that is, it
> is using a wild card certificate with a bundled cert containing the
> intermediate certificate.

If your monitoring application sends mail to another server, it's not
important what certificate your monitoring server uses, because it's not
used.

According to your original mail:

>>> This server is set up with TLS enabled and it uses a script to send
>>> email to any SMTP server that we choose.

>>> Whenever I try to send mail from the monitoring
>>> server to this postfix based SMTP server, using TLS, I get the following
>>> strange errors in the maillog of the postfix server:

As I understand it, the script running on your monitoring server [x.x.x.75]
is trying to connect to your client's postfix server and fails.
Such a script must accept the certificate sent by the postfix server.

Another possibility is that the client application uses a mail transfer agent
(MTA, e.g. postfix) installed on your monitoring server which further
passes the mail to your client's SMTP server.  In such a case, this MTA must
accept the certificate of your client's postfix server.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.