TLS library problem: error:140760FC:SSL routines, is it a problem ?

TLS library problem: error:140760FC:SSL routines, is it a problem ?

Voytek
whilst installing/configuring a 2.1 to 3.2.x migration
(using 2.1 main/master on a 3.2 install), noticed these errors:

anything to worry about ?


# grep 'TLS library problem' /var/log/maillog*
/var/log/maillog:Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
/var/log/maillog:Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:
/var/log/maillog-20171224:Dec 21 05:25:49 geko postfix/smtpd[20642]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
/var/log/maillog-20171224:Dec 21 05:25:54 geko postfix/smtpd[20642]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:

# egrep '(error|fatal|panic):' /var/log/maillog
Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:

# egrep '(warning|error|fatal|panic):' /var/log/maillog

returns many lines, seem mainly like this:

Dec 26 11:56:52 geko postfix/smtpd[9572]: warning: hostname zg-1222a-130.stretchoid.com does not resolve to address 45.55.6.96: Name or service not known
Dec 26 12:07:45 geko postfix/smtpd[9758]: warning: unknown[1.195.247.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 26 12:07:54 geko postfix/smtpd[9758]: warning: unknown[1.195.247.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 26 12:08:08 geko postfix/smtpd[9758]: warning: unknown[1.195.247.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6




Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

Viktor Dukhovni


> On Dec 25, 2017, at 8:57 PM, [hidden email] wrote:
>
> anything to worry about ?

Generally no.  There are some SMTP clients that both TLS,
they'll either retry in the clear, or they are likely shoddy
spamware.

> # grep 'TLS library problem' /var/log/maillog*
> /var/log/maillog:Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
> /var/log/maillog:Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:
> /var/log/maillog-20171224:Dec 21 05:25:49 geko postfix/smtpd[20642]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
> /var/log/maillog-20171224:Dec 21 05:25:54 geko postfix/smtpd[20642]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:


Other log messages will show the IP address of the client.  If you weren't
expecting any email from that client, just ignore this.

This of course assumes you've not configured particularly exotic TLS
settings on your end.

--
        Viktor.
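Viktor's hint above (other log lines from the same smtpd process carry the client address) can be automated. The following Python is an added example, not part of the thread: it joins each "TLS library problem" warning to the "connect from name[ip]" line logged by the same smtpd PID and counts failures per client. The log lines are constructed, modelled on the excerpt in the thread; hostname, PIDs and addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log, modelled on the thread's maillog excerpt (hostname,
# PIDs and addresses are made up; 192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Dec 25 08:39:20 mx1 postfix/smtpd[9701]: connect from unknown[192.0.2.10]
Dec 25 08:39:20 mx1 postfix/smtpd[9700]: connect from mail.example.net[192.0.2.77]
Dec 25 08:39:21 mx1 postfix/smtpd[9701]: SSL_accept error from unknown[192.0.2.10]: -1
Dec 25 08:39:21 mx1 postfix/smtpd[9701]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 25 08:39:21 mx1 postfix/smtpd[9701]: disconnect from unknown[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
Dec 25 08:39:22 mx1 postfix/smtpd[9700]: disconnect from mail.example.net[192.0.2.77] ehlo=1 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=6
Dec 25 08:39:23 mx1 postfix/smtpd[9701]: connect from unknown[192.0.2.10]
Dec 25 08:39:24 mx1 postfix/smtpd[9701]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:
Dec 25 08:39:24 mx1 postfix/smtpd[9701]: disconnect from unknown[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
Dec 25 08:40:01 mx1 postfix/smtpd[9702]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
"""

# Only smtpd lines matter; the PID in brackets is the join key.
SMTPD_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(\d+)\]: (.*)$")
CLIENT_RE = re.compile(r"^(connect|disconnect) from \S+\[([^\]]+)\]")
TLS_ERR_RE = re.compile(r"^warning: TLS library problem: error:[0-9A-F]+:SSL routines:[^:]*:([^:]+):")

def attribute_tls_errors(log_text):
    """Return {client_ip: Counter({openssl_reason: count})}.

    The warning carries no peer address, so track the live session per PID
    (set by 'connect from', cleared by 'disconnect from') and charge it there.
    """
    current_client = {}          # pid -> ip of the session in progress
    errors = defaultdict(Counter)
    for line in log_text.splitlines():
        m = SMTPD_RE.match(line)
        if not m:
            continue             # anvil, cleanup, qmgr ... are not sessions
        pid, msg = m.groups()
        c = CLIENT_RE.match(msg)
        if c:
            if c.group(1) == "connect":
                current_client[pid] = c.group(2)
            else:
                current_client.pop(pid, None)   # session over; PID is reused
            continue
        e = TLS_ERR_RE.match(msg)
        if e:
            # No connect seen for this PID (e.g. log rotated mid-session)
            ip = current_client.get(pid, "unknown-client")
            errors[ip][e.group(1)] += 1
    return errors
```

Run against the real file with `attribute_tls_errors(open("/var/log/maillog").read())`; a client that only ever produces handshake failures and never completes a session is the "shoddy spamware" case, while a known sender showing up here points at a TLS interoperability problem worth a closer look.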


Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

Voytek
>> On Dec 25, 2017, at 8:57 PM, [hidden email] wrote:
>>
>> anything to worry about ?
>
> Generally no.  There are some SMTP clients that both TLS,
> they'll either retry in the clear, or they are likely shoddy
> spamware.
> Other log messages will show the IP address of the client.  If you weren't
> expecting any email from that client, just ignore this.


Viktor,

thanks, both were from the same IP address with no hostname

# host 125.212.217.214
Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN)

log shows:

# grep "Dec 25 08:39" /var/log/maillog
Dec 25 08:39:12 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:17 geko postfix/smtpd[9700]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 25 08:39:18 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:19 geko postfix/smtpd[9701]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Dec 25 08:39:19 geko postfix/smtpd[9701]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:19 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:20 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:21 geko postfix/smtpd[9701]: SSL_accept error from unknown[125.212.217.214]: -1
Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 25 08:39:21 geko postfix/smtpd[9701]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:21 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=0/1 commands=1/2
Dec 25 08:39:23 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:23 geko postfix/smtpd[9700]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:23 geko postfix/smtpd[9700]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:24 geko postfix/smtpd[9701]: SSL_accept error from unknown[125.212.217.214]: -1
Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:
Dec 25 08:39:24 geko postfix/smtpd[9701]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:24 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=0/1 commands=1/2
Dec 25 08:39:25 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:26 geko postfix/smtpd[9700]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Dec 25 08:39:27 geko postfix/smtpd[9700]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:27 geko postfix/smtpd[9700]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:28 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:29 geko postfix/smtpd[9701]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 25 08:39:29 geko postfix/smtpd[9701]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:29 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:29 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:30 geko postfix/smtpd[9700]: lost connection after UNKNOWN from unknown[125.212.217.214]
Dec 25 08:39:30 geko postfix/smtpd[9700]: disconnect from unknown[125.212.217.214] unknown=0/1 commands=0/1
Dec 25 08:39:30 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:32 geko postfix/smtpd[9701]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 25 08:39:32 geko postfix/smtpd[9701]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:32 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:36 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:36 geko postfix/smtpd[9700]: lost connection after CONNECT from unknown[125.212.217.214]
Dec 25 08:39:36 geko postfix/smtpd[9700]: disconnect from unknown[125.212.217.214] commands=0/0
Dec 25 08:39:39 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:41 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:41 geko postfix/smtpd[9700]: lost connection after UNKNOWN from unknown[125.212.217.214]
Dec 25 08:39:41 geko postfix/smtpd[9700]: disconnect from unknown[125.212.217.214] unknown=0/2 commands=0/2
Dec 25 08:39:45 geko postfix/smtpd[9701]: lost connection after CONNECT from unknown[125.212.217.214]
Dec 25 08:39:45 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] commands=0/0
Dec 25 08:47:41 geko postfix/anvil[5707]: statistics: max connection rate 11/1800s for (submission:125.212.217.214) at Dec 25 08:39:41
Dec 25 08:47:41 geko postfix/anvil[5707]: statistics: max connection count 2 for (submission:125.212.217.214) at Dec 25 08:39:18





Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

Voytek
In reply to this post by Viktor Dukhovni

>> On Dec 25, 2017, at 8:57 PM, [hidden email] wrote:

> This of course assumes you've not configured particularly exotic TLS
> settings on your end.

Viktor,
thanks again, I hope it's not exotic, not to my knowledge, anyhow:

does that show what it is? suggestions and corrections appreciated

# grep tls main.cf

smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/letsencrypt/live/geko.sbt.net.au/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/geko.sbt.net.au/fullchain.pem
smtpd_tls_session_cache_timeout = 36000s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_random_source = dev:/dev/urandom
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache





Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

Viktor Dukhovni
In reply to this post by Voytek


> On Dec 26, 2017, at 1:34 AM, [hidden email] wrote:
>
>>
>> Generally no.  There are some SMTP clients that both TLS,

        s/both/botch/

Hope that's less confusing.

>> they'll either retry in the clear, or they are likely shoddy
>> spamware.
>> Other log messages will show the IP address of the client.  If you weren't
>> expecting any email from that client, just ignore this.
>
>
> thanks, both were from same no hostname IP address
>
> # host 125.212.217.214
> Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN)

According to "whois" that's an IP address in Vietnam...

--
        Viktor.


Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

Viktor Dukhovni
In reply to this post by Voytek


> On Dec 26, 2017, at 1:39 AM, [hidden email] wrote:

Overall quite standard.  Nothing to worry about.

> smtpd_tls_session_cache_timeout = 36000s

10 hours is perhaps too long to be useful. Just let the default stand.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

With Postfix 2.11 or later, just leave this empty, session tickets work
better.

> smtp_tls_security_level = may
> smtp_tls_note_starttls_offer = yes

The second is not needed.

> smtp_tls_session_cache_timeout = 3600s
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

By way of contrast these are fine.

--
        Viktor.


Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

Voytek
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> With Postfix 2.11 or later, just leave this empty, session tickets work
> better.


Viktor, thanks

does 'leave empty' mean having it present in main.cf up to the '='?
like so?

smtpd_tls_session_cache_database =




Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

Voytek
In reply to this post by Viktor Dukhovni
>> thanks, both were from same no hostname IP address
>>
>> # host 125.212.217.214
>> Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN)
>
> According to "whois" that's an IP address in Vietnam...
>

well, we have about 20+ users located in Bangkok (whilst the server is in
Aus), so I'd guess connections from Vietnam can be routinely expected - but
not from unresolvable hosts; that's denied anyhow in the std restrictions

thanks again,

V