TLS library problem

Mickael Monsieur
Hello,
I have this problem with receiving emails from outside in SSL / TLS.
Can you help me because I have some emails blocked because of it.


Dec  3 09:56:13 mail postfix/smtpd[13307]: warning: 212.35.xxx.xx: hostname 212.35.xxx.xx.xxxxx.xx verification failed: Name or service not known
Dec  3 09:56:13 mail postfix/smtpd[13307]: connect from unknown[212.35.xxx.xx]
Dec  3 09:56:13 mail postfix/smtpd[13307]: SSL_accept error from unknown[212.35.xxx.xx]: 0
Dec  3 09:56:13 mail postfix/smtpd[13307]: warning: TLS library problem: 13307:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1102:SSL alert number 0:
Dec  3 09:56:13 mail postfix/smtpd[13307]: lost connection after STARTTLS from unknown[212.35.xxx.xx]
Dec  3 09:56:13 mail postfix/smtpd[13307]: disconnect from unknown[212.35.xxx.xx]

My OS is: Debian Squeeze
Postfix: 2.7.1-1

Thank you,
Mickael.

Re: TLS library problem

Ralf Hildebrandt
* Mickael MONSIEUR <[hidden email]>:
> Hello,
> I have this problem with receiving emails from outside in SSL / TLS.
> Can you help me because I have some emails blocked because of it.

Where does it show that the mails are being blocked?
 
> Dec  3 09:56:13 mail postfix/smtpd[13307]: warning: 212.35.xxx.xx: hostname 212.35.xxx.xx.xxxxx.xx verification failed: Name or service not known
> Dec  3 09:56:13 mail postfix/smtpd[13307]: connect from unknown[212.35.xxx.xx]
> Dec  3 09:56:13 mail postfix/smtpd[13307]: SSL_accept error from unknown[212.35.xxx.xx]: 0
> Dec  3 09:56:13 mail postfix/smtpd[13307]: warning: TLS library problem: 13307:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1102:SSL alert number 0:
> Dec  3 09:56:13 mail postfix/smtpd[13307]: lost connection after STARTTLS from unknown[212.35.xxx.xx]
> Dec  3 09:56:13 mail postfix/smtpd[13307]: disconnect from unknown[212.35.xxx.xx]

OK, it's an SSL Problem. But since we don't know what 212.35.xxx.xx is
(MTA? MUA?) it's hard to say anything. Also, since you don't say
anything about your server (config and such) it's also really hard.

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  [hidden email] | http://www.charite.de
           

Re: TLS library problem

Mickael Monsieur


2010/12/3 Ralf Hildebrandt <[hidden email]>
> * Mickael MONSIEUR <[hidden email]>:
> > Hello,
> > I have this problem with receiving emails from outside in SSL / TLS.
> > Can you help me because I have some emails blocked because of it.
>
> Where does it show that the mails are being blocked?

They are blocked or rejected, because I do not receive them ...

> > Dec  3 09:56:13 mail postfix/smtpd[13307]: warning: 212.35.xxx.xx: hostname 212.35.xxx.xx.xxxxx.xx verification failed: Name or service not known
> > Dec  3 09:56:13 mail postfix/smtpd[13307]: connect from unknown[212.35.xxx.xx]
> > Dec  3 09:56:13 mail postfix/smtpd[13307]: SSL_accept error from unknown[212.35.xxx.xx]: 0
> > Dec  3 09:56:13 mail postfix/smtpd[13307]: warning: TLS library problem: 13307:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1102:SSL alert number 0:
> > Dec  3 09:56:13 mail postfix/smtpd[13307]: lost connection after STARTTLS from unknown[212.35.xxx.xx]
> > Dec  3 09:56:13 mail postfix/smtpd[13307]: disconnect from unknown[212.35.xxx.xx]
>
> OK, it's an SSL Problem. But since we don't know what 212.35.xxx.xx is
> (MTA? MUA?) it's hard to say anything. Also, since you don't say
> anything about your server (config and such) it's also really hard.

I do not think the SMTP server 212.35.xxx.xx is the problem, because I have the same error with other SMTP servers ...

My OS is: Debian Squeeze
Postfix 2.7.1-1
openssl 0.9.8o-3
libssl0.9.8   0.9.8o-3

BR,
M.

What other config would you like?

> --
> Ralf Hildebrandt



Re: TLS library problem

Ralf Hildebrandt
* Mickael MONSIEUR <[hidden email]>:

> > OK, it's an SSL Problem. But since we don't know what 212.35.xxx.xx is
> > (MTA? MUA?) it's hard to say anything. Also, since you don't say
> > anything about your server (config and such) it's also really hard.
>
> I do not think the SMTP server 212.35.xxx.xx is the problem, because I have the
> same error with other SMTP servers ...
>
> My OS is: Debian Squeeze
> Postfix 2.7.1-1
> openssl 0.9.8o-3
> libssl0.9.8   0.9.8o-3
>
> BR,
> M.
>
> What other config would you like?

Like the mailing list welcome message says:

"postconf -n"
output

--
Ralf Hildebrandt
           

Re: TLS library problem

Mickael Monsieur
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/maps/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
header_checks = regexp:/etc/postfix/maps/header_checks
inet_interfaces = all
mailbox_command = procmail -a "$EXTENSION"
message_size_limit = 25600000
mime_header_checks = regexp:/etc/postfix/maps/mime_header_checks
mydestination = $myhostname, localhost.localdomain, localhost
myhostname = mail.xxxxxx.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/mysql_relay_domains_maps.cf
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname (xxxxxx Postfix SMTP)
smtpd_recipient_restrictions = permit_mynetworks,    permit_sasl_authenticated,    check_client_access hash:/etc/postfix/client_access    check_sender_access hash:/etc/postfix/sender_access,    reject_unauth_destination,    reject_rbl_client zen.spamhaus.org,    reject_rbl_client l1.spews.dnsbl.sorbs.net,    reject_rbl_client combined.njabl.org,    reject_rbl_client bl.spamcop.net,    reject_rhsbl_sender rhsbl.sorbs.net,    reject_rhsbl_client rhsbl.sorbs.net
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql_virtual_alias_alias_maps.cf
virtual_gid_maps = static:107
virtual_mailbox_base = /home/mail/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf, proxy:mysql:/etc/postfix/mysql_virtual_mailbox_alias_maps.cf
virtual_minimum_uid = 106
virtual_transport = virtual
virtual_uid_maps = static:106


2010/12/3 Ralf Hildebrandt <[hidden email]>
> * Mickael MONSIEUR <[hidden email]>:
>
> > > OK, it's an SSL Problem. But since we don't know what 212.35.xxx.xx is
> > > (MTA? MUA?) it's hard to say anything. Also, since you don't say
> > > anything about your server (config and such) it's also really hard.
> >
> > I do not think the SMTP server 212.35.xxx.xx is the problem, because I have the
> > same error with other SMTP servers ...
> >
> > My OS is: Debian Squeeze
> > Postfix 2.7.1-1
> > openssl 0.9.8o-3
> > libssl0.9.8   0.9.8o-3
> >
> > BR,
> > M.
> >
> > What other config would you like?
>
> Like the mailing list welcome message says:
>
> "postconf -n"
> output
>
> --
> Ralf Hildebrandt
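An added example, not part of the thread and not Postfix's own tooling: a small checker that reads the TLS- and AUTH-related lines of the postconf -n listing above and flags what matters when diagnosing a failed STARTTLS handshake. The parameter names are current Postfix ones; the excerpt is constructed from the posted listing.

```python
# Constructed excerpt: the TLS- and AUTH-related lines of the "postconf -n" listing above,
# in the form this checker reads.
POSTCONF_EXCERPT = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_CAfile = /etc/postfix/tls/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/tls/smtpd.crt
smtpd_tls_key_file = /etc/postfix/tls/smtpd.key
smtpd_use_tls = yes
"""

def parse_postconf(text):
    """Turn 'name = value' lines into a dict (postconf -n prints one parameter per line)."""
    conf = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            conf[name.strip()] = value.strip()
    return conf

def review_smtpd_tls(conf):
    """Return (parameter, finding) pairs about inbound TLS policy and diagnosability."""
    findings = []
    if "smtpd_tls_security_level" not in conf:
        if conf.get("smtpd_use_tls", "no") == "yes":
            findings.append(("smtpd_use_tls", "legacy switch; Postfix 2.3 and later express "
                             "opportunistic TLS as smtpd_tls_security_level = may"))
        else:
            findings.append(("smtpd_tls_security_level", "inbound TLS is not enabled"))
    loglevel = conf.get("smtpd_tls_loglevel", "0")
    if not loglevel.isdigit() or int(loglevel) < 1:
        findings.append(("smtpd_tls_loglevel", "0 leaves only the library error in the log; "
                         "1 adds a handshake summary, 2 the negotiation steps"))
    if conf.get("smtpd_tls_auth_only") == "yes" and conf.get("smtpd_sasl_auth_enable") == "yes":
        findings.append(("smtpd_tls_auth_only", "AUTH is offered only after STARTTLS, so a "
                         "client that aborts the handshake can never authenticate"))
    return findings
```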



Re: TLS library problem

Victor Duchovni
On Fri, Dec 03, 2010 at 10:12:07AM +0100, Mickael MONSIEUR wrote:

> I have this problem with receiving emails from outside in SSL / TLS.
> Can you help me because I have some emails blocked because of it.

The messages are not "blocked", rather the SMTP client fails to establish
a TLS handshake with your server, and in some cases may be configured
to only send TLS. Mandatory SMTP TLS is not terribly practical except
by *mutual* agreement between the sending and receiving organizations.

Have you negotiated a mandatory TLS policy with any sites?

> Dec  3 09:56:13 mail postfix/smtpd[13307]: connect from
> unknown[212.35.xxx.xx]

Why does this IP address not reverse-resolve? Is this really an MTA
sending you legitimate email?

> Dec  3 09:56:13 mail postfix/smtpd[13307]: SSL_accept error from
> unknown[212.35.xxx.xx]: 0
> Dec  3 09:56:13 mail postfix/smtpd[13307]: warning: TLS library problem:
> error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1102:
> SSL alert number 0:

The remote SSL client sends "alert 0" which according to

    http://tools.ietf.org/html/rfc2246#section-7.2

is a "close_notify" alert. So the remote client called the equivalent of
SSL_shutdown() in the middle of the SSL handshake. Perhaps the client was
"unimpressed" by your server's X509 certificate, or it is just buggy.

> Dec  3 09:56:13 mail postfix/smtpd[13307]: lost connection after STARTTLS
> from unknown[212.35.xxx.xx]

The connection is lost. Your server does nothing to "block" this client.

--
        Viktor.
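As an added example (not from the thread), a small Python triage over smtpd log lines like the ones above: it decodes the "SSL alert number" into its RFC 2246 alert name, flags clients without reverse DNS, and states the likely cause the way the reply does. It generalizes the thread's close_notify case to the certificate-related alerts; the sample log lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict

# TLS alert descriptions from RFC 2246 section 7.2 (the ones seen on STARTTLS failures).
TLS_ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
              45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
              70: "protocol_version", 80: "internal_error", 90: "user_canceled"}
SMTPD_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CLIENT_RE = re.compile(r"from (\S+)\[([^\]]+)\]")   # hostname is "unknown" when rDNS fails
ALERT_RE = re.compile(r"SSL alert number (\d+)")

def triage(lines):
    """Group lines by smtpd pid (fine for a short slice; a pid serves later clients too)
    and return one finding per session that failed at or after STARTTLS."""
    sessions = defaultdict(lambda: {"client": ("unknown", "?"), "alert": None, "failed": False})
    for m in filter(None, map(SMTPD_RE.search, lines)):
        pid, msg = m.groups()
        s = sessions[pid]
        if c := CLIENT_RE.search(msg):
            s["client"] = c.groups()
        if a := ALERT_RE.search(msg):
            s["alert"] = int(a.group(1))
        if "SSL_accept error" in msg or "lost connection after STARTTLS" in msg:
            s["failed"] = True
    findings = []
    for pid, s in sessions.items():
        if not s["failed"]:
            continue
        if s["alert"] == 0:   # the thread's case: the client hung up mid-handshake
            verdict = "client sent close_notify during the handshake: it rejected our certificate, or is buggy"
        elif s["alert"] in (42, 45, 46, 48):
            verdict = "client rejected the server certificate chain"
        else:
            verdict = "handshake failed; raise smtpd_tls_loglevel to see why"
        hostname, ip = s["client"]
        findings.append({"pid": pid, "ip": ip, "no_rdns": hostname == "unknown",
                         "alert": TLS_ALERTS.get(s["alert"], "none decoded"), "verdict": verdict})
    return findings

# Constructed sample shaped like the thread's log (RFC 5737 documentation addresses, not real hosts).
SAMPLE = """\
Dec  3 09:56:13 mail postfix/smtpd[13307]: connect from unknown[203.0.113.7]
Dec  3 09:56:13 mail postfix/smtpd[13307]: SSL_accept error from unknown[203.0.113.7]: 0
Dec  3 09:56:13 mail postfix/smtpd[13307]: warning: TLS library problem: 13307:error:140943E8:SSL routines:SSL3_READ_BYTES:reason(1000):s3_pkt.c:1102:SSL alert number 0:
Dec  3 09:56:13 mail postfix/smtpd[13307]: lost connection after STARTTLS from unknown[203.0.113.7]
Dec  3 09:57:01 mail postfix/smtpd[13310]: connect from mx.example.net[198.51.100.9]
Dec  3 09:57:01 mail postfix/smtpd[13310]: warning: TLS library problem: 13310:error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:s3_pkt.c:1102:SSL alert number 48:
Dec  3 09:57:01 mail postfix/smtpd[13310]: lost connection after STARTTLS from mx.example.net[198.51.100.9]
Dec  3 09:58:30 mail postfix/smtpd[13312]: connect from relay.example.org[192.0.2.5]
""".splitlines()
```

Running `triage(SAMPLE)` yields two findings: the close_notify session from a client with no reverse DNS, and an unknown_ca rejection from a named host; the third session never failed and is skipped.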

Re: TLS library problem

Ralf Hildebrandt
* Victor Duchovni <[hidden email]>:

> The remote SSL client sends "alert 0" which according to
>
>     http://tools.ietf.org/html/rfc2246#section-7.2
>
> is a "close_notify" alert. So the remote client called the equivalent of
> SSL_shutdown() in the middle of the SSL handshake. Perhaps the client was
> "unimpressed" by your server's X509 certificate, or it is just buggy.

This happens if the client doesn't like the certificate, because it is
not signed by a trusted CA.

Which machine is it, so we can have a look with s_client?

--
Ralf Hildebrandt
           

Re: TLS library problem

Victor Duchovni
On Fri, Dec 03, 2010 at 07:09:05PM +0100, Ralf Hildebrandt wrote:

> * Victor Duchovni <[hidden email]>:
>
> > The remote SSL client sends "alert 0" which according to
> >
> >     http://tools.ietf.org/html/rfc2246#section-7.2
> >
> > is a "close_notify" alert. So the remote client called the equivalent of
> > SSL_shutdown() in the middle of the SSL handshake. Perhaps the client was
> > "unimpressed" by your server's X509 certificate, or it is just buggy.
>
> This happens if the client doesn't like the certificate, because it is
> not signed by a trusted CA.

This is a reasonably plausible conjecture, but not yet a fact.

> Which machine is it, so we can have a look with s_client?

More importantly, the OP has said nothing useful about the nature of the
relationship between the sending and receiving systems.

    - Are they an MUA and an MSA, with the client (MUA) configured
      to combine STARTTLS and AUTH (ideally on port 587)? What host
      is the client expecting to connect to and does the server certificate
      match (trusted chain and matching CN) this hostname to the client's
      satisfaction?

    - Are they a pair of MTAs, with a bilateral mandatory TLS policy?
      Details of the expected security level and certificate policy?

    - Other? Please explain...

--
        Viktor.

Re: TLS library problem

Ralf Hildebrandt
* Victor Duchovni <[hidden email]>:

> > This happens if the client doesn't like the certificate, because it is
> > not signed by a trusted CA.
>
> This is a reasonably plausible conjecture, but not yet a fact.

Yup.

> > Which machine is it, so we can have a look with s_client?
>
> More importantly, the OP has said nothing useful about the nature of
> relationship between the sending and receiving systems.

Indeed!

>     - Are they an MUA and an MSA, with the client (MUA) configured
>       to combine STARTTLS and AUTH (ideally on port 587)? What host
>       is the client expecting to connect to and does the server certificate
>       match (trusted chain and matching CN) this hostname to the client's
>       satisfaction?

I wonder if Postfix can log the smtpd port.

--
Ralf Hildebrandt
           