warning: TLS library problem - messages in log


warning: TLS library problem - messages in log

Dominic Raferd
I have always received a number of warning messages (from
postfix/smtpd) stating 'TLS library problem' in my mail logs and I
think they are always followed by a dropped incoming connection. I
have hitherto assumed that they reflect a badly-configured (probably
spamming) foreign client/host, but the messages could be read as
implying an internal problem on my mailserver. Which is true?

The details of the reported error messages over the recent period can
be summarised thus:

$ grep -a "warning: TLS library problem" /var/log/mail.log.1 /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
     12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
     11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
     10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
      2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1239:

Should I be concerned about these messages?

Re: warning: TLS library problem - messages in log

Poliman - Serwis
I have almost the same logs. Some time ago I asked people on this mailing list. They said that somebody tries to connect to your server but he can't because of the too old SSL he uses. You can ignore it.

2018-04-27 8:22 GMT+02:00 Dominic Raferd <[hidden email]>:
> I have always received a number of warning messages (from
> postfix/smtpd) stating 'TLS library problem' in my mail logs and I
> think they are always followed by a dropped incoming connection. I
> have hitherto assumed that they reflect a badly-configured (probably
> spamming) foreign client/host, but the messages could be read as
> implying an internal problem on my mailserver. Which is true?
>
> The details of the reported error messages over the recent period can
> be summarised thus:
>
> $ grep -a "warning: TLS library problem" /var/log/mail.log.1 /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
>      12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
>      11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
>      10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
>       2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1239:
>
> Should I be concerned about these messages?



--
Best Regards
Piotr Bracha

Re: warning: TLS library problem - messages in log

Dominic Raferd
On 27 April 2018 at 08:57, Poliman - Serwis <[hidden email]> wrote:

> 2018-04-27 8:22 GMT+02:00 Dominic Raferd <[hidden email]>:
>>
>> I have always received a number of warning messages (from
>> postfix/smtpd) stating 'TLS library problem' in my mail logs and I
>> think they are always followed by a dropped incoming connection. I
>> have hitherto assumed that they reflect a badly-configured (probably
>> spamming) foreign client/host, but the messages could be read as
>> implying an internal problem on my mailserver. Which is true?
>>
>> The details of the reported error messages over the recent period can
>> be summarised thus:
>>
>> $ grep -a "warning: TLS library problem" /var/log/mail.log.1
>> /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
>>      12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>> number:s3_pkt.c:362:
>>      11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong
>> version number:s3_srvr.c:960:
>>      10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
>> protocol:s23_srvr.c:640:
>>       2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse
>> tlsext:s3_srvr.c:1239:
>>
>> Should I be concerned about these messages?
> I have almost the same logs. Some time ago I asked people on this mailing list.
> They said that somebody tries to connect to your server but he can't because
> of the too old SSL he uses. You can ignore it.


Thanks for your reply. In the absence of comments to the contrary I
take that as canonical. I still think the TLS library problem warning
message is confusing, but at least I can stop worrying about it.

Re: warning: TLS library problem - messages in log

Viktor Dukhovni


> On Apr 27, 2018, at 2:22 AM, Dominic Raferd <[hidden email]> wrote:
>
> $ grep -a "warning: TLS library problem" /var/log/mail.log.1
> /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
>     12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:362:
>     11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong
> version number:s3_srvr.c:960:
>     10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
> protocol:s23_srvr.c:640:
>      2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse
> tlsext:s3_srvr.c:1239:
>
> Should I be concerned about these messages?

To know the answer you need to consider which clients are running into
this, and whether:

  * These clients are just network scanners and never send email
  * Are spammers and would send email if they could, but you're happy for them to fail
  * Are legitimate email senders, and fall back to cleartext.  In which case
    you'd perhaps rather they use TLS, and should investigate further.
  * Are legitimate email senders, and don't fall back to cleartext (you don't
    see a message in the clear from them shortly after each TLS failure).
    In which case you're losing some email and really should investigate.

The errors broadly suggest use of unsupported TLS protocol versions or
unsupported TLS features, or simply malformed handshake messages.  That
would be expected from scanners, but can also happen if you're configured
too strictly, for example, to exclude everything below TLSv1.2.

So if you want to be sure, you'll need to do some further log analysis,
and perhaps collect some PCAP files with full packet captures for any
clients or netblocks that exhibit the symptoms repeatedly.

--
        Viktor.


Re: warning: TLS library problem - messages in log

Dominic Raferd
On 27 April 2018 at 17:17, Viktor Dukhovni <[hidden email]> wrote:

>
>
>> On Apr 27, 2018, at 2:22 AM, Dominic Raferd <[hidden email]> wrote:
>>
>> $ grep -a "warning: TLS library problem" /var/log/mail.log.1
>> /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
>>     12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
>> number:s3_pkt.c:362:
>>     11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong
>> version number:s3_srvr.c:960:
>>     10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
>> protocol:s23_srvr.c:640:
>>      2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse
>> tlsext:s3_srvr.c:1239:
>>
>> Should I be concerned about these messages?
>
> To know the answer you need to consider which clients are running into
> this, and whether:
>
>   * These clients are just network scanners and never send email
>   * Are spammers and would send email if they could, but you're happy for them to fail
>   * Are legitimate email senders, and fall back to cleartext.  In which case
>     you'd perhaps rather they use TLS, and should investigate further.
>   * Are legitimate email senders, and don't fall back to cleartext (you don't
>     see a message in the clear from them shortly after each TLS failure).
>     In which case you're losing some email and really should investigate.
>
> The errors broadly suggest use of unsupported TLS protocol versions or
> unsupported TLS features, or simply malformed handshake messages.  That
> would be expected from scanners, but can also happen if you're configured
> too strictly, for example, to exclude everything below TLSv1.2.
>
> So if you want to be sure, you'll need to do some further log analysis,
> and perhaps collect some PCAP files with full packet captures for any
> clients or netblocks that exhibit the symptoms repeatedly.

Thanks Viktor for that very clear explanation. I will start using
(something like) this for monitoring my logs:

sed -n '/SSL_accept error/{N;/warning: TLS library problem/{s/.* from \([^:]*\).*/\1/;/unknown\[/d;/shodan\.io\[/d;p}}' /var/log/mail.log

So far I have one genuine sender that is failing TLS, but upon
checking I see that it falls back to cleartext.

Re: warning: TLS library problem - messages in log

Viktor Dukhovni


> On Apr 28, 2018, at 3:40 AM, Dominic Raferd <[hidden email]> wrote:
>
> So far I have one genuine sender that is failing TLS, but upon
> checking I see that it falls back to cleartext.

It'd be interesting to know why that particular sender is having
trouble.  Can you provide more detail?

Some senders have SMTP client implementations that refuse to complete
a STARTTLS handshake when they can't verify the server's certificate
chain, but are then willing to send in the clear.  The logic of
downgrading from unauthenticated encryption to unauthenticated cleartext
rather escapes me. :-)

  http://postfix.1071664.n5.nabble.com/Another-yahoo-problem-tp89756p89769.html


--
        Viktor.


Re: warning: TLS library problem - messages in log

Dominic Raferd
On 28 April 2018 at 15:43, Viktor Dukhovni <[hidden email]> wrote:

>
>
>> On Apr 28, 2018, at 3:40 AM, Dominic Raferd <[hidden email]> wrote:
>>
>> So far I have one genuine sender that is failing TLS, but upon
>> checking I see that it falls back to cleartext.
>
> It'd be interesting to know why that particular sender is having
> trouble.  Can you provide more detail?
>
> Some senders have SMTP client implementations that refuse to complete
> a STARTTLS handshake when they can't verify the server's certificate
> chain, but are then willing to send in the clear.  The logic of
> downgrading from unauthenticated encryption to unauthenticated cleartext
> rather escapes me. :-)
>
>   http://postfix.1071664.n5.nabble.com/Another-yahoo-problem-tp89756p89769.html

Here are the relevant log entries:
2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: connect from smtp1.finarea.ch[77.72.174.188]
2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: SSL_accept error from smtp1.finarea.ch[77.72.174.188]: -1
2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: lost connection after STARTTLS from smtp1.finarea.ch[77.72.174.188]
2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: disconnect from smtp1.finarea.ch[77.72.174.188] ehlo=1 starttls=0/1 commands=1/2
2018-03-26 00:29:23 ourdomain postfix/smtpd[6043]: connect from smtp1.finarea.ch[77.72.174.188]
2018-03-26 00:29:23 ourdomain postfix/smtpd[6043]: 884A860167: client=smtp1.finarea.ch[77.72.174.188]
2018-03-26 00:29:23 ourdomain postfix/cleanup[6091]: 884A860167: message-id=<[hidden email]>
2018-03-26 00:29:23 ourdomain opendmarc[1566]: 884A860167: SPF(mailfrom): [hidden email] fail
2018-03-26 00:29:23 ourdomain postfix/smtpd[6043]: disconnect from smtp1.finarea.ch[77.72.174.188] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
...continues to successful delivery...

I've now found similar fall-backs for atlas.net.tr (Turkish service
provider) - same TLS problem 'error:1408A10B:SSL
routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:'. I
guess that (in both cases) this is because the incoming client is old
and can't offer better security than SSL3 - which we reject.

My TLS settings are pretty standard:
# postconf -n|grep smtpd_tls|grep -v _file
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
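Viktor's categories above and the log excerpt in this message lend themselves to a small correlation script, added here as an example (not code from the thread or from Postfix): it reads postfix/smtpd lines in the excerpt's format, ties each 'SSL_accept error' to the same client's next accepted message within a time window, and reports whether the client fell back to cleartext, succeeded over TLS on a retry, or delivered nothing. The sample log, host names and addresses are constructed, and the per-session counters on the disconnect line (starttls=0/1, data=1) are assumed to be present as in the excerpt.

```python
"""Correlate Postfix smtpd TLS handshake failures with what each client did next.
Added example, not from the thread; SAMPLE_LOG is constructed (RFC 5737 addresses)."""
import re
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (.*)$")
ERR_RE = re.compile(r"^SSL_accept error from (\S+): ")
DISC_RE = re.compile(r"^disconnect from (\S+) (.*)$")
WINDOW = timedelta(minutes=10)  # how long a follow-up session may trail the failure

SAMPLE_LOG = """\
2018-03-26 00:29:22 mx postfix/smtpd[6043]: SSL_accept error from mail.example.net[192.0.2.10]: -1
2018-03-26 00:29:22 mx postfix/smtpd[6043]: disconnect from mail.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
2018-03-26 00:29:23 mx postfix/smtpd[6043]: disconnect from mail.example.net[192.0.2.10] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2018-03-26 01:10:00 mx postfix/smtpd[6050]: SSL_accept error from unknown[198.51.100.7]: -1
2018-03-26 01:10:00 mx postfix/smtpd[6050]: disconnect from unknown[198.51.100.7] ehlo=1 starttls=0/1 commands=1/2
2018-03-26 02:00:00 mx postfix/smtpd[6060]: SSL_accept error from relay.example.org[203.0.113.5]: -1
2018-03-26 02:00:00 mx postfix/smtpd[6060]: disconnect from relay.example.org[203.0.113.5] ehlo=1 starttls=0/1 commands=1/2
2018-03-26 02:00:05 mx postfix/smtpd[6060]: disconnect from relay.example.org[203.0.113.5] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

def parse_smtpd(log_text):
    """Yield (timestamp, message) for every postfix/smtpd line; skip other daemons."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)

def classify_clients(log_text, window=WINDOW):
    """Map each client with an 'SSL_accept error' to (category, failure count): it later
    delivered in cleartext, over TLS on a retry, or nothing (scanner, or lost mail)."""
    failures, sessions = {}, {}
    for ts, msg in parse_smtpd(log_text):
        m = ERR_RE.match(msg)
        if m:
            failures.setdefault(m.group(1), []).append(ts)
            continue
        m = DISC_RE.match(msg)
        if m and re.search(r"\bdata=[1-9]", m.group(2)):  # a message was accepted
            tls = re.search(r"\bstarttls=(\d+)", m.group(2))  # "1" = ok, "0/1" = failed
            sessions.setdefault(m.group(1), []).append((ts, bool(tls and int(tls.group(1)) > 0)))
    report = {}
    for client, fails in failures.items():
        later = [tls for f in fails for ts, tls in sessions.get(client, []) if f <= ts <= f + window]
        if later and not all(later):
            category = "fell back to cleartext"
        elif later:
            category = "delivered over TLS on retry"
        else:
            category = "no delivery after TLS failure: investigate"
        report[client] = (category, len(fails))
    return report

if __name__ == "__main__":
    for client, (category, n) in sorted(classify_clients(SAMPLE_LOG).items()):
        print(f"{client:40s} failures={n}  {category}")
```

Run it against a real mail.log by passing the file contents to classify_clients; clients in the last category are the ones worth a packet capture.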

Re: warning: TLS library problem - messages in log

@lbutlr
On 29 Apr 2018, at 01:18, Dominic Raferd <[hidden email]> wrote:
> I've now found similar fall-backs for atlas.net.tr (Turkish service
> provider) - same TLS problem 'error:1408A10B:SSL
> routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:'. I
> guess that (in both cases) this is because the incoming client is old
> and can't offer better security than SSL3 - which we reject.


Are you expecting legit mail from these sources? Are you requiring encryption on port 25 (this is a bad idea).

My take on SSL3 (or lower) is that these are attempts to force an unsafe exploitable encryption and that these are not connections from legitimate mail servers. YMMV.

It appears that Swiss domain uses Google for their email:

finarea.ch. 21599 IN MX 20 alt2.aspmx.l.google.com.
finarea.ch. 21599 IN MX 30 aspmx2.googlemail.com.
finarea.ch. 21599 IN MX 30 aspmx3.googlemail.com.
finarea.ch. 21599 IN MX 30 aspmx4.googlemail.com.
finarea.ch. 21599 IN MX 30 aspmx5.googlemail.com.
finarea.ch. 21599 IN MX 10 aspmx.l.google.com.
finarea.ch. 21599 IN MX 20 alt1.aspmx.l.google.com.
finarea.ch. 21599 IN TXT "v=spf1 include:aspmx.googlemail.com a:spf.finarea.ch ~all"


So the smtp1 looks suspicious.


--
Moving into the universe
And she's drifting this way and that
Not touching the ground at all
And she's up above the yard

Re: warning: TLS library problem - messages in log

Viktor Dukhovni


> On Apr 29, 2018, at 3:28 AM, @lbutlr <[hidden email]> wrote:
>
> It appears that Swiss domain uses Google for their email:
>
> finarea.ch. 21599 IN MX 20 alt2.aspmx.l.google.com.
> finarea.ch. 21599 IN MX 30 aspmx2.googlemail.com.
> finarea.ch. 21599 IN MX 30 aspmx3.googlemail.com.
> finarea.ch. 21599 IN MX 30 aspmx4.googlemail.com.
> finarea.ch. 21599 IN MX 30 aspmx5.googlemail.com.
> finarea.ch. 21599 IN MX 10 aspmx.l.google.com.
> finarea.ch. 21599 IN MX 20 alt1.aspmx.l.google.com.
> finarea.ch. 21599 IN TXT "v=spf1 include:aspmx.googlemail.com a:spf.finarea.ch ~all"
>
>
> So the smtp1 looks suspicious.

No. Fairly typical.

--
        Viktor.


Re: warning: TLS library problem - messages in log

Dominic Raferd
On 29 April 2018 at 08:35, Viktor Dukhovni <[hidden email]> wrote:

>
>
>> On Apr 29, 2018, at 3:28 AM, @lbutlr <[hidden email]> wrote:
>>
>> It appears that Swiss domain uses Google for their email:
>>
>> finarea.ch.           21599   IN      MX      20 alt2.aspmx.l.google.com.
>> finarea.ch.           21599   IN      MX      30 aspmx2.googlemail.com.
>> finarea.ch.           21599   IN      MX      30 aspmx3.googlemail.com.
>> finarea.ch.           21599   IN      MX      30 aspmx4.googlemail.com.
>> finarea.ch.           21599   IN      MX      30 aspmx5.googlemail.com.
>> finarea.ch.           21599   IN      MX      10 aspmx.l.google.com.
>> finarea.ch.           21599   IN      MX      20 alt1.aspmx.l.google.com.
>> finarea.ch.           21599   IN      TXT     "v=spf1 include:aspmx.googlemail.com a:spf.finarea.ch ~all"
>>
>>
>> So the smtp1 looks suspicious.
>
> No. Fairly typical.

This is a genuine and expected sender (VoIP provider). I am less sure
about atlas.net.tr, but it is probably genuine and expected by
recipient too. Unwanted ones I have not bothered to report here.

I don't require encryption on port 25: smtpd_tls_security_level = may

Re: warning: TLS library problem - messages in log

Viktor Dukhovni


> On Apr 29, 2018, at 3:37 AM, Dominic Raferd <[hidden email]> wrote:
>
> This is a genuine and expected sender (VoIP provider). I am less sure
> about atlas.net.tr, but it is probably genuine and expected by
> recipient too. Unwanted ones I have not bothered to report here.
>
> I don't require encryption on port 25: smtpd_tls_security_level = may

If you have time to look into this further, you need full-packet
capture PCAP files.

  # set -- 192.0.2.1 192.0.2.2 # season to taste
  # filter=; for ip
    do
      [ -n "$filter" ] && filter="$filter or "
      filter="${filter}tcp host $ip"
    done
  # tcpdump -s0 -w /var/tmp/tls.pcap $filter

--
        Viktor.


Re: warning: TLS library problem - messages in log

Dominic Raferd
On 29 April 2018 at 16:57, Viktor Dukhovni <[hidden email]> wrote:

>
>
>> On Apr 29, 2018, at 3:37 AM, Dominic Raferd <[hidden email]> wrote:
>>
>> This is a genuine and expected sender (VoIP provider). I am less sure
>> about atlas.net.tr, but it is probably genuine and expected by
>> recipient too. Unwanted ones I have not bothered to report here.
>>
>> I don't require encryption on port 25: smtpd_tls_security_level = may
>
> If you have time to look into this further, you need full-packet
> capture PCAP files.
>
>   # set -- 192.0.2.1 192.0.2.2 # season to taste
>   # filter=; for ip
>     do
>       [ -n "$filter" ] && filter="$filter or "
>       filter="${filter}tcp host $ip"
>     done
>   # tcpdump -s0 -w /var/tmp/tls.pcap $filter

Thanks Viktor, I will bear this in mind for the future. But even if
(with your help) I could determine exactly what the problem was for
these two senders I think there is zero chance they would be
interested in hearing from me about it.

Re: warning: TLS library problem - messages in log

Viktor Dukhovni


> On Apr 29, 2018, at 12:06 PM, Dominic Raferd <[hidden email]> wrote:
>
>
> Thanks Viktor, I will bear this in mind for the future. But even if
> (with your help) I could determine exactly what the problem was for
> these two senders I think there is zero chance they would be
> interested in hearing from me about it.

The effort might be primarily to make sure that there's not an
unexpected problem in the SSL software or settings on your side.

--
        Viktor.