
Postfix/TLS unknown protocol error


Igor Khomyakov

Apr 7, 2015, 4:55:38 AM
Hi,

I've turned on TLS in postfix and I've started getting an error from the sans.org mail server:

SSL_accept error from mass1a.sans.org[66.35.59.243]: -1
warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:

I've got a valid SSL certificate. The server passed checktls.com test successfully.

I have no clue what is going wrong. Please find all details at the end of the email.


I'm using Ubuntu 14.04.02 with postfix 2.11.0-1ubuntu1

Debug log:
< mass1a.sans.org[66.35.59.243]: EHLO mass1a.sans.org
match_list_match: mass1a.sans.org: no match
match_list_match: 66.35.59.243: no match
> mass1a.sans.org[66.35.59.243]: 250-mail.domain.tld
> mass1a.sans.org[66.35.59.243]: 250-PIPELINING
> mass1a.sans.org[66.35.59.243]: 250-SIZE 10240000
> mass1a.sans.org[66.35.59.243]: 250-VRFY
> mass1a.sans.org[66.35.59.243]: 250-ETRN
> mass1a.sans.org[66.35.59.243]: 250-STARTTLS
> mass1a.sans.org[66.35.59.243]: 250-ENHANCEDSTATUSCODES
> mass1a.sans.org[66.35.59.243]: 250-8BITMIME
> mass1a.sans.org[66.35.59.243]: 250 DSN
watchdog_pat: 0x7f5fe36d1ec0
< mass1a.sans.org[66.35.59.243]: STARTTLS
match_hostname: mass1a.sans.org ~? 127.0.0.0/8
match_hostaddr: 66.35.59.243 ~? 127.0.0.0/8
match_list_match: mass1a.sans.org: no match
match_list_match: 66.35.59.243: no match
send attr request = newtls_status
send attr ident = smtp:66.35.59.243
private/anvil: wanted attribute: status
input attribute name: status
input attribute value: 0
private/anvil: wanted attribute: rate
input attribute name: rate
input attribute value: 0
private/anvil: wanted attribute: (list terminator)
input attribute name: (end)
> mass1a.sans.org[66.35.59.243]: 220 2.0.0 Ready to start TLS
send attr request = seed
send attr size = 32
private/tlsmgr: wanted attribute: status
input attribute name: status
input attribute value: 0
private/tlsmgr: wanted attribute: seed
input attribute name: seed
input attribute value: aVv0wBLrbK8LGhBxb6O8mQRlyPut8FHOJoRbXODv+jI=
private/tlsmgr: wanted attribute: (list terminator)
input attribute name: (end)
SSL_accept error from mass1a.sans.org[66.35.59.243]: -1
warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:

main.cf
myhostname = mail.domain.tld
myorigin = $myhostname
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
biff = no
append_dot_mydomain = no
smtpd_use_tls = yes
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt
smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
debug_peer_list = mass1a.sans.org
smtpd_tls_auth_only = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_use_tls = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt
smtp_tls_key_file = /etc/ssl/private/mail.domain.tld.key
smtp_tls_security_level = may
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_ciphers = medium
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
tls_random_source = dev:/dev/urandom
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = $myhostname, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
home_mailbox = Maildir/
mailbox_command =
default_transport = smtp
relay_transport = smtp
inet_protocols = ipv4
virtual_alias_maps = hash:/etc/postfix/virtual_aliases
virtual_alias_domains = domain.tld
receive_override_options = no_unknown_recipient_checks,no_header_body_checks,no_milters
smtpd_client_connection_count_limit = 2
smtpd_client_connection_rate_limit = 10
smtpd_client_event_limit_exceptions = 127.0.0.0/8
smtpd_client_message_rate_limit = 10
smtpd_client_new_tls_session_rate_limit = 10
smtpd_data_restrictions = reject_unauth_pipelining
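An added example, not part of the original post: a small Python helper that resolves a Postfix smtpd_tls_protocols value (include/exclude syntax as in the main.cf above) into the protocol versions left enabled, and pairs each SSL_accept error in a Postfix debug log with the OpenSSL reason line that follows it. The log excerpt is a constructed copy of the relevant lines from the post; the protocol name list assumes the OpenSSL 1.0.x era of Postfix 2.11 (no TLSv1.3).

```python
import re

# Constructed excerpt of the debug log from the post above.
SAMPLE_LOG = """\
< mass1a.sans.org[66.35.59.243]: STARTTLS
> mass1a.sans.org[66.35.59.243]: 220 2.0.0 Ready to start TLS
SSL_accept error from mass1a.sans.org[66.35.59.243]: -1
warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:
"""

# Assumption: protocol names an OpenSSL 1.0.x build of Postfix 2.11 knows about.
KNOWN_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def enabled_protocols(value):
    """Resolve a smtpd_tls_protocols / smtp_tls_protocols value to the enabled versions.

    Postfix syntax: names prefixed with '!' are excluded; if any name appears
    without '!', only those names are included (minus any exclusions).
    """
    items = [t for t in re.split(r"[,\s]+", value) if t]
    excluded = {t[1:] for t in items if t.startswith("!")}
    included = {t for t in items if not t.startswith("!")}
    base = included if included else set(KNOWN_PROTOCOLS)
    return [p for p in KNOWN_PROTOCOLS if p in base and p not in excluded]


ERROR_RE = re.compile(
    r"SSL_accept error from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<rc>-?\d+)")
TLS_LIB_RE = re.compile(
    r"TLS library problem: error:(?P<code>[0-9A-Fa-f]+):SSL routines:"
    r"(?P<func>[^:]+):(?P<reason>[^:]+):")


def handshake_failures(log_text):
    """Return one dict per SSL_accept error, with the OpenSSL reason that follows it.

    Postfix logs the library reason on the line after the SSL_accept error,
    so the two are paired by order of appearance.
    """
    failures, pending = [], None
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            pending = {"host": m["host"], "ip": m["ip"], "func": None, "reason": None}
            failures.append(pending)
            continue
        m = TLS_LIB_RE.search(line)
        if m and pending is not None:
            pending["func"], pending["reason"] = m["func"], m["reason"]
            pending = None
    return failures
```

With the post's setting, enabled_protocols("!SSLv2,!SSLv3,!TLSv1,!TLSv1.1") leaves only TLSv1.2, which is a useful first thing to confirm when a peer fails at the client hello.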