
SSL alert number 42 in logs


Jaime Fuentes - Ditecal

Jan 30, 2014, 6:23:28 AM1/30/14
Hello group,

I am implementing a mail server using postfix + dbmail. I recently configured STARTTLS and I found these lines in my /var/log/mail.log:

Jan 29 19:59:56 correo2 postfix/smtpd[3384]: warning: TLS library problem: 3384:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1108:SSL alert number 42:
Jan 29 20:03:42 correo2 postfix/smtpd[3495]: warning: TLS library problem: 3495:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1108:SSL alert number 42:

I don't know what these lines mean, because when I probe the connection with the command:
openssl s_client -connect mx10.losbichos.com:25 -starttls smtp
there is no error; I get this answer to the command:

CONNECTED(00000003)
...
...
certificate details
...
...
    Start Time: 1391078882
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN


and these lines appear in /var/log/mail.log:
Jan 30 11:47:38 correo2 postfix/smtpd[21340]: Anonymous TLS connection established from unknown[10.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
I generated my certificates with these commands:
openssl genrsa -des3 -out my-ca.key 2048
openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt
openssl x509 -in my-ca.crt -text -noout
cat my-ca.crt my-ca.key > my-ca.pem
openssl verify my-ca.pem
openssl req -new -nodes -keyout smtp-key.pem -out smtp-req.pem -days 365
openssl req -in smtp-req.pem -noout -text
openssl req -in smtp-req.pem -noout -verify -key smtp-key.pem
openssl x509 -req -out smtp.pem -in  smtp-req.pem -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 365
I moved these files to my postfix folder and assigned the following permissions:
cp smtp.pem smtp-key.pem my-ca.crt /etc/postfix
chmod 644 /etc/postfix/smtp.pem /etc/postfix/my-ca.crt
chmod 400 /etc/postfix/smtp-key.pem
I paste here my config file /etc/postfix/main.cf:

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no


# TLS parameters

smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_use_tls=yes

smtpd_tls_CAfile = /etc/postfix/tls/my-ca.crt
smtpd_tls_cert_file = /etc/postfix/tls/smtp.pem
smtpd_tls_key_file = /etc/postfix/tls/smtp-key.pem

smtpd_tls_received_header = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_random_source = dev:/dev/urandom
smtpd_tls_security_level = may

#smtpd_enforce_tls=no
smtpd_tls_loglevel=1
# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = correo2
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
mydestination = correo2, localhost.localdomain, localhost, ditecal.es
relayhost =
#mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mynetworks =0.0.0.0
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = ipv4

local_recipient_maps = proxy:mysql:/etc/postfix/sql-recipients.cf

mailbox_transport = dbmail-lmtp:localhost:24
virtual_transport = dbmail-lmtp:localhost:24
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql-virtual_mailbox_maps.cf
#virtual_alias_maps = proxy:mysql:/etc/postfix/sql-virtual_mailbox_maps.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql-virtual_mailbox_domains.$
virtual_transport = dbmail-lmtp:localhost:24
#local_transport = dbmail-lmtp:
Any idea? Thanks in advance.

Viktor Dukhovni

Jan 30, 2014, 10:25:19 AM1/30/14
On Thu, Jan 30, 2014 at 12:23:28PM +0100, Jaime Fuentes - Ditecal wrote:

> I am implementing a Mail Server using postfix + dbmail. I recently
> configured STARTTLS and I found that lines on my */var/log/mail.log*
>
> Jan 29 19:59:56 correo2 postfix/smtpd[3384]: warning: TLS library
> problem: 3384:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate:s3_pkt.c:1108:SSL alert number 42:
> Jan 29 20:03:42 correo2 postfix/smtpd[3495]: warning: TLS library
> problem: 3495:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
> alert bad certificate:s3_pkt.c:1108:SSL alert number 42:

There is nothing wrong with your server, it is just reporting the
fatal alert from the remote client. SSL/TLS alerts are reports of
problems from the remote SSL/TLS peer.

You've left out essential context. What are the other log entries
for "postfix/smtpd[3384]" and/or "postfix/smtpd[3495]" directly
before and after the warnings above?

> I don't know what mean this lines, because when I probe the
> connection with the command:

They mean that the remote SMTP client was for some reason unhappy
with your certificate. Perhaps some MUA, expecting certificates
from a "trusted" CA, is failing to authenticate your self-signed
server certificate.

You need to find out what client was connecting to the Postfix SMTP
server to cause these messages. Perhaps also check for further
connections from the same IP address and look at those...

--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Jaime Fuentes - Ditecal

Jan 30, 2014, 12:10:45 PM1/30/14
First, thanks for your quick answer.

That's true, I took only these lines from my log file.

I paste here the log from another connection attempt:

Jan 30 18:04:31 correo1 dbmail/imap4d[14702]: Message:[serverchild]
serverchild.c,PerformChildTask(+349): incoming connection from
[10.0.0.1] by pid [14702]
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: connect from unknown[10.0.0.1]
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: setting up TLS connection
from unknown[10.0.0.1]
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: Anonymous TLS connection
established from unknown[10.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA
(256/256 bits)
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: warning: TLS library
problem: 20693:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert
bad certificate:s3_pkt.c:1108:SSL alert number 42:
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: lost connection after
STARTTLS from unknown[10.0.0.1]
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: disconnect from
unknown[10.0.0.1]

I connect to the server using Mozilla Thunderbird.

Thanks again.

> On Thu, Jan 30, 2014 at 12:23:28PM +0100, Jaime Fuentes - Ditecal wrote:
>
>> I am implementing a Mail Server using postfix + dbmail. I recently
>> configured STARTTLS and I found that lines on my */var/log/mail.log*
>>
>> Jan 29 19:59:56 correo2 postfix/smtpd[3384]: warning: TLS library
>> problem: 3384:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
>> alert bad certificate:s3_pkt.c:1108:SSL alert number 42:
>> Jan 29 20:03:42 correo2 postfix/smtpd[3495]: warning: TLS library
>> problem: 3495:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3
>> alert bad certificate:s3_pkt.c:1108:SSL alert number 42:
> There is nothing wrong with your server, it is just reporting the
> fatal alert from the remote client. SSL/TLS alerts are reports of
> problems from the remote SSL/TLS peer.
>
> You've left out essential context. What are the other log entries
> for "postfix/smtpd[3384]" and/or "postfix/smtpd[3495]" directly
> before and after the warnings above?
>
>> I don't know what mean this lines, because when I probe the
>> connection with the command:
> They mean that the remote SMTP client was for some reason unhappy
> with your certificate. Perhaps some MUA, expecting certificates
> from a "trusted" CA, is failing to authenticate your self-signed
> server certificate.
>
> You need to find out what client was connecting to the Postfix SMTP
> server to cause these messages. Perhaps also check for further
> connections from the same IP address and look at those...
>

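The context Viktor asked for is easiest to read when the smtpd lines are grouped by process id, so that each client connection becomes one session and the alert warning is seen in sequence with the "connect", "TLS connection established" and "lost connection" lines around it. The script below is an added example and not part of this thread or of Postfix; it assumes the smtpd log line format shown in the posts above and the OpenSSL 1.0.x error-code packing (8-bit library, 12-bit function, 12-bit reason, with SSL alert reasons encoded as 1000 plus the TLS alert number, which is how error:14094412 carries alert 42). The sample input is the session posted above, re-joined onto one line each, plus a second, healthy session that is constructed here for contrast.

```python
import re
from collections import defaultdict

# TLS AlertDescription values from RFC 5246 section 7.2 (the ones a mail
# server is likely to see; anything else is reported as "unknown").
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}

# Sample input (constructed): the smtpd[20693] session from the post above,
# one line per event, followed by a made-up session that completes normally.
SAMPLE_LOG = """\
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: connect from unknown[10.0.0.1]
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: setting up TLS connection from unknown[10.0.0.1]
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: Anonymous TLS connection established from unknown[10.0.0.1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: warning: TLS library problem: 20693:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1108:SSL alert number 42:
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: lost connection after STARTTLS from unknown[10.0.0.1]
Jan 30 18:04:44 correo1 postfix/smtpd[20693]: disconnect from unknown[10.0.0.1]
Jan 30 18:05:10 correo1 postfix/smtpd[20701]: connect from mail.example.org[192.0.2.10]
Jan 30 18:05:10 correo1 postfix/smtpd[20701]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Jan 30 18:05:11 correo1 postfix/smtpd[20701]: disconnect from mail.example.org[192.0.2.10]
"""

SMTPD_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ALERT_RE = re.compile(r"SSL alert number (\d+)")
OSSL_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
CLIENT_RE = re.compile(r"from (\S+\[[^\]]*\])")


def openssl_alert_from_code(code_hex):
    """Recover the TLS alert number from an OpenSSL 1.0.x packed error code.
    The low 12 bits are the reason; SSL alert reasons are 1000 + alert number
    (assumption about the packing, see lead-in). Returns None for other reasons."""
    reason = int(code_hex, 16) & 0xFFF
    return reason - 1000 if reason >= 1000 else None


def group_sessions(log_text):
    """Collect smtpd messages per process id, preserving log order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = SMTPD_RE.match(line)
        if m:
            sessions[m.group("pid")].append(m.group("msg"))
    return sessions


def analyze(log_text):
    """Return one finding per SSL alert warning, with the session context."""
    findings = []
    for pid, msgs in group_sessions(log_text).items():
        client, established = None, False
        for i, msg in enumerate(msgs):
            cm = CLIENT_RE.search(msg)
            if cm and client is None:
                client = cm.group(1)           # first "from host[ip]" seen
            if "TLS connection established" in msg:
                established = True
            am = ALERT_RE.search(msg)
            if not am:
                continue
            num = int(am.group(1))
            om = OSSL_RE.search(msg)
            findings.append({
                "pid": pid,
                "client": client,
                "alert": num,
                "name": TLS_ALERTS.get(num, "unknown"),
                # alert arrived after the handshake finished: the peer
                # completed TLS and then rejected what it saw
                "after_tls_established": established,
                # the packed OpenSSL code agrees with the logged alert number
                "code_matches": om is not None and openssl_alert_from_code(om.group(1)) == num,
                # the peer closed the connection after sending the alert
                "lost_connection": any("lost connection" in m for m in msgs[i + 1:]),
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"smtpd[{f['pid']}] client {f['client']}: alert {f['alert']} ({f['name']}), "
              f"after TLS established={f['after_tls_established']}, "
              f"client dropped connection={f['lost_connection']}")
```

Run against a real /var/log/mail.log, the report shows which client address sends the alert and whether it does so after the handshake completed, which is the pattern of a client that finished TLS and then refused the server certificate; a healthy session like smtpd[20701] produces no finding.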

Viktor Dukhovni

Jan 30, 2014, 1:31:59 PM1/30/14
On Thu, Jan 30, 2014 at 06:10:45PM +0100, Jaime Fuentes - Ditecal wrote:

> I connect to the server using Mozilla Thunderbird.

Then you need to configure Mozilla to accept your server certificate
or get a new one that it does accept.

> >They mean that the remote SMTP client was for some reason unhappy
> >with your certificate. Perhaps some MUA, expecting certificates
> >from a "trusted" CA, is failing to authenticate your self-signed
> >server certificate.

What I said.

--
Viktor.

Stephan Soulayrol

Nov 25, 2022, 9:35:36 AM11/25/22
Hello,
I have exactly the same problem. My postfix configuration is right and I use the MUA Thunderbird. @Jaime Fuentes: Did you solve this problem... 8 years ago ;-)!?
Note: I have already installed my CA in the Windows 10 client (trusted CA).
Thanks a lot if you read this post.
Stephan.