On Wed, Jun 17, 2009 at 02:51:10PM -0700, Kyle Hamilton wrote: > This isn't really an OpenSSL issue, and I'd suggest asking for help > from people who are more familiar with postfix. However...
That's what I told him on the Postfix-users list, but he chose to come here anyway, despite my best efforts. http://archives.neohapsis.com/archives/postfix/2009-06/0560.html > > The log says that none of the names matched: Irrelevant. This name matching is something else entirely (Postfix mynetworks, and similar lookups). > I would view this as a postfix ACL configuration issue, since it's > denying access from your IP. No. > > (Also: TCP FIN means that the connection was closed by close(), not by > killing the process such as what happens with a segfault or a rebooted > system. This in turn means that the problem is in the software, not > the network.) The OP should return to the Postfix users list AFTER working with the owner of the sending system to find out why they drop the connection immediately after sending "STARTLS" and receiving a "220" from Postfix: ... SMTP up to and including EHLO req/resp ... TCP: sepaip2.webish.nl(34538) -> helmwijk.xs4all.nl(25) Seq 1570587417.(10) ACK 2723884545 PUSH 0.0934 (0.0180) C>S --------------------------------------------------------------- STARTTLS --------------------------------------------------------------- TCP: helmwijk.xs4all.nl(25) -> sepaip2.webish.nl(34538) Seq 2723884545.(30) ACK 1570587427 PUSH 0.0935 (0.0001) S>C --------------------------------------------------------------- 220 2.0.0 Ready to start TLS --------------------------------------------------------------- TCP: sepaip2.webish.nl(34538) -> helmwijk.xs4all.nl(25) Seq 1570587427.(0) ACK 2723884575 FIN 1 0.1111 (0.0176) C>S TCP FIN TCP: helmwijk.xs4all.nl(25) -> sepaip2.webish.nl(34538) Seq 2723884575.(0) ACK 1570587428 FIN 1 0.1117 (0.0005) S>C TCP FIN TCP: sepaip2.webish.nl(34538) -> helmwijk.xs4all.nl(25) Seq 1570587428.(0) ACK 2723884576 The client drops the TCP connection without sending an SSL HELO, of any kind and before receiving any other traffic from the server. This is a client-side issue, with either the client software broken/misconfigured, or an unhappy firewall in between. Because ZERO actual SSL protocol messages are exchanged, if there is an SSL library problem it is entirely in the client session initialization code. The OP is operating the server, and so has no questions, related to the SSL-library or protocol, to ask here. -- Viktor. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
