On Tue, Mar 17, 2026 at 07:13:11AM +0100, Ralf Hildebrandt via Postfix-users wrote:

> meyer-koering.de won't accept mail anymore (since we made TLS mandatory)
> 
> # posttls-finger -L debug meyer-koering.de
> posttls-finger: initializing the client-side TLS engine
> posttls-finger: Connected to mail.berlin.mkvdp.de[195.50.138.59]:25
> posttls-finger: < 220 mail.berlin.mkvdp.de - system ready
> posttls-finger: > EHLO mail-cvk.charite.de
> posttls-finger: < 250-mail.berlin.mkvdp.de welcome
> posttls-finger: < 250-DSN
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-X-ANONYMOUSTLS
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250 SIZE
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> posttls-finger: setting up TLS connection to mail.berlin.mkvdp.de[195.50.138.59]:25
> posttls-finger: mail.berlin.mkvdp.de[195.50.138.59]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH:!aNULL"
> posttls-finger: SSL_connect:before SSL initialization
> posttls-finger: SSL_connect:SSLv3/TLS write client hello
> posttls-finger: SSL_connect:error in SSLv3/TLS write client hello
> posttls-finger: SSL_connect error to mail.berlin.mkvdp.de[195.50.138.59]:25: lost connection
> 
> What would typically cause "error in SSLv3/TLS write client hello"?
> I mean, I can't fix that but it would be nice to know...

The remote end closes the TCP socket, for reasons best known to them;
neither TLS 1.2 nor TLS 1.3 Client Hello requests get through.
And even (with some effort) TLSv1.0 also fails.  A "tshark" decode
shows:

    1   0.000000 128.9.29.254 → 195.50.138.59 TCP 74 52872 → 25 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 SACK_PERM TSval=3981074185 TSecr=0 WS=128
    2   0.156385 195.50.138.59 → 128.9.29.254 TCP 74 25 → 52872 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=256 SACK_PERM TSval=3149461 TSecr=3981074185
    3   0.156434 128.9.29.254 → 195.50.138.59 TCP 66 52872 → 25 [ACK] Seq=1 Ack=1 Win=64256 Len=0 TSval=3981074341 TSecr=3149461
    4   0.313228 195.50.138.59 → 128.9.29.254 SMTP 107 S: 220 mail.berlin.mkvdp.de - system ready
    5   0.313262 128.9.29.254 → 195.50.138.59 TCP 66 52872 → 25 [ACK] Seq=1 Ack=42 Win=64256 Len=0 TSval=3981074498 TSecr=3149618
    6   0.313464 128.9.29.254 → 195.50.138.59 SMTP 97 C: EHLO dnssec-stats.ant.isi.edu
    7   0.470580 195.50.138.59 → 128.9.29.254 SMTP 192 S: 250-mail.berlin.mkvdp.de welcome | DSN | ENHANCEDSTATUSCODES | X-ANONYMOUSTLS | STARTTLS | 8BITMIME | SIZE
    8   0.470807 128.9.29.254 → 195.50.138.59 SMTP 76 C: STARTTLS
    9   0.626457 195.50.138.59 → 128.9.29.254 SMTP 96 S: 220 2.0.0 Ready to start TLS
   10   0.627543 128.9.29.254 → 195.50.138.59 TLSv1.2 583 Client Hello
   11   0.783413 195.50.138.59 → 128.9.29.254 TCP 66 25 → 52872 [ACK] Seq=198 Ack=559 Win=2097920 Len=0 TSval=3149931 TSecr=3981074812

    Above, the server has ACKed the TLS Client Hello.

   12   0.800216 195.50.138.59 → 128.9.29.254 TCP 66 25 → 52872 [FIN, ACK] Seq=198 Ack=559 Win=2097408 Len=0 TSval=3149931 TSecr=3981074812
   13   0.800499 128.9.29.254 → 195.50.138.59 TCP 66 52872 → 25 [FIN, ACK] Seq=559 Ack=199 Win=64256 Len=0 TSval=3981074985 TSecr=3149931
   14   0.971838 195.50.138.59 → 128.9.29.254 TCP 66 25 → 52872 [ACK] Seq=199 Ack=560 Win=2097408 Len=0 TSval=3150129 TSecr=3981074985

    And then immediately tears down the connection.

So, you'd have to ask the operator of that server; nothing at the
network layer reveals **why** they drop the connection after TLS Client
Hello.

-- 
    Viktor.  🇺🇦 Слава Україні!
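As an added example (not code from the thread or from Postfix), the check below automates the reading of the capture in the reply above: it parses tshark one-line summaries, locates the Client Hello, and reports whether the server answered with a Server Hello, a TLS alert, a RST, or, as here, a bare FIN after the TCP ACK. The first trace is the reply's own frames 8-12 unwrapped; the second, healthy trace is constructed.

```python
import re

# Constructed sample: frames 8-12 of the reply's capture, one tshark summary line per packet.
TRACE_FIN_AFTER_HELLO = """\
    8   0.470807 128.9.29.254 → 195.50.138.59 SMTP 76 C: STARTTLS
    9   0.626457 195.50.138.59 → 128.9.29.254 SMTP 96 S: 220 2.0.0 Ready to start TLS
   10   0.627543 128.9.29.254 → 195.50.138.59 TLSv1.2 583 Client Hello
   11   0.783413 195.50.138.59 → 128.9.29.254 TCP 66 25 → 52872 [ACK] Seq=198 Ack=559 Win=2097920 Len=0
   12   0.800216 195.50.138.59 → 128.9.29.254 TCP 66 25 → 52872 [FIN, ACK] Seq=198 Ack=559 Win=2097408 Len=0
"""
# Constructed (hypothetical) healthy counterpart: the server answers the Client Hello.
TRACE_SERVER_HELLO = """\
   10   0.627543 128.9.29.254 → 195.50.138.59 TLSv1.2 583 Client Hello
   11   0.783413 195.50.138.59 → 128.9.29.254 TLSv1.2 1514 Server Hello, Certificate, Server Hello Done
"""
# tshark default summary columns: frame, time, src, arrow, dst, protocol, length, info
LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+[\d.]+\s+(?P<src>\S+)\s+(?:→|->)\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)\s+\d+\s+(?P<info>.*)$"
)

def parse_summary(trace):
    """Parse tshark one-line summaries into dicts; non-matching lines are ignored."""
    return [dict(m.groupdict(), frame=int(m["frame"]))
            for m in map(LINE_RE.match, trace.splitlines()) if m]

def diagnose_client_hello(trace):
    """Report what the server did after the first TLS Client Hello in the trace."""
    packets = parse_summary(trace)
    hello = next((p for p in packets if p["proto"].startswith("TLS")
                  and p["info"].startswith("Client Hello")), None)
    if hello is None:
        return {"hello_frame": None, "acked": False, "verdict": "no_client_hello"}
    result = {"hello_frame": hello["frame"], "acked": False, "verdict": "no_server_reply"}
    for p in packets:
        # Only packets after the Client Hello, flowing from the server back to the client.
        if p["frame"] <= hello["frame"] or (p["src"], p["dst"]) != (hello["dst"], hello["src"]):
            continue
        if p["proto"].startswith("TLS"):
            result["verdict"] = "tls_alert" if "Alert" in p["info"] else "server_hello"
            return result
        if p["proto"] == "TCP":
            flags = p["info"].split("]")[0]  # the "[FIN, ACK" part of the summary
            if "RST" in flags or "FIN" in flags:
                # Bare close with no Server Hello and no alert record: the thread's case.
                result["verdict"] = ("rst" if "RST" in flags else "fin") + "_after_hello"
                return result
            result["acked"] = result["acked"] or "ACK" in flags
    return result
```

A verdict of `fin_after_hello` with `acked` set is exactly the situation in the capture: the peer received the Client Hello and then closed without any TLS alert, so the trace alone cannot say why.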