Scott Haneda:
> On Jul 12, 2009, at 1:07 PM, Wietse Venema wrote:
> 
> > Scott Haneda:
> >> Thanks for the estimation.  Comparing a working transaction with one
> >> that does not work, shows no difference.  The one part I need even
> >> more debug log data, only states "start tls" and then "failure".  I
> >> somehow need to get to the data that happens between those two log
> >> lines.
> >
> > OpenSSL does not like what the proxy sends. To find out where the
> > proxy errs, you will need to go beyond logfiles, and look at the
> > data that is actually sent over the wire.
> >
> > As Tsutomu once said, tcpdump is your friend (*).
> 
> Where is the best place to run tcpdump from, the proxy machine, or the  
> postfix machine?

OpenSSL on YOUR machine complains, so you need to find out what
OpenSSL on YOUR machine receives.

> Could you suggest a tcpdump command that would help  
> me with this?  I imagine, as long as tcpdump is instructed to send out  
> something that is human readable, I can compare a packet dump of a  
> working case, and a failing case, and look for the differences.

http://www.postfix.org/DEBUG_README.html has suggestions. And no,
the output is not human-readable, as tcpdump has limited understanding,
if any, of SMTP and TLS.

> > For example one mistake is to send STARTTLS in a network packet
> > that also contains the first portion of the TLS handshake. The
> > proxy should send STARTTLS, wait for a positive server reply, and
> > then it should send the TLS handshake.
> 
> Thanks.  Can you make any estimations as to why some sending servers  
> have no issue, and others fail?

That is exactly how buggy systems work. There is a region called
"normal" where things appear to work error-free, and then there is
a much larger region called "not normal" where things break in
unexpected ways.

        Wietse
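As an added illustration of the STARTTLS mistake Wietse describes (example code, not from the thread or from Postfix): a small Python check over a client/server exchange reassembled from a tcpdump capture, which reports whether the client's TLS ClientHello was sent in the same segment as STARTTLS or before the server's 220 reply. Hostnames and the truncated ClientHello bytes are constructed sample data.

```python
# Added example, not from the thread: audit a reassembled SMTP exchange
# for the STARTTLS pipelining mistake. All sample data below is constructed.
STARTTLS_CMD = b"STARTTLS\r\n"
TLS_HANDSHAKE_PREFIX = b"\x16\x03"   # TLS record: content type 22, version 3.x

def audit_starttls(conversation):
    """conversation: list of (direction, payload) in wire order, direction
    'C' (client->server) or 'S' (server->client), payload = one TCP segment.
    Returns 'ok' when the client waits for 220 before its ClientHello,
    otherwise a string naming the first offending segment."""
    state = "plain"   # plain -> sent_starttls -> ready
    for n, (direction, payload) in enumerate(conversation):
        if direction == "C":
            if state == "plain":
                idx = payload.upper().find(STARTTLS_CMD)
                if idx < 0:
                    continue                     # ordinary SMTP command
                rest = payload[idx + len(STARTTLS_CMD):]
                if rest.startswith(TLS_HANDSHAKE_PREFIX):
                    return f"segment {n}: TLS ClientHello in the same segment as STARTTLS"
                if rest:
                    return f"segment {n}: unexpected bytes after STARTTLS: {rest[:8]!r}"
                state = "sent_starttls"
            elif state == "sent_starttls":
                if payload.startswith(TLS_HANDSHAKE_PREFIX):
                    return f"segment {n}: TLS ClientHello sent before the server's 220 reply"
                return f"segment {n}: unexpected client data before server reply"
            else:  # ready: the server said 220, so TLS may start now
                if payload.startswith(TLS_HANDSHAKE_PREFIX):
                    return "ok"
                return f"segment {n}: expected TLS ClientHello, got {payload[:8]!r}"
        elif state == "sent_starttls":
            if payload.startswith(b"220"):
                state = "ready"                  # positive reply received
            else:
                return f"segment {n}: server refused STARTTLS: {payload.strip()!r}"
    return "incomplete: no TLS handshake observed"

# Constructed sample exchanges (ClientHello truncated to its first bytes).
CLIENT_HELLO = b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x03"
PRELUDE = [("S", b"220 mx.example.test ESMTP\r\n"),
           ("C", b"EHLO proxy.example.test\r\n"),
           ("S", b"250-mx.example.test\r\n250 STARTTLS\r\n")]
GOOD_EXCHANGE = PRELUDE + [("C", STARTTLS_CMD),
                           ("S", b"220 2.0.0 Ready to start TLS\r\n"),
                           ("C", CLIENT_HELLO)]
# The buggy proxy: STARTTLS and the ClientHello share one segment.
PIPELINED_EXCHANGE = PRELUDE + [("C", STARTTLS_CMD + CLIENT_HELLO),
                                ("S", b"220 2.0.0 Ready to start TLS\r\n")]
```

The direction and payload tuples are what one would reconstruct from `tcpdump -X` output on the Postfix side, since that is the machine whose OpenSSL sees the bytes.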
