Hi,

I have a postfix set-up with TLS activated. Outlook 2010 and Thunderbird can send any e-mail just fine. Openssl -connect <servername> -starttls smtp returned no error either. The thing is I'm trying to check my SSL configuration using this tool: http://www.networking4all.com/en/support/tools/site+check/report/ and while it can validate my certificate just fine, it says that it can't establish a secure connection. I inspected my maillog and this is what I get:

maillog:

Aug 31 21:01:42 johndoe postfix/smtpd[10223]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:42 johndoe postfix/smtpd[10223]: NOQUEUE: reject: CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1 <s097.networking4all.com[213.249.64.242]>: Client host rejected: Access denied; proto=SMTP
Aug 31 21:01:43 johndoe postfix/smtpd[10223]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:43 johndoe postfix/smtpd[10223]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: SSL_accept error from s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: lost connection after CONNECT from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: NOQUEUE: reject: CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1 <s097.networking4all.com[213.249.64.242]>: Client host rejected: Access denied; proto=SMTP
Aug 31 21:01:53 johndoe postfix/smtpd[10223]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:54 johndoe postfix/smtpd[10223]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: NOQUEUE: reject: CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1 <s097.networking4all.com[213.249.64.242]>: Client host rejected: Access denied; proto=SMTP
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: SSL_accept error from s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: warning: TLS library problem: 10223:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1221:
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: lost connection after CONNECT from s097.networking4all.com[213.249.64.242]
Aug 31 21:01:55 johndoe postfix/smtpd[10223]: disconnect from s097.networking4all.com[213.249.64.242]

So I added

smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes

This is what I get in the maillog:

Aug 31 21:38:01 johndoe postfix/smtpd[16200]: initializing the server-side TLS engine
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: setting up TLS connection from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: s097.networking4all.com[213.249.64.242]: TLS cipher list "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:before/accept initialization
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read client hello B
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write server hello A
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write certificate A
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write key exchange A
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write server done A
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 flush data
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read client key exchange A
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read finished A
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write change cipher spec A
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write finished A
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 flush data
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: Anonymous TLS connection established from s097.networking4all.com[213.249.64.242]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: NOQUEUE: reject: CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1 <s097.networking4all.com[213.249.64.242]>: Client host rejected: Access denied; proto=SMTP
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: setting up TLS connection from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: s097.networking4all.com[213.249.64.242]: TLS cipher list "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: SSL_accept:before/accept initialization
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept error from s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: lost connection after CONNECT from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: setting up TLS connection from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: s097.networking4all.com[213.249.64.242]: TLS cipher list "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:before/accept initialization
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read client hello B
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write server hello A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write key exchange A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write server done A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 flush data
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read client key exchange A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read finished A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write change cipher spec A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write finished A
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 flush data
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: Anonymous TLS connection established from s097.networking4all.com[213.249.64.242]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: NOQUEUE: reject: CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1 <s097.networking4all.com[213.249.64.242]>: Client host rejected: Access denied; proto=SMTP
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: setting up TLS connection from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: s097.networking4all.com[213.249.64.242]: TLS cipher list "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:before/accept initialization
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read client hello B
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write server hello A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write key exchange A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write server done A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 flush data
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read client key exchange A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 read finished A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write change cipher spec A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 write finished A
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: SSL_accept:SSLv3 flush data
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: Anonymous TLS connection established from s097.networking4all.com[213.249.64.242]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: NOQUEUE: reject: CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1 <s097.networking4all.com[213.249.64.242]>: Client host rejected: Access denied; proto=SMTP
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: setting up TLS connection from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: s097.networking4all.com[213.249.64.242]: TLS cipher list "ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH"
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: SSL_accept:before/accept initialization
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: SSL3 alert write:fatal:handshake failure
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: SSL_accept:error in SSLv3 read client hello C
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: SSL_accept error from s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: warning: TLS library problem: 16200:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1221:
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: lost connection after CONNECT from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:41:34 johndoe postfix/anvil[16203]: statistics: max connection rate 3/60s for (smtps:213.249.64.242) at Aug 31 21:38:13
Aug 31 21:41:34 johndoe postfix/anvil[16203]: statistics: max connection count 1 for (smtps:213.249.64.242) at Aug 31 21:38:02
Aug 31 21:41:34 johndoe postfix/anvil[16203]: statistics: max cache size 1 at Aug 31 21:38:02

FYI in main.cnf

smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = medium
smtp_tls_protocols = !SSLv2, !SSLv3

running postfix 2.84 on CentOS 6

So anyone got any insight?
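
Added example, not part of the original post: a small Python parser that groups smtpd log lines like the ones above into one record per connect/disconnect session and reports the TLS outcome of each probe. The sample input is abridged from the post's log; the record field names and the "failed: unspecified" label are choices made for this example.

```python
import re

# Sample input: abridged from the smtpd_tls_loglevel = 2 log in the post above.
SAMPLE_LOG = """\
Aug 31 21:38:01 johndoe postfix/smtpd[16200]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: Anonymous TLS connection established from s097.networking4all.com[213.249.64.242]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: NOQUEUE: reject: CONNECT from s097.networking4all.com[213.249.64.242]: 554 5.7.1 <s097.networking4all.com[213.249.64.242]>: Client host rejected: Access denied; proto=SMTP
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:02 johndoe postfix/smtpd[16200]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: SSL_accept error from s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:12 johndoe postfix/smtpd[16200]: Anonymous TLS connection established from s097.networking4all.com[213.249.64.242]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug 31 21:38:13 johndoe postfix/smtpd[16200]: disconnect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: connect from s097.networking4all.com[213.249.64.242]
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: SSL_accept error from s097.networking4all.com[213.249.64.242]: -1
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: warning: TLS library problem: 16200:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1221:
Aug 31 21:38:14 johndoe postfix/smtpd[16200]: disconnect from s097.networking4all.com[213.249.64.242]
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CIPHER = re.compile(r"TLS connection established from \S+ (\S+) with cipher (\S+)")
LIBERR = re.compile(r"TLS library problem: \d+:error:[0-9A-F]+:[^:]*:[^:]*:([^:]*):")

def summarize(log_text):
    """Return one record per smtpd session (closed by 'disconnect from'), in log order."""
    live, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        # One open session per smtpd process id; created on the first line seen for it.
        s = live.setdefault(pid, {"outcome": "no-tls", "cipher": None, "anon_kx": False, "rejected": False})
        c, e = CIPHER.search(msg), LIBERR.search(msg)
        if c:  # anon_kx: anonymous DH suite (OpenSSL names ADH-*/AECDH-*), no server certificate
            s.update(outcome="established", cipher=c.group(2), anon_kx=c.group(2).startswith(("ADH-", "AECDH-")))
        elif e:  # OpenSSL reason string, e.g. "no shared cipher"
            s["outcome"] = "failed: " + e.group(1)
        elif msg.startswith("SSL_accept error") and s["outcome"] == "no-tls":
            s["outcome"] = "failed: unspecified"
        elif msg.startswith("NOQUEUE: reject:"):
            s["rejected"] = True
        elif msg.startswith("disconnect from "):
            done.append(live.pop(pid))
    return done

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
```

A record with anon_kx set means the server negotiated an anonymous Diffie-Hellman suite, which provides no server authentication.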