Hi again,

Here is the output of postconf -n for this interface:

alias_database = hash:/etc/postfix-internal/aliases
alias_maps = hash:/etc/postfix-internal/aliases
allow_percent_hack = no
alternate_config_directories = /etc/postfix-internal, /etc/postfix-external
body_checks = pcre:/etc/postfix-internal/b2b_encrypted.body_check.pcre
bounce_queue_lifetime = 1d
command_directory = /opt/PFXpostfix/postfix/usr/sbin/
config_directory = /etc/postfix-internal
daemon_directory = /opt/PFXpostfix/postfix/usr/libexec/postfix
data_directory = /var/lib/postfix-internal
default_database_type = hash
default_destination_concurrency_limit = 25
default_process_limit = 350
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix-internal/headers_mimetypes.pcre, pcre:/etc/postfix-internal/headers_compliance.pcre, pcre:/etc/postfix-internal/b2b_encrypted.header_check.pcre
html_directory = no
mail_owner = postfix
mailbox_size_limit = 60000000
mailq_path = /usr/bin/mailq
manpage_directory = /opt/PFXpostfix/postfix/usr/local/man
maximal_backoff_time = 5h
maximal_queue_lifetime = 1d
message_size_limit = 52500000
mime_header_checks = pcre:/etc/postfix-internal/b2b_encrypted.header_check.pcre
mydestination = $myhostname, ssng0016xmh.sng.swissbank.com, dmz-vsgate4.sng.swissbank.com, dmz-vsgate4.sng, localhost.$mydomain, localhost
mydomain = ubs.com
myhostname = dmz-vsgate4.sng.ibb.ubs.com
mynetworks = /etc/postfix-internal/mynetworks
myorigin = $mydomain
nested_header_checks =
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix-internal
queue_minfree = 102400000
readme_directory = no
sample_directory = /etc/postfix
sendmail_path = /usr/lib/sendmail
setgid_group = postdrop
smtp_bind_address = 0.0.0.0
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/etc/postfix-internal/ssl/smtp_session_cache
smtpd_banner = $myhostname ESMTP Internal
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/recipient_block.map, check_sender_access hash:/etc/postfix/glamsenders.map, check_recipient_access, pcre:/etc/postfix-internal/smtpd_bang_reject.pcre, permit_mynetworks, reject
smtpd_restriction_classes = glam
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix-internal/blocked_senders.map,hash:/etc/postfix-internal/domains_ok.map,reject
smtpd_tls_cert_file = /etc/postfix-external/ssl2014/dmz-vsgate4.sng.pem
smtpd_tls_key_file = /etc/postfix-external/ssl2014/dmz-vsgate4.sng.key
swap_bangpath = no
syslog_name = postfix-internal
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix-internal/transport.map
unknown_local_recipient_reject_code = 550
virtual_mailbox_limit = 60000000

Regards, Robin

From: Wakefield, Robin
Sent: 23 August 2014 00:24
To: postfix-users@postfix.org
Subject: TLS library problem - handshake failure

Hi,

We recently upgraded from Postfix 2.5.5 to 2.8.17 and OpenSSL 0.9.8k to 1.0.1h 
(both compiled from source).  A number of domains that we normally send to are 
now not working.  The log is showing the following typical entries:

Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] SSL_connect error to ssc-dc2-mx02.chainiq.com[193.169.186.213]:25: -1
Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 947731 mail.warning] warning: TLS library problem: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] CE20F1099F: Cannot start TLS: handshake failure
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] SSL_connect error to ssc-dc1-mx02.chainiq.com[193.169.186.212]:25: -1
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 947731 mail.warning] warning: TLS library problem: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] CE20F1099F: to=<a...@chainiq.com>, relay=ssc-dc1-mx02.chainiq.com[193.169.186.212]:25, delay=3, delays=0.01/0.03/3/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

I have tried restricting smtp_tls_protocols to sslv3, and excluding tlsv1.1 and 
tlsv1.2, but am seeing the same result.

If I try and test the connection using:

openssl s_client -connect ssc-dc1-mx02.chainiq.com:25 -starttls smtp

I see no error, and I get presented with the 250 STARTTLS prompt.

Any thoughts on next steps without having to contact the target domains?  I 
have read about disabling TLSEXT_TYPE_PADDING when compiling OpenSSL - would 
this be my next step, or was this somehow fixed in the releases we are using?  
Any other way I could simulate this problem, as we have had to regress the 
versions until this is resolved?

Any help would be appreciated.

Regards, Robin
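An added triage script for log entries of the kind quoted above; it is not part of Robin's post and not Postfix code. It correlates the three lines smtp(8) logs per failed STARTTLS attempt (the SSL_connect error, the TLS library problem and the Cannot start TLS line) by process id, and unpacks the OpenSSL 1.0.x error code with the ERR_PACK() layout (8 bits library, 12 bits function, 12 bits reason). A reason of 1000 plus an alert number means the remote server sent that TLS alert: 1050 is alert 50, decode_error, so the failure in the quoted lines is the peer rejecting what the new client sent, not a local library error. The sample log is constructed from the lines in the thread plus a hypothetical third relay, mx.example.net, whose error 14077410 (alert 40) is invented to show a different alert being decoded.

```python
"""Correlate and decode Postfix smtp(8) TLS handshake failures from syslog.

Added example for this thread; not Postfix code and not the poster's code.
"""
import re
from collections import Counter

# Constructed sample lines modelled on the thread; mx.example.net is hypothetical.
SAMPLE_LOG = """\
Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] SSL_connect error to ssc-dc2-mx02.chainiq.com[193.169.186.213]:25: -1
Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 947731 mail.warning] warning: TLS library problem: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
Aug 22 23:51:37 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] CE20F1099F: Cannot start TLS: handshake failure
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] SSL_connect error to ssc-dc1-mx02.chainiq.com[193.169.186.212]:25: -1
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 947731 mail.warning] warning: TLS library problem: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
Aug 22 23:51:38 ssng0016xmh postfix-internal/smtp[6284]: [ID 197553 mail.info] CE20F1099F: Cannot start TLS: handshake failure
Aug 22 23:51:40 ssng0016xmh postfix-internal/smtp[6290]: [ID 197553 mail.info] SSL_connect error to mx.example.net[192.0.2.10]:25: -1
Aug 22 23:51:40 ssng0016xmh postfix-internal/smtp[6290]: [ID 947731 mail.warning] warning: TLS library problem: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:762:
Aug 22 23:51:40 ssng0016xmh postfix-internal/smtp[6290]: [ID 197553 mail.info] 1A2B3C4D5E: Cannot start TLS: handshake failure
"""

ERR_LIB_SSL = 20             # OpenSSL library id of the "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # SSL_R_*_ALERT_* reasons are 1000 + TLS alert number

# TLS alert descriptions (RFC 5246 section 7.2) a client is likely to receive.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    48: "unknown_ca", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
    110: "unsupported_extension",
}

# Syslog prefix; the optional "[ID nnn facility.level]" is the Solaris syslog tag.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\S+)\[(?P<pid>\d+)\]: "
    r"(?:\[ID \d+ \S+\] )?(?P<msg>.*)$"
)
CONNECT_RE = re.compile(
    r"SSL_connect error to (?P<relay>\S+?)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<rc>-?\d+)"
)
LIBERR_RE = re.compile(
    r"TLS library problem: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)
FAIL_RE = re.compile(r"^(?P<qid>[0-9A-F]+): Cannot start TLS: (?P<why>.*)$")


def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.0.x ERR_PACK() code: 8-bit lib, 12-bit func, 12-bit reason."""
    code = int(code_hex, 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        alert = reason - SSL_AD_REASON_OFFSET  # fatal alert received from the peer
    name = TLS_ALERTS.get(alert, "unknown") if alert is not None else None
    return {"lib": lib, "func": func, "reason": reason,
            "peer_alert": alert, "peer_alert_name": name}


def triage(log_text):
    """Return one record per failed STARTTLS attempt, correlated by smtp(8) pid."""
    pending, attempts = {}, []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (c := CONNECT_RE.search(msg)):
            pending[pid] = {"ts": m["ts"], "relay": c["relay"], "ip": c["ip"],
                            "port": int(c["port"])}
        elif (e := LIBERR_RE.search(msg)) and pid in pending:
            pending[pid].update(code=e["code"].upper(), func_name=e["func"],
                                reason_text=e["reason"],
                                **decode_openssl_error(e["code"]))
        elif (f := FAIL_RE.match(msg)) and pid in pending:
            attempt = pending.pop(pid)
            attempt.update(queue_id=f["qid"], why=f["why"])
            attempts.append(attempt)
    return attempts


def summarize(attempts):
    """Count failures by (relay, peer alert name) so the affected MX hosts stand out."""
    return Counter((a["relay"], a.get("peer_alert_name")) for a in attempts)


if __name__ == "__main__":
    for (relay, alert), n in sorted(summarize(triage(SAMPLE_LOG)).items()):
        print(f"{n:3d}  {relay:30s}  peer alert: {alert}")
```

Run it against the live mail log instead of SAMPLE_LOG to get a per-relay count of which alert each remote server is sending; a relay that answers the new ClientHello with decode_error (50) while openssl s_client, which sends a different ClientHello, completes the handshake is exactly the comparison the post describes, and the script makes that visible per destination without contacting the remote domains.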
