> On Apr 27, 2018, at 2:22 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
> 
> $ grep -a "warning: TLS library problem" /var/log/mail.log.1 /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
>      12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
>      11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
>      10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
>       2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1239:
> 
> Should I be concerned about these messages?

To know the answer you need to consider which clients are running into
this, and whether:

  * These clients are just network scanners and never send email
  * Are spammers and would send email if they could, but you're happy for them
    to fail
  * Are legitimate email senders, and fall back to cleartext.  In which case
    you'd perhaps rather they use TLS, and should investigate further.
  * Are legitimate email senders, and don't fall back to cleartext (you don't
    see a message in the clear from them shortly after each TLS failure).
    In which case you're losing some email and really should investigate.

The errors broadly suggest use of unsupported TLS protocol versions or
unsupported TLS features, or simply malformed handshake messages.  That
would be expected from scanners, but can also happen if you're configured
too strictly, for example, to exclude everything below TLSv1.2.

So if you want to be sure, you'll need to do some further log analysis,
and perhaps collect some PCAP files with full packet captures for any
clients or netblocks that exhibit the symptoms repeatedly.

-- 
        Viktor.
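The "further log analysis" suggested above is mostly a correlation job: attribute each "TLS library problem" warning to the client that triggered it (the warning line carries only the smtpd pid, the client address is on the preceding "connect from" line for that pid), then check whether the same client later handed over a message, and whether it did so over TLS or in the clear. The script below is an added example written for this thread, not code from the original message or from the Postfix project. It assumes the standard Postfix smtpd syslog format, that `smtpd_tls_loglevel` is at least 1 so a "TLS connection established" line is logged for every successful STARTTLS, and that lines appear in chronological order within one file. The log lines embedded in it are constructed for illustration (the hostnames and addresses are documentation examples, not real senders).

```python
import re
from collections import Counter, defaultdict

# Constructed sample Postfix smtpd log excerpt (not from the original thread).
# Three clients: a scanner that never sends mail, an old MTA that fails
# STARTTLS and then retries in cleartext, and a healthy TLS sender.
SAMPLE_LOG = """\
Apr 27 02:10:01 mx postfix/smtpd[1001]: connect from scanner.example[203.0.113.9]
Apr 27 02:10:01 mx postfix/smtpd[1001]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Apr 27 02:10:01 mx postfix/smtpd[1001]: lost connection after STARTTLS from scanner.example[203.0.113.9]
Apr 27 02:10:01 mx postfix/smtpd[1001]: disconnect from scanner.example[203.0.113.9]
Apr 27 02:15:30 mx postfix/smtpd[1002]: connect from old-mta.example[198.51.100.20]
Apr 27 02:15:30 mx postfix/smtpd[1002]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
Apr 27 02:15:30 mx postfix/smtpd[1002]: lost connection after STARTTLS from old-mta.example[198.51.100.20]
Apr 27 02:15:30 mx postfix/smtpd[1002]: disconnect from old-mta.example[198.51.100.20]
Apr 27 02:15:31 mx postfix/smtpd[1003]: connect from old-mta.example[198.51.100.20]
Apr 27 02:15:31 mx postfix/smtpd[1003]: ABCDEF1234: client=old-mta.example[198.51.100.20]
Apr 27 02:15:32 mx postfix/smtpd[1003]: disconnect from old-mta.example[198.51.100.20]
Apr 27 02:20:00 mx postfix/smtpd[1004]: connect from good-mta.example[192.0.2.7]
Apr 27 02:20:00 mx postfix/smtpd[1004]: Anonymous TLS connection established from good-mta.example[192.0.2.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr 27 02:20:00 mx postfix/smtpd[1004]: 0123456789: client=good-mta.example[192.0.2.7]
Apr 27 02:20:01 mx postfix/smtpd[1004]: disconnect from good-mta.example[192.0.2.7]
"""

SMTPD_RE = re.compile(r'postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$')
CONNECT_RE = re.compile(r'^connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]')
TLS_PROBLEM_RE = re.compile(r'^warning: TLS library problem: (?P<err>error:.*)')
TLS_OK_RE = re.compile(r'TLS connection established from ')
CLIENT_RE = re.compile(r'^\w+: client=(?P<host>\S+)\[(?P<ip>[^\]]+)\]')
DISCONNECT_RE = re.compile(r'^disconnect from ')


def analyze(log_text):
    """Attribute TLS failures to client IPs and correlate them with deliveries."""
    sessions = {}  # smtpd pid -> state of the connection that pid is handling
    clients = defaultdict(lambda: {
        "host": None, "errors": Counter(),
        "tls_deliveries": 0, "cleartext_deliveries": 0,
        "cleartext_after_failure": 0,
    })
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if (c := CONNECT_RE.match(msg)):
            # A new session starts: remember who is on the other end of this pid.
            sessions[pid] = {"ip": c["ip"], "tls": False}
            clients[c["ip"]]["host"] = c["host"]
            continue
        sess = sessions.get(pid)
        if sess is None:
            continue  # we never saw this session's connect line (log rotation)
        rec = clients[sess["ip"]]
        if (e := TLS_PROBLEM_RE.match(msg)):
            rec["errors"][e["err"].strip()] += 1
        elif TLS_OK_RE.search(msg):
            sess["tls"] = True  # STARTTLS succeeded for this session
        elif CLIENT_RE.match(msg):
            # A message was accepted; was this session encrypted?
            if sess["tls"]:
                rec["tls_deliveries"] += 1
            else:
                rec["cleartext_deliveries"] += 1
                if rec["errors"]:  # earlier failure from the same IP
                    rec["cleartext_after_failure"] += 1
        elif DISCONNECT_RE.match(msg):
            sessions.pop(pid, None)
    return dict(clients)


def verdict(rec):
    """Map a client's record onto the four cases from the reply above."""
    if not rec["errors"]:
        return "no TLS failures"
    if rec["cleartext_after_failure"]:
        return "falls back to cleartext after TLS failure: investigate TLS policy"
    if rec["tls_deliveries"] or rec["cleartext_deliveries"]:
        return "mail still arrives despite TLS failures"
    return "TLS failures and no mail: scanner, spammer, or a lost sender (capture packets to tell)"


def error_summary(clients):
    """Same totals as the grep|sort|uniq -c pipeline, most frequent first."""
    total = Counter()
    for rec in clients.values():
        total.update(rec["errors"])
    return total.most_common()


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for count, err in ((n, e) for e, n in error_summary(report)):
        print(f"{count:7d} {err}")
    for ip, rec in report.items():
        print(f"{ip} ({rec['host']}): {verdict(rec)}")
```

Run it against a real `mail.log` by replacing `SAMPLE_LOG` with the file contents; the per-IP verdict tells you which of the four cases each client is in, and the "no mail" bucket is the list of addresses worth a packet capture.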
