On Tue, Aug 09, 2022 at 02:27:17PM +0100, Tom McLoughlin wrote:

> Recently started receiving this error and unable to find any solution to 
> this, any ideas?
> 
> OpenSSL version: OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)
> Postfix version: mail_version = 3.6.4
> Dovecot version: 2.3.19.1 (9b53102964)
> 
> Log lines:
> 
> Aug 7 22:10:46 mail postfix/smtps/smtpd[885716]: SSL_accept:before SSL 
> initialization

Your TLS log level is too high, stick with "smtpd_tls_loglevel = 1".

> Aug 7 22:11:16 mail postfix/smtps/smtpd[885716]: SSL3 alert 
> write:fatal:decode error

The SMTP client is sending the server a fatal alert, because it couldn't
decode something the server sent.

> Aug 7 22:11:16 mail postfix/smtps/smtpd[885716]: warning: TLS library 
> problem: 
> error:0A000126:SSL routines::unexpected eof while 
> reading:../ssl/record/rec_layer_s3.c:308:

This is not surprising, given the client's fatal alert.

There is a recently fixed upstream bug in OpenSSL 3.0 where session
resumption fails when OpenSSL's internal session cache "overflows".
Perhaps that's your problem, though "decode error" is not the expected
alert in that case.

The resumption problem can be worked around by setting the server-side
session cache database empty (the default setting):

    smtpd_tls_session_cache_database =

This is the recommended setting, since clients should be using session
tickets instead.

Most likely your problem is elsewhere, in which case, a "tshark" decode
of a single connection attempt from that client will be needed to
determine what went wrong.

    # CLIENT_IP=192.0.2.1  # Insert actual IP address here
    # tcpdump -s 0 -w /tmp/smtp.pcap tcp port 25 and host "$CLIENT_IP" &
    # pid=$!
    ... Wait for client to try to connect and fail ...
    # kill -INT $pid

    # tcpdump -nr /tmp/smtp.pcap 'tcp[13] & 0x12 = 0x02'

The above reports SYN packets from the client, note the client's TCP
source port number for the first reported connection.  For example:

    19:05:39.014372 IP 127.0.0.1.52757 > 127.0.0.1.25: Flags [S],
        seq 3815386084, win 65535, options
        [mss 16344,nop,wscale 6,nop,nop,TS val 3114352004 ecr 0,sackOK,eol],
        length 0

This has client port == 52757

Run the PCAP recording through "tshark":

    # CPORT=52757 # Insert actual TCP port number here
    # tshark -r /tmp/smtp.pcap -V -d tcp.port==25,ssl tcp.port==$CPORT |
        sed -ne '/^Transport Layer Security/,/^$/p' > /tmp/tshark.txt

Post the "tshark.txt" file here (attach it, without folding lines or
otherwise changing whitespace), but keep the PCAP file around, just in
case.

-- 
    Viktor.
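To take the manual "note the client's source port" step out of the procedure above, here is an added shell helper (not part of Viktor's message): it parses the SYN lines that the tcpdump filter prints, picks the first SYN from a given client address to the server port, and fills that port into the tshark pipeline. The tcpdump lines in SAMPLE_SYNS are constructed for the demo.

```shell
#!/bin/sh
# Constructed sample of "tcpdump -nr ... 'tcp[13] & 0x12 = 0x02'" output:
# two SYNs from the same client, continuation lines indented as tcpdump prints them.
SAMPLE_SYNS='19:05:39.014372 IP 127.0.0.1.52757 > 127.0.0.1.25: Flags [S],
    seq 3815386084, win 65535, options
    [mss 16344,nop,wscale 6,nop,nop,TS val 3114352004 ecr 0,sackOK,eol],
    length 0
19:05:41.220891 IP 127.0.0.1.52790 > 127.0.0.1.25: Flags [S],
    seq 1191926733, win 65535, options [mss 16344], length 0'

# first_syn_port CLIENT_IP SERVER_PORT   (reads tcpdump SYN output on stdin)
# Prints the client's TCP source port from the first SYN sent by CLIENT_IP to
# SERVER_PORT, nothing if there is none. tcpdump puts the port after the last
# dot for both IPv4 ("127.0.0.1.52757") and IPv6 ("::1.52757"), so split there.
first_syn_port() {
    awk -v cip="$1" -v sport="$2" '
        $2 ~ /^IP6?$/ && $6 == "Flags" && $7 == "[S]," {
            src = $3; dst = $5
            sub(/:$/, "", dst)                  # drop the trailing colon
            sp = src; sub(/.*\./, "", sp)       # source port: text after the last dot
            dp = dst; sub(/.*\./, "", dp)       # destination port
            ip = src; sub(/\.[0-9]+$/, "", ip)  # source address: text before the last dot
            if (ip == cip && dp == sport) { print sp; exit }
        }'
}

# tshark_cmd PCAP SERVER_PORT CLIENT_PORT
# Prints the tshark pipeline from the message with the ports filled in.
tshark_cmd() {
    printf "tshark -r %s -V -d tcp.port==%s,ssl tcp.port==%s | " "$1" "$2" "$3"
    printf "sed -ne '/^Transport Layer Security/,/^\$/p'\n"
}

# Stand-alone demo on the constructed sample; in real use pipe tcpdump output in.
CPORT=$(printf '%s\n' "$SAMPLE_SYNS" | first_syn_port 127.0.0.1 25)
echo "first client port: $CPORT"   # prints 52757
tshark_cmd /tmp/smtp.pcap 25 "$CPORT"
```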
