TLS library problem: error:140760FC:SSL routines, is it a problem ?
whilst installing/configuring 2.1 to 3.2.x migration (using 2.1 main/master on 3.2 install), noticed these errors:

anything to worry about ?

# grep 'TLS library problem' /var/log/maillog*
/var/log/maillog:Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
/var/log/maillog:Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:
/var/log/maillog-20171224:Dec 21 05:25:49 geko postfix/smtpd[20642]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
/var/log/maillog-20171224:Dec 21 05:25:54 geko postfix/smtpd[20642]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:

# egrep '(error|fatal|panic):' /var/log/maillog
Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:

egrep '(warning|error|fatal|panic):' /var/log/maillog returns many lines, seem mainly like this:

Dec 26 11:56:52 geko postfix/smtpd[9572]: warning: hostname zg-1222a-130.stretchoid.com does not resolve to address 45.55.6.96: Name or service not known
Dec 26 12:07:45 geko postfix/smtpd[9758]: warning: unknown[1.195.247.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 26 12:07:54 geko postfix/smtpd[9758]: warning: unknown[1.195.247.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 26 12:08:08 geko postfix/smtpd[9758]: warning: unknown[1.195.247.204]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?
> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote:
>
> anything to worry about ?

Generally no. There are some SMTP clients that both TLS,
they'll either retry in the clear, or they are likely shoddy
spamware.

> # grep 'TLS library problem' /var/log/maillog*
> /var/log/maillog:Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS
> library problem: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
> /var/log/maillog:Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS
> library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong
> version number:s3_srvr.c:977:
> /var/log/maillog-20171224:Dec 21 05:25:49 geko postfix/smtpd[20642]:
> warning: TLS library problem: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
> /var/log/maillog-20171224:Dec 21 05:25:54 geko postfix/smtpd[20642]:
> warning: TLS library problem: error:1408A10B:SSL
> routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:

Other log messages will show the IP address of the client. If you weren't
expecting any email from that client, just ignore this.

This of course assumes you've not configured particularly exotic TLS
settings on your end.

--
Viktor.
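Added example, not part of the original thread: the "TLS library problem" warning carries no client address, so this sketch attributes each warning to the client named in the same smtpd process's most recent "connect from" line. It assumes each smtpd process serves one client at a time; the function names are hypothetical.

```python
import re
from collections import defaultdict

# smtpd[9701] lines are copied from the log quoted in this thread; the
# smtpd[9700] line (192.0.2.10, a documentation address) is constructed.
SAMPLE = """\
Dec 25 08:39:20 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:20 geko postfix/smtpd[9700]: connect from unknown[192.0.2.10]
Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 25 08:39:21 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=0/1 commands=1/2
Dec 25 08:39:23 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:
Dec 25 08:39:24 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=0/1 commands=1/2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ postfix/smtpd\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"^connect from \S+\[([^\]]+)\]")
TLS_ERR = re.compile(r"^warning: TLS library problem: "
                     r"error:([0-9A-F]+):[^:]*:[^:]*:([^:]*):")

def attribute_tls_errors(lines):
    """Return (timestamp, client_ip, error_code, reason) per TLS warning."""
    client_by_pid = {}  # smtpd PID -> client it is serving right now
    findings = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, msg = m.groups()
        if (c := CONNECT.match(msg)):
            client_by_pid[pid] = c.group(1)
        elif msg.startswith("disconnect from "):
            client_by_pid.pop(pid, None)  # the PID is reused for the next client
        elif (e := TLS_ERR.match(msg)):
            ip = client_by_pid.get(pid, "unattributed")
            findings.append((ts, ip, e.group(1), e.group(2)))
    return findings

def reasons_by_client(findings):
    """Group the distinct failure reasons under each client address."""
    grouped = defaultdict(set)
    for _ts, ip, _code, reason in findings:
        grouped[ip].add(reason)
    return {ip: sorted(r) for ip, r in grouped.items()}

if __name__ == "__main__":
    for ip, why in reasons_by_client(attribute_tls_errors(SAMPLE.splitlines())).items():
        print(ip, why)
```

Keying on the PID rather than the timestamp matters because two smtpd processes can log in the same second, as the constructed 9700 line shows.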
Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?
>> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote:
>>
>> anything to worry about ?
>
> Generally no. There are some SMTP clients that both TLS,
> they'll either retry in the clear, or they are likely shoddy
> spamware.

> Other log messages will show the IP address of the client. If you weren't
> expecting any email from that client, just ignore this.

Viktor,

thanks, both were from same no hostname IP address

# host 125.212.217.214
Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN)

log shows:

# grep "Dec 25 08:39" /var/log/maillog
Dec 25 08:39:12 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:17 geko postfix/smtpd[9700]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 25 08:39:18 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:19 geko postfix/smtpd[9701]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Dec 25 08:39:19 geko postfix/smtpd[9701]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:19 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:20 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:21 geko postfix/smtpd[9701]: SSL_accept error from unknown[125.212.217.214]: -1
Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 25 08:39:21 geko postfix/smtpd[9701]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:21 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=0/1 commands=1/2
Dec 25 08:39:23 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:23 geko postfix/smtpd[9700]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:23 geko postfix/smtpd[9700]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:24 geko postfix/smtpd[9701]: SSL_accept error from unknown[125.212.217.214]: -1
Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:
Dec 25 08:39:24 geko postfix/smtpd[9701]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:24 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=0/1 commands=1/2
Dec 25 08:39:25 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:26 geko postfix/smtpd[9700]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Dec 25 08:39:27 geko postfix/smtpd[9700]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:27 geko postfix/smtpd[9700]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:28 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:29 geko postfix/smtpd[9701]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 25 08:39:29 geko postfix/smtpd[9701]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:29 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:29 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:30 geko postfix/smtpd[9700]: lost connection after UNKNOWN from unknown[125.212.217.214]
Dec 25 08:39:30 geko postfix/smtpd[9700]: disconnect from unknown[125.212.217.214] unknown=0/1 commands=0/1
Dec 25 08:39:30 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:32 geko postfix/smtpd[9701]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 25 08:39:32 geko postfix/smtpd[9701]: lost connection after STARTTLS from unknown[125.212.217.214]
Dec 25 08:39:32 geko postfix/smtpd[9701]: disconnect from unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:36 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:36 geko postfix/smtpd[9700]: lost connection after CONNECT from unknown[125.212.217.214]
Dec 25 08:39:36 geko postfix/smtpd[9700]: disconnect from unknown[125.212.217.214] commands=0/0
Dec 25 08:39:39 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:41 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:41 geko postfix/smtpd[9700]: lost connection after UNKNOWN from unknown[125.212.217.214]
Dec 25 08:39:41 geko postfix/smtpd[9700]: disconnect from unknown[125.212.217.214] unknown=0/2 commands=0/2
Dec 25 08:39:45 geko postfix/smtpd[9701]: lost connection after CONNECT from unknow
Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?
>> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote:

> This of course assumes you've not configured particularly exotic TLS
> settings on your end.

Viktor, thanks again,

I hope it's not exotic, not to my knowledge, anyhow:

that that show what it is ? suggestions and corrections appreciated

# grep tls main.cf
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/letsencrypt/live/geko.sbt.net.au/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/geko.sbt.net.au/fullchain.pem
smtpd_tls_session_cache_timeout = 36000s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_random_source = dev:/dev/urandom
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?
> On Dec 26, 2017, at 1:34 AM, li...@sbt.net.au wrote:
>
>>
>> Generally no. There are some SMTP clients that both TLS,

s/both/botch/

Hope that's less confusing.

>> they'll either retry in the clear, or they are likely shoddy
>> spamware.

>> Other log messages will show the IP address of the client. If you weren't
>> expecting any email from that client, just ignore this.
>
>
> thanks, both were from same no hostname IP address
>
> # host 125.212.217.214
> Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN)

According to "whois" that's an IP address in Vietnam...

--
Viktor.
Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?
> On Dec 26, 2017, at 1:39 AM, li...@sbt.net.au wrote:

Overall quite standard. Nothing to worry about.

> smtpd_tls_session_cache_timeout = 36000s

10 hours is perhaps too long to be useful. Just let the default stand.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

With Postfix 2.11 or later, just leave this empty, session tickets work
better.

> smtp_tls_security_level = may
> smtp_tls_note_starttls_offer = yes

The second is not needed.

> smtp_tls_session_cache_timeout = 3600s
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

By way of contrast these are fine.

--
Viktor.
Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> With Postfix 2.11 or later, just leave this empty, session tickets work
> better.

Viktor, thanks

does 'leave empty' mean have it present in main.cf up to '=' ? as so ?

smtpd_tls_session_cache_database =
Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?
>> thanks, both were from same no hostname IP address
>>
>> # host 125.212.217.214
>> Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN)
>
> According to "whois" that's an IP address in Vietnam...
>

well, we have about 20+ users located in Bangkok (whilst server is in Aus), so I'd guess connection from Vietnam can be routinely expected - but not from unresolvable hosts, that's denied anyhow is std restrictions

thanks again, V