TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread lists
whilst installing/configuring 2.1 to 3.2.x migration
(using 2.1 main/master on 3.2 install), noticed these errors:

anything to worry about ?


# grep 'TLS library problem' /var/log/maillog*
/var/log/maillog:Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS
library problem: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
/var/log/maillog:Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS
library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong
version number:s3_srvr.c:977:
/var/log/maillog-20171224:Dec 21 05:25:49 geko postfix/smtpd[20642]:
warning: TLS library problem: error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
/var/log/maillog-20171224:Dec 21 05:25:54 geko postfix/smtpd[20642]:
warning: TLS library problem: error:1408A10B:SSL
routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:

# egrep '(error|fatal|panic):' /var/log/maillog
Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol:s23_srvr.c:640:
Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem:
error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version
number:s3_srvr.c:977:

 egrep '(warning|error|fatal|panic):' /var/log/maillog

returns many lines, seem mainly like this:

Dec 26 11:56:52 geko postfix/smtpd[9572]: warning: hostname
zg-1222a-130.stretchoid.com does not resolve to address 45.55.6.96: Name
or service not known
Dec 26 12:07:45 geko postfix/smtpd[9758]: warning: unknown[1.195.247.204]:
SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 26 12:07:54 geko postfix/smtpd[9758]: warning: unknown[1.195.247.204]:
SASL LOGIN authentication failed: UGFzc3dvcmQ6
Dec 26 12:08:08 geko postfix/smtpd[9758]: warning: unknown[1.195.247.204]:
SASL LOGIN authentication failed: UGFzc3dvcmQ6

Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread Viktor Dukhovni


> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote:
> 
> anything to worry about ?

Generally no.  There are some SMTP clients that both TLS,
they'll either retry in the clear, or they are likely shoddy
spamware.

> # grep 'TLS library problem' /var/log/maillog*
> /var/log/maillog:Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS
> library problem: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
> /var/log/maillog:Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS
> library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong
> version number:s3_srvr.c:977:
> /var/log/maillog-20171224:Dec 21 05:25:49 geko postfix/smtpd[20642]:
> warning: TLS library problem: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
> /var/log/maillog-20171224:Dec 21 05:25:54 geko postfix/smtpd[20642]:
> warning: TLS library problem: error:1408A10B:SSL
> routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:


Other log messages will show the IP address of the client.  If you weren't
expecting any email from that client, just ignore this.

This of course assumes you've not configured particularly exotic TLS
settings on your end.

-- 
Viktor.
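The warning line itself names no client; the "connect from" line written by the same smtpd process (same PID) just before it does, which is the correlation Viktor points at and the original poster then did by hand. The following is an added Python example (not code from the thread or from Postfix) that automates it over smtpd log lines; the sample lines are constructed from the excerpt above, and mail.example.net / 192.0.2.10 is a made-up well-behaved peer added for contrast.

```python
import re
from collections import defaultdict

# Postfix syslog line: "Mon DD HH:MM:SS host postfix/smtpd[PID]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+\[[^\]]+\])$")
TLS_OK_RE = re.compile(r"^(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established "
                       r"from (?P<client>\S+): (?P<proto>\S+) with cipher")
TLS_WARN_RE = re.compile(r"^warning: TLS library problem: error:[0-9A-F]+:SSL routines:"
                         r"[^:]+:(?P<reason>[^:]+)")

def summarize(lines):
    """Per client: connection count, successful TLS handshakes, and the
    reasons of any TLS library warnings attributed to it via the smtpd PID."""
    last_client = {}  # pid -> client named by that process's latest 'connect from'
    stats = defaultdict(lambda: {"connects": 0, "tls_ok": 0, "warnings": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an smtpd line (cleanup, qmgr, ...)
        pid, msg = m.group("pid"), m.group("msg")
        if c := CONNECT_RE.match(msg):
            last_client[pid] = c.group("client")
            stats[c.group("client")]["connects"] += 1
        elif ok := TLS_OK_RE.match(msg):
            stats[ok.group("client")]["tls_ok"] += 1
        elif w := TLS_WARN_RE.match(msg):
            # The warning names no client; borrow it from the same PID's connect.
            client = last_client.get(pid, "unattributed[pid %s]" % pid)
            stats[client]["warnings"].append(w.group("reason"))
    return dict(stats)

# Constructed sample, modelled on the (unwrapped) excerpt in this thread;
# mail.example.net / 192.0.2.10 is a made-up peer that completes TLS cleanly.
SAMPLE_LOG = """\
Dec 25 08:39:12 geko postfix/smtpd[9700]: connect from unknown[125.212.217.214]
Dec 25 08:39:17 geko postfix/smtpd[9700]: Anonymous TLS connection established from unknown[125.212.217.214]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 25 08:39:18 geko postfix/smtpd[9701]: connect from unknown[125.212.217.214]
Dec 25 08:39:21 geko postfix/smtpd[9701]: SSL_accept error from unknown[125.212.217.214]: -1
Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:977:
Dec 25 08:40:01 geko postfix/smtpd[9702]: connect from mail.example.net[192.0.2.10]
Dec 25 08:40:02 geko postfix/smtpd[9702]: Trusted TLS connection established from mail.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
""".splitlines()

if __name__ == "__main__":
    for client, s in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{client}: {s['connects']} connects, {s['tls_ok']} TLS ok, warnings={s['warnings']}")
```

Feed it the real file with `summarize(open("/var/log/maillog"))`; a client that shows up with warnings and nothing else is the case the thread describes, one you were not expecting mail from.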



Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread lists
>> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote:
>>
>> anything to worry about ?
>
> Generally no.  There are some SMTP clients that both TLS,
> they'll either retry in the clear, or they are likely shoddy
> spamware.
> Other log messages will show the IP address of the client.  If you weren't
> expecting any email from that client, just ignore this.


Viktor,

thanks, both were from the same IP address with no hostname

# host 125.212.217.214
Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN)

log shows:

# grep "Dec 25 08:39" /var/log/maillog
Dec 25 08:39:12 geko postfix/smtpd[9700]: connect from
unknown[125.212.217.214]
Dec 25 08:39:17 geko postfix/smtpd[9700]: Anonymous TLS connection
established from unknown[125.212.217.214]: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 25 08:39:18 geko postfix/smtpd[9701]: connect from
unknown[125.212.217.214]
Dec 25 08:39:19 geko postfix/smtpd[9701]: Anonymous TLS connection
established from unknown[125.212.217.214]: TLSv1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)
Dec 25 08:39:19 geko postfix/smtpd[9701]: lost connection after STARTTLS
from unknown[125.212.217.214]
Dec 25 08:39:19 geko postfix/smtpd[9701]: disconnect from
unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:20 geko postfix/smtpd[9701]: connect from
unknown[125.212.217.214]
Dec 25 08:39:21 geko postfix/smtpd[9701]: SSL_accept error from
unknown[125.212.217.214]: -1
Dec 25 08:39:21 geko postfix/smtpd[9701]: warning: TLS library problem:
error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol:s23_srvr.c:640:
Dec 25 08:39:21 geko postfix/smtpd[9701]: lost connection after STARTTLS
from unknown[125.212.217.214]
Dec 25 08:39:21 geko postfix/smtpd[9701]: disconnect from
unknown[125.212.217.214] ehlo=1 starttls=0/1 commands=1/2
Dec 25 08:39:23 geko postfix/smtpd[9701]: connect from
unknown[125.212.217.214]
Dec 25 08:39:23 geko postfix/smtpd[9700]: lost connection after STARTTLS
from unknown[125.212.217.214]
Dec 25 08:39:23 geko postfix/smtpd[9700]: disconnect from
unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:24 geko postfix/smtpd[9701]: SSL_accept error from
unknown[125.212.217.214]: -1
Dec 25 08:39:24 geko postfix/smtpd[9701]: warning: TLS library problem:
error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version
number:s3_srvr.c:977:
Dec 25 08:39:24 geko postfix/smtpd[9701]: lost connection after STARTTLS
from unknown[125.212.217.214]
Dec 25 08:39:24 geko postfix/smtpd[9701]: disconnect from
unknown[125.212.217.214] ehlo=1 starttls=0/1 commands=1/2
Dec 25 08:39:25 geko postfix/smtpd[9700]: connect from
unknown[125.212.217.214]
Dec 25 08:39:26 geko postfix/smtpd[9700]: Anonymous TLS connection
established from unknown[125.212.217.214]: TLSv1.1 with cipher
ECDHE-RSA-AES256-SHA (256/256 bits)
Dec 25 08:39:27 geko postfix/smtpd[9700]: lost connection after STARTTLS
from unknown[125.212.217.214]
Dec 25 08:39:27 geko postfix/smtpd[9700]: disconnect from
unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:28 geko postfix/smtpd[9701]: connect from
unknown[125.212.217.214]
Dec 25 08:39:29 geko postfix/smtpd[9701]: Anonymous TLS connection
established from unknown[125.212.217.214]: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 25 08:39:29 geko postfix/smtpd[9701]: lost connection after STARTTLS
from unknown[125.212.217.214]
Dec 25 08:39:29 geko postfix/smtpd[9701]: disconnect from
unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:29 geko postfix/smtpd[9700]: connect from
unknown[125.212.217.214]
Dec 25 08:39:30 geko postfix/smtpd[9700]: lost connection after UNKNOWN
from unknown[125.212.217.214]
Dec 25 08:39:30 geko postfix/smtpd[9700]: disconnect from
unknown[125.212.217.214] unknown=0/1 commands=0/1
Dec 25 08:39:30 geko postfix/smtpd[9701]: connect from
unknown[125.212.217.214]
Dec 25 08:39:32 geko postfix/smtpd[9701]: Anonymous TLS connection
established from unknown[125.212.217.214]: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Dec 25 08:39:32 geko postfix/smtpd[9701]: lost connection after STARTTLS
from unknown[125.212.217.214]
Dec 25 08:39:32 geko postfix/smtpd[9701]: disconnect from
unknown[125.212.217.214] ehlo=1 starttls=1 commands=2
Dec 25 08:39:36 geko postfix/smtpd[9700]: connect from
unknown[125.212.217.214]
Dec 25 08:39:36 geko postfix/smtpd[9700]: lost connection after CONNECT
from unknown[125.212.217.214]
Dec 25 08:39:36 geko postfix/smtpd[9700]: disconnect from
unknown[125.212.217.214] commands=0/0
Dec 25 08:39:39 geko postfix/smtpd[9701]: connect from
unknown[125.212.217.214]
Dec 25 08:39:41 geko postfix/smtpd[9700]: connect from
unknown[125.212.217.214]
Dec 25 08:39:41 geko postfix/smtpd[9700]: lost connection after UNKNOWN
from unknown[125.212.217.214]
Dec 25 08:39:41 geko postfix/smtpd[9700]: disconnect from
unknown[125.212.217.214] unknown=0/2 commands=0/2
Dec 25 08:39:45 geko postfix/smtpd[9701]: lost connection after CONNECT
from unknow

Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread lists

>> On Dec 25, 2017, at 8:57 PM, li...@sbt.net.au wrote:

> This of course assumes you've not configured particularly exotic TLS
> settings on your end.

Viktor,
thanks again, I hope it's not exotic, not to my knowledge, anyhow:

does that show what it is? suggestions and corrections appreciated

# grep tls main.cf

smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/letsencrypt/live/geko.sbt.net.au/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/geko.sbt.net.au/fullchain.pem
smtpd_tls_session_cache_timeout = 36000s
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_random_source = dev:/dev/urandom
smtp_tls_loglevel = 1
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache


Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread Viktor Dukhovni


> On Dec 26, 2017, at 1:34 AM, li...@sbt.net.au wrote:
> 
>> 
>> Generally no.  There are some SMTP clients that both TLS,

s/both/botch/

Hope that's less confusing.

>> they'll either retry in the clear, or they are likely shoddy
>> spamware.
>> Other log messages will show the IP address of the client.  If you weren't
>> expecting any email from that client, just ignore this.
> 
> 
> thanks, both were from same no hostname IP address
> 
> # host 125.212.217.214
> Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN)

According to "whois" that's an IP address in Vietnam...

-- 
Viktor.



Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread Viktor Dukhovni


> On Dec 26, 2017, at 1:39 AM, li...@sbt.net.au wrote:

Overall quite standard.  Nothing to worry about.

> smtpd_tls_session_cache_timeout = 36000s

10 hours is perhaps too long to be useful. Just let the default stand.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

With Postfix 2.11 or later, just leave this empty, session tickets work
better.

> smtp_tls_security_level = may
> smtp_tls_note_starttls_offer = yes

The second is not needed.

> smtp_tls_session_cache_timeout = 3600s
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

By way of contrast these are fine.

-- 
Viktor.



Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-25 Thread lists
>> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
>
> With Postfix 2.11 or later, just leave this empty, session tickets work
> better.


Viktor, thanks

does 'leave empty' mean having it present in main.cf up to '='?
as so?

smtpd_tls_session_cache_database =

Re: TLS library problem: error:140760FC:SSL routines, is it a problem ?

2017-12-26 Thread lists
>> thanks, both were from same no hostname IP address
>>
>> # host 125.212.217.214
>> Host 214.217.212.125.in-addr.arpa. not found: 3(NXDOMAIN)
>
> According to "whois" that's an IP address in Vietnam...
>

well, we have about 20+ users located in Bangkok (whilst the server is in
Aus), so I'd guess connections from Vietnam can be routinely expected - but
not from unresolvable hosts, that's denied anyhow in the std restrictions

thanks again,

V