lost connection after CONNECT / SSL_accept error from errors / network_biopair_interop: no inbound mail

2009-09-08 Thread Paul Beard


I am getting no inbound email after locking down the requirements of users to authenticate before sending. I dropped back from current (2.7.*) to 2.6.5.

Not having any success getting tcpdump output. The version I have differs from the example in the DEBUG instructions.

Complete error messages. Please use cut-and-paste, or use attachments, instead of reciting information from memory.


Sep  8 00:45:30 shuttle postfix/smtpd[56332]: qmta10.emeryville.ca.mail.comcast.net[76.96.30.17]: TLS cipher list ALL:!EXPORT:!LOW:+RC4:@STRENGTH
Sep  8 00:45:30 shuttle postfix/smtpd[56332]: SSL_accept:before/accept initialization
Sep  8 00:45:30 shuttle postfix/smtpd[56332]: read from 34103AC0 [341BF000] (11 bytes = -1 (0x))
Sep  8 00:45:33 shuttle postfix/smtpd[56335]: SSL_accept error from mail-pz0-f204.google.com[209.85.222.204]: -1
Sep  8 00:45:33 shuttle postfix/smtpd[56335]: lost connection after CONNECT from mail-pz0-f204.google.com[209.85.222.204]
Sep  8 00:45:33 shuttle postfix/smtpd[56335]: disconnect from mail-pz0-f204.google.com[209.85.222.204]
Sep  8 00:46:03 shuttle postfix/smtpd[56437]: warning: network_biopair_interop: error reading 11 bytes from the network: Connection reset by peer
Sep  8 00:46:03 shuttle postfix/smtpd[56437]: SSL_accept error from mail-px0-f194.google.com[209.85.216.194]: -1
Sep  8 00:46:03 shuttle postfix/smtpd[56437]: lost connection after CONNECT from mail-px0-f194.google.com[209.85.216.194]
Sep  8 00:46:03 shuttle postfix/smtpd[56437]: disconnect from mail-px0-f194.google.com[209.85.216.194]
Sep  8 00:47:07 shuttle postfix/smtpd[56335]: connect from elasmtp-masked.atl.sa.earthlink.net[209.86.89.68]
Sep  8 00:47:07 shuttle postfix/smtpd[56335]: setting up TLS connection from elasmtp-masked.atl.sa.earthlink.net[209.86.89.68]
Sep  8 00:47:07 shuttle postfix/smtpd[56335]: elasmtp-masked.atl.sa.earthlink.net[209.86.89.68]: TLS cipher list ALL:!EXPORT:!LOW:+RC4:@STRENGTH


postfinger - postfix configuration on Tue Sep  8 00:53:35 PDT 2009

version: 1.30



--System Parameters--

mail_version = 2.6.5

hostname = shuttle.ferbil.fotz

uname = FreeBSD shuttle.ferbil.fotz 7.2-RELEASE-p1 FreeBSD 7.2-RELEASE-p1 #1: Fri Jun 12 22:10:40 PDT 2009 r...@shuttle.ferbil.fotz:/usr/obj/usr/src/sys/SHUTTLE  i386




--Packaging information--

looks like this postfix comes from BSD package: postfix-2.6.5,1



--main.cf non-default parameters--

default_process_limit = 200

disable_vrfy_command = yes

invalid_hostname_reject_code = 554

maps_rbl_domains = blackholes.mail-abuse.org

multi_recipient_bounce_reject_code = 554

mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain

myhostname = mail.ferbil.fotz

mynetworks = 192.168.2.0/24, 127.0.0.0/8

myorigin = $mydomain

non_fqdn_reject_code = 554

proxy_interfaces = 72.1.134.183

smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache

smtpd_helo_required = yes

smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname, reject_invalid_hostname, permit


smtpd_reject_unlisted_sender = yes

smtpd_sasl_auth_enable = yes

smtpd_sasl_path = private/auth

smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated

smtpd_tls_CAfile = /usr/local/etc/postfix/ssl/cacert.pem

smtpd_tls_cert_file = /usr/local/etc/postfix/ssl/pbo-cert.pem

smtpd_tls_key_file = /usr/local/etc/postfix/ssl/pbo-key.pem

smtpd_tls_loglevel = 3

smtpd_tls_received_header = yes

smtpd_tls_security_level = may

strict_rfc821_envelopes = yes

unknown_address_reject_code = 554

unknown_client_reject_code = 554

unknown_hostname_reject_code = 554

unknown_relay_recipient_reject_code = 554

unknown_virtual_alias_reject_code = 554

unknown_virtual_mailbox_reject_code = 554

unverified_recipient_reject_code = 554

unverified_sender_reject_code = 554

virtual_alias_domains = mildew.org

virtual_alias_maps = hash:/usr/local/etc/postfix/mildew.cf



--master.cf--

smtp      inet  n       -       n       -       200     smtpd
  -o content_filter=filter:
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -

Re: lost connection after CONNECT / SSL_accept error from errors / network_biopair_interop: no inbound mail

2009-09-08 Thread Noel Jones

On 9/8/2009 3:07 AM, Paul Beard wrote:


I am getting no inbound email after locking down the requirements of
users to authenticate before sending. I dropped back from current
(2.7.*) to 2.6.5.

Not having any success getting tcpdump output. The version I have
differs from the example in the DEBUG instructions.

Complete error messages. Please use cut-and-paste, or use attachments,
instead of reciting information from memory.

Sep 8 00:45:33 shuttle postfix/smtpd[56335]: lost connection after CONNECT from mail-pz0-f204.google.com[209.85.222.204]


Looks like the client disconnected.

Test your TLS implementation with
openssl s_client -connect IP:port -starttls smtp

If you get a
250 DSN
or similar message after all the SSL handshake goop, then it 
worked.



maps_rbl_domains = blackholes.mail-abuse.org


maps_rbl_domains parameter is deprecated.  See the 
reject_rbl_client command instead.




smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
reject_invalid_hostname, permit


You need permit_sasl_authenticated right after permit_mynetworks.


smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated


This is a no-op, you can remove it.

I don't see an smtpd_recipient_restrictions here.  You will need at least:

smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination




smtpd_tls_loglevel = 3


Everything you may need should be logged at level 1.


strict_rfc821_envelopes = yes


This may reject legit mail.



--master.cf--

smtp inet n - n - 200 smtpd

-o content_filter=filter:

-o smtpd_tls_wrappermode=yes


Ouch!  Don't do that!
This is likely why the client disconnected; your server was speaking SSL and the client was speaking normal SMTP.  It looked like garbage to the client.
Wrappermode should only be used on a dedicated port, typically 465 smtps.




-o smtpd_sasl_auth_enable=yes



Since smtpd_sasl_auth_enable is set in main.cf, no reason to set it here.


 -- Noel Jones
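Noel's wrapper-mode point can be checked mechanically before a reload. The following is an added example, not code from this thread or from Postfix itself: a small master.cf parser that flags smtpd_tls_wrappermode=yes on any inet smtpd service other than the dedicated smtps/465 one. The master.cf it parses is a constructed sample that reproduces the misconfiguration shown in the original post.

```python
"""Lint a Postfix master.cf for TLS wrapper mode on the wrong service.

Added example, not Postfix's own tooling. Wrapper mode on the port-25
'smtp inet' service deadlocks normal SMTP clients: they wait for a 220
banner while smtpd waits for a TLS ClientHello.
"""

# Constructed sample: wrapper mode wrongly enabled on port 25 and
# correctly enabled on the dedicated smtps service.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command
smtp      inet  n       -       n       -       200     smtpd
  -o content_filter=filter:
  -o smtpd_tls_wrappermode=yes
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
pickup    fifo  n       -       n       60      1       pickup
"""


def parse_master_cf(text):
    """Return a list of (service, type, command, {option: value}).

    A line beginning with whitespace continues the previous service entry;
    its '-o name=value' arguments are collected into the option dict.
    """
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":  # continuation line for the last service
            if not services:
                raise ValueError("continuation line before any service")
            args = line.split()
            for i, tok in enumerate(args):
                if tok == "-o" and i + 1 < len(args):
                    name, _, value = args[i + 1].partition("=")
                    services[-1][3][name] = value
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError("malformed service line: %r" % line)
        services.append((fields[0], fields[1], fields[7], {}))
    return services


def wrapper_mode_on_smtp_port(text):
    """Names of inet smtpd services with wrapper mode that are not smtps/465."""
    bad = []
    for name, stype, cmd, opts in parse_master_cf(text):
        if stype != "inet" or cmd != "smtpd":
            continue
        port = name.split(":")[-1]  # service may be written as host:port
        if opts.get("smtpd_tls_wrappermode") == "yes" and port not in ("smtps", "465"):
            bad.append(name)
    return bad
```

Run it against a real file with `wrapper_mode_on_smtp_port(open("/etc/postfix/master.cf").read())`; a non-empty list names the services that will hang plain SMTP clients.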


Re: lost connection after CONNECT / SSL_accept error from errors / network_biopair_interop: no inbound mail

2009-09-08 Thread paul beard
On Tue, Sep 8, 2009 at 8:01 AM, Noel Jones njo...@megan.vbhcs.org wrote:

 Looks like the client disconnected.

 Test your TLS implementation with
 openssl s_client -connect IP:port -starttls smtp

 If you get a
 250 DSN
 or similar message after all the SSL handshake goop, then it worked.


OK, all is well here.

 maps_rbl_domains = blackholes.mail-abuse.org


 maps_rbl_domains parameter is deprecated.  See the reject_rbl_client
 command instead.


  smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_hostname,
 reject_invalid_hostname, permit


 You need permit_sasl_authenticated right after permit_mynetworks.

  smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated


 This is a no-op, you can remove it.

 I don't see an smtpd_recipient_restrictions here.  You will need at least:
 smtpd_recipient_restrictions =
  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination


smtpd_recipient_restrictions was there, as specified. So that's alright.



  smtpd_tls_loglevel = 3


 Everything you may need should be logged at level 1.

  strict_rfc821_envelopes = yes


 This may reject legit mail.

OK, I fixed those. I cranked logging up in vain hope of finding something indicative.


 --master.cf--

 smtp inet n - n - 200 smtpd

 -o content_filter=filter:

 -o smtpd_tls_wrappermode=yes


 Ouch!  Don't do that!
 This is likely why the client disconnected; your server was speaking SSL
 and the client was speaking normal SMTP.  It looked like garbage to the
 client.
 Wrappermode should only be used on a dedicated port, typically 465 smtps.


Hmm, that's been here forever, but I guess it was obsoleted by the recent
authentication changes.


Well, it looks like I am seeing some deliveries being logged, so maybe it's
fixed.

Any idea if I should care about this?

Sep  8 08:06:57 shuttle postfix/smtpd[61994]: warning: network_biopair_interop: error reading 11 bytes from the network: Connection reset by peer

I see it's a warning but the only mention I found in the Google was that it
was fixed in the next release and that was some time ago.
-- 
Paul Beard / www.paulbeard.org/


Re: lost connection after CONNECT / SSL_accept error from errors / network_biopair_interop: no inbound mail

2009-09-08 Thread Victor Duchovni
On Tue, Sep 08, 2009 at 08:20:19AM -0700, paul beard wrote:

 Any idea if I should care about this?
 
 Sep  8 08:06:57 shuttle postfix/smtpd[61994]: warning: network_biopair_interop: error reading 11 bytes from the network: Connection reset by peer

After you turned-off wrapper mode and reloaded or restarted Postfix?

In your original report this was a client-server deadlock because you
had TLS wrapper mode on port 25, and so the client was waiting for a
220 banner,

http://tools.ietf.org/html/rfc5321#section-3.1

while the server was waiting for an SSL client hello.

http://tools.ietf.org/html/rfc4346#section-7.4.1.2

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.


If my response solves your problem, the best way to thank me is to not
send an it worked, thanks follow-up. If you must respond, please put
It worked, thanks in the Subject so I can delete these quickly.


Re: lost connection after CONNECT / SSL_accept error from errors / network_biopair_interop: no inbound mail

2009-09-08 Thread Noel Jones

On 9/8/2009 10:20 AM, paul beard wrote:


I don't see an smtpd_recipient_restrictions here.  You will need at least:
smtpd_recipient_restrictions =

  permit_mynetworks
  permit_sasl_authenticated
  reject_unauth_destination


smtpd_recipient_restrictions was there, as specified. So that's alright.


Did I miss it in your postconf -n output?  If it's not listed in postconf -n, then postfix doesn't see it either.  Usually a typo in the parameter name.




Any idea if I should care about this?

Sep  8 08:06:57 shuttle postfix/smtpd[61994]: warning: network_biopair_interop: error reading 11 bytes from the network: Connection reset by peer


This is logged by the openssl library when a client aborts the SSL handshake.
As long as mail (usually) works from clients you want mail from, you can ignore this message.


  -- Noel Jones