Re: warning: TLS library problem: routines:ssl_choose_client_version:unsupported protocol?
https://access.redhat.com/solutions/120383

Did you do the poodle block back in the day?

From: hamdi201...@gmail.com
Sent: February 7, 2020 10:37 PM
To: postfix-users@postfix.org
Subject: warning: TLS library problem: routines:ssl_choose_client_version:unsupported protocol?

Hi everyone. I have a PHP contact form that reports the following Postfix error (I get it in the maillog file): https://hastepaste.com/view/jr41N

The same applies when I send an e-mail to that e-mail address using Outlook. Obviously my mail server is having trouble sending e-mails to some public servers; perhaps the remote e-mail server doesn't have SSL/TLS activated? But I don't enforce SMTP TLS; I have smtp_tls_security_level = may in my main.cf.

How can I solve this problem from my side? Thank you.
Re: warning: TLS library problem: routines:ssl_choose_client_version:unsupported protocol?
On Sat, Feb 08, 2020 at 09:36:41AM +0300, Andreas X wrote:

> Hi everyone. I have a php contact form, that reports the following postfix
> error (getting that in maillog file): https://hastepaste.com/view/jr41N

It is rude to post links to pastebins. If you want help, please paste all the logs for the relevant message to the list, with at least the destination domain not obfuscated (if at all possible).

--
Viktor.
warning: TLS library problem: routines:ssl_choose_client_version:unsupported protocol?
Hi everyone. I have a PHP contact form that reports the following Postfix error (I get it in the maillog file): https://hastepaste.com/view/jr41N

The same applies when I send an e-mail to that e-mail address using Outlook. Obviously my mail server is having trouble sending e-mails to some public servers; perhaps the remote e-mail server doesn't have SSL/TLS activated? But I don't enforce SMTP TLS; I have smtp_tls_security_level = may in my main.cf.

How can I solve this problem from my side? Thank you.
Re: warning: TLS library problem - messages in log
> On Apr 29, 2018, at 12:06 PM, Dominic Raferd wrote:
>
> Thanks Viktor, I will bear this in mind for the future. But even if
> (with your help) I could determine exactly what the problem was for
> these two senders I think there is zero chance they would be
> interested in hearing from me about it.

The effort might be primarily to make sure that there's not an unexpected problem in the SSL software or settings on your side.

--
Viktor.
Re: warning: TLS library problem - messages in log
On 29 April 2018 at 16:57, Viktor Dukhovni wrote:
>
>> On Apr 29, 2018, at 3:37 AM, Dominic Raferd wrote:
>>
>> This is a genuine and expected sender (VoIP provider). I am less sure
>> about atlas.net.tr, but it is probably genuine and expected by
>> recipient too. Unwanted ones I have not bothered to report here.
>>
>> I don't require encryption on port 25: smtpd_tls_security_level = may
>
> If you have time to look into this further, you need full-packet
> capture PCAP files.
>
>     # set -- 192.0.2.1 192.0.2.2 # season to taste
>     # filter=; for ip
>     do
>         [ -n "$filter" ] && filter="$filter or "
>         filter="${filter}tcp host $ip"
>     done
>     # tcpdump -s0 -w /var/tmp/tls.pcap $filter

Thanks Viktor, I will bear this in mind for the future. But even if (with your help) I could determine exactly what the problem was for these two senders I think there is zero chance they would be interested in hearing from me about it.
Re: warning: TLS library problem - messages in log
> On Apr 29, 2018, at 3:37 AM, Dominic Raferd wrote:
>
> This is a genuine and expected sender (VoIP provider). I am less sure
> about atlas.net.tr, but it is probably genuine and expected by
> recipient too. Unwanted ones I have not bothered to report here.
>
> I don't require encryption on port 25: smtpd_tls_security_level = may

If you have time to look into this further, you need full-packet capture PCAP files.

    # set -- 192.0.2.1 192.0.2.2 # season to taste
    # filter=; for ip
    do
        [ -n "$filter" ] && filter="$filter or "
        filter="${filter}tcp host $ip"
    done
    # tcpdump -s0 -w /var/tmp/tls.pcap $filter

--
Viktor.
Re: warning: TLS library problem - messages in log
On 29 April 2018 at 08:35, Viktor Dukhovni wrote:
>
>> On Apr 29, 2018, at 3:28 AM, @lbutlr wrote:
>>
>> It appears that Swiss domain uses Google for their email:
>>
>> finarea.ch. 21599 IN MX 20 alt2.aspmx.l.google.com.
>> finarea.ch. 21599 IN MX 30 aspmx2.googlemail.com.
>> finarea.ch. 21599 IN MX 30 aspmx3.googlemail.com.
>> finarea.ch. 21599 IN MX 30 aspmx4.googlemail.com.
>> finarea.ch. 21599 IN MX 30 aspmx5.googlemail.com.
>> finarea.ch. 21599 IN MX 10 aspmx.l.google.com.
>> finarea.ch. 21599 IN MX 20 alt1.aspmx.l.google.com.
>> finarea.ch. 21599 IN TXT "v=spf1 include:aspmx.googlemail.com a:spf.finarea.ch ~all"
>>
>> So the smtp1 looks suspicious.
>
> No. Fairly typical.

This is a genuine and expected sender (VoIP provider). I am less sure about atlas.net.tr, but it is probably genuine and expected by recipient too. Unwanted ones I have not bothered to report here.

I don't require encryption on port 25: smtpd_tls_security_level = may
Re: warning: TLS library problem - messages in log
> On Apr 29, 2018, at 3:28 AM, @lbutlr wrote:
>
> It appears that Swiss domain uses Google for their email:
>
> finarea.ch. 21599 IN MX 20 alt2.aspmx.l.google.com.
> finarea.ch. 21599 IN MX 30 aspmx2.googlemail.com.
> finarea.ch. 21599 IN MX 30 aspmx3.googlemail.com.
> finarea.ch. 21599 IN MX 30 aspmx4.googlemail.com.
> finarea.ch. 21599 IN MX 30 aspmx5.googlemail.com.
> finarea.ch. 21599 IN MX 10 aspmx.l.google.com.
> finarea.ch. 21599 IN MX 20 alt1.aspmx.l.google.com.
> finarea.ch. 21599 IN TXT "v=spf1 include:aspmx.googlemail.com a:spf.finarea.ch ~all"
>
> So the smtp1 looks suspicious.

No. Fairly typical.

--
Viktor.
Re: warning: TLS library problem - messages in log
On 29 Apr 2018, at 01:18, Dominic Raferd wrote:
> I've now found similar fall-backs for atlas.net.tr (Turkish service
> provider) - same TLS problem 'error:1408A10B:SSL
> routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:'. I
> guess that (in both cases) this is because the incoming client is old
> and can't offer better security than SSL3 - which we reject.

Are you expecting legit mail from these sources? Are you requiring encryption on port 25 (this is a bad idea)?

My take on SSL3 (or lower) is that these are attempts to force an unsafe exploitable encryption and that these are not connections from legitimate mail servers. YMMV.

It appears that Swiss domain uses Google for their email:

    finarea.ch. 21599 IN MX 20 alt2.aspmx.l.google.com.
    finarea.ch. 21599 IN MX 30 aspmx2.googlemail.com.
    finarea.ch. 21599 IN MX 30 aspmx3.googlemail.com.
    finarea.ch. 21599 IN MX 30 aspmx4.googlemail.com.
    finarea.ch. 21599 IN MX 30 aspmx5.googlemail.com.
    finarea.ch. 21599 IN MX 10 aspmx.l.google.com.
    finarea.ch. 21599 IN MX 20 alt1.aspmx.l.google.com.
    finarea.ch. 21599 IN TXT "v=spf1 include:aspmx.googlemail.com a:spf.finarea.ch ~all"

So the smtp1 looks suspicious.

--
Moving into the universe And she's drifting this way and that Not touching the ground at all And she's up above the yard
Re: warning: TLS library problem - messages in log
On 28 April 2018 at 15:43, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Apr 28, 2018, at 3:40 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>>
>> So far I have one genuine sender that is failing TLS, but upon
>> checking I see that it falls back to cleartext.
>
> It'd be interesting to know why that particular sender is having
> trouble. Can you provide more detail?
>
> Some senders have SMTP client implementations that refuse to complete
> a STARTTLS handshake when they can't verify the server's certificate
> chain, but are then willing to send in the clear. The logic of
> downgrading from unauthenticated encryption to unauthenticated cleartext
> rather escapes me. :-)
>
> http://postfix.1071664.n5.nabble.com/Another-yahoo-problem-tp89756p89769.html

Here are the relevant log entries:

    2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: connect from smtp1.finarea.ch[77.72.174.188]
    2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: SSL_accept error from smtp1.finarea.ch[77.72.174.188]: -1
    2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
    2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: lost connection after STARTTLS from smtp1.finarea.ch[77.72.174.188]
    2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: disconnect from smtp1.finarea.ch[77.72.174.188] ehlo=1 starttls=0/1 commands=1/2
    2018-03-26 00:29:23 ourdomain postfix/smtpd[6043]: connect from smtp1.finarea.ch[77.72.174.188]
    2018-03-26 00:29:23 ourdomain postfix/smtpd[6043]: 884A860167: client=smtp1.finarea.ch[77.72.174.188]
    2018-03-26 00:29:23 ourdomain postfix/cleanup[6091]: 884A860167: message-id=<61f7f420541b2be8ac51dbe240ff2...@18185.co.uk>
    2018-03-26 00:29:23 ourdomain opendmarc[1566]: 884A860167: SPF(mailfrom): donotre...@18185.co.uk fail
    2018-03-26 00:29:23 ourdomain postfix/smtpd[6043]: disconnect from smtp1.finarea.ch[77.72.174.188] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
    ...continues to successful delivery...

I've now found similar fall-backs for atlas.net.tr (Turkish service provider) - same TLS problem 'error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:'. I guess that (in both cases) this is because the incoming client is old and can't offer better security than SSL3 - which we reject.

My TLS settings are pretty standard:

    # postconf -n|grep smtpd_tls|grep -v _file
    smtpd_tls_auth_only = yes
    smtpd_tls_loglevel = 1
    smtpd_tls_security_level = may
Re: warning: TLS library problem - messages in log
> On Apr 28, 2018, at 3:40 AM, Dominic Raferd wrote:
>
> So far I have one genuine sender that is failing TLS, but upon
> checking I see that it falls back to cleartext.

It'd be interesting to know why that particular sender is having trouble. Can you provide more detail?

Some senders have SMTP client implementations that refuse to complete a STARTTLS handshake when they can't verify the server's certificate chain, but are then willing to send in the clear. The logic of downgrading from unauthenticated encryption to unauthenticated cleartext rather escapes me. :-)

http://postfix.1071664.n5.nabble.com/Another-yahoo-problem-tp89756p89769.html

--
Viktor.
Re: warning: TLS library problem - messages in log
On 27 April 2018 at 17:17, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Apr 27, 2018, at 2:22 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>>
>> $ grep -a "warning: TLS library problem" /var/log/mail.log.1 /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
>>      12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
>>      11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
>>      10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
>>       2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1239:
>>
>> Should I be concerned about these messages?
>
> To know the answer you need to consider which clients are running into
> this, and whether:
>
> * These clients are just network scanners and never send email
> * Are spammers and would send email if they could, but you're happy for
>   them to fail
> * Are legitimate email senders, and fall back to cleartext. In which case
>   you'd perhaps rather they use TLS, and should investigate further.
> * Are legitimate email senders, and don't fall back to cleartext (you don't
>   see a message in the clear from them shortly after each TLS failure).
>   In which case you're losing some email and really should investigate.
>
> The errors broadly suggest use of unsupported TLS protocol versions or
> unsupported TLS features, or simply malformed handshake messages. That
> would be expected from scanners, but can also happen if you're configured
> too strictly, for example, to exclude everything below TLSv1.2.
>
> So if you want to be sure, you'll need to do some further log analysis,
> and perhaps collect some PCAP files with full packet captures for any
> clients or netblocks that exhibit the symptoms repeatedly.

Thanks Viktor for that very clear explanation.

I will start using (something like) this for monitoring my logs:

    sed -n '/SSL_accept error/{N;/warning: TLS library problem/{s/.* from \([^:]*\).*/\1/;/unknown\[/d;/shodan\.io\[/d;p}}' /var/log/mail.log

So far I have one genuine sender that is failing TLS, but upon checking I see that it falls back to cleartext.
Re: warning: TLS library problem - messages in log
> On Apr 27, 2018, at 2:22 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>
> $ grep -a "warning: TLS library problem" /var/log/mail.log.1 /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
>      12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
>      11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
>      10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
>       2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1239:
>
> Should I be concerned about these messages?

To know the answer you need to consider which clients are running into this, and whether:

  * These clients are just network scanners and never send email
  * Are spammers and would send email if they could, but you're happy for them to fail
  * Are legitimate email senders, and fall back to cleartext. In which case you'd perhaps rather they use TLS, and should investigate further.
  * Are legitimate email senders, and don't fall back to cleartext (you don't see a message in the clear from them shortly after each TLS failure). In which case you're losing some email and really should investigate.

The errors broadly suggest use of unsupported TLS protocol versions or unsupported TLS features, or simply malformed handshake messages. That would be expected from scanners, but can also happen if you're configured too strictly, for example, to exclude everything below TLSv1.2.

So if you want to be sure, you'll need to do some further log analysis, and perhaps collect some PCAP files with full packet captures for any clients or netblocks that exhibit the symptoms repeatedly.

--
Viktor.
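Viktor's four-way triage above, and Dominic's sed one-liner further up the page (which only extracts the client name), both come down to pairing each SSL_accept error with what the same client does next. The script below is an added example, not code from the thread or from Postfix: it walks smtpd log lines per process, records handshake failures and their "TLS library problem" reason, and notes whether the client later got a queue id in the clear, got one after a TLS session was established, or never did. The log lines are constructed to mirror the pattern Dominic posted (failure, then a cleartext reconnect a second later) plus a scanner that never returns and a peer that retries successfully over TLS; host names and addresses are made up from documentation ranges.

```python
"""Triage Postfix smtpd 'TLS library problem' warnings by what each client did next.
Added example, not from the thread.  SAMPLE_LOG is constructed, not a real log."""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2018-03-26 00:29:22 mx postfix/smtpd[6043]: connect from mail.example.net[192.0.2.10]
2018-03-26 00:29:22 mx postfix/smtpd[6043]: SSL_accept error from mail.example.net[192.0.2.10]: -1
2018-03-26 00:29:22 mx postfix/smtpd[6043]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
2018-03-26 00:29:22 mx postfix/smtpd[6043]: lost connection after STARTTLS from mail.example.net[192.0.2.10]
2018-03-26 00:29:22 mx postfix/smtpd[6043]: disconnect from mail.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
2018-03-26 00:29:23 mx postfix/smtpd[6043]: connect from mail.example.net[192.0.2.10]
2018-03-26 00:29:23 mx postfix/smtpd[6043]: 884A860167: client=mail.example.net[192.0.2.10]
2018-03-26 00:29:23 mx postfix/smtpd[6043]: disconnect from mail.example.net[192.0.2.10] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
2018-03-26 01:10:05 mx postfix/smtpd[6100]: connect from unknown[198.51.100.7]
2018-03-26 01:10:05 mx postfix/smtpd[6100]: SSL_accept error from unknown[198.51.100.7]: -1
2018-03-26 01:10:05 mx postfix/smtpd[6100]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
2018-03-26 01:10:05 mx postfix/smtpd[6100]: lost connection after STARTTLS from unknown[198.51.100.7]
2018-03-26 01:10:05 mx postfix/smtpd[6100]: disconnect from unknown[198.51.100.7] ehlo=1 starttls=0/1 commands=1/2
2018-03-26 02:00:00 mx postfix/smtpd[6200]: connect from relay.example.org[203.0.113.5]
2018-03-26 02:00:00 mx postfix/smtpd[6200]: SSL_accept error from relay.example.org[203.0.113.5]: -1
2018-03-26 02:00:00 mx postfix/smtpd[6200]: warning: TLS library problem: error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1239:
2018-03-26 02:00:00 mx postfix/smtpd[6200]: lost connection after STARTTLS from relay.example.org[203.0.113.5]
2018-03-26 02:00:00 mx postfix/smtpd[6200]: disconnect from relay.example.org[203.0.113.5] ehlo=1 starttls=0/1 commands=1/2
2018-03-26 02:00:02 mx postfix/smtpd[6200]: connect from relay.example.org[203.0.113.5]
2018-03-26 02:00:02 mx postfix/smtpd[6200]: Anonymous TLS connection established from relay.example.org[203.0.113.5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2018-03-26 02:00:02 mx postfix/smtpd[6200]: 9A1B2C3D4E: client=relay.example.org[203.0.113.5]
2018-03-26 02:00:02 mx postfix/smtpd[6200]: disconnect from relay.example.org[203.0.113.5] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

# Tolerates both ISO and classic syslog timestamps: only the smtpd pid and message matter.
LINE_RE = re.compile(r"^.*? postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\S+\[[^\]]+\]")           # hostname[address] as Postfix logs it
QUEUED_RE = re.compile(r"^[0-9A-Za-z]+: client=")   # queue id assigned: a message was accepted
WARNING_PREFIX = "warning: TLS library problem: "


def triage(log_text):
    """Return {client: {"failures", "reasons", "clear", "tls", "verdict"}} for every
    client that hit at least one SSL_accept error."""
    sessions = {}     # smtpd pid -> {"client": ..., "tls": bool} for its open connection
    last_failed = {}  # smtpd pid -> client named in that process's last SSL_accept error
    stats = defaultdict(lambda: {"failures": 0, "reasons": set(), "clear": 0, "tls": 0})

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # cleanup, opendmarc and other non-smtpd lines are irrelevant here
        pid, msg = m.group("pid"), m.group("msg")
        if msg.startswith("connect from "):
            sessions[pid] = {"client": CLIENT_RE.search(msg).group(0), "tls": False}
        elif msg.startswith("SSL_accept error from "):
            client = CLIENT_RE.search(msg).group(0)
            stats[client]["failures"] += 1
            last_failed[pid] = client
        elif msg.startswith(WARNING_PREFIX) and pid in last_failed:
            # The warning line names no client; attribute it to this process's
            # most recent handshake failure, which is what the sed one-liner relies on too.
            stats[last_failed[pid]]["reasons"].add(msg[len(WARNING_PREFIX):])
        elif " TLS connection established from " in msg and pid in sessions:
            sessions[pid]["tls"] = True   # Anonymous/Untrusted/Trusted/Verified all match
        elif QUEUED_RE.match(msg) and pid in sessions:
            s = sessions[pid]
            stats[s["client"]]["tls" if s["tls"] else "clear"] += 1
        elif msg.startswith("disconnect from "):
            sessions.pop(pid, None)

    report = {}
    for client, st in stats.items():
        if st["failures"] == 0:
            continue  # never failed a handshake: not of interest here
        if st["clear"]:
            verdict = "falls back to cleartext: expected sender, worth asking why TLS fails"
        elif st["tls"]:
            verdict = "later delivered over TLS: transient handshake problem"
        else:
            verdict = "no mail accepted: scanner/spammer, or lost mail if this is an expected sender"
        report[client] = dict(st, verdict=verdict)
    return report


if __name__ == "__main__":
    for client, st in triage(SAMPLE_LOG).items():
        print(f"{client}: {st['failures']} failure(s), clear={st['clear']} tls={st['tls']} -> {st['verdict']}")
        for reason in sorted(st["reasons"]):
            print("    " + reason)
```

Run it against a real mail.log by replacing SAMPLE_LOG with the file contents; the "no mail accepted" bucket is where Viktor's last two categories (scanner versus lost legitimate mail) still need a human who knows which senders are expected.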
Re: warning: TLS library problem - messages in log
On 27 April 2018 at 08:57, Poliman - Serwis <ser...@poliman.pl> wrote:
> 2018-04-27 8:22 GMT+02:00 Dominic Raferd <domi...@timedicer.co.uk>:
>>
>> I have always received a number of warning messages (from
>> postfix/smtpd) stating 'TLS library problem' in my mail logs and I
>> think they are always followed by a dropped incoming connection. I
>> have hitherto assumed that they reflect a badly-configured (probably
>> spamming) foreign client/host, but the messages could be read as
>> implying an internal problem on my mailserver. Which is true?
>>
>> The details of the reported error messages over the recent period can
>> be summarised thus:
>>
>> $ grep -a "warning: TLS library problem" /var/log/mail.log.1 /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
>>      12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
>>      11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
>>      10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
>>       2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1239:
>>
>> Should I be concerned about these messages?
>
> I have almost same logs. Some time ago I asked people on this mailing list.
> They said that somebody tries to connect to your server but he can't because
> of too old ssl he uses. You can ignore it.

Thanks for your reply. In the absence of comments to the contrary I take that as canonical. I still think the TLS library problem warning message is confusing, but at least I can stop worrying about it.
Re: warning: TLS library problem - messages in log
I have almost the same logs. Some time ago I asked people on this mailing list. They said that somebody tries to connect to your server but can't because of the too-old SSL he uses. You can ignore it.

2018-04-27 8:22 GMT+02:00 Dominic Raferd <domi...@timedicer.co.uk>:
> I have always received a number of warning messages (from
> postfix/smtpd) stating 'TLS library problem' in my mail logs and I
> think they are always followed by a dropped incoming connection. I
> have hitherto assumed that they reflect a badly-configured (probably
> spamming) foreign client/host, but the messages could be read as
> implying an internal problem on my mailserver. Which is true?
>
> The details of the reported error messages over the recent period can
> be summarised thus:
>
> $ grep -a "warning: TLS library problem" /var/log/mail.log.1 /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
>      12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
>      11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
>      10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
>       2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1239:
>
> Should I be concerned about these messages?

--
Best Regards
Piotr Bracha
warning: TLS library problem - messages in log
I have always received a number of warning messages (from postfix/smtpd) stating 'TLS library problem' in my mail logs and I think they are always followed by a dropped incoming connection. I have hitherto assumed that they reflect a badly-configured (probably spamming) foreign client/host, but the messages could be read as implying an internal problem on my mailserver. Which is true?

The details of the reported error messages over the recent period can be summarised thus:

    $ grep -a "warning: TLS library problem" /var/log/mail.log.1 /var/log/mail.log|grep -o "error:.*"|sort|uniq -c|sort -nr
         12 error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:362:
         11 error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
         10 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
          2 error:1408A0E3:SSL routines:ssl3_get_client_hello:parse tlsext:s3_srvr.c:1239:

Should I be concerned about these messages?
Re: warning: TLS library problem
On Jan 24, 2018, at 9:25 PM, li...@lazygranch.com wrote:
> postfix/smtpd[14755]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
>
> Should I be blocking some encryption method? I thought openssl dropped support for the hackable protocols.

On 24.01.18 22:41, Viktor Dukhovni wrote:
> The error message is not what it appears. The SSLv23 functions are the generic layer that handles all protocol versions before the actual protocol is determined.

For example, dropping the connection or speaking plaintext to it can result in this kind of error.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
Re: warning: TLS library problem
> On Jan 24, 2018, at 9:25 PM, li...@lazygranch.com wrote:
>
> postfix/smtpd[14755]: warning: TLS library problem: error:140760FC:SSL
> routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:
>
> Should I be blocking some encryption method? I thought openssl dropped
> support for the hackable protocols.

The error message is not what it appears. The SSLv23 functions are the generic layer that handles all protocol versions before the actual protocol is determined.

--
Viktor.
warning: TLS library problem
    postfix/smtpd[14755]: warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:640:

Should I be blocking some encryption method? I thought openssl dropped support for the hackable protocols.
warning: TLS library problem: 457:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:293:
Hello everyone,

I have a problem receiving e-mails via STARTSSL from the hays mailservers. It bails out with the following error message. My mailserver is infra.glanzmann.de and I have no trouble receiving or sending e-mail via startssl to various mailservers with officially or unofficially signed certificates.

    Sep 20 13:15:03 infra postfix/smtpd[457]: connect from mail2.hays.de[93.188.241.74]
    Sep 20 13:15:03 infra postfix/smtpd[457]: setting up TLS connection from mail2.hays.de[93.188.241.74]
    Sep 20 13:15:04 infra postfix/smtpd[457]: SSL_accept error from mail2.hays.de[93.188.241.74]: -1
    Sep 20 13:15:04 infra postfix/smtpd[457]: warning: TLS library problem: 457:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:293:
    Sep 20 13:15:04 infra postfix/smtpd[457]: lost connection after STARTTLS from mail2.hays.de[93.188.241.74]
    Sep 20 13:15:04 infra postfix/smtpd[457]: disconnect from mail2.hays.de[93.188.241.74]

Does someone have an idea what the problem is here and how I can get a workaround to not offer startssl to the hays mailservers?

    (infra) [~] grep tls /etc/postfix/main.cf
    smtpd_tls_key_file = /etc/ssl/private/server.key
    smtpd_tls_cert_file = /etc/ssl/private/postfix-chain.pem
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtpd_tls_security_level = may
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_tls_key_file = /etc/ssl/private/server.key
    smtp_tls_cert_file = /etc/ssl/private/postfix-chain.pem
    smtp_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtpd_tls_loglevel = 1
    smtp_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem
    smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem
    smtpd_tls_ask_ccert = yes

Cheers,
Thomas
RE: warning: TLS library problem: 457:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:293:
On Behalf Of Thomas Glanzmann
> Does someone have an idea what the problem is here and how I can get a workaround to not offer startssl to the hays mailservers?

smtpd_discard_ehlo_keyword_address_maps

Kind regards
Drießen

--
Software Computer Uwe Drießen
Lembergstraße 33
67824 Feilbingert
Tel.: +49 06708 / 660045
Fax: +49 06708 / 661397
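Uwe's one-line answer names the Postfix parameter that withholds EHLO keywords from selected clients; the fragment below is an added worked example of wiring it up, not Thomas's configuration. The map file name /etc/postfix/esmtp_access and the single-host entry are assumptions; the address is the one in Thomas's log for mail2.hays.de, and the per-connection log suppression via the silent-discard pseudo keyword is Postfix's documented behaviour.

```conf
# /etc/postfix/main.cf  (added example, not the poster's configuration)
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/esmtp_access

# /etc/postfix/esmtp_access  (assumed file name)
# cidr: tables are read when smtpd starts, so there is no postmap step;
# run "postfix reload" after editing.  Entry: withhold STARTTLS from this
# one peer only; "silent-discard" suppresses the per-connection
# "discarding EHLO keywords" log line.
93.188.241.74/32    silent-discard, starttls
```

This is a per-peer exception, not a fix: mail from that peer then arrives in the clear, exactly as in the fallback Dominic observed elsewhere in this archive, and the underlying handshake failure stays undiagnosed. Keep the entry as narrow as the peer's addresses require and review it when the peer updates its software.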