On Monday 04 December 2017 13:19:41 Giovanni Bechis wrote:
> On 11/10/17 17:46, Joel Sing wrote:
> [...]
>
> > I suspect this is going to be difficult to track down without being able
> > to see what is on the wire (tcpdump or 'smtpd_tls_loglevel = 3' in
> > postfix) or being able to reproduce/trigger TLS sessions from the client.
>
> postfix log file with 'smtpd_tls_loglevel = 3' attached.
> Thanks & Cheers
> Giovanni
Looking at this more closely, it is actually a different problem from the
originally reported issue (wrong version number):

Dec 4 13:09:30 thor postfix/smtpd[91646]: connect from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
Dec 4 13:09:31 thor postfix/smtpd[91646]: setting up TLS connection from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
Dec 4 13:09:31 thor postfix/smtpd[91646]: sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:before/accept initialization
...
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 read client hello B
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write server hello A
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write certificate A
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write key exchange A
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 write server done A
...
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 flush data
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:SSLv3 read client certificate A
Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA003] (5 bytes => 5 (0x5))
Dec 4 13:09:31 thor postfix/smtpd[91646]: 0000 15 03 03 00 02 .....
Dec 4 13:09:31 thor postfix/smtpd[91646]: read from 4F66840F900 [4F6048AA008] (2 bytes => 2 (0x2))
Dec 4 13:09:31 thor postfix/smtpd[91646]: 0000 02 2e ..
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL3 alert read:fatal:certificate unknown
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept:failed in SSLv3 read client key exchange A
Dec 4 13:09:31 thor postfix/smtpd[91646]: SSL_accept error from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]: 0
Dec 4 13:09:31 thor postfix/smtpd[91646]: warning: TLS library problem: error:14037416:SSL routines:ACCEPT_SR_KEY_EXCH:sslv3 alert certificate unknown:/usr/src/lib/libssl/ssl_pkt.c:1205:SSL alert number 46:
Dec 4 13:09:31 thor postfix/smtpd[91646]: lost connection after STARTTLS from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42]
Dec 4 13:09:31 thor postfix/smtpd[91646]: disconnect from sonic301-3.consmr.mail.bf2.yahoo.com[74.6.129.42] ehlo=1 starttls=0/1 commands=1/2

In this case the client hello has been received and the server
hello/certificate/key exchange/done has been sent, before the other side
responds with a "certificate unknown" alert - this suggests that the TLS
client is actually expecting to do some form of certificate verification
and this is failing.

Was this working prior to OpenBSD 6.2?
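As an added example (not part of the thread above, and not postfix or LibreSSL code), the following Python decodes the two hexdump fragments that smtpd logged just before the failure into the TLS record they form. It assumes only the bytes shown in the log and the standard TLS alert registry (RFC 5246 section 7.2): the 5-byte record header reads content type 0x15 (alert), version 0x0303 (TLS 1.2; the "SSLv3" in the SSL_accept state names is only the library's label for its handshake states) and length 2, and the 2-byte body is level 2 (fatal), description 46 (certificate_unknown), which is the "SSL alert number 46" in the warning line. An alert sent by the client at this point of the handshake means the client rejected the server's certificate, which is the reading given in the reply.

```python
"""Decode the TLS alert record from a postfix smtpd_tls_loglevel=3 hexdump.

Added example; the hexdump lines are copied verbatim from the log quoted
in the thread, and the alert tables are a subset of the TLS registry.
"""
import struct

CONTENT_TYPE_ALERT = 0x15  # TLS record content type 21 = alert

# Subset of the TLS AlertDescription registry (RFC 5246 section 7.2.2).
ALERT_DESCRIPTIONS = {
    0: "close_notify",
    10: "unexpected_message",
    20: "bad_record_mac",
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    47: "illegal_parameter",
    48: "unknown_ca",
    49: "access_denied",
    70: "protocol_version",
    71: "insufficient_security",
    80: "internal_error",
}

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Record-layer version field; 3.3 is TLS 1.2.
RECORD_VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}


def parse_hexdump_line(line):
    """Turn one 'offset hh hh ... ascii' hexdump line into bytes.

    The leading offset is dropped, and parsing stops at the first token
    that is not a two-digit hex byte, which is where the ASCII column begins.
    """
    out = bytearray()
    for tok in line.split()[1:]:
        if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
            out.append(int(tok, 16))
        else:
            break
    return bytes(out)


def decode_alert_record(data):
    """Decode a TLS record carrying an alert and return its fields.

    Raises ValueError for anything that is not a well-formed alert record,
    so a handshake record or a truncated read is not silently misread.
    """
    if len(data) < 5:
        raise ValueError("record header truncated")
    content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
    if content_type != CONTENT_TYPE_ALERT:
        raise ValueError("not an alert record (content type %d)" % content_type)
    if length != 2 or len(data) < 5 + length:
        raise ValueError("alert payload must be exactly 2 bytes")
    level, description = data[5], data[6]
    return {
        "version": RECORD_VERSIONS.get((major, minor), "unknown (%d.%d)" % (major, minor)),
        "level": ALERT_LEVELS.get(level, "unknown (%d)" % level),
        "code": description,
        "description": ALERT_DESCRIPTIONS.get(description, "unknown"),
    }


# The two hexdump lines from the smtpd log: the 5-byte record header is
# read first, then the 2-byte alert body.
LOG_HEXDUMP_LINES = [
    "0000 15 03 03 00 02 .....",
    "0000 02 2e ..",
]


def decode_logged_alert(lines=LOG_HEXDUMP_LINES):
    """Join the hexdump fragments from the log and decode the alert."""
    data = b"".join(parse_hexdump_line(line) for line in lines)
    return decode_alert_record(data)


if __name__ == "__main__":
    alert = decode_logged_alert()
    print("%s %s alert %d (%s)" % (alert["version"], alert["level"],
                                   alert["code"], alert["description"]))
    # TLSv1.2 fatal alert 46 (certificate_unknown)
```

Running it prints the decoded alert; feeding it a record of another content type (for example a handshake record, 0x16) raises ValueError rather than returning a bogus alert, which matters when pulling records out of a longer debug log.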