postfix getting SSL_accept error

Postby gacuxz » 2019-10-23 18:00

Hello all. I'm sort of a beginner, so sorry for possibly stupid questions.
The mail server I inherited suddenly can't get mail from wetransfer.com. I'm continuously seeing the following errors in /var/log/mail.info:
Code:
Oct 23 23:42:06 mail postfix/smtpd[31441]: connect from o2.email.wetransfer.com[192.254.118.54]
Oct 23 23:42:06 mail postfix/smtpd[31441]: setting up TLS connection from o2.email.wetransfer.com[192.254.118.54]
Oct 23 23:42:06 mail postfix/smtpd[31441]: o2.email.wetransfer.com[192.254.118.54]: TLS cipher list "ALL:+RC4:@STRENGTH"
Oct 23 23:42:06 mail postfix/smtpd[31441]: SSL_accept:before/accept initialization
Oct 23 23:42:06 mail postfix/smtpd[31441]: read from 7F517996A0E0 [7F5179977890] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Oct 23 23:42:06 mail postfix/smtpd[31441]: read from 7F517996A0E0 [7F5179977890] (11 bytes => 11 (0xB))
Oct 23 23:42:06 mail postfix/smtpd[31441]: 0000 16 03 01 00 84 01 00 00|80 03 03                 ........ ...
Oct 23 23:42:06 mail postfix/smtpd[31441]: read from 7F517996A0E0 [7F517997789B] (126 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Oct 23 23:42:06 mail postfix/smtpd[31441]: read from 7F517996A0E0 [7F517997789B] (126 bytes => 126 (0x7E))
Oct 23 23:42:06 mail postfix/smtpd[31441]: 0000 5d b0 bb 1e b4 c2 f0 8e|7a 92 80 50 a9 43 de 64  ]....... z..P.C.d
Oct 23 23:42:06 mail postfix/smtpd[31441]: 0010 4a 22 1d e5 e2 17 14 50|e8 91 ca ce 3a b1 a3 ad  J".....P ....:...
Oct 23 23:42:06 mail postfix/smtpd[31441]: 0020 00 00 1a c0 2c c0 30 c0|2b c0 2f c0 24 c0 28 c0  ....,.0. +./.$.(.
Oct 23 23:42:06 mail postfix/smtpd[31441]: 0030 23 c0 27 00 9d 00 9c 00|3d 00 3c 00 ff 01 00 00  #.'..... =.<.....
Oct 23 23:42:06 mail postfix/smtpd[31441]: 0040 3d 00 0b 00 04 03 00 01|02 00 0a 00 08 00 06 00  =....... ........
Oct 23 23:42:06 mail postfix/smtpd[31441]: 0050 19 00 18 00 17 00 0d 00|20 00 1e 06 01 06 02 06  ........  .......
Oct 23 23:42:06 mail postfix/smtpd[31441]: 0060 03 05 01 05 02 05 03 04|01 04 02 04 03 03 01 03  ........ ........
Oct 23 23:42:06 mail postfix/smtpd[31441]: 0070 02 03 03 02 01 02 02 02|03 00 0f 00 01 01        ........ ......
Oct 23 23:42:06 mail postfix/smtpd[31441]: write to 7F517996A0E0 [7F5179985A50] (7 bytes => 7 (0x7))
Oct 23 23:42:06 mail postfix/smtpd[31441]: 0000 15 03 01 00 02 02 28                             ......(
Oct 23 23:42:06 mail postfix/smtpd[31441]: SSL3 alert write:fatal:handshake failure
Oct 23 23:42:06 mail postfix/smtpd[31441]: SSL_accept:error in SSLv3 read client hello C
Oct 23 23:42:06 mail postfix/smtpd[31441]: SSL_accept error from o2.email.wetransfer.com[192.254.118.54]: -1
Oct 23 23:42:06 mail postfix/smtpd[31441]: warning: TLS library problem: 31441:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1077:
Oct 23 23:42:06 mail postfix/smtpd[31441]: lost connection after STARTTLS from o2.email.wetransfer.com[192.254.118.54]
Oct 23 23:42:06 mail postfix/smtpd[31441]: disconnect from o2.email.wetransfer.com[192.254.118.54]

This server's Debian version is 6.0 (Squeeze) and the openssl version is 0.9.8o 01 Jun 2010 (I know it must be upgraded, but it's really not an option for me right now). The following command gives me these results:
Code:
# openssl ciphers
DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA

Do I understand correctly that *.wetransfer.com is asking me to support the "ALL:+RC4:@STRENGTH" cipher, which is a different version than RC4 (https://en.wikipedia.org/wiki/RC4#RC4+), and that my old openssl working alongside postfix doesn't support this one? I'm confused and haven't had much practice with secure communications. I couldn't find a solution related to my problem for hours (I believe it's because of the age of the software).
* Can this problem be because of the old openssl version? Does it make sense to compile it from source?
* How could I debug this problem further if openssl is not the case?
Could someone point me in the right direction? Any help appreciated. Thank you.
gacuxz
 
Posts: 2
Joined: 2019-10-23 16:24
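
Added example (not part of the original post): a Python sketch that decodes the ClientHello bytes from the smtpd hexdump above and compares the cipher suites the client offered with the server's `openssl ciphers` output. The numeric IDs attached to the server's cipher names are the IANA values for those suites, supplied here as an assumption of the example; the function names are hypothetical.

```python
import struct

# ClientHello copied byte for byte from the hexdump in the post (11 + 126 bytes).
RECORD = bytes.fromhex(
    "16 03 01 00 84 01 00 00 80 03 03 "
    "5d b0 bb 1e b4 c2 f0 8e 7a 92 80 50 a9 43 de 64 "
    "4a 22 1d e5 e2 17 14 50 e8 91 ca ce 3a b1 a3 ad "
    "00 00 1a c0 2c c0 30 c0 2b c0 2f c0 24 c0 28 c0 "
    "23 c0 27 00 9d 00 9c 00 3d 00 3c 00 ff 01 00 00 "
    "3d 00 0b 00 04 03 00 01 02 00 0a 00 08 00 06 00 "
    "19 00 18 00 17 00 0d 00 20 00 1e 06 01 06 02 06 "
    "03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 03 "
    "02 03 03 02 01 02 02 02 03 00 0f 00 01 01"
)

# Names from the post's `openssl ciphers` output; IDs are IANA values (added here).
SERVER = {
    "DHE-RSA-AES256-SHA": 0x0039, "DHE-DSS-AES256-SHA": 0x0038,
    "AES256-SHA": 0x0035, "EDH-RSA-DES-CBC3-SHA": 0x0016,
    "EDH-DSS-DES-CBC3-SHA": 0x0013, "DES-CBC3-SHA": 0x000A,
    "DHE-RSA-AES128-SHA": 0x0033, "DHE-DSS-AES128-SHA": 0x0032,
    "AES128-SHA": 0x002F, "RC4-SHA": 0x0005, "RC4-MD5": 0x0004,
    "EDH-RSA-DES-CBC-SHA": 0x0015, "EDH-DSS-DES-CBC-SHA": 0x0012,
    "DES-CBC-SHA": 0x0009,
}

def parse_client_hello(rec):
    # Record header: type(1) version(2) length(2); handshake: type(1) length(3)
    ctype, _, rlen = struct.unpack_from("!BHH", rec, 0)
    if ctype != 0x16 or len(rec) < 5 + rlen or rec[5] != 0x01:
        raise ValueError("not a complete ClientHello record")
    hlen = int.from_bytes(rec[6:9], "big")
    hello = rec[9:9 + hlen]
    version = struct.unpack_from("!H", hello, 0)[0]
    pos = 2 + 32                     # client_version + random
    pos += 1 + hello[pos]            # session_id length byte + session_id
    n = struct.unpack_from("!H", hello, pos)[0]
    if n % 2 or pos + 2 + n > len(hello):
        raise ValueError("bad cipher_suites length")
    ids = struct.unpack_from("!%dH" % (n // 2), hello, pos + 2)
    return version, list(ids)

def shared_ciphers(rec=RECORD):
    # Server cipher names whose IDs also appear in the client's offer
    offered = set(parse_client_hello(rec)[1])
    return [name for name, cid in SERVER.items() if cid in offered]

if __name__ == "__main__":
    ver, ids = parse_client_hello(RECORD)
    print("client_version 0x%04x, offered:" % ver, ["%04x" % i for i in ids])
    print("shared with server:", shared_ciphers() or "none")
```

The client offers only GCM and SHA-256/SHA-384 suites under client_version 0x0303 (TLS 1.2), while the server's list contains only SHA-1 and MD5 based suites, so the intersection is empty, which is what `no shared cipher` reports. The `TLS cipher list "ALL:+RC4:@STRENGTH"` line is logged by the local smtpd for the cipher list it applies; it is not sent by the client.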

Re: postfix getting SSL_accept error

Postby gacuxz » 2019-10-26 06:05

I'm getting e-mails from wetransfer.com again. I think it's because wetransfer.com encountered the same kind of compatibility issues with other mail servers and made its mail protocols less hardened again. I didn't move much further in resolving my issues:
    Official Debian says it may be because my old openssl can't generate and understand strong keys: https://wiki.debian.org/SSLkeys. One of the solutions may be to recompile these from source, but I think it can awaken a chain of other problems.
Right now I'm working on installing a new mail server from scratch while wetransfer.com e-mails are working.
gacuxz
 
Posts: 2
Joined: 2019-10-23 16:24

