SSL_accept:error in SSLv3/TLS write server done

Discussion in 'ISPConfig 3 Priority Support' started by pvanthony, Apr 25, 2021.

  1. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Getting the following error and not receiving emails from merck.com.
    Set the tls log to 3.
    Tried deactivating medium ciphers by commenting them out.
    I got the feeling merck.com is using some old protocols and is not compatible with ISPConfig 3.2.
    What can I do in postfix to at least get the emails coming in, then harden postfix after that? Then inform merck.com about it.
    All this is assuming the problem is with merck.com.
    All other emails are coming through and working alright so far.
    Need advice.
    Code:
    Apr 25 23:08:07 mail postfix/smtpd[4190976]: connect from barvie.merck.com[155.91.38.100]
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: setting up TLS connection from barvie.merck.com[155.91.38.100]
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: barvie.merck.com[155.91.38.100]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!RC4:!aNULL"
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: SSL_accept:before SSL initialization
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: read from 5624457F66B0 [5624457FD523] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: read from 5624457F66B0 [5624457FD523] (5 bytes => 5 (0x5))
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 0000 16 03 01 00 e4                                   .....
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: read from 5624457F66B0 [5624457FD528] (228 bytes => 228 (0xE4))
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 0000 01 00 00 e0 03 03 a7 47|d9 0a cd fe da 93 0e 83  .......G ........
    removed some lines to fit into the 2000 limit
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 00d0 02 04 03 03 01 03 02 03|03 02 01 02 02 02 03 00  ........ ........
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 00e0 0f 00 01 01                                      ....
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: SSL_accept:before SSL initialization
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: SSL_accept:SSLv3/TLS read client hello
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: SSL_accept:SSLv3/TLS write server hello
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: SSL_accept:SSLv3/TLS write certificate
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: SSL_accept:SSLv3/TLS write key exchange
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: write to 5624457F66B0 [5624458066E0] (3396 bytes => 3396 (0xD44))
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 0000 16 03 03 00 3d 02 00 00|39 03 03 92 ac 3a 91 78  ....=... 9....:.x
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 0010 c6 d4 16 cb 2a 09 04 1c|ed f5 30 22 46 12 94 bf  ....*... ..0"F...
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 0020 df 4f da 44 4f 57 4e 47|52 44 01 00 c0 30 00 00  .O.DOWNG RD...0..
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 0030 11 ff 01 00 01 00 00 0b|00 04 03 00 01 02 00 23  ........ .......#
    removed some lines to fit into the 2000 limit
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 0d30 37 39 81 d3 b2 44 e4 72|1c 01 6b 16 03 03 00 04  79...D.r ..k.....
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 0d40 0e                                               .
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: 0d41 - <SPACES/NULLS>
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: SSL_accept:SSLv3/TLS write server done
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: read from 5624457F66B0 [5624457FD523] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: read from 5624457F66B0 [5624457FD523] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: SSL_accept:error in SSLv3/TLS write server done
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: SSL_accept error from barvie.merck.com[155.91.38.100]: Connection reset by peer
    Apr 25 23:08:08 mail postfix/smtpd[4190976]: lost connection after STARTTLS from barvie.merck.com[155.91.38.100]
    
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    In postfix main.cf, you find several SSL related config options that contain the value:

    !SSLv2,!SSLv3

    change that to:

    !SSLv2

    to allow SSLv3 again and then restart postfix.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Just a note, this change would be lost when updating ISPConfig.

    In my opinion any mailserver that does not even support TLSv1 has no place on the internet. Most mail servers have dropped support for SSLv2 and SSLv3, so you can temporarily re-enable SSLv3 and get in touch with them to resolve this, but it would be very reasonable to let it go... In my own experience: you can't solve everyone else's mailserver problems.

    Weird thing is, I just did a test on that hostname, port 25, and SSLv3 seems disabled. So they should be able to contact your server...
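The check described in this reply, connecting to a remote MX on port 25 and seeing which protocol versions it will complete STARTTLS with, done in Python as an added example (not code from the thread, ISPConfig or Postfix). Host and port are whatever you pass in; nothing in it is tied to the hosts in the thread. Certificate verification is switched off because only the handshake is under test, and OpenSSL's local security level is lowered so that your own library does not refuse TLSv1/1.1 before the peer gets a say; both are probe-only settings.

```python
"""Probe which TLS versions an SMTP server will negotiate over STARTTLS.
Added example, not from the thread. Host and port are arguments; nothing here is
specific to the servers named in the thread. Certificate checks are off because
only the handshake is under test, and OpenSSL's local security level is lowered so
that the old versions can be offered at all (probe-only settings)."""
import smtplib
import ssl
import warnings

PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                  ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def probe_context(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)   # TLSv1/1.1 are deprecated in ssl
        ctx.minimum_version = version
        ctx.maximum_version = version
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")       # else local policy, not the peer, refuses TLSv1/1.1
    except ssl.SSLError:
        pass                                         # LibreSSL has no security levels; leave defaults
    return ctx


def probe_starttls(host, port=25, version=ssl.TLSVersion.TLSv1_2, timeout=10):
    """One connection: EHLO, STARTTLS, handshake at the pinned version. Returns a short verdict."""
    try:
        ctx = probe_context(version)
    except ValueError as e:                          # this OpenSSL build has no such protocol
        return f"{version.name}: not available locally ({e})"
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return f"{version.name}: server does not offer STARTTLS"
            smtp.starttls(context=ctx)
            return f"{version.name}: accepted, negotiated {smtp.sock.version()} {smtp.sock.cipher()[0]}"
    except ssl.SSLError as e:
        return f"{version.name}: handshake failed ({e.reason or e})"
    except (OSError, smtplib.SMTPException) as e:
        return f"{version.name}: connection failed ({e})"


def probe_all(host, port=25):
    """Map of version name -> verdict, one fresh connection per version."""
    return {v.name: probe_starttls(host, port, v) for v in PROBE_VERSIONS}


if __name__ == "__main__":
    import sys
    for verdict in probe_all(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25).values():
        print(verdict)
```

Run it as `python probe.py mx.example.org 25`. A `handshake failed` verdict for every old version can come from your own OpenSSL build having none of them left rather than from the peer, so compare against a host you control first; a `connection reset` style failure mid-handshake, as in the first post, is also worth distinguishing from a clean TLS alert, which shows up as a named `reason`.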
     
  4. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Trying now. Will report back.
     
  5. pvanthony

    pvanthony Active Member HowtoForge Supporter

    What other setting can be de-activated for testing?
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share your main.cf?
     
  7. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Code:
    compatibility_level = 2
    queue_directory = /var/spool/postfix
    command_directory = /usr/sbin
    daemon_directory = /usr/libexec/postfix
    data_directory = /var/lib/postfix
    mail_owner = postfix
    inet_interfaces = all
    inet_protocols = ipv4
    mydestination = mail.example.com, localhost, localhost.localdomain
    unknown_local_recipient_reject_code = 550
    alias_maps = hash:/etc/aliases
    alias_database = hash:/etc/aliases
    debug_peer_level = 2
    debugger_command =
         PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
         ddd $daemon_directory/$process_name $process_id & sleep 5
    sendmail_path = /usr/sbin/sendmail.postfix
    newaliases_path = /usr/bin/newaliases.postfix
    mailq_path = /usr/bin/mailq.postfix
    setgid_group = postdrop
    html_directory = no
    manpage_directory = /usr/share/man
    sample_directory = /usr/share/doc/postfix/samples
    readme_directory = /usr/share/doc/postfix/README_FILES
    
    smtpd_tls_cert_file = /etc/postfix/smtpd.cert
    smtpd_tls_key_file = /etc/postfix/smtpd.key
    smtpd_tls_security_level = may
    smtp_tls_CApath = /etc/pki/tls/certs
    smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
    smtp_tls_security_level = may
    meta_directory = /etc/postfix
    shlib_directory = /usr/lib64/postfix
    virtual_alias_domains = proxy:mysql:/etc/postfix/mysql-virtual_alias_domains.cf
    virtual_alias_maps = hash:/etc/mailman/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_alias_maps.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
    virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
    virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
    virtual_mailbox_base = /var/vmail
    virtual_uid_maps = proxy:mysql:/etc/postfix/mysql-virtual_uids.cf
    virtual_gid_maps = proxy:mysql:/etc/postfix/mysql-virtual_gids.cf
    sender_bcc_maps = proxy:mysql:/etc/postfix/mysql-virtual_outgoing_bcc.cf
    smtpd_sasl_auth_enable = yes
    broken_sasl_auth_clients = yes
    smtpd_sasl_authenticated_header = yes
    smtpd_restriction_classes = greylisting
    greylisting = check_policy_service inet:127.0.0.1:10023
    smtpd_recipient_restrictions = permit_mynetworks, reject_unknown_recipient_domain, reject_unlisted_recipient, check_recipient_access proxy:mysql:/etc/postfix/mysql-verify_recipients.cf, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unauth_destination, check_recipient_access proxy:mysql:/etc/postfix/mysql-virtual_recipient.cf, check_policy_service unix:private/quota-status
    smtpd_use_tls = yes
    transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
    relay_domains = proxy:mysql:/etc/postfix/mysql-virtual_relaydomains.cf
    relay_recipient_maps = proxy:mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
    smtpd_sender_login_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender_login_maps.cf
    proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $sender_bcc_maps $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $smtpd_sender_login_maps $virtual_uid_maps $virtual_gid_maps $smtpd_client_restrictions $smtpd_sender_restrictions $smtpd_recipient_restrictions $smtp_sasl_password_maps $sender_dependent_relayhost_maps
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, permit
    smtpd_sender_restrictions = check_sender_access proxy:mysql:/etc/postfix/mysql-virtual_sender.cf, reject_authenticated_sender_login_mismatch, permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unlisted_sender
    smtpd_reject_unlisted_sender = no
    smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, permit
    smtpd_etrn_restrictions = permit_mynetworks, reject
    smtpd_data_restrictions = permit_mynetworks, reject_unauth_pipelining, reject_multi_recipient_bounce, permit
    smtpd_client_message_rate_limit = 100
    maildrop_destination_concurrency_limit = 1
    maildrop_destination_recipient_limit = 1
    virtual_transport = lmtp:unix:private/dovecot-lmtp
    header_checks = regexp:/etc/postfix/header_checks
    mime_header_checks = regexp:/etc/postfix/mime_header_checks
    nested_header_checks = regexp:/etc/postfix/nested_header_checks
    body_checks = regexp:/etc/postfix/body_checks
    smtpd_tls_loglevel = 3
    smtpd_tls_mandatory_protocols = !SSLv2
    smtpd_tls_protocols = !SSLv2
    smtp_tls_protocols = !SSLv2
    smtpd_tls_exclude_ciphers = RC4, aNULL
    smtp_tls_exclude_ciphers = RC4, aNULL
    tls_preempt_cipherlist = yes
    address_verify_negative_refresh_time = 60s
    enable_original_recipient = yes
    myhostname = mail.example.com
    mynetworks = 127.0.0.0/8 [::1]/128
    dovecot_destination_recipient_limit = 1
    smtpd_sasl_type = dovecot
    smtpd_sasl_path = private/auth
    mailbox_size_limit = 0
    message_size_limit = 31457280
    smtpd_milters = inet:localhost:11332
    non_smtpd_milters = inet:localhost:11332
    milter_protocol = 6
    milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
    milter_default_action = accept
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayauth.cf, texthash:/etc/postfix/sasl_passwd
    smtp_sasl_security_options = noanonymous, noplaintext
    sender_dependent_relayhost_maps = proxy:mysql:/etc/postfix/mysql-virtual_sender-relayhost.cf
    smtp_sender_dependent_authentication = yes
    smtp_sasl_tls_security_options = noanonymous
    
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This config is much different from the one that is created by ISPConfig. Did you reconfigure services at your last update?
     
  9. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Some of the options are commented out for testing of the current problem.
    I will backup this config and do a reconfigure of services. Will report back.
     
  10. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Just did the reconfigure services. Here is the diff between the new main.cf and old main.cf.
    Code:
    diff main.cf main.cf.20210426
    761c761
    < smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, , permit
    ---
    > smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, check_helo_access regexp:/etc/postfix/blacklist_helo, permit
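Review bot: the `<` side (the regenerated main.cf; `diff main.cf main.cf.20210426` lists the new file first) reads `blacklist_helo, , permit`, an empty list element from a doubled comma. Postfix's list parser skips empty elements, so nothing breaks, but it usually means an optional restriction slot in the ISPConfig template rendered empty; drop the stray comma so the line ends `check_helo_access regexp:/etc/postfix/blacklist_helo, permit`.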
    764c764
    < smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining , permit
    ---
    > smtpd_client_restrictions = check_client_access proxy:mysql:/etc/postfix/mysql-virtual_client.cf, permit_inet_interfaces, permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, permit
    782,784c782,784
    < smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    < smtpd_tls_protocols = !SSLv2,!SSLv3
    < smtp_tls_protocols = !SSLv2,!SSLv3
    ---
    > smtpd_tls_mandatory_protocols = !SSLv2
    > smtpd_tls_protocols = !SSLv2
    > smtp_tls_protocols = !SSLv2
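Review bot: this hunk undoes the test: the regenerated file puts `!SSLv2, !SSLv3` back on all three protocol settings, which is the ISPConfig default Till asked to relax. Two of the three do not touch this failure at all: `smtp_tls_protocols` governs connections the Postfix SMTP client makes outbound, and `smtpd_tls_mandatory_protocols` applies only when `smtpd_tls_security_level` is `encrypt` or stricter; with `smtpd_tls_security_level = may` (as in the posted main.cf) inbound STARTTLS is governed by `smtpd_tls_protocols` alone. The first post's dump also argues against SSLv3 as the cause: the peer's ClientHello body carries version `03 03` (TLS 1.2) at offset 0004 and the server answers with a `03 03` ServerHello selecting suite `c0 30`, so SSLv3 was neither offered nor refused, and allowing it is not expected to change the outcome.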
    812,813d811
    < smtpd_tls_mandatory_ciphers = medium
    < tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
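Review bot: `tls_medium_cipherlist` defines the `medium` grade used by both `smtpd_tls_ciphers` (the opportunistic default that `may` uses) and the `smtpd_tls_mandatory_ciphers = medium` added here, so this override replaces Postfix's built-in list (the `aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH` string visible in the first post's log, taken with the override commented out) with a fixed set of names on every inbound connection, and keeps 3DES on via the trailing `DES-CBC3-SHA`. Anything not named, for example DHE-RSA-AES128-SHA or the CAMELLIA suites, is no longer offered, and the list has no effect on TLS 1.3 suites, which OpenSSL configures separately. For this thread, though, a cipher mismatch fails right after the ClientHello with `no shared cipher`, whereas the log shows the server getting as far as `write server done` before the reset, so this list is not what breaks the merck.com handshake.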
    
     
  11. pvanthony

    pvanthony Active Member HowtoForge Supporter

    please note I removed all the comments.
     
  12. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Really need some advice on how to solve this problem.
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If they send you a new email now, does it arrive?
     
  14. pvanthony

    pvanthony Active Member HowtoForge Supporter

    No new email from merck.com.
    Same error. This is after reconfiguring the service to the ISPConfig default.
    Shall we start again with de-activating some features for testing?
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you have not removed the !SSLv3 that I mentioned above? If that's in place, the system will not communicate over SSLv3.
     
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I think you misunderstood. Ask them to send a new email from that server - and see if that works.

    It was disabled before, but it is not now. But as said, their system seems to support TLSv1, 1.1, and 1.2...
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    The debug output in the first post looks to me as if it tries to use SSLv3.
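Whether the dump shows SSLv3 can be read straight off the bytes: the client_version is the two bytes after the 4-byte handshake header of the ClientHello, and the ServerHello carries the chosen version and cipher suite. The decoder below is an added example, not code from the thread or from Postfix. It takes smtpd_tls_loglevel = 3 lines in exactly the layout of the first post (syslog prefix, a 'read from'/'write to' line, then offset, hex pairs with a '|' after the eighth, ASCII column), rejoins the record-header and body reads, and reports the versions, the offered and chosen suites and whether the server random ends in the RFC 8446 section 4.1.3 downgrade sentinel. The sample log is constructed: the ClientHello and ServerHello bytes, the syslog prefix and the buffer addresses are made up. A dump with lines removed, like the one in the first post, stops at the gap with a ValueError rather than misparsing. Read by hand against the first post: the ClientHello body carries 03 03 (TLS 1.2) at offset 0004, the ServerHello carries 03 03 at 0009 and c0 30 (ECDHE-RSA-AES256-GCM-SHA384) at 002c, and the 44 4f 57 4e 47 52 44 01 ("DOWNGRD" 01) closing the server random is the sentinel a TLS 1.3-capable OpenSSL writes when it settles on TLS 1.2.

```python
"""Decode Postfix smtpd_tls_loglevel = 3 hex dumps into TLS handshake facts.
Added example, not code from the thread. The sample log is constructed: the ClientHello and
ServerHello bytes are written out below and laid out the way Postfix prints them; the syslog
prefix and buffer addresses are made up."""
import re
import struct

CIPHER_NAMES = {0x000A: "DES-CBC3-SHA", 0x0035: "AES256-SHA", 0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
                0xC030: "ECDHE-RSA-AES256-GCM-SHA384", 0x1302: "TLS_AES_256_GCM_SHA384"}
PREFIX = "Apr 25 23:08:08 mail postfix/smtpd[4190976]: "            # constructed syslog prefix
IO_LINE = re.compile(r"(?:^|: )(read from|write to) ")
# "0010 c6 d4 16 cb 2a 09 04 1c|ed f5 30 22 46 12 94 bf  ....*..." -> offset, up to 16 hex pairs
DUMP_LINE = re.compile(r"(?:^|: )([0-9a-f]{4}) ((?:[0-9a-f]{2}[ |]){0,15}[0-9a-f]{2})")


def extract_dumps(lines):
    """(direction, bytes) per side. A 'read from'/'write to' line restarts the offset at 0000;
    consecutive same-direction reads (record header, then body) are joined into one buffer."""
    chunks = []                                    # [direction, bytearray, base of current read]
    for line in lines:
        if io := IO_LINE.search(line):
            direction = "client->server" if io.group(1) == "read from" else "server->client"
            if chunks and chunks[-1][0] == direction:
                chunks[-1][2] = len(chunks[-1][1])
            else:
                chunks.append([direction, bytearray(), 0])
        elif (m := DUMP_LINE.search(line)) and chunks:        # state lines, <SPACES/NULLS> skipped
            _, data, base = chunks[-1]
            if base + int(m.group(1), 16) != len(data):
                raise ValueError(f"dump gap before offset {m.group(1)}: lines missing from the log")
            data += bytes.fromhex(m.group(2).replace("|", " "))
    return [(d, bytes(b)) for d, b, _ in chunks if b]


def frames(buf, hdr_size, len_size):
    """Split length-prefixed TLS structures into (header, payload): records (3, 2), handshake
    messages (1, 3), extensions (2, 2). Stops quietly at a truncated tail."""
    i = 0
    while i + hdr_size + len_size <= len(buf):
        n = int.from_bytes(buf[i + hdr_size:i + hdr_size + len_size], "big")
        if i + hdr_size + len_size + n > len(buf):
            break
        yield buf[i:i + hdr_size], buf[i + hdr_size + len_size:i + hdr_size + len_size + n]
        i += hdr_size + len_size + n


def parse_hello(htype, p):
    """ClientHello (1) or ServerHello (2) body; both open with version(2) random(32) session_id."""
    info, i = {"version": struct.unpack("!H", p[:2])[0]}, 35 + p[34]
    if htype == 1:
        n = struct.unpack("!H", p[i:i + 2])[0]
        info["suites"] = [struct.unpack("!H", p[j:j + 2])[0] for j in range(i + 2, i + 2 + n, 2)]
        i += 2 + n
        i += 1 + p[i]                              # compression methods
    else:
        info["cipher"] = struct.unpack("!H", p[i:i + 2])[0]
        i += 3                                     # cipher suite + compression method
        # RFC 8446 4.1.3: a TLS 1.3-capable server marks a TLS 1.2-or-lower choice this way
        info["downgrade_sentinel"] = p[26:34] in (b"DOWNGRD\x01", b"DOWNGRD\x00")
    ext_len = struct.unpack("!H", p[i:i + 2])[0] if i + 2 <= len(p) else 0
    for hdr, ed in frames(p[i + 2:i + 2 + ext_len], 2, 2):
        if hdr == b"\x00\x2b" and htype == 1:      # supported_versions: 1-byte length, 2-byte entries
            info["offered"] = [struct.unpack("!H", ed[j:j + 2])[0] for j in range(1, 1 + ed[0], 2)]
        elif hdr == b"\x00\x2b":                   # in a ServerHello: the version TLS 1.3 actually chose
            info["version"] = struct.unpack("!H", ed[:2])[0]
    return info


def decode_log(lines):
    """The peer's ClientHello and our ServerHello from a loglevel-3 excerpt, records rejoined."""
    facts = {}
    for direction, data in extract_dumps(lines):
        hs = b"".join(body for hdr, body in frames(data, 3, 2) if hdr[0] == 22)   # 22 = handshake
        want = 1 if direction == "client->server" else 2                            # ClientHello / ServerHello
        for hdr, payload in frames(hs, 1, 3):
            if hdr[0] == want:
                facts[("client_hello", "server_hello")[want - 1]] = parse_hello(want, payload)
    return facts


def render_dump(prefix, verb, data):
    """Lay bytes out as Postfix does: I/O line, then offset, hex pairs ('|' after the 8th), ASCII."""
    lines = [f"{prefix}{verb} 55D1C0 [55D2A0] ({len(data)} bytes => {len(data)} (0x{len(data):X}))"]
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexs = " ".join(f"{b:02x}" for b in chunk)
        hexs = hexs[:23] + "|" + hexs[24:] if len(chunk) > 8 else hexs
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{prefix}{off:04x} {hexs:<47}  {text}")
    return lines


# Constructed sample: TLS 1.2-framed ClientHello offering four suites and supported_versions
# [TLS 1.3, TLS 1.2]; ServerHello picking 0xC030 with the TLS 1.2 downgrade sentinel in its random.
CLIENT_HELLO = (bytes.fromhex("16 0301 003e 01 00003a 0303") + b"\x11" * 32         # record, hs hdr, version, random
                + bytes.fromhex("00 0008 c030 c02f 0035 000a 0100 0009 002b 0005 04 0304 0303"))
SERVER_HELLO = (bytes.fromhex("16 0303 0031 02 00002d 0303") + bytes(range(24)) + b"DOWNGRD\x01"
                + bytes.fromhex("00 c030 00 0005 ff01 0001 00"))                    # sid, cipher, comp, renegotiation_info
SAMPLE_LOG = (render_dump(PREFIX, "read from", CLIENT_HELLO[:5])     # OpenSSL reads the 5-byte record header first
              + render_dump(PREFIX, "read from", CLIENT_HELLO[5:])
              + [PREFIX + "SSL_accept:SSLv3/TLS read client hello"]
              + render_dump(PREFIX, "write to", SERVER_HELLO))
```

Feed `decode_log()` the lines from `journalctl -u postfix` or the mail log between `connect from` and `lost connection`; the result tells you in one look what the peer asked for (`version`, `offered`, `suites`) and what your side answered (`version`, `cipher`, `downgrade_sentinel`). What it cannot tell you is why a peer resets after `write server done` without sending an alert, which is the situation in this thread; for that the other side's log is needed.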
     
  18. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Just changed these settings again, since we are testing from the start.
    Code:
    smtpd_tls_mandatory_protocols = !SSLv2
    smtpd_tls_protocols = !SSLv2
    smtp_tls_protocols = !SSLv2
    
     
  19. pvanthony

    pvanthony Active Member HowtoForge Supporter

    For this type of error involving TLS, only the TLS and cipher settings are involved, correct? Are there any other settings to look at?
     
  20. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Got the following errors.
    Apr 26 20:22:32 mail postfix/smtpd[443848]: connect from taz.merck.com[155.91.38.113]
    Apr 26 20:22:33 mail postfix/smtpd[443848]: SSL_accept error from taz.merck.com[155.91.38.113]: Connection reset by peer
    Apr 26 20:22:33 mail postfix/smtpd[443848]: lost connection after STARTTLS from taz.merck.com[155.91.38.113]
    Apr 26 20:22:33 mail postfix/smtpd[443848]: disconnect from taz.merck.com[155.91.38.113] ehlo=1 starttls=0/1 commands=1/2
     
