SSL_accept:error in SSLv3/TLS write server done

Discussion in 'ISPConfig 3 Priority Support' started by pvanthony, Apr 25, 2021.

  1. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Could this be a Centos 8 problem?
    Can we lower the security in postfix until the email comes in? Then increase the security one by one.
     
  2. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Did the following and emails are coming in.
    We can confirm it is the tls.
    What else can we do to increase the security a bit at a time?
    Code:
    smtp_tls_security_level = none
    smtpd_tls_security_level = none
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Does
    Code:
    smtp_tls_security_level = may
    smtpd_tls_security_level = may
    work?
     
  4. pvanthony

    pvanthony Active Member HowtoForge Supporter

    This was the initial setting and it did not work.
    Is there some setting we can use so that merck.com domains will not do TLS but the rest will?
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    No. If you really must support the brokenness on their side (of course my wording alludes to the opinion of fixing the problem at the source), you'll probably have to do something based on multiple smtpd's.

    My first question is how do you identify "merck.com domains"? If by ip address, you might setup iptables to forward connections from their ip's to the insecure smtpd, and everyone else to the secure smtpd (script the lookup/setup to keep it updated). If by sender domain, you could try setting up the two smtpd's on different ip addresses, use a higher preference mx priority for the secure smtpd config, and configure the insecure smtpd to temp reject mail from any sender but the "merck.com domains"; it may or may not work, but the idea is everyone delivers to the primary fine except merck.com servers, which would fail there and retry your second ip/config, where they should succeed, and everyone else who might connect on the lower mx host should get back to the correct one soon/next time around.
     
  6. pvanthony

    pvanthony Active Member HowtoForge Supporter

    I agree with you that the problem needs to be solved at the source. It is just that the logs do not give enough information about the actual problem. Like, is it because of SSLv3 or the cipher list?

    Tried setting smtpd_tls_loglevel = 3, but it still does not show the actual issue. Without the actual issue, how do we report it to merck.com?
    In some other posts in this forum, it seems the new OpenSSL version does not allow old SSL versions. The current version is OpenSSL 1.1.1g FIPS 21 Apr 2020.

    Any advice on how to get more details about the SSL/TLS errors?
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

  8. pvanthony

    pvanthony Active Member HowtoForge Supporter

    Here is a working solution, but it does not solve the problem, because it looks like the sending server has an issue. Got the workaround from the postfix mailing list. Hope it helps others.
    ----------- start -------------------------
    On Tue, Apr 27, 2021 at 01:49:03PM +0800, P.V.Anthony wrote:
    ------- start ---------------
    Apr 27 13:38:06 mail postfix/smtpd[383580]: connect from hubie.merck.com[155.91.37.10]
    Apr 27 13:38:07 mail postfix/smtpd[383580]: SSL_accept error from hubie.merck.com[155.91.37.10]: Connection reset by peer
    Apr 27 13:38:07 mail postfix/smtpd[383580]: lost connection after STARTTLS from hubie.merck.com[155.91.37.10]
    Apr 27 13:38:07 mail postfix/smtpd[383580]: disconnect from hubie.merck.com[155.91.37.10] ehlo=1 starttls=0/1 commands=1/2
    ------- end -----------------
    http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
    http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keywords

    smtpd-ehlo-discard.cidr:
    # NetName: MERCK1
    # NetHandle: NET-155-91-0-0-1
    155.91.0.0/16 starttls

    main.cf:
    cidr = cidr:${config_directory}/
    smtpd_discard_ehlo_keyword_address_maps = ${cidr}smtpd-ehlo-discard.cidr

    You should also reach out to the merck.com postmaster and try to resolve
    the underlying issue. Why is their MTA closing the connection in the
    middle of STARTTLS?
    --
    Viktor.
    ----------- end --------------------------
     
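Before deploying a cidr map like the one above, it is worth checking exactly which clients it will affect, since a /16 hides STARTTLS from every host in that block, not only the one that fails. The following is an added example (not from the thread, the mailing-list reply, or Postfix itself): it imitates the first-match-wins lookup of a Postfix cidr: table over a constructed copy of the table, and cross-checks it against constructed log lines modelled on those quoted above. The hostnames relay.merck.com and mx.example.net, the address 203.0.113.7 and the extra 155.91.200.1 client are assumptions for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed table in the shape of the smtpd-ehlo-discard.cidr file above.
CIDR_TABLE = """
# NetName: MERCK1
# NetHandle: NET-155-91-0-0-1
155.91.0.0/16 starttls
"""

# Constructed log lines modelled on the ones quoted in the thread; the
# relay.merck.com and mx.example.net entries are assumed, healthy sessions.
LOG_LINES = """\
Apr 27 13:38:06 mail postfix/smtpd[383580]: connect from hubie.merck.com[155.91.37.10]
Apr 27 13:38:07 mail postfix/smtpd[383580]: SSL_accept error from hubie.merck.com[155.91.37.10]: Connection reset by peer
Apr 27 13:38:07 mail postfix/smtpd[383580]: lost connection after STARTTLS from hubie.merck.com[155.91.37.10]
Apr 27 13:41:10 mail postfix/smtpd[383581]: connect from relay.merck.com[155.91.200.1]
Apr 27 13:41:12 mail postfix/smtpd[383581]: disconnect from relay.merck.com[155.91.200.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Apr 27 13:42:00 mail postfix/smtpd[383582]: connect from mx.example.net[203.0.113.7]
Apr 27 13:42:02 mail postfix/smtpd[383582]: disconnect from mx.example.net[203.0.113.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
""".splitlines()

CLIENT_RE = re.compile(r"(connect from|SSL_accept error from) \S+\[([0-9a-fA-F.:]+)\]")


def parse_cidr_table(text):
    """Return [(network, keywords)] in file order; '#' lines and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        keywords = frozenset(k.lower() for k in re.split(r"[\s,]+", result) if k)
        rules.append((ipaddress.ip_network(pattern, strict=False), keywords))
    return rules


def discarded_keywords(rules, client_ip):
    """First matching network wins, as in a Postfix cidr: table; no match discards nothing."""
    addr = ipaddress.ip_address(client_ip)
    for network, keywords in rules:
        if addr.version == network.version and addr in network:
            return keywords
    return frozenset()


def review_clients(cidr_text, log_lines):
    """Per client IP in the log: SSL_accept failures seen and EHLO keywords the map would hide."""
    rules = parse_cidr_table(cidr_text)
    failures, clients = Counter(), set()
    for line in log_lines:
        m = CLIENT_RE.search(line)
        if m:
            clients.add(m.group(2))
            if m.group(1).startswith("SSL_accept"):
                failures[m.group(2)] += 1
    return {ip: {"ssl_accept_errors": failures[ip],
                 "discarded": sorted(discarded_keywords(rules, ip))} for ip in sorted(clients)}
```

On a real system the authoritative check is Postfix's own lookup, e.g. `postmap -q 155.91.37.10 cidr:/etc/postfix/smtpd-ehlo-discard.cidr`; the report here shows that relay.merck.com, which negotiated TLS fine, would also lose STARTTLS under the /16 rule.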
