Postfix TLS library error

Discussion in 'ISPConfig 3 Priority Support' started by MaxT, Jun 18, 2019.

  1. MaxT

    MaxT Member HowtoForge Supporter

    I have this daily error in mail.log: (TLS library problem: error:1420918C:SSL routines:tls_early_post...)

    Code:
    Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: disconnect from unknown[x.x.x.x] commands=0/0
    Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: connect from unknown[x.x.x.x]
    Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: SSL_accept error from unknown[x.x.x.x]: -1
    Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1663:
    Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: lost connection after CONNECT from unknown[x.x.x.x]
    Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: disconnect from unknown[x.x.x.x] commands=0/0
    Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: connect from unknown[x.x.x.x]
    
    
    From what I can see, it seems this belongs to one user who is using mail software that is perhaps strange, I don't know. He told me he is using mail software named "Aqua mail". I have no idea about that software, but it seems it is not old.

    I have searched on the internet about this error, but I'm not sure if this belongs to Postfix or to the Debian libraries. Also, in this forum there are some threads pointing to the main.cf and master.cf configuration.

    I have the main.cf file configured to allow low TLS versions:
    Code:
    #nano /etc/postfix/main.cf
    
    smtp_tls_security_level = may
    smtpd_tls_mandatory_protocols = !SSLv2
    
    although the error appears.

    Do you know of a solution for this problem?
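
The warning line in the excerpt above carries no client address, so attributing it to one client means correlating it with the `connect from` / `SSL_accept error from` lines of the same smtpd process. A sketch of that correlation, as an added example that is not part of the original post (the function name `tls_failures` and the sample addresses, PIDs and `submission` lines are assumptions constructed for illustration):

```python
import re
from collections import Counter

# Constructed sample in the format of the excerpt above; addresses are
# documentation-range placeholders, PIDs and the submission lines are made up.
SAMPLE_LOG = """\
Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: connect from unknown[192.0.2.10]
Jun 18 09:48:03 host postfix/smtps/smtpd[16230]: connect from unknown[198.51.100.7]
Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: SSL_accept error from unknown[192.0.2.10]: -1
Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1663:
Jun 18 09:48:03 host postfix/smtps/smtpd[16226]: disconnect from unknown[192.0.2.10] commands=0/0
Jun 18 09:48:04 host postfix/smtps/smtpd[16230]: disconnect from unknown[198.51.100.7] commands=0/0
Jun 18 09:48:05 host postfix/smtps/smtpd[16226]: connect from unknown[192.0.2.10]
Jun 18 09:48:05 host postfix/smtps/smtpd[16226]: SSL_accept error from unknown[192.0.2.10]: -1
Jun 18 09:48:05 host postfix/smtps/smtpd[16226]: warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1663:
Jun 18 09:48:05 host postfix/smtps/smtpd[16226]: disconnect from unknown[192.0.2.10] commands=0/0
Jun 18 09:48:06 host postfix/submission/smtpd[16231]: connect from unknown[203.0.113.5]
Jun 18 09:48:06 host postfix/submission/smtpd[16231]: warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1663:
"""

# "postfix/<service>/smtpd[pid]: message"; the service part is absent for plain smtp.
LINE = re.compile(r"postfix/(?:(?P<svc>[\w-]+)/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = re.compile(r"(?:connect from|SSL_accept error from) \S+?\[(?P<addr>[^\]]+)\]")
TLS_ERR = re.compile(r"warning: TLS library problem: error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>[^:]*):")

def tls_failures(lines):
    """Count TLS library errors per (client address, service, reason)."""
    current = {}        # (service, pid) -> client address of the open session
    counts = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        key, msg = (m["svc"] or "smtp", m["pid"]), m["msg"]
        client, err = CLIENT.match(msg), TLS_ERR.match(msg)
        if client:
            current[key] = client["addr"]
        elif err:
            # Attribute the address-less warning to this process's current client.
            counts[(current.get(key, "unattributed"), key[0], err["reason"])] += 1
        elif msg.startswith("disconnect from "):
            current.pop(key, None)
    return counts

if __name__ == "__main__":
    for (addr, svc, reason), n in tls_failures(SAMPLE_LOG.splitlines()).most_common():
        print(f"{n:4d}  {addr:15s}  {svc:10s}  {reason}")
```

Run against the real file by passing `open("/var/log/mail.log")` instead of the sample; interleaved sessions from other smtpd processes are kept apart by the PID key.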
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It might be that this mail client tries to use SSLv3 and that SSLv3 is disabled even when you have just !SSLv2 in the config, as recent OpenSSL versions (starting with 1.1.0, if I remember correctly) disable SSLv3 by default at build time.

    You can see the openssl version with the command:

    openssl version
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

  4. MaxT

    MaxT Member HowtoForge Supporter

    Oh, OK, thank you. Then that bug can be the cause. I have OpenSSL 1.1.1b.
    Maybe I will forget it and wait for the next Postfix update in Debian.

    In that thread they say the cause is Postfix. However, while searching about this error I have not seen this bug in non-Debian distros.
    I wonder if this can be a failure when they lower the OpenSSL strength and suppress ciphers (openssl ciphers -v).

    I don't know what they are doing with OpenSSL, and why they don't include OpenSSL completely. Really strange, although I don't have enough knowledge.

    Thanks! :)
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    That's what I would do :)
     
