SSL_accept error with TLS

Discussion in 'Server Operation' started by popper2001, Jul 23, 2007.

  1. popper2001

    popper2001 New Member

    Hi,

    I used the following tutorials for installaing a postfix mailserver with TLS and SPAM prevention on Etch:

    I used CACert.org as Authority for my certificates, so this is my current configuration:

    Code:
    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    append_dot_mydomain = no
    biff = no
    broken_sasl_auth_clients = yes
    config_directory = /etc/postfix
    disable_vrfy_command = yes
    home_mailbox = Maildir/
    inet_interfaces = all
    inet_protocols = all
    mailbox_command =
    mailbox_size_limit = 0
    mydestination = /etc/postfix/local-host-names
    myhostname = mail.example.com
    mynetworks = 127.0.0.0/8
    myorigin = /etc/mailname
    recipient_delimiter = +
    relayhost =
    smtpd_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
    smtpd_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
    smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtpd_use_tls = yes
    smtpd_tls_auth_only = no
    smtpd_tls_loglevel = 2
    smtpd_tls_received_header = yes
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
    smtp_tls_cert_file = /etc/postfix/ssl/cacert.org/server.crt
    smtp_tls_key_file = /etc/postfix/ssl/cacert.org/server.key
    smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
    smtp_use_tls = yes
    smtp_tls_loglevel = 2
    smtp_tls_note_starttls_offer = yes
    smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
    smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
    smtpd_helo_required = yes
    smtpd_helo_restrictions = 
        permit_mynetworks,
        reject_invalid_hostname,
        regexp:/etc/postfix/helo.regexp,
        permit
    smtpd_recipient_restrictions =
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        permit_mynetworks,
        reject_unauth_destination,
        reject_rbl_client bl.spamcop.net,
        reject_rbl_client zen.spamhaus.org,
        reject_rbl_client ix.dnsbl.manitu.net,
        check_policy_service unix:private/policy,
        check_policy_service inet:127.0.0.1:60000,
        permit
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_sasl_security_options = noanonymous
    strict_rfc821_envelopes = yes
    unknown_address_reject_code = 554
    unknown_client_reject_code = 554
    unknown_hostname_reject_code = 554
    
    Now I get the following connection error if I use TLS or "TLS if possible) in Thunderbird:

    Code:
    Jul 23 13:18:02 hXXXXXX postfix/smtpd[7885]: connect from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Jul 23 13:18:02 hXXXXXX postfix/smtpd[7885]: setting up TLS connection from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Jul 23 13:18:33 hXXXXXX postfix/smtpd[7885]: SSL_accept error from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: -1
    Jul 23 13:18:33 hXXXXXX postfix/smtpd[7885]: lost connection after STARTTLS from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    
    If I use SSL over port 465 in Thunderbird it works without any problems and postfix seems to establish a TLS connection:

    Code:
    Jul 23 13:32:40 hXXXXXX postfix/smtpd[8281]: connect from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Jul 23 13:32:40 hXXXXXX postfix/smtpd[8281]: setting up TLS connection from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Jul 23 13:32:57 hXXXXXX postfix/smtpd[8281]: TLS connection established from dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Jul 23 13:33:01 hXXXXXX postfix/smtpd[8281]: CA0611B4152: client=dslb-XXX.pools.arcor-ip.net[XXX.XXX.XXX.XXX], sasl_method=PLAIN, sasl_username=web2
    Jul 23 13:33:01 hXXXXXX postfix/cleanup[8286]: CA0611B4152: message-id=<[email protected]>
    
    Postfix is also listening on both ports (25 and 465) so this doesn't seem to be the problem:

    Code:
    tcp        0      0 *:smtp                  *:*                     LISTEN     32626/master
    tcp6       0      0 *:imaps                 *:*                     LISTEN     5121/couriertcpd
    tcp6       0      0 *:pop3s                 *:*                     LISTEN     5102/couriertcpd
    tcp6       0      0 *:pop3                  *:*                     LISTEN     955/couriertcpd
    tcp6       0      0 *:imap2                 *:*                     LISTEN     933/couriertcpd
    tcp6       0      0 *:ssmtp                 *:*                     LISTEN     32626/master
    tcp6       0      0 *:smtp                  *:*                     LISTEN     32626/master
    
    And also a test of the certificates works as far as I can see:

    Code:
    openssl s_client -showcerts -cert /etc/postfix/ssl/cacert.org/server.crt -key /etc/postfix/ssl/cacert.org/server.key -starttls smtp -CAfile /etc/postfix/ssl/ca-certificates.crt -connect mail.example.com:25
    Code:
    CONNECTED(00000003)
    depth=1 /O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing [email protected]
    verify return:1
    depth=0 /CN=mail.example.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=mail.example.com
       i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing [email protected]
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
    ---
    Server certificate
    subject=/CN=mail.example.com
    issuer=/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing [email protected]
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3623 bytes and written 326 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: DD1EEB0D5A7DA044323DC7EFD2DE3A3C011CDC87B27170B299F42CE58977C426
        Session-ID-ctx:
        Master-Key: 5D9D544852CC74103C2EAD880F1B7E2ABBDCAB3633BE75940F32A6EE13DEE070C08B09E8B2F32C50CD4366010741A0CC
        Key-Arg   : None
        Start Time: 1185190942
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    220 mail.example.com ESMTP Postfix (Debian/GNU)
    
    I sure there are some TLS/SSL/Postfix experts aroud here so can anybody tell me, what to do in order to make TLS work over port 25 without SSL?

    Thanks for your help!
     
  2. falko

    falko Super Moderator ISPConfig Developer

    How exactly did you configure Thunderbird?
     
  3. popper2001

    popper2001 New Member

    Hi Falko,

    thanks for your reply.

    It's only postfix which is making problems. If I log into POP3 or over TLS it works as you can see below.

    Code:
    Jul 25 10:05:35 hXXXXXX courierpop3login: Connection, ip=[::ffff:XXX.XXX.XXX.XXX]
    Jul 25 10:05:39 hXXXXXX courierpop3login: LOGIN, user=web1, ip=[::ffff:XXX.XXX.XXX.XXX]
    Jul 25 10:05:49 hXXXXXX courierpop3login: LOGOUT, user=web1, ip=[::ffff:XXX.XXX.XXX.XXX], top=0, retr=574131, rcvd=609, sent=587893, time=10, stls=1
    I use a CACert.org certificate for postfix/courier with the CN mail.example.com .So I also use this hostname as POP3/IMAPSMTP-Server in Thunderbird.

    If I tell Thunderbird to use SSL over Port 465 for SMTP I also get SSL_accept:error but can send messages withour any problems:

    Code:
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: initializing the server-side TLS engine
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: connect from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: setting up TLS connection from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:before/accept initialization
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv2/v3 read client hello A
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv3 read client hello B
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv3 read client hello B
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 read client hello B
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write server hello A
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write certificate A
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write key exchange A
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write server done A
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 flush data
    Jul 25 10:13:27 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv3 read client certificate A
    Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv3 read client certificate A
    Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 read client key exchange A
    Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:error in SSLv3 read certificate verify A
    Jul 25 10:13:32 hXXXXXX last message repeated 3 times
    Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 read finished A
    Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write change cipher spec A
    Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 write finished A
    Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: SSL_accept:SSLv3 flush data
    Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: save session A3FD667668303AE494671603A75EB6AF56C386655A8A69DD29FFB4864AFB7D5E to smtpd cache
    Jul 25 10:13:32 hXXXXXX postfix/tlsmgr[4286]: put smtpd session id=A3FD667668303AE494671603A75EB6AF56C386655A8A69DD29FFB4864AFB7D5E [data 127 bytes]
    Jul 25 10:13:32 hXXXXXX postfix/tlsmgr[4286]: write smtpd TLS cache entry A3FD667668303AE494671603A75EB6AF56C386655A8A69DD29FFB4864AFB7D5E: time=1185351212 [data 127 bytes]
    Jul 25 10:13:32 hXXXXXX postfix/smtpd[18355]: TLS connection established from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    Jul 25 10:13:37 hXXXXXX postfix/smtpd[18355]: 3E5EA1B4177: client=dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX], sasl_method=PLAIN, sasl_username=web1
    Jul 25 10:13:37 hXXXXXX postfix/cleanup[18359]: 3E5EA1B4177: message-id=<[email protected]>
    Jul 25 10:13:37 hXXXXXX postfix/qmgr[4209]: 3E5EA1B4177: from=<[email protected]>, size=691, nrcpt=1 (queue active)
    Jul 25 10:13:37 hXXXXXX postfix/smtp[18360]: initializing the client-side TLS engine
    Jul 25 10:13:37 hXXXXXX postfix/smtpd[18355]: disconnect from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Jul 25 10:13:37 hXXXXXX postfix/smtp[18360]: 3E5EA1B4177: to=<[email protected]>, relay=gmail-smtp-in.l.google.com[209.85.129.27]:25, delay=0.53, delays=0.2/0.05/0.05/0.22, dsn=2.0.0, status=sent (250 2.0.0 OK 1185351217 v23si64519fkd)
    Jul 25 10:13:37 hXXXXXX postfix/qmgr[4209]: 3E5EA1B4177: removed
    
    If I tell Thunderbird to use TLS or TLS if possible ober port 25 I get an unable to connect error in Thunderbird and the following problem on the server mail log.

    Code:
    Jul 25 10:10:53 hXXXXXX postfix/smtpd[18222]: connect from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Jul 25 10:10:54 hXXXXXX postfix/smtpd[18222]: setting up TLS connection dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Jul 25 10:10:54 hXXXXXX postfix/smtpd[18222]: SSL_accept:before/accept initialization
    Jul 25 10:10:54 hXXXXXX postfix/smtpd[18222]: SSL_accept:error in SSLv2/v3 read client hello A
    Jul 25 10:11:25 hXXXXXX postfix/smtpd[18222]: SSL_accept error from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]: -1
    Jul 25 10:11:25 hXXXXXX postfix/smtpd[18222]: lost connection after STARTTLS from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Jul 25 10:11:25 hXXXXXX postfix/smtpd[18222]: disconnect from dslb.pools.arcor-ip.net[XXX.XXX.XXX.XXX]
    Very strange is the fact, that with SSL Thunderbird asks me for validating the server certificate while with TLS I don't get any promts.

    Another question: I thought it would be enough, to install the CACert.org root certificate in IE and Firefox, so that Thunderbird is able to validate the server cert automatically. But I allways get these promts. Is there another way of avoiding them than clicking on "always allow", e.g. something like to import the server cert into Firefox?

    Thank your for your help. I really tried everything I could find and don't know any further.
     
  4. falko

    falko Super Moderator ISPConfig Developer

    What's the output of
    Code:
    telnet localhost 25
    ehlo localhost
    ? Do you see TLS in the output?

    I don't know if Firefox and Thunderbird share their certs, but I'd say you have to import it into Thunderbird, too.
     
  5. popper2001

    popper2001 New Member

    OK, here we go:

    Code:
    telnet localhost 25
    Code:
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 mail.example.com ESMTP Postfix (Debian/GNU)
    ehlo localhost
    250-mail.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 DSN
    At least the server tries to STARTTLS if you meant that.

    mail.info:
    Code:
    Jul 26 22:15:10 hXXXXXX postfix/smtpd[4962]: connect from localhost[127.0.0.1]
    Jul 26 22:15:40 hXXXXXX postfix/smtpd[5053]: initializing the server-side TLS engine
    Jul 26 22:15:40 hXXXXXX postfix/smtpd[5053]: connect from localhost[127.0.0.1]
    Jul 26 22:15:40 hXXXXXX postfix/smtpd[5053]: lost connection after CONNECT from localhost[127.0.0.1]
    Jul 26 22:15:40 hXXXXXX postfix/smtpd[5053]: disconnect from localhost[127.0.0.1]
    No idea beside that?
     
  6. hereinoz

    hereinoz New Member HowtoForge Supporter

    Interestingly I have just completed a "Perfect Server 14.04" build with ISPConfig, and I get the same message in the logs but the best I can do with Telnet localhost 25 is:

    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.

    That is as far as it gets.

    Is there a config file I could post which would give some clue? Hope you can assist.
     
  7. hereinoz

    hereinoz New Member HowtoForge Supporter

    Worry not - I left one line commented out in master.cf :-(

    I will be more careful next time!!
     
    Last edited: May 9, 2014

Share This Page