Zubziro Apprentice
Joined: 21 Sep 2005 Posts: 248 Location: Sweden
|
Posted: Fri Oct 20, 2017 6:21 pm Post subject: SSL_accept:failed in SSLv3 read client key [SOLVED] |
|
|
Hi all,
Recently (don't know for sure, 1 month ago) users of hotmail.com are no longer able to send mail messages to my postfix server.
For everybody else it's perfectly working (google, yahoo, facebook... etc... etc...)
(I'm using STARTTLS)
(I'm using a self-signed certificate)
In my mail logs I can see:
Code: |
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept:SSLv3 flush data
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept:SSLv3 read client certificate A
Oct 20 19:25:50 nas postfix/smtpd[8326]: read from 55AA0CC7E850 [55AA0CC8E573] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Oct 20 19:25:50 nas postfix/smtpd[8326]: read from 55AA0CC7E850 [55AA0CC8E573] (5 bytes => 0 (0x0))
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept:failed in SSLv3 read client key exchange A
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept error from mail-oln040092069025.outbound.protection.outlook.com[40.92.69.25]: lost connection
Oct 20 19:25:50 nas postfix/smtpd[8326]: lost connection after STARTTLS from mail-oln040092069025.outbound.protection.outlook.com[40.92.69.25]
Oct 20 19:25:50 nas postfix/smtpd[8326]: disconnect from mail-oln040092069025.outbound.protection.outlook.com[40.92.69.25] ehlo=1 starttls=0/1 commands=1/2
|
I don't even know where to begin digging, any clue? (yes I tried google)
Postfix TLS config is pretty standard:
Code: |
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/ssl/bla/private/bla.pem
smtpd_tls_cert_file = /etc/ssl/bla/cert-bla.pem
smtpd_tls_CAfile = /etc/ssl/bla/cert-root-bla.pem
smtpd_tls_loglevel = 9
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
|
Thanks for advice.
/zubziro
Last edited by Zubziro on Sat Oct 21, 2017 5:23 pm; edited 1 time in total |
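An added example, not part of the original posts: a Python script that scans smtpd log lines of the shape quoted above and reports, per client IP, how many STARTTLS attempts completed or failed and at which handshake step the failure was logged. The sample log is constructed from four lines in the post plus one invented successful session; `summarize` and the regex names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: four lines as quoted in the post, plus one invented
# successful session (mx.example.org / 192.0.2.10 are documentation values).
SAMPLE_LOG = """\
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept:failed in SSLv3 read client key exchange A
Oct 20 19:25:50 nas postfix/smtpd[8326]: SSL_accept error from mail-oln040092069025.outbound.protection.outlook.com[40.92.69.25]: lost connection
Oct 20 19:25:50 nas postfix/smtpd[8326]: lost connection after STARTTLS from mail-oln040092069025.outbound.protection.outlook.com[40.92.69.25]
Oct 20 19:25:50 nas postfix/smtpd[8326]: disconnect from mail-oln040092069025.outbound.protection.outlook.com[40.92.69.25] ehlo=1 starttls=0/1 commands=1/2
Oct 20 19:26:02 nas postfix/smtpd[8331]: disconnect from mx.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_STATE = re.compile(r"SSL_accept:failed in (?P<state>.+)$")
ACCEPT_ERR = re.compile(r"SSL_accept error from (?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<why>.+)$")
DISCONNECT = re.compile(r"disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\] (?P<stats>.*)$")
# Postfix logs "starttls=ok/total" when some attempts failed, "starttls=n" otherwise.
STARTTLS = re.compile(r"\bstarttls=(?P<ok>\d+)(?:/(?P<total>\d+))?")

def summarize(log_text):
    """Return {client_ip: {"host", "tls_ok", "tls_failed", "states"}}."""
    last_state = {}  # smtpd pid -> handshake step named in the latest failure
    out = defaultdict(lambda: {"host": None, "tls_ok": 0, "tls_failed": 0, "states": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (f := FAILED_STATE.match(msg)):
            last_state[pid] = f["state"]  # the client is named on a later line
        elif (e := ACCEPT_ERR.match(msg)):
            rec = out[e["ip"]]
            rec["host"] = e["host"]
            rec["states"].append((last_state.pop(pid, "unknown"), e["why"]))
        elif (d := DISCONNECT.match(msg)) and (s := STARTTLS.search(d["stats"])):
            ok = int(s["ok"])
            total = int(s["total"] or s["ok"])
            rec = out[d["ip"]]
            rec["host"] = d["host"]
            rec["tls_ok"] += ok
            rec["tls_failed"] += total - ok
    return dict(out)

if __name__ == "__main__":
    for ip, rec in summarize(SAMPLE_LOG).items():
        print(ip, rec["host"], "ok:", rec["tls_ok"], "failed:", rec["tls_failed"], rec["states"])
```

The failed-step detail depends on the verbose `SSL_accept:` lines that `smtpd_tls_loglevel = 9` produces; the `disconnect` counters are matched independently of them.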
cdstealer Guru
Joined: 30 Oct 2005 Posts: 431 Location: Leeds
|
Posted: Sat Oct 21, 2017 2:07 pm Post subject: |
|
|
Hi, I may be wrong here, but when I have dealt with this error in the (recent) past, it was to do with the version of TLS in use.
eg. "An App" using TLSv1.2 connecting to "A Server" using TLSv1
So it *could* be Hotmail running an old (unsupported) version of TLS. You may be able to work around it by enabling TLSv1 support in Postfix as I suspect it will be disabled due to security reasons.
CD
_________________
# touch it
touch: cannot touch `it': Permission denied
toralf Developer
Joined: 01 Feb 2004 Posts: 3943 Location: Hamburg
|
Posted: Sat Oct 21, 2017 3:03 pm Post subject: |
|
|
Code: |
SSL_accept:SSLv3 flush data
|
sslv3 (aka TLS 1.0) is long deprecated - is switching to a newer TLS at least 1.1 an option?
Zubziro Apprentice
Joined: 21 Sep 2005 Posts: 248 Location: Sweden
|
Posted: Sat Oct 21, 2017 5:22 pm Post subject: |
|
|
cdstealer wrote: | Hi, I may be wrong here, but when I have dealt with this error in the (recent) past, it was to do with the version of TLS in use.
eg. "An App" using TLSv1.2 connecting to "A Server" using TLSv1
So it *could* be Hotmail running an old (unsupported) version of TLS. You may be able to work around it by enabling TLSv1 support in Postfix as I suspect it will be disabled due to security reasons.
CD |
Thanks!
I got it working by specifically enabling TLSv1.
Code: |
smtpd_tls_protocols = !SSLv2, !SSLv3, TLSv1
|
Still strange that hotmail uses this old version.
/bye
Last edited by Zubziro on Sat Oct 21, 2017 7:03 pm; edited 1 time in total |
cdstealer Guru
Joined: 30 Oct 2005 Posts: 431 Location: Leeds
|
Posted: Sat Oct 21, 2017 5:31 pm Post subject: |
|
|
Nice one
_________________
# touch it
touch: cannot touch `it': Permission denied