Hi Viktor, thanks. Sorry about the missing line breaks. Got that from the sender. :/
Yes, the actual problem is that the sender cannot send mails to the server and, as it is with this kind of problem, he says it's our problem, and I'm relatively confident that the problem is on the sender's side. But I just see the timeout in our logfile. The last two lines have a timeout of 60 seconds, as you already mentioned. So, I do not see anything on my side that's preventing the sending server from actually sending something.

Don't know if it helps to ask whether someone from CleverReach is here on the list and could look at it (or give me a message off the list).

2026-02-25T09:20:21.807Z,edge01\Internet,08DE6A521B0E8C30,0,172.25.0.26:25,194.42.96.40:59854,+,,
2026-02-25T09:20:21.807Z,edge01\Internet,08DE6A521B0E8C30,1,172.25.0.26:25,194.42.96.40:59854,>,"220 edge01.systema-online.de Microsoft ESMTP MAIL Service ready at Wed, 25 Feb 2026 10:20:21 +0100",
2026-02-25T09:20:21.839Z,edge01\Internet,08DE6A521B0E8C30,2,172.25.0.26:25,194.42.96.40:59854,<,EHLO mail.example.com,
2026-02-25T09:20:21.839Z,edge01\Internet,08DE6A521B0E8C30,3,172.25.0.26:25,194.42.96.40:59854,>,250 edge01.systema-online.de Hello [194.42.96.40] SIZE 20971520 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS 8BITMIME BINARYMIME CHUNKING SMTPUTF8,
2026-02-25T09:20:21.870Z,edge01\Internet,08DE6A521B0E8C30,4,172.25.0.26:25,194.42.96.40:59854,<,STARTTLS,
2026-02-25T09:20:21.870Z,edge01\Internet,08DE6A521B0E8C30,5,172.25.0.26:25,194.42.96.40:59854,>,220 2.0.0 SMTP server ready,
2026-02-25T09:20:21.870Z,edge01\Internet,08DE6A521B0E8C30,6,172.25.0.26:25,194.42.96.40:59854,*," CN=edge01.systema-online.de CN=Sectigo Public Server Authentication CA DV R36, O=Sectigo Limited, C=GB 21A6F6C3C7D709617337602BA0FA67D3 5878E90CE2818CF8B7BA5E6085F0128FE8237223 2025-07-08T02:00:00.000Z 2026-08-09T01:59:59.000Z edge01.systema-online.de;www.edge01.systema-online.de",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2026-02-25T09:20:21.948Z,edge01\Internet,08DE6A521B0E8C30,7,172.25.0.26:25,194.42.96.40:59854,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 0 bits and key exchange algorithm CALG_ECDH_EPHEM with strength 384 bits"
2026-02-25T09:21:21.996Z,edge01\Internet,08DE6A521B0E8C30,8,172.25.0.26:25,194.42.96.40:59854,>,451 4.7.0 Timeout waiting for client input,
2026-02-25T09:21:21.996Z,edge01\Internet,08DE6A521B0E8C30,9,172.25.0.26:25,194.42.96.40:59854,-,,Local

Usually the bounce would tell something, but in this case it's our transactional mail provider (CR) who is sending to anyone but us. 😉
The problem has existed for a few months and I'm now at the 3rd ticket with 'em and finally got at least the show logs from their side.

Kind regards
Norbert

-----Original Message-----
From: mailop <[email protected]> On Behalf Of Viktor Dukhovni via mailop
Sent: Thursday, 26 February 2026 15:10
To: [email protected]
Cc: Viktor Dukhovni <[email protected]>
Subject: Re: [mailop] Problem: Timeout after starttls

On Thu, Feb 26, 2026 at 01:15:35PM +0000, Fehlauer, Norbert via mailop wrote:

> Hi John,
>
> thanks for your answer.
>
> I got another logfile from the sending side:

Removing all the line-breaks from that log dump is extremely unhelpful. And what exactly is a manual connection with `s_client` expected to demonstrate?

> # openssl s_client -starttls smtp -connect edge01.systema-online.de:25
> ...
> Peer signing digest: SHA256
> Peer signature type: RSA-PSSServer
> Temp Key: ECDH, secp384r1, 384 bits
> Verification: OK
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
...
> 250 SMTPUTF8
> ehlo mx.self-hosted.email
> 451 4.7.0 Timeout waiting for client input
> 40A7BCB1747C0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while
> reading:../ssl/record/rec_layer_s3.c:316

Don't know how long the SSL client just sat there sending nothing, but if that "451" from the server was sent in a matter of seconds, perhaps the server's idle timeout is much too aggressive.

> Don’t know if you might find that helpful. But at least that’s openssl.

Mostly not useful, because not a mail client. But, FWIW, when I repeat the same "test", the ~60s timeout seems mostly reasonable:

    $ time openssl s_client -starttls smtp -connect edge01.systema-online.de:25 -brief
    Connecting to 2a00:0:2d41:2:178:15:145:73
    depth=1 C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
    verify error:num=20:unable to get local issuer certificate
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.2
    Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
    Peer certificate: CN=edge01.systema-online.de
    Hash used: SHA256
    Signature type: rsa_pss_rsae_sha256
    Verification error: unable to get local issuer certificate
    Peer Temp Key: ECDH, secp384r1, 384 bits
    250 XSHADOW
    451 4.7.0 Timeout waiting for client input
    4057FD39E87F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:698:
    4057FD39E87F0000:error:0A000197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2942:

    real 1m2.319s
    user 0m0.008s
    sys 0m0.006s

Is there an actual problem here, with someone unable to deliver email, or is this just idle pursuit of oddities in your logs? The usual thing to do is just ignore these... There's always someone probing your site, or doing something odd...

If they can't deliver mail, they should be able to tell you that mail to you is bouncing. Otherwise nothing to see here, move along???

--
    Viktor. 🇺🇦 Glory to Ukraine!
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
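An added example, not part of the thread and not either poster's code: a small Python parser for Exchange SMTP receive protocol log lines of the kind posted above, flagging sessions in which the server's 451 idle timeout directly follows a successful TLS negotiation and reporting how long the client stayed silent. The sample log is constructed (documentation addresses, made-up session IDs); the function name `stalled_after_tls` and the 30-second threshold are assumptions.

```python
import csv
from datetime import datetime

# Column order of Exchange SMTP receive protocol logs.
FIELDS = ["ts", "connector", "session", "seq", "local", "remote",
          "event", "data", "context"]

# Constructed sample (documentation addresses), not taken from the thread.
SAMPLE_LOG = r"""
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2026-01-01T10:00:00.000Z,edge\Internet,S1,0,192.0.2.10:25,198.51.100.7:40000,+,,
2026-01-01T10:00:00.050Z,edge\Internet,S1,1,192.0.2.10:25,198.51.100.7:40000,<,STARTTLS,
2026-01-01T10:00:00.060Z,edge\Internet,S1,2,192.0.2.10:25,198.51.100.7:40000,>,220 2.0.0 SMTP server ready,
2026-01-01T10:00:00.150Z,edge\Internet,S1,3,192.0.2.10:25,198.51.100.7:40000,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded"
2026-01-01T10:01:00.200Z,edge\Internet,S1,4,192.0.2.10:25,198.51.100.7:40000,>,451 4.7.0 Timeout waiting for client input,
2026-01-01T10:01:00.200Z,edge\Internet,S1,5,192.0.2.10:25,198.51.100.7:40000,-,,Local
2026-01-01T10:05:00.000Z,edge\Internet,S2,0,192.0.2.10:25,203.0.113.9:41000,<,STARTTLS,
2026-01-01T10:05:00.100Z,edge\Internet,S2,1,192.0.2.10:25,203.0.113.9:41000,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded"
2026-01-01T10:05:00.140Z,edge\Internet,S2,2,192.0.2.10:25,203.0.113.9:41000,<,EHLO mail.example.net,
2026-01-01T10:05:02.000Z,edge\Internet,S2,3,192.0.2.10:25,203.0.113.9:41000,<,QUIT,
"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def stalled_after_tls(log_text, min_idle=30.0):
    """Sessions whose 451 idle timeout directly follows a successful TLS
    handshake, i.e. the client sent nothing after STARTTLS completed."""
    sessions = {}
    for row in csv.DictReader(log_text.splitlines(), fieldnames=FIELDS):
        if not row["ts"].startswith("#"):          # skip '#' header lines
            sessions.setdefault(row["session"], []).append(row)
    hits = []
    for sid, rows in sessions.items():
        rows.sort(key=lambda r: int(r["seq"]))
        for prev, cur in zip(rows, rows[1:]):
            tls_ok = prev["event"] == "*" and "negotiation succeeded" in (prev["context"] or "")
            timeout = cur["event"] == ">" and (cur["data"] or "").startswith("451 4.7.0 Timeout")
            idle = (_ts(cur["ts"]) - _ts(prev["ts"])).total_seconds()
            if tls_ok and timeout and idle >= min_idle:
                hits.append((sid, cur["remote"].rsplit(":", 1)[0], idle))
    return hits

if __name__ == "__main__":
    for sid, ip, idle in stalled_after_tls(SAMPLE_LOG):
        print(f"{sid} {ip}: no client data for {idle:.1f}s after TLS handshake")
```

Grouping the hits by remote address over several days of logs shows whether the stall is confined to one sending platform or affects TLS clients in general.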
