Hi Viktor,
thanks. Sorry about the missing line breaks. Got that from the sender. :/
Yes, the actual problem is that the sender cannot send mail to the server,
and as it is with this kind of problem, he says it's our problem, and I'm
relatively confident that the problem is on the sender's side. But I just see
the timeout in our logfile. The last two lines have a timeout of 60 seconds, as
you already mentioned. So I do not see anything on my side that's preventing
the sending server from actually sending something. Don't know if it would help to
ask if someone from cleverreach is here on the list and could look at it (or
send me a message off the list).
2026-02-25T09:20:21.807Z,edge01\Internet,08DE6A521B0E8C30,0,172.25.0.26:25,194.42.96.40:59854,+,,
2026-02-25T09:20:21.807Z,edge01\Internet,08DE6A521B0E8C30,1,172.25.0.26:25,194.42.96.40:59854,>,"220 edge01.systema-online.de Microsoft ESMTP MAIL Service ready at Wed, 25 Feb 2026 10:20:21 +0100",
2026-02-25T09:20:21.839Z,edge01\Internet,08DE6A521B0E8C30,2,172.25.0.26:25,194.42.96.40:59854,<,EHLO mail.example.com,
2026-02-25T09:20:21.839Z,edge01\Internet,08DE6A521B0E8C30,3,172.25.0.26:25,194.42.96.40:59854,>,250 edge01.systema-online.de Hello [194.42.96.40] SIZE 20971520 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS 8BITMIME BINARYMIME CHUNKING SMTPUTF8,
2026-02-25T09:20:21.870Z,edge01\Internet,08DE6A521B0E8C30,4,172.25.0.26:25,194.42.96.40:59854,<,STARTTLS,
2026-02-25T09:20:21.870Z,edge01\Internet,08DE6A521B0E8C30,5,172.25.0.26:25,194.42.96.40:59854,>,220 2.0.0 SMTP server ready,
2026-02-25T09:20:21.870Z,edge01\Internet,08DE6A521B0E8C30,6,172.25.0.26:25,194.42.96.40:59854,*," CN=edge01.systema-online.de CN=Sectigo Public Server Authentication CA DV R36, O=Sectigo Limited, C=GB 21A6F6C3C7D709617337602BA0FA67D3 5878E90CE2818CF8B7BA5E6085F0128FE8237223 2025-07-08T02:00:00.000Z 2026-08-09T01:59:59.000Z edge01.systema-online.de;www.edge01.systema-online.de",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2026-02-25T09:20:21.948Z,edge01\Internet,08DE6A521B0E8C30,7,172.25.0.26:25,194.42.96.40:59854,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 0 bits and key exchange algorithm CALG_ECDH_EPHEM with strength 384 bits"
2026-02-25T09:21:21.996Z,edge01\Internet,08DE6A521B0E8C30,8,172.25.0.26:25,194.42.96.40:59854,>,451 4.7.0 Timeout waiting for client input,
2026-02-25T09:21:21.996Z,edge01\Internet,08DE6A521B0E8C30,9,172.25.0.26:25,194.42.96.40:59854,-,,Local
Usually the bounce would tell something, but in this case it's our
transactional mail provider (CR) who is sending to anyone but us. 😉
The problem has existed for a few months and I'm now at the 3rd ticket with 'em and
finally got at least the show logs from their side.
Kind regards
Norbert
-----Original Message-----
From: mailop <[email protected]> On Behalf Of Viktor Dukhovni via mailop
Sent: Thursday, 26 February 2026 15:10
To: [email protected]
Cc: Viktor Dukhovni <[email protected]>
Subject: Re: [mailop] Problem: Timeout after starttls
On Thu, Feb 26, 2026 at 01:15:35PM +0000, Fehlauer, Norbert via mailop wrote:
> Hi John,
> thanks for your answer.
> I got another logfile from the sending side:
Removing all the line-breaks from that log dump is extremely unhelpful.
And what exactly is a manual connection with `s_client` expected to
demonstrate?
> # openssl s_client -starttls smtp -connect edge01.systema-online.de:25
> ...
> Peer signing digest: SHA256
> Peer signature type: RSA-PSS
> Server Temp Key: ECDH, secp384r1, 384 bits
> Verification: OK
> New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> ...
> 250 SMTPUTF8
> ehlo mx.self-hosted.email
> 451 4.7.0 Timeout waiting for client input
> 40A7BCB1747C0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:316
Don't know how long the SSL client just sat there sending nothing, but
if that "451" from the server was sent in a matter of seconds, perhaps
the server's idle timeout is much too aggressive.
> Don’t know if you might find that helpful. But at least that’s openssl.
Mostly not useful, because not a mail client. But, FWIW, when I repeat the
same "test", the ~60s timeout seems mostly reasonable:
    $ time openssl s_client -starttls smtp -connect edge01.systema-online.de:25 -brief
    Connecting to 2a00:0:2d41:2:178:15:145:73
    depth=1 C=GB, O=Sectigo Limited, CN=Sectigo Public Server Authentication CA DV R36
    verify error:num=20:unable to get local issuer certificate
    CONNECTION ESTABLISHED
    Protocol version: TLSv1.2
    Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
    Peer certificate: CN=edge01.systema-online.de
    Hash used: SHA256
    Signature type: rsa_pss_rsae_sha256
    Verification error: unable to get local issuer certificate
    Peer Temp Key: ECDH, secp384r1, 384 bits
    250 XSHADOW
    451 4.7.0 Timeout waiting for client input
    4057FD39E87F0000:error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:698:
    4057FD39E87F0000:error:0A000197:SSL routines:SSL_shutdown:shutdown while in init:ssl/ssl_lib.c:2942:
    real 1m2.319s
    user 0m0.008s
    sys 0m0.006s
Is there an actual problem here, with someone unable to deliver email,
or is this just idle pursuit of oddities in your logs? The usual thing to
do is just ignore these... There's always someone probing your site,
or doing something odd... If they can't deliver mail, they should
be able to tell you that mail to you is bouncing. Otherwise nothing
to see here, move along???
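Added example, not part of any message in this thread: a small Python check that scans a receive log in the column layout of the excerpt above for sessions where the TLS handshake succeeded and the server then reached "451 4.7.0 Timeout waiting for client input" without logging a single client command in between. The function name and the sample lines (session ids, host names, documentation-range addresses) are constructed for illustration.

```python
import csv
from datetime import datetime

# Constructed sample in the column order of the log excerpt above: date-time,
# connector, session-id, sequence, local, remote, event, data, context.
# Session ids, host names and addresses (documentation ranges) are made up.
SAMPLE = r"""
2026-02-25T09:20:21.807Z,edge\Internet,AAAA0001,0,192.0.2.10:25,198.51.100.7:59854,+,,
2026-02-25T09:20:21.839Z,edge\Internet,AAAA0001,1,192.0.2.10:25,198.51.100.7:59854,<,EHLO mail.example.com,
2026-02-25T09:20:21.870Z,edge\Internet,AAAA0001,2,192.0.2.10:25,198.51.100.7:59854,<,STARTTLS,
2026-02-25T09:20:21.948Z,edge\Internet,AAAA0001,3,192.0.2.10:25,198.51.100.7:59854,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded"
2026-02-25T09:21:21.996Z,edge\Internet,AAAA0001,4,192.0.2.10:25,198.51.100.7:59854,>,451 4.7.0 Timeout waiting for client input,
2026-02-25T09:30:00.000Z,edge\Internet,BBBB0002,0,192.0.2.10:25,203.0.113.9:40000,+,,
2026-02-25T09:30:00.050Z,edge\Internet,BBBB0002,1,192.0.2.10:25,203.0.113.9:40000,<,STARTTLS,
2026-02-25T09:30:00.120Z,edge\Internet,BBBB0002,2,192.0.2.10:25,203.0.113.9:40000,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded"
2026-02-25T09:30:00.150Z,edge\Internet,BBBB0002,3,192.0.2.10:25,203.0.113.9:40000,<,EHLO mx.example.net,
2026-02-25T09:30:00.300Z,edge\Internet,BBBB0002,4,192.0.2.10:25,203.0.113.9:40000,<,QUIT,
2026-02-25T09:40:00.000Z,edge\Internet,CCCC0003,0,192.0.2.10:25,203.0.113.50:41000,+,,
2026-02-25T09:41:00.000Z,edge\Internet,CCCC0003,1,192.0.2.10:25,203.0.113.50:41000,>,451 4.7.0 Timeout waiting for client input,
"""


def silent_after_tls(log_text):
    """Sessions where TLS succeeded, then the server hit its input timeout
    without having logged any client command: [(session, remote, idle_s)]."""
    waiting, hits = {}, []
    lines = (l for l in log_text.splitlines() if l.strip() and not l.startswith("#"))
    for row in csv.reader(lines):      # csv handles the quoted data/context fields
        if len(row) < 9:
            continue                   # truncated record
        ts, _, sid, _, _, remote, event, data, context = row[:9]
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
        if event == "*" and "negotiation succeeded" in context:
            waiting[sid] = when        # handshake done, now waiting for the client
        elif event == "<":
            waiting.pop(sid, None)     # client spoke, so not a silent session
        elif event == ">" and data.startswith("451 4.7.0 Timeout") and sid in waiting:
            hits.append((sid, remote, (when - waiting.pop(sid)).total_seconds()))
    return hits


if __name__ == "__main__":
    for sid, remote, idle in silent_after_tls(SAMPLE):
        print(f"{sid} {remote} silent for {idle:.3f}s after TLS handshake")
```

Grouping the hits by remote address over a few days of logs shows whether the silence after the handshake is tied to one sending system or is spread across unrelated clients.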