Victor Duchovni wrote:
> On Wed, Jun 17, 2009 at 02:51:10PM -0700, Kyle Hamilton wrote:
>
>> This isn't really an OpenSSL issue, and I'd suggest asking for help
>> from people who are more familiar with postfix. However...
>
> That's what I told him on the Postfix-users list, but he chose
> to come here anyway, despite my best efforts.
>
> http://archives.neohapsis.com/archives/postfix/2009-06/0560.html
>
>> The log says that none of the names matched:
>
> Irrelevant. This name matching is something else entirely (Postfix
> mynetworks, and similar lookups).
>
>> I would view this as a postfix ACL configuration issue, since it's
>> denying access from your IP.
>
> No.
>
>> (Also: TCP FIN means that the connection was closed by close(), not by
>> killing the process such as what happens with a segfault or a rebooted
>> system. This in turn means that the problem is in the software, not
>> the network.)
>
>
> The OP should return to the Postfix users list AFTER working with the
> owner of the sending system to find out why they drop the connection
> immediately after sending "STARTTLS" and receiving a "220" from Postfix:
>
>
> ... SMTP up to and including EHLO req/resp ...
> TCP: sepaip2.webish.nl(34538) -> helmwijk.xs4all.nl(25) Seq 1570587417.(10)
> ACK 2723884545 PUSH
> 0.0934 (0.0180) C>S
> ---------------------------------------------------------------
> STARTTLS
> ---------------------------------------------------------------
>
> TCP: helmwijk.xs4all.nl(25) -> sepaip2.webish.nl(34538) Seq 2723884545.(30)
> ACK 1570587427 PUSH
> 0.0935 (0.0001) S>C
> ---------------------------------------------------------------
> 220 2.0.0 Ready to start TLS
> ---------------------------------------------------------------
>
> TCP: sepaip2.webish.nl(34538) -> helmwijk.xs4all.nl(25) Seq 1570587427.(0)
> ACK 2723884575 FIN
> 1 0.1111 (0.0176) C>S TCP FIN
> TCP: helmwijk.xs4all.nl(25) -> sepaip2.webish.nl(34538) Seq 2723884575.(0)
> ACK 1570587428 FIN
> 1 0.1117 (0.0005) S>C TCP FIN
> TCP: sepaip2.webish.nl(34538) -> helmwijk.xs4all.nl(25) Seq 1570587428.(0)
> ACK 2723884576
>
>
> The client drops the TCP connection without sending an SSL HELO, of any
> kind and before receiving any other traffic from the server. This is a
> client-side issue, with either the client software broken/misconfigured,
> or an unhappy firewall in between.
>
> Because ZERO actual SSL protocol messages are exchanged, if there is an
> SSL library problem it is entirely in the client session initialization
> code. The OP is operating the server, and so has no questions, related
> to the SSL-library or protocol, to ask here.
>
Thank you Victor and Kyle for your answers, sorry for being off-topic on
the openssl list. I will try to move the discussion back to the
postfix-users list, my apologies.

I thought I should try asking here because I made SSL dumps and tested
my network. I also waited a day to see if somebody responded to the
postfix users list. See:

http://archives.neohapsis.com/archives/postfix/2009-06/0579.html

These two answers on the openssl list are among the most helpful
responses so far. I thank you for that.

I just wanted to figure out what is going wrong. Who is the client in
this case, the webish server that contacts my server? Is there an issue
with my postfix software or firewall?

I will try again to see if the webish people want to help by sending
ssldumps and smtpd logs. Still wondering if the webish certificate could
be causing the issues, since there is not a single line of information in
there that could connect the certificate to their server; it's all
localhost and other generic stuff.

Best regards,

Jelle
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
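
The reading of the quoted trace (STARTTLS sent, 220 received, then a FIN with no TLS record in between), written out as an added example that is not part of the original thread. It assumes ssldump-style record headers as in the quoted dump and that a TLS handshake record is labelled "Handshake"; the sample trace and the function names are constructed for illustration.

```python
import re

# Constructed trace in the layout of the dump quoted above (no real hosts).
SAMPLE = """\
0.0934 (0.0180) C>S
---------------------------------------------------------------
STARTTLS
---------------------------------------------------------------
0.0935 (0.0001) S>C
---------------------------------------------------------------
220 2.0.0 Ready to start TLS
---------------------------------------------------------------
1 0.1111 (0.0176) C>S TCP FIN
1 0.1117 (0.0005) S>C TCP FIN
"""

# Record header: optional connection/record counters, timestamps, direction.
HDR = re.compile(r"^(?:\d+\s+){0,2}\d+\.\d+\s+\(\d+\.\d+\)\s+(C>S|S>C)\s*(.*)$")

def events(trace):
    """Yield (direction, kind) for each event relevant to the STARTTLS upgrade."""
    direction = None
    for line in map(str.strip, trace.splitlines()):
        m = HDR.match(line)
        if m:
            direction, rest = m.groups()
            if "TCP FIN" in rest:
                yield direction, "FIN"
            elif rest.startswith("Handshake"):  # assumed label for a TLS handshake record
                yield direction, "TLS"
        elif direction == "C>S" and line.upper() == "STARTTLS":
            yield direction, "STARTTLS"
        elif direction == "S>C" and line.startswith("220 "):
            yield direction, "220"

def classify(trace):
    """Report how far the upgrade got and which side sent the first FIN."""
    stage = "plain"
    for direction, kind in events(trace):
        if stage == "plain" and kind == "STARTTLS":
            stage = "requested"
        elif stage == "requested" and kind == "220":
            stage = "accepted"
        elif stage == "accepted" and kind == "TLS":
            return "tls-started"
        elif kind == "FIN":
            side = "client" if direction == "C>S" else "server"
            return f"{side}-closed-{stage}"
    return f"incomplete-{stage}"
```

classify(SAMPLE) returns "client-closed-accepted": the side that sent STARTTLS closed first, after the 220 and before any TLS record.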