On 2025-12-11 at 16:00:26 UTC-0500 (Thu, 11 Dec 2025 16:00:26 -0500)
Greg Klanderman via Postfix-users <[email protected]>
is rumored to have said:

Hi all,

Running Debian 10.13, postfix 3.4.23 (I will upgrade to current
Debian and postfix this winter).

In the last week I noticed 500+ errors of this form in my logs:

| Dec 7 06:01:23 smtp2 postfix/postscreen[27408]: CONNECT from [65.118.213.130]:41127 to [10.10.0.5]:25
| Dec 7 06:01:23 smtp2 postfix/postscreen[27408]: PASS OLD [65.118.213.130]:41127
| Dec 7 06:01:23 smtp2 postfix/smtpd[27409]: connect from drvpn.ezdrivema.com[65.118.213.130]
| Dec 7 06:01:23 smtp2 postfix/smtpd[27409]: SSL_accept error from drvpn.ezdrivema.com[65.118.213.130]: Connection reset by peer
| Dec 7 06:01:23 smtp2 postfix/smtpd[27409]: lost connection after STARTTLS from drvpn.ezdrivema.com[65.118.213.130]
| Dec 7 06:01:23 smtp2 postfix/smtpd[27409]: disconnect from drvpn.ezdrivema.com[65.118.213.130] ehlo=1 starttls=0/1 commands=1/2

in all cases that same IP/hostname connecting to my postfix server.

I expect this is a notification of my monthly statement for my toll
pass, so an email I'd like to receive.  Though they seem to have given
up as I have not had an attempt to connect since the 7th.

Is there any chance this could be a problem on my side?

Yes. It is quite possible that they are seeing what your host is offering for TLS and deeming it inadequate.

I have never
seen this error before, and have had no problem with my monthly
statement and off cycle emails from them until now.

Systems usually get more restrictive/fastidious/picky with their TLS norms over time.

It seems likely a problem on their end, but I wanted to ask here just
in case.

I also have a small number of SSL_accept errors of this form, always
from mailgun.net, mailjet.com, or shopify.com hosts:

| Dec 7 20:10:38 smtp2 postfix/postscreen[29019]: CONNECT from [143.55.230.35]:61314 to [10.10.0.5]:25
| Dec 7 20:10:44 smtp2 postfix/postscreen[29019]: PASS NEW [143.55.230.35]:61314
| Dec 7 20:10:44 smtp2 postfix/smtpd[29026]: connect from a230-35.mailgun.net[143.55.230.35]
| Dec 7 20:10:45 smtp2 postfix/smtpd[29026]: SSL_accept error from a230-35.mailgun.net[143.55.230.35]: -1
| Dec 7 20:10:45 smtp2 postfix/smtpd[29026]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
| Dec 7 20:10:45 smtp2 postfix/smtpd[29026]: lost connection after STARTTLS from a230-35.mailgun.net[143.55.230.35]
| Dec 7 20:10:45 smtp2 postfix/smtpd[29026]: disconnect from a230-35.mailgun.net[143.55.230.35] ehlo=1 starttls=0/1 commands=1/2

These I have not been concerned with as they immediately retry and succeed.

But it would be nice to understand the issue, and if there is anything
I can do on my side to keep down the log noise.

This one is interesting because it is explicit about the problem. It does not like something about your certificate, which could be one or more of:

1. The Subject CN in the cert offered by smtp.klanderman.net is smtp2.klanderman.net and it includes no Subject Alternate Name field.
2. The certificate is a self-signed "root" certificate, lacking any external trust root.
3. The certificate is valid for 10 years, from 2020 to 2030.

Each of those MIGHT cause a client to refuse to talk to you using TLS.



--
Bill Cole
_______________________________________________
Postfix-users mailing list -- [email protected]
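
A way to triage these handshake failures across a whole log, as an added example that is not part of the original thread: it pairs each `SSL_accept error` line with any TLS alert logged by the same smtpd process, separating peers that reset silently from peers that sent an explicit alert such as 42. The sample lines are copied from the logs quoted above; the function name `classify_failures` and the alert table are this example's own.

```python
import re
from collections import Counter

# TLS alert descriptions (RFC 5246 section 7.2) that indicate a rejected handshake.
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
          70: "protocol_version", 71: "insufficient_security"}

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
ACCEPT_ERR = re.compile(r"SSL_accept error from (\S+)\[([^\]]+)\]: (.*)$")
ALERT = re.compile(r"TLS library problem: .*SSL alert number (\d+):")

# Sample input: smtpd lines taken from the two log excerpts quoted in the thread.
SAMPLE = """\
Dec 7 06:01:23 smtp2 postfix/smtpd[27409]: connect from drvpn.ezdrivema.com[65.118.213.130]
Dec 7 06:01:23 smtp2 postfix/smtpd[27409]: SSL_accept error from drvpn.ezdrivema.com[65.118.213.130]: Connection reset by peer
Dec 7 06:01:23 smtp2 postfix/smtpd[27409]: disconnect from drvpn.ezdrivema.com[65.118.213.130] ehlo=1 starttls=0/1 commands=1/2
Dec 7 20:10:45 smtp2 postfix/smtpd[29026]: SSL_accept error from a230-35.mailgun.net[143.55.230.35]: -1
Dec 7 20:10:45 smtp2 postfix/smtpd[29026]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
Dec 7 20:10:45 smtp2 postfix/smtpd[29026]: disconnect from a230-35.mailgun.net[143.55.230.35] ehlo=1 starttls=0/1 commands=1/2
"""

def classify_failures(log_text):
    """Return Counter {(client_ip, cause): count} for failed STARTTLS handshakes."""
    failures = []      # one record per SSL_accept error, in log order
    last_by_pid = {}   # smtpd pid -> failure record of its current session
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        err = ACCEPT_ERR.match(msg)
        if err:
            _host, ip, reason = err.groups()
            rec = {"ip": ip, "cause": "no alert: " + reason}
            failures.append(rec)
            last_by_pid[pid] = rec
        elif msg.startswith("disconnect from"):
            last_by_pid.pop(pid, None)  # pid is reused for the next client
        else:
            alert = ALERT.search(msg)
            if alert and pid in last_by_pid:
                n = int(alert.group(1))
                last_by_pid[pid]["cause"] = f"alert {n} ({ALERTS.get(n, 'unknown')})"
    return Counter((f["ip"], f["cause"]) for f in failures)

if __name__ == "__main__":
    for (ip, cause), count in classify_failures(SAMPLE).most_common():
        print(f"{count:5d}  {ip:15s}  {cause}")
```
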