Hi,

Currently we are experiencing problems with an incoming SMTP/TLS
connection. The remote side is an IronPort device; we are using Postfix
2.8.13 on Solaris 10. The problem exists only for incoming mails
(IronPort to Postfix); the other direction works fine. It happens for
both opportunistic (which Cisco calls "preferred") and mandatory TLS. As
soon as they switch to plaintext, the mails pass through. The problem
exists with both of their and both of our relays.

On our side we have been using TLS for several years (since 2005/2006)
with a lot of partners (some of them have IronPorts too), and it is the
first time that we have had such an issue. So the problem seems to be on
their side, but I'd prefer to be sure and ideally give them a hint on
what's going wrong here:

Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] connect from mail.dgverlag.de[145.253.80.6]
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] setting up TLS connection from mail.dgverlag.de[145.253.80.6]
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] certificate verification failed for
mail.dgverlag.de[145.253.80.6]: untrusted issuer
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] mail.dgverlag.de[145.253.80.6]: Untrusted:
subject_CN=DGVDEX.DGVERLAG.DE, issuer=VR IDENT SSL CA 2011,
fingerprint=3D:5A:B2:71:E2:62:07:88:E5:68:BC:AB:85:9A:55:6D
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] Untrusted TLS connection established from
mail.dgverlag.de[145.253.80.6]: TLSv1 with cipher RC4-SHA (128/128 bits)
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 947731
mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown message digest
algorithm:a_verify.c:146:
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] lost connection after STARTTLS from
mail.dgverlag.de[145.253.80.6]
Jun 14 10:24:47 rv-smtpext-101 postfix/smtpd[5847]: [ID 197553
mail.info] disconnect from mail.dgverlag.de[145.253.80.6]

Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] connect from mail2.dgverlag.de[145.253.80.47]
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] setting up TLS connection from mail2.dgverlag.de[145.253.80.47]
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] certificate verification failed for
mail2.dgverlag.de[145.253.80.47]: untrusted issuer
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] SSL_accept error from mail2.dgverlag.de[145.253.80.47]: -1
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 947731
mail.warning] warning: TLS library problem: 22673:error:0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown message digest
algorithm:a_verify.c:146:
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] lost connection after STARTTLS from
mail2.dgverlag.de[145.253.80.47]
Jun 14 00:31:58 rv-smtpext-201 postfix/smtpd[22673]: [ID 197553
mail.info] disconnect from mail2.dgverlag.de[145.253.80.47]

Does the message

TLS library problem: 22673:error:0D0C50A1:asn1 encoding
routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:146

indicate a problem on our side?

Please let me know if you need any further information. Below is the log
output with debug_peer_list:

  Jan

Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] connect from mail.dgverlag.de[145.253.80.6]
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: mail.dgverlag.de: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: 145.253.80.6: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr request = connect
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr ident = smtp:145.253.80.6
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value: 0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: count
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: count
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value: 1
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: rate
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: rate
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value: 1
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: (list terminator)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: (end)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 220 mail.ruv.de ESMTP
Mailservice
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] watchdog_pat: 1f7df0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] < mail.dgverlag.de[145.253.80.6]: EHLO mail1.dgverlag.de
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-mail.ruv.de
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-PIPELINING
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-SIZE 56000000
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-ETRN
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: mail.dgverlag.de: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: 145.253.80.6: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-STARTTLS
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-ENHANCEDSTATUSCODES
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250-8BITMIME
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 250 DSN
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] watchdog_pat: 1f7df0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] < mail.dgverlag.de[145.253.80.6]: STARTTLS
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] > mail.dgverlag.de[145.253.80.6]: 220 2.0.0 Ready to start TLS
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] setting up TLS connection from mail.dgverlag.de[145.253.80.6]
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] auto_clnt_open: connected to private/tlsmgr
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr request = seed
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr size = 32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/tlsmgr: wanted attribute: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value: 0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/tlsmgr: wanted attribute: seed
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: seed
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value:
giSoP2fCUG+iOLAWUWNKWqftNv1pJeqK3SoJ5/eNH1c=
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/tlsmgr: wanted attribute: (list terminator)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: (end)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] certificate verification failed for
mail.dgverlag.de[145.253.80.6]: untrusted issuer
/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] SSL_accept error from mail.dgverlag.de[145.253.80.6]: -1
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 947731
mail.warning] warning: TLS library problem: 16654:error:0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown message digest
algorithm:a_verify.c:146:
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 127.0.0.1/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.37/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.221.2.38/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.13/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostname: mail.dgverlag.de ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_hostaddr: 145.253.80.6 ~? 10.198.68.14/32
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: mail.dgverlag.de: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] match_list_match: 145.253.80.6: no match
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr request = disconnect
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] send attr ident = smtp:145.253.80.6
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: status
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute value: 0
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] private/anvil: wanted attribute: (list terminator)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] input attribute name: (end)
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] lost connection after STARTTLS from
mail.dgverlag.de[145.253.80.6]
Jun 14 11:44:21 rv-smtpext-201 postfix/smtpd[16654]: [ID 197553
mail.info] disconnect from mail.dgverlag.de[145.253.80.6]
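
An added example, not part of the original post: it re-joins syslog records wrapped the way the excerpts above are, groups them per smtpd process, and splits the OpenSSL error string into its fields so that sessions where a TLS library error coincides with "lost connection after STARTTLS" stand out. The function field of that string (here `ASN1_item_verify`) names the routine in the logging host's own OpenSSL library that raised the error. The sample log is constructed, with placeholder host names and addresses, and the function names are hypothetical.

```python
import re
# Constructed sample in the wrapped Solaris syslog layout of the post; hosts and addresses are placeholders.
SAMPLE = """\
Jun 14 10:24:47 mx1 postfix/smtpd[5847]: [ID 197553
mail.info] connect from peer.example.net[192.0.2.10]
Jun 14 10:24:47 mx1 postfix/smtpd[5847]: [ID 947731
mail.warning] warning: TLS library problem: 5847:error:0D0C50A1:asn1
encoding routines:ASN1_item_verify:unknown message digest
algorithm:a_verify.c:146:
Jun 14 10:24:47 mx1 postfix/smtpd[5847]: [ID 197553
mail.info] lost connection after STARTTLS from
peer.example.net[192.0.2.10]
Jun 14 10:25:02 mx1 postfix/smtpd[5901]: [ID 197553
mail.info] connect from other.example.org[198.51.100.7]
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
RECORD = re.compile(r"^\S+ +\d+ \S+ (\S+) postfix/smtpd\[(\d+)\]: \[ID \d+ \S+\] (.*)$")
# OpenSSL error queue layout: pid:error:code:library:function:reason:file:line:
SSLERR = re.compile(r"\d+:error:([0-9A-F]{8}):([^:]+):([^:]+):([^:]+):([^:]+):(\d+):")
FIELDS = ("code", "library", "function", "reason", "file", "line")

def unwrap(text):
    """Re-join records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def triage(text):
    """Summarise each (host, pid) smtpd session: peer, TLS library error, dropped STARTTLS."""
    sessions = {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue
        host, pid, msg = m.groups()
        s = sessions.setdefault((host, pid), {"peer": None, "tls_error": None, "lost_after_starttls": False})
        if msg.startswith("connect from "):
            s["peer"] = msg[len("connect from "):]
        err = SSLERR.search(msg)
        if err:
            s["tls_error"] = dict(zip(FIELDS, err.groups()))
        s["lost_after_starttls"] |= msg.startswith("lost connection after STARTTLS")
    return sessions

def failed_handshakes(text):
    return {k: v for k, v in triage(text).items() if v["tls_error"] and v["lost_after_starttls"]}
```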
