Hello,

I have just started using in production a mail server running Postfix 3.2.4 on CentOS 7.4 (fully patched) with openssl 1.0.2k.

This is a new server, replacing an old CentOS 5.11 with Postfix 2.6.11 and OpenSSL 0.9.8e.

On the new server I see errors on particular servers as follows; the mail is finally delivered but with delay, after being deferred:

Nov 28 12:55:43 vmail2 postfix/submission/smtpd[31782]: 4623A80004F2F: client=zeus.admin.noa.gr[195.251.204.18], sasl_method=login, sasl_username=elke.rescom
Nov 28 12:55:43 vmail2 postfix/cleanup[30388]: 4623A80004F2F: message-id=<20171128105543.4623a80004...@vmail2.noa.gr>
Nov 28 12:55:43 vmail2 opendkim[4708]: 4623A80004F2F: DKIM-Signature field added (s=default, d=noa.gr)
Nov 28 12:55:43 vmail2 postfix/qmgr[6529]: 4623A80004F2F: from=<elkefina...@admin.noa.gr>, size=747, nrcpt=1 (queue active)
Nov 28 12:55:43 vmail2 postfix/smtp[782]: SSL_connect error to rcs12.rc.auth.gr[155.207.51.12]:25: lost connection
Nov 28 12:55:43 vmail2 postfix/smtp[782]: 4623A80004F2F: Cannot start TLS: handshake failure
Nov 28 12:55:43 vmail2 postfix/smtp[782]: SSL_connect error to rcs13.rc.auth.gr[155.207.144.13]:25: lost connection
Nov 28 12:55:43 vmail2 postfix/smtp[782]: 4623A80004F2F: Cannot start TLS: handshake failure
Nov 28 12:55:44 vmail2 postfix/smtp[782]: 4623A80004F2F: host mailsrv1.ccf.auth.gr[155.207.1.1] said: 450 4.7.1 try again later (in reply to DATA command)
Nov 28 12:55:45 vmail2 postfix/smtp[782]: 4623A80004F2F: to=<rescomc...@rc.auth.gr>, relay=mailsrv2.ccf.auth.gr[155.207.1.2]:25, delay=2.4, delays=0.096/0.001/1.8/0.52, dsn=4.7.1, status=deferred (host mailsrv2.ccf.auth.gr[155.207.1.2] said: 450 4.7.1 try again later (in reply to DATA command))
...
Nov 28 13:01:22 vmail2 postfix/qmgr[6529]: 4623A80004F2F: from=<elkefina...@admin.noa.gr>, size=747, nrcpt=1 (queue active)
Nov 28 13:01:22 vmail2 postfix/smtp[782]: SSL_connect error to rcs12.rc.auth.gr[155.207.51.12]:25: lost connection
Nov 28 13:01:22 vmail2 postfix/smtp[782]: 4623A80004F2F: Cannot start TLS: handshake failure
Nov 28 13:01:22 vmail2 postfix/smtp[782]: 4623A80004F2F: to=<rescomc...@rc.auth.gr>, relay=rcs12.rc.auth.gr[155.207.51.12]:25, delay=340, delays=339/0.002/0.15/0.35, dsn=2.6.0, status=sent (250 2.6.0 <20171128105543.4623a80004...@vmail2.noa.gr> Queued mail for delivery)
Nov 28 13:01:22 vmail2 postfix/qmgr[6529]: 4623A80004F2F: removed

On the older server, I didn't see such errors.

Can you please help me understand why this happens and if I can resolve it by using specific settings?

Here is postconf -n:

# postconf -n
alias_database = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases
alias_maps = hash:/etc/aliases
allowed_gein = check_client_access cidr:/etc/postfix/gein_admin_ips.cidr,reject
allowed_iaasars = check_client_access cidr:/etc/postfix/iaasars_admin_ips.cidr,reject
allowed_list1 = check_sasl_access hash:/etc/postfix/allowed_groupmail_users,reject
allowed_list2 = permit_sasl_authenticated,reject
allowed_meteo = check_client_access cidr:/etc/postfix/meteo_admin_ips.cidr,reject
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
controlled_senders = check_sender_access hash:/etc/postfix/blocked_senders
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 25
delay_logging_resolution_limit = 3
deliver_lock_attempts = 40
gwcheck = reject_unverified_recipient, reject_unauth_destination
home_mailbox = Maildir/
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_header_rewrite_clients = static:all
mail_name = IC-XC-NI-KA
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 41943040
meta_directory = /etc/postfix
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = noa.gr
myhostname = vmail2.noa.gr
mynetworks = 195.251.204.0/24, 195.251.202.0/23, 194.177.194.0/23, 127.0.0.0/8, 10.201.0.0/16, [2001:648:2011::]/48, 83.212.5.24/29, [2001:648:2ffc:1115::]/64, 62.217.124.0/29, [2001:648:2ffc:126::]/64
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
non_smtpd_milters = $smtpd_milters
parent_domain_matches_subdomains =
postfwdcheck = check_policy_service inet:127.0.0.1:10040
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix3-3.2.4/README_FILES
recipient_canonical_maps = hash:/etc/postfix/domainrecipientmap
relay_domains = $mydestination
sample_directory = /usr/share/doc/postfix3-3.2.4/samples
sender_canonical_maps = hash:/etc/postfix/domainsendermap
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
shlib_directory = /usr/lib/postfix
smtp_tls_security_level = may
smtpd_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
smtpd_delay_reject = yes
smtpd_end_of_data_restrictions = check_client_access cidr:/etc/postfix/postfwdpolicy.cidr
smtpd_milters = inet:127.0.0.1:8891
smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations permit_sasl_authenticated reject_unverified_recipient reject_unauth_destination
smtpd_restriction_classes = controlled_senders,allowed_list1,allowed_list2, allowed_iaasars,allowed_meteo,allowed_gein,postfwdcheck,gwcheck
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/pki/tls/certs/DigiCertCA.crt
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/star_noa_gr-1243437.crt
smtpd_tls_exclude_ciphers = DES,3DES,MD5,aNULL,AES128,CAMELLIA128
smtpd_tls_key_file = /etc/pki/tls/private/star_noa_gr-1243437.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
tls_preempt_cipherlist = yes
tls_random_source = dev:/dev/urandom
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/aliases, hash:/etc/postfix/aliases.d/virtual_aliases, proxy:ldap:/etc/postfix/ldap-alias-vacation.cf, proxy:ldap:/etc/postfix/ldap-aliases.cf
virtual_gid_maps = static:500
virtual_mailbox_base = /home/vmail/
virtual_mailbox_domains = $mydomain, space.$mydomain, admin.$mydomain, nestor.$mydomain, gein.$mydomain, meteo.$mydomain, technet.$mydomain, astro.$mydomain, hesperia-space.eu
virtual_mailbox_limit = 0
virtual_mailbox_maps = proxy:ldap:/etc/postfix/ldap-users.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:500
postconf: warning: /etc/postfix/main.cf: unused parameter: 127.0.0.1:10040_time_limit=3600

Thanks in advance,
Nick
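
The following is an added example, not part of the original post and not Postfix code: it reads the smtp client lines from the log excerpt above and, per queue ID, lists the peers whose TLS handshake failed and the result at each relay, so the handshake failures and the 450 deferrals can be examined separately. The function names and the pairing of "SSL_connect error" lines with "Cannot start TLS" lines by smtp process ID are assumptions of this example.

```python
import re
from collections import defaultdict

# smtp client lines copied from the log excerpt in the post, one entry per line.
SAMPLE_LOG = """
Nov 28 12:55:43 vmail2 postfix/smtp[782]: SSL_connect error to rcs12.rc.auth.gr[155.207.51.12]:25: lost connection
Nov 28 12:55:43 vmail2 postfix/smtp[782]: 4623A80004F2F: Cannot start TLS: handshake failure
Nov 28 12:55:43 vmail2 postfix/smtp[782]: SSL_connect error to rcs13.rc.auth.gr[155.207.144.13]:25: lost connection
Nov 28 12:55:43 vmail2 postfix/smtp[782]: 4623A80004F2F: Cannot start TLS: handshake failure
Nov 28 12:55:45 vmail2 postfix/smtp[782]: 4623A80004F2F: to=<rescomc...@rc.auth.gr>, relay=mailsrv2.ccf.auth.gr[155.207.1.2]:25, delay=2.4, delays=0.096/0.001/1.8/0.52, dsn=4.7.1, status=deferred (host mailsrv2.ccf.auth.gr[155.207.1.2] said: 450 4.7.1 try again later (in reply to DATA command))
Nov 28 13:01:22 vmail2 postfix/smtp[782]: SSL_connect error to rcs12.rc.auth.gr[155.207.51.12]:25: lost connection
Nov 28 13:01:22 vmail2 postfix/smtp[782]: 4623A80004F2F: Cannot start TLS: handshake failure
Nov 28 13:01:22 vmail2 postfix/smtp[782]: 4623A80004F2F: to=<rescomc...@rc.auth.gr>, relay=rcs12.rc.auth.gr[155.207.51.12]:25, delay=340, delays=339/0.002/0.15/0.35, dsn=2.6.0, status=sent (250 2.6.0 <20171128105543.4623a80004...@vmail2.noa.gr> Queued mail for delivery)
"""

LINE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SSL_ERR = re.compile(r"SSL_connect error to (?P<peer>[^\[\s]+)\[")
TLS_FAIL = re.compile(r"(?P<qid>[0-9A-Za-z]+): Cannot start TLS: ")
STATUS = re.compile(r"(?P<qid>[0-9A-Za-z]+): to=<[^>]*>, relay=(?P<relay>[^\[\s,]+)"
                    r".*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")

def summarize(log_text):
    """Per queue ID: peers whose TLS handshake failed, and each delivery result."""
    last_peer = {}  # smtp PID -> peer named in that process's latest SSL_connect error
    report = defaultdict(lambda: {"tls_failures": [], "results": []})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if s := SSL_ERR.match(msg):
            last_peer[pid] = s["peer"]
        elif t := TLS_FAIL.match(msg):
            # This line has the queue ID but no host; take the host from the same PID.
            report[t["qid"]]["tls_failures"].append(last_peer.pop(pid, "unknown"))
        elif d := STATUS.match(msg):
            report[d["qid"]]["results"].append((d["relay"], d["status"], d["dsn"]))
    return dict(report)

def triage(report):
    """Split results by whether the relay also appears among the TLS failures."""
    out = {"same_relay_as_tls_failure": [], "other_relay": []}
    for qid, r in report.items():
        for relay, status, dsn in r["results"]:
            key = "same_relay_as_tls_failure" if relay in r["tls_failures"] else "other_relay"
            out[key].append((qid, relay, status, dsn))
    return out
```

Calling triage(summarize(SAMPLE_LOG)) puts the 450 deferral at mailsrv2.ccf.auth.gr under "other_relay" and the later successful delivery to rcs12.rc.auth.gr under "same_relay_as_tls_failure".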

