On Mon, May 11, 2020 at 09:17:16PM -0700, Alexander Vasarab wrote:

> On 11/05/20 23:35 -0400, Viktor Dukhovni wrote:
> >Attaching it is fine, if you're willing to disclose the IP addresses and
> >hostnames of the two servers.
>
> Okay, I've attached two files; the PCAP and the postfix log.

Indeed the server slams the TCP socket closed after receiving the
client's RCPT command.  Unclear why.  You might try debug_peer_list next,
to see whether the server can log enough cleartext traffic to expose
the SMTP traffic inside TLS.

    May 11 19:29:06 vasaconsulting postfix/smtpd[14174]: 80D73102C036: client=mail1.bemta23.messagelabs.com[67.219.246.1]
    May 11 19:29:06 vasaconsulting postfix/smtpd[14174]: lost connection after RCPT from mail1.bemta23.messagelabs.com[67.219.246.1]
    May 11 19:29:06 vasaconsulting postfix/smtpd[14174]: disconnect from mail1.bemta23.messagelabs.com[67.219.246.1] ehlo=2 starttls=1 mail=1 rcpt=1 commands=5

The server opened a queue file, which by default happens only after the
first recipient is accepted.  Is there really no other logging for this
process at that time?

--
    Viktor.

-- 3-way TCP
-- Server greeting
-- Client EHLO
-- Server EHLO reply
-- Client STARTTLS
-- Server go-ahead

-- Client TLS HELLO
    [Time since reference or first frame: 0.574920000 seconds]
Transmission Control Protocol, Src Port: 59453, Dst Port: 25, Seq: 47, Ack: 251, Len: 201
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1 Record Layer: Handshake Protocol: Client Hello

-- Server TLS HELLO
    [Time since reference or first frame: 0.575167000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 251, Ack: 248, Len: 1448
    Flags: 0x010 (ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello

-- Server Certificate and key exchange
    [Time since reference or first frame: 0.637786000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 1699, Ack: 248, Len: 1448
    Flags: 0x018 (PSH, ACK)
    [Time since reference or first frame: 0.700283000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 3147, Ack: 248, Len: 1448
    Flags: 0x010 (ACK)
    [Time since reference or first frame: 0.762836000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 4595, Ack: 248, Len: 1448
    Flags: 0x018 (PSH, ACK)
    [Time since reference or first frame: 0.762845000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 6043, Ack: 248, Len: 452
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Certificate
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Server Key Exchange
    TLSv1.2 Record Layer: Handshake Protocol: Server Hello Done

-- Client key exchange, CCS and Finished
    [Time since reference or first frame: 0.826362000 seconds]
Transmission Control Protocol, Src Port: 59453, Dst Port: 25, Seq: 248, Ack: 6495, Len: 126
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Key Exchange
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

-- Server Session ticket, CCS and Finished
    [Time since reference or first frame: 0.827649000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 6495, Ack: 374, Len: 226
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: New Session Ticket
    TLSv1.2 Record Layer: Change Cipher Spec Protocol: Change Cipher Spec
    TLSv1.2 Record Layer: Handshake Protocol: Encrypted Handshake Message

-- Client EHLO inside TLS
    [Time since reference or first frame: 0.890215000 seconds]
Transmission Control Protocol, Src Port: 59453, Dst Port: 25, Seq: 374, Ack: 6721, Len: 65
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: smtp

-- Server EHLO reply
    [Time since reference or first frame: 0.890582000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 6721, Ack: 439, Len: 213
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: smtp

-- Client MAIL
    [Time since reference or first frame: 0.953134000 seconds]
Transmission Control Protocol, Src Port: 59453, Dst Port: 25, Seq: 439, Ack: 6934, Len: 62
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: smtp

-- Server MAIL reply
    [Time since reference or first frame: 0.955403000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 6934, Ack: 501, Len: 43
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: smtp

-- Client RCPT
    [Time since reference or first frame: 1.017831000 seconds]
Transmission Control Protocol, Src Port: 59453, Dst Port: 25, Seq: 501, Ack: 6977, Len: 56
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: smtp

-- Server RCPT reply, with ~1s delay, perhaps the hard error sleep
-- time? (was it a 421 or 521 reply?)
    [Time since reference or first frame: 2.159092000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 6977, Ack: 557, Len: 43
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: smtp

-- Server slams the TCP connection closed, no SSL close-notify.
    [Time since reference or first frame: 2.161183000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 7020, Ack: 557, Len: 0
    Flags: 0x011 (FIN, ACK)

-- Client continues (DATA?, QUIT? ...)
    [Time since reference or first frame: 2.221487000 seconds]
Transmission Control Protocol, Src Port: 59453, Dst Port: 25, Seq: 557, Ack: 7020, Len: 35
    Flags: 0x018 (PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: smtp

-- But the socket is closed.
    [Time since reference or first frame: 2.221518000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 7020, Len: 0
    Flags: 0x004 (RST)

-- Client also closes, including close-notify
    [Time since reference or first frame: 2.223734000 seconds]
Transmission Control Protocol, Src Port: 59453, Dst Port: 25, Seq: 592, Ack: 7021, Len: 66
    Flags: 0x019 (FIN, PSH, ACK)
Transport Layer Security
    TLSv1.2 Record Layer: Application Data Protocol: smtp
    TLSv1.2 Record Layer: Encrypted Alert

-- Server already closed
    [Time since reference or first frame: 2.223750000 seconds]
Transmission Control Protocol, Src Port: 25, Dst Port: 59453, Seq: 7021, Len: 0
    Flags: 0x004 (RST)
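
Added example (not part of the original message and not Postfix code): a log check for the pattern discussed above, an smtpd session that logged a queue ID and then "lost connection after RCPT" with no other line from the same process. The function name `unexplained_drops` and the second sample session are constructed for illustration.

```python
import re
from collections import defaultdict

# Syslog prefix of a Postfix smtpd line: "<ts> <host> postfix/smtpd[<pid>]: <msg>"
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) postfix/smtpd\[(\d+)\]: (.*)$")
QUEUED = re.compile(r"^([0-9A-F]{6,}): client=([^,\s]+)")   # queue file opened
LOST = re.compile(r"^lost connection after (\w+) from (\S+)$")

# The first three lines are the excerpt quoted in the message; the last four
# are a constructed session whose RCPT rejection was logged, for contrast.
SAMPLE = """\
May 11 19:29:06 vasaconsulting postfix/smtpd[14174]: 80D73102C036: client=mail1.bemta23.messagelabs.com[67.219.246.1]
May 11 19:29:06 vasaconsulting postfix/smtpd[14174]: lost connection after RCPT from mail1.bemta23.messagelabs.com[67.219.246.1]
May 11 19:29:06 vasaconsulting postfix/smtpd[14174]: disconnect from mail1.bemta23.messagelabs.com[67.219.246.1] ehlo=2 starttls=1 mail=1 rcpt=1 commands=5
May 11 19:30:10 mx postfix/smtpd[14201]: connect from client.example[192.0.2.10]
May 11 19:30:10 mx postfix/smtpd[14201]: NOQUEUE: reject: RCPT from client.example[192.0.2.10]: 554 5.7.1 <user@example.org>: Relay access denied; from=<a@example.com> to=<user@example.org> proto=ESMTP helo=<client.example>
May 11 19:30:11 mx postfix/smtpd[14201]: lost connection after RCPT from client.example[192.0.2.10]
May 11 19:30:11 mx postfix/smtpd[14201]: disconnect from client.example[192.0.2.10] ehlo=1 mail=1 rcpt=0/1 commands=2/3
"""

def unexplained_drops(log_text):
    """Sessions that opened a queue file, then lost the connection after RCPT,
    with nothing else logged by that smtpd process during the session."""
    pending = defaultdict(list)   # pid -> messages of the session in progress
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        pid, msg = m.group(3), m.group(4)
        pending[pid].append(msg)
        if not msg.startswith("disconnect from "):
            continue
        session = pending.pop(pid)   # a disconnect ends this process's session
        qid = next((q.group(1) for q in map(QUEUED.match, session) if q), None)
        lost = next((l for l in map(LOST.match, session) if l), None)
        # Anything besides connect/queue-id/lost/disconnect would explain the drop.
        other = [x for x in session
                 if not (QUEUED.match(x) or LOST.match(x)
                         or x.startswith(("connect from ", "disconnect from ")))]
        if qid and lost and lost.group(1) == "RCPT" and not other:
            findings.append({"pid": int(pid), "queue_id": qid,
                             "peer": lost.group(2)})
    return findings

if __name__ == "__main__":
    for hit in unexplained_drops(SAMPLE):
        print(hit)
```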