On Mon, Jan 25, 2021 at 10:38:46PM +0100, Jörg Backschues wrote:

> can someone explain to me why the 1st connection to the remote MX fails and
> the 2nd connection is successful?

Both delivery attempts fail to establish a TLS session on the first TCP
connection.

> Jan 25 21:14:56 mx00 postfix/smtp[212676]: SSL_connect error to mxin.upcmail.net[213.46.255.45]:25: -1
> Jan 25 21:14:56 mx00 postfix/smtp[212676]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40:
> Jan 25 21:14:56 mx00 postfix/smtp[212676]: 4DPh17737gz9rxf: to=<us...@unity-mail.de>, relay=mxin.upcmail.net[213.46.255.45]:25, delay=4.9, delays=4.1/0.24/0.6/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

To avoid being too easily downgraded from TLS to cleartext, Postfix does
not immediately fall back to cleartext for messages that have not been
sitting around in the queue for at least one backoff time.

> Jan 25 21:23:22 mx00 postfix/smtp[213255]: SSL_connect error to mxin.upcmail.net[213.46.255.45]:25: -1
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40:
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: 4DPh17737gz9rxf: Cannot start TLS: handshake failure
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: Host offered STARTTLS: [mxin.upcmail.net]
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: 4DPh17737gz9rxf: to=<us...@unity-mail.de>, relay=mxin.upcmail.net[213.46.255.45]:25, delay=511, delays=510/0.05/0.23/0.38, dsn=2.0.0, status=sent (250 2.0.0 MXIN650 mail accepted for delivery ;id=48OQluXZa2HRF48OQlKqf2;sid=48OQluXZa2HRF;mta=vie01a-pemc-pmxin-pe11;dt=2021-01-25T21:23:22+01:00;ipsrc=85.183.142.13;)

On the second delivery attempt, after the TLS handshake fails, the
message is delivered in the clear.

> Is this a kind of fallback?

Yes.

Per the TLS specs, alert #40 is a generic "handshake_failure", so
unfortunately it is not easy to say why the server is unhappy; it works
when I try it:

    $ posttls-finger -c -lmay "[mxin.upcmail.net]"
    posttls-finger: mxin.upcmail.net[213.46.255.45]:25: subject_CN=mailcloud.upcmail.net, issuer_CN=GlobalSign RSA OV SSL CA 2018, fingerprint=62:1A:23:0C:17:79:56:EC:33:2C:17:80:2C:55:00:7C:36:B6:C1:36:22:64:94:1C:86:08:E2:6B:70:2B:F6:2A, pkey_fingerprint=E5:5E:EA:D1:EE:43:CF:F3:7E:0B:74:0E:9E:62:2B:22:51:65:FE:5F:5F:33:A8:BE:39:8E:E3:76:69:52:11:D3
    posttls-finger: Untrusted TLS connection established to mxin.upcmail.net[213.46.255.45]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)

---

On Mon, Jan 25, 2021 at 05:06:53PM -0500, Wietse Venema wrote:

> > can someone explain to me why the 1st connection to the remote MX fails and
>
> Because the TLS handshake fails.
>
> > the 2nd connection is successful?
>
> Because the TLS handshake succeeds. :-)

Actually, it failed, but with opportunistic TLS, we retried in the clear
on the second delivery attempt.

-- 
    Viktor.
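The fallback described in the thread is easy to miss in a busy mail log: the second delivery attempt logs a TLS handshake failure and then "status=sent" a fraction of a second later, with no "TLS connection established" line in between. The following script is an added example (not part of the thread, and not Postfix's own code) that scans postfix/smtp log lines and reports every message that was delivered in the clear by an smtp process whose TLS handshake to that relay had just failed, together with how many earlier TLS-related deferrals the same queue ID accumulated. The sample log is constructed to mirror the quoted lines, with made-up hosts, addresses and queue IDs; the "Host offered STARTTLS" note is the line Postfix emits when smtp_tls_note_starttls_offer is enabled and mail goes out in plaintext to a host that advertised STARTTLS.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the postfix/smtp lines quoted in the
# thread; hostnames, addresses and queue IDs here are made up.
SAMPLE_LOG = """\
Jan 25 21:14:56 mx00 postfix/smtp[212676]: SSL_connect error to mx.example.net[192.0.2.25]:25: -1
Jan 25 21:14:56 mx00 postfix/smtp[212676]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40:
Jan 25 21:14:56 mx00 postfix/smtp[212676]: ABC123DEF456: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=4.9, delays=4.1/0.24/0.6/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Jan 25 21:23:22 mx00 postfix/smtp[213255]: SSL_connect error to mx.example.net[192.0.2.25]:25: -1
Jan 25 21:23:22 mx00 postfix/smtp[213255]: ABC123DEF456: Cannot start TLS: handshake failure
Jan 25 21:23:22 mx00 postfix/smtp[213255]: Host offered STARTTLS: [mx.example.net]
Jan 25 21:23:22 mx00 postfix/smtp[213255]: ABC123DEF456: to=<user@example.net>, relay=mx.example.net[192.0.2.25]:25, delay=511, delays=510/0.05/0.23/0.38, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 25 21:30:00 mx00 postfix/smtp[213300]: Untrusted TLS connection established to mx2.example.org[192.0.2.26]:25: TLSv1.2 with cipher AES128-SHA (128/128 bits)
Jan 25 21:30:00 mx00 postfix/smtp[213300]: FEDCBA987654: to=<other@example.org>, relay=mx2.example.org[192.0.2.26]:25, delay=1.0, delays=0.5/0.1/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Every smtp client line carries the process id; state below is keyed on it,
# because one smtp process handles one delivery attempt at a time.
SMTP_RE = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Per-recipient delivery record: queue id, recipient, relay and final status.
DELIVERY_RE = re.compile(
    r"^(?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>[^,]+),"
    r" .*status=(?P<status>\w+)"
)


def find_cleartext_fallbacks(log_text):
    """Return one record per message that an smtp process sent in the clear
    after its TLS handshake to the relay failed (and no TLS session was
    established afterwards in that process)."""
    tls_failed = {}               # pid -> True after a failed handshake, False after a good one
    starttls_offered = {}         # pid -> True after a "Host offered STARTTLS" note
    deferrals = defaultdict(int)  # queue id -> earlier deferrals caused by TLS failure
    fallbacks = []
    for line in log_text.splitlines():
        m = SMTP_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if "SSL_connect error" in msg or "Cannot start TLS" in msg:
            tls_failed[pid] = True
        elif "TLS connection established to" in msg:
            # Covers Untrusted/Trusted/Verified/Anonymous TLS connection lines.
            tls_failed[pid] = False
            starttls_offered[pid] = False
        elif msg.startswith("Host offered STARTTLS:"):
            starttls_offered[pid] = True
        d = DELIVERY_RE.match(msg)
        if not d:
            continue
        qid, status = d.group("qid"), d.group("status")
        if status == "deferred" and "Cannot start TLS" in msg:
            deferrals[qid] += 1
        elif status == "sent" and tls_failed.get(pid):
            fallbacks.append({
                "queue_id": qid,
                "recipient": d.group("rcpt"),
                "relay": d.group("relay"),
                "prior_tls_deferrals": deferrals[qid],
                "starttls_offered": starttls_offered.get(pid, False),
            })
    return fallbacks


if __name__ == "__main__":
    for rec in find_cleartext_fallbacks(SAMPLE_LOG):
        print("cleartext fallback:", rec)
```

The "TLS connection established" lines only appear with smtp_tls_loglevel of at least 1, so the script assumes that setting. State is keyed on the smtp process id and the failure flag is cleared only by a later successful TLS line, so a plaintext delivery by the same process to a relay that offers no TLS at all would also be reported; a stricter variant would additionally key the flag on the relay name taken from the "SSL_connect error to" line.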