Hi,

thank you for your reply.

This is the output of the tshark - only one line:
{"ports":["465","35308"],"len":"7","tls":{"ct":"21","rv":"0x0303","rl":"2","ht":null,"hv":null,"sv":null}}

Best regards,
Marko

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of Viktor Dukhovni
Sent: Friday, February 10, 2023 9:31 PM
To: postfix-users@postfix.org
Subject: Re: SSL3 alert write:fatal:decode error

On Fri, Feb 10, 2023 at 09:22:57AM +0000, Marko ANGELSKI wrote:

> I'm having trouble with one client (iot) not able to send emails via 
> postfix. This is the log:
> 
> postfix/smtps/smtpd[4420]: initializing the server-side TLS engine
> postfix/smtps/smtpd[4420]: connect from unknown[xxx.xxx.xxx.xxx]

This is the implicit TLS "wrapper mode" TLS service. The client is expected
to send first, starting with a TLS handshake.

> postfix/smtps/smtpd[4420]: SSL3 alert write:fatal:decode error

The server cannot decode the client's initial message.  The client sent
garbage.

> postfix/smtps/smtpd[4420]: SSL_accept:error in error

Sending the fatal alert also fails.  The client already hung up.

> postfix/smtps/smtpd[4420]: disconnect from unknown[xxx.xxx.xxx.xxx]
> commands=0/0

Not surprising.

> smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1

This client might ultimately want to use TLS 1.0, which you've disabled, but
I'd expect that to be an unsupported protocol version, not a decode error,
so that's a possible issue for later...

> Wireshark is showing:

That alert packet is too late.  You're showing the symptom, not the cause.
By the time the server is sending a fatal alert, all the interesting traffic
has gone by.

Capture a PCAP file with a single connection from that client, then use
"tshark" not wireshark, and (after installing "jq" if need be) report the
output of:

    $ tshark -nr /tmp/pkts.pcap -T ek -J "tcp tls" |
        jq -c '
            .layers
            | { tcp, tls }
            | select(.tcp and .tcp.tcp_tcp_len != "0")
            | { ports:.tcp.tcp_tcp_port
              , len:.tcp.tcp_tcp_len
              , tls:( .tls
                    | { ct:.tls_tls_record_content_type
                      , rv:.tls_tls_record_version
                      , rl:.tls_tls_record_length
                      , ht:.tls_tls_handshake_type
                      , hv:.tls_tls_handshake_version
                      , sv:.tls_tls_handshake_extensions_supported_version
                      }
                    )
              }'

Example (Working TLS 1.3 session):

{"ports":["50948","465"],"len":"295","tls":{"ct":"22","rv":"0x0301","rl":"290","ht":"1","hv":"0x0303","sv":["0x0304","0x0303","0x0302","0x0301","0x0300"]}}
{"ports":["465","50948"],"len":"4096","tls":{"ct":["22","20"],"rv":["0x0303","0x0303","0x0303"],"rl":["122","1","23"],"ht":"2","hv":"0x0303","sv":"0x0304"}}
{"ports":["50948","465"],"len":"80","tls":{"ct":"20","rv":["0x0303","0x0303"],"rl":["1","69"],"ht":null,"hv":null,"sv":null}}
{"ports":["465","50948"],"len":"255","tls":{"ct":null,"rv":"0x0303","rl":"250","ht":null,"hv":null,"sv":null}}
{"ports":["465","50948"],"len":"61","tls":{"ct":null,"rv":"0x0303","rl":"56","ht":null,"hv":null,"sv":null}}
{"ports":["50948","465"],"len":"27","tls":{"ct":null,"rv":"0x0303","rl":"22","ht":null,"hv":null,"sv":null}}
{"ports":["465","50948"],"len":"37","tls":{"ct":null,"rv":"0x0303","rl":"32","ht":null,"hv":null,"sv":null}}
{"ports":["465","50948"],"len":"24","tls":{"ct":null,"rv":"0x0303","rl":"19","ht":null,"hv":null,"sv":null}}
{"ports":["50948","465"],"len":"24","tls":{"ct":null,"rv":"0x0303","rl":"19","ht":null,"hv":null,"sv":null}}

Your client is probably not sending a TLS Client Hello.

--
    Viktor.

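Added example (not part of the thread, and not Postfix or OpenSSL code): the diagnosis above turns on what the client's first payload segment on a wrapper-mode port looks like, so here is a small Python parser that takes those first bytes and reports the same fields the jq filter prints ("ct", "rv", "rl", "ht", "hv", "sv"), plus a "kind" saying whether the bytes are a TLS ClientHello, an SSLv2-format ClientHello, plaintext SMTP (a client treating 465 like a STARTTLS port), a TLS alert, or nothing recognisable. Every input is constructed inline: the ClientHello is built by the script, the "EHLO" line is made up, and the alert record is a two-byte alert with description 50 (decode_error), which has the same ct/rv/rl shape as the single line in the reply above. Note that the jq filter keeps only segments carrying payload, so a one-line output whose only record comes from port 465 means that capture contains no client payload to classify at all.

```python
"""
Added example (not from the thread): classify the FIRST bytes a client sends
to an implicit-TLS port such as smtps/465, and extract the same fields the jq
filter in the thread reports (record content type "ct", record version "rv",
record length "rl", handshake type "ht", handshake version "hv" and the
supported_versions extension "sv"). All inputs below are constructed.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
SUPPORTED_VERSIONS_EXT = 43          # TLS 1.3 supported_versions extension id
ALERT_DESCRIPTIONS = {40: "handshake_failure", 50: "decode_error", 70: "protocol_version"}


def supported_versions(hs):
    """Walk a ClientHello body (starting at legacy_version) to its extensions
    and return the supported_versions list, or None if the extension is absent
    or the message is truncated."""
    try:
        pos = 2 + 32                                      # legacy_version + random
        pos += 1 + hs[pos]                                # legacy_session_id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + hs[pos]                                # compression_methods
        if pos + 2 > len(hs):
            return None                                   # no extensions block at all
        end = pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(hs[pos:pos + 2], "big")
            elen = int.from_bytes(hs[pos + 2:pos + 4], "big")
            edata = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT and edata:
                vs = edata[1:1 + edata[0]]                # 1-byte length, then 2-byte versions
                return [f"0x{vs[i]:02x}{vs[i + 1]:02x}" for i in range(0, len(vs) - 1, 2)]
    except IndexError:
        pass                                              # truncated ClientHello
    return None


def classify_first_bytes(data):
    """Return a dict for one client-first segment, shaped like a line of the jq
    output plus a 'kind' that says what the client actually sent."""
    out = {"kind": None, "ct": None, "rv": None, "rl": None, "ht": None, "hv": None, "sv": None}
    # A client that thinks 465 is a STARTTLS port talks SMTP in the clear first.
    if data[:4].upper() in (b"EHLO", b"HELO", b"STAR", b"QUIT"):
        out["kind"] = "plaintext_smtp"
        return out
    if len(data) < 5:
        out["kind"] = "too_short"                         # not even a TLS record header
        return out
    ct, major, minor, rl = struct.unpack("!BBBH", data[:5])
    if ct not in CONTENT_TYPES or major != 3:
        # SSLv2-format ClientHello: 2-byte length with the high bit set, then msg type 1.
        out["kind"] = "sslv2_client_hello" if data[0] & 0x80 and data[2] == 1 else "not_tls"
        return out
    out.update(ct=ct, rv=f"0x{major:02x}{minor:02x}", rl=rl)
    body = data[5:5 + rl]
    if ct == 21:                                          # alert body: level, description
        out["kind"] = "alert"
        if len(body) >= 2:
            out["alert"] = ALERT_DESCRIPTIONS.get(body[1], str(body[1]))
        return out
    if ct != 22 or len(body) < 4:
        out["kind"] = CONTENT_TYPES[ct]
        return out
    ht, hlen = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hlen]
    out["ht"] = ht
    if ht == 1 and len(hs) >= 2:                          # ClientHello
        out["kind"] = "client_hello"
        out["hv"] = f"0x{hs[0]:02x}{hs[1]:02x}"
        out["sv"] = supported_versions(hs)
    else:
        out["kind"] = "handshake"
    return out


def build_client_hello(versions=(0x0304, 0x0303)):
    """Constructed minimal ClientHello (one cipher suite, one extension), using
    the record version 0x0301 seen in the working TLS 1.3 session above."""
    sv = b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HHB", SUPPORTED_VERSIONS_EXT, len(sv) + 1, len(sv)) + sv
    body = (struct.pack("!H", 0x0303) + bytes(32)         # legacy_version + random (zeros)
            + b"\x00"                                     # empty session id
            + struct.pack("!H", 2) + b"\x13\x01"          # TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                 # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", 22, 3, 1, len(hs)) + hs


if __name__ == "__main__":
    samples = {                                           # all constructed, not captured
        "tls13 client": build_client_hello((0x0304, 0x0303, 0x0302, 0x0301)),
        "plaintext smtp": b"EHLO iot-device\r\n",
        "sslv2 hello": b"\x80\x2e\x01\x00\x02",
        "garbage": b"\x00\x01\x02\x03\x04\x05",
        "server decode_error alert": b"\x15\x03\x03\x00\x02\x02\x32",
    }
    for name, data in samples.items():
        print(f"{name:26} {classify_first_bytes(data)}")
```

To use it on a real capture, feed it the payload of the first non-empty client-to-server TCP segment (for example exported from tshark with a field filter on tcp.payload); the parser deliberately looks only at that first segment, because that is the message the server failed to decode.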