Re: letsencrypt and SSL alert number 80
On Mon, Dec 12, 2022 at 01:27:59PM -0500, Alex wrote:

> Dec 12 13:12:47 xavier postfix-116/smtpd[1683671]: warning: TLS library
> problem: error:0A000438:SSL routines::tlsv1 alert internal
> error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:

Some remote client encountered an internal (to it) error and decided to politely abandon the TLS handshake by announcing this fact, rather than just drop the connection.

Newsflash: something's broken on the Internet! No, wait, perhaps that's not news...

> smtp_tls_cert_file=/etc/letsencrypt/fullchain.pem
> smtp_tls_key_file=/etc/letsencrypt/privkey.pem

You probably don't need these.

> smtp_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
> smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL

And don't need to exclude aNULL for either the server or the client.

> smtpd_tls_session_cache_database =
> btree:${data_directory}/smtpd_tls_session_cache

And don't need this either, because session tickets work better.

-- 
Viktor.
Re: letsencrypt and SSL alert number 80
> I'm seeing periodic entries like this in my maillog:
>
> Dec 12 13:12:47 xavier postfix-116/smtpd[1683671]: warning: TLS library
> problem: error:0A000438:SSL routines::tlsv1 alert internal
> error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:

[...]

> smtp_tls_cert_file=/etc/letsencrypt/fullchain.pem
> smtp_tls_key_file=/etc/letsencrypt/privkey.pem

Usually there is no need for client certificates when sending emails.

> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
> smtpd_tls_security_level = may
> smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
> tls_preempt_cipherlist = yes
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_auth_only = yes
> smtpd_tls_cert_file = /etc/letsencrypt/fullchain.pem
> smtpd_tls_key_file = /etc/letsencrypt/privkey.pem

Are you sure the cert/key_file path is correct? Those filenames look like they are generated by certbot, which places files (softlinks) in /etc/letsencrypt/live//{fullchain.pem,privkey.pem,...}, not in /etc/letsencrypt/{fullchain.pem,...} on my server.

Did you check if the certificate is valid?

openssl x509 -text < /etc/letsencrypt/cert.pem
openssl x509 -text < /etc/letsencrypt/live//cert.pem

// cert.pem contains your public certificate only whereas fullchain.pem
// additionally contains letsencrypt's intermediate certificate.
// For verification try cert.pem; for smtpd_tls_cert_file use fullchain.pem

Best regards
Gerald
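As an added example (not code from the thread or from Postfix), a small Python checker that decodes the "SSL alert number N" log line from the original post and applies the review points Viktor and Gerald raised above (client cert/key files, the aNULL exclusion, the smtpd session cache, certbot's live/ directory) to a main.cf excerpt. The sample log line and config are constructed from the settings Alex posted; the alert-name table comes from RFC 8446, and "<name>" in the certbot path is a placeholder for the certificate's directory.

```python
import re
# Fatal TLS alert codes from RFC 8446, section 6.2; 80 is the one in the posted log line.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              70: "protocol_version", 71: "insufficient_security", 80: "internal_error"}
ALERT_RE = re.compile(r"postfix[^/]*/(?P<proc>smtpd?)\[\d+\].*SSL alert number (?P<num>\d+)")

def decode_alert(line):
    """Return (postfix process, alert number, alert name) for an 'SSL alert number N' line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    num = int(m.group("num"))
    return m.group("proc"), num, TLS_ALERTS.get(num, "unknown")

def parse_main_cf(text):
    """Read 'name = value' and 'name=value' lines (both forms appear in the posted config)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            cfg[name.strip()] = value.strip()
    return cfg

def review_tls_config(cfg):
    """Apply the review points from the replies; one finding string per issue found."""
    findings = []
    if "smtp_tls_cert_file" in cfg or "smtp_tls_key_file" in cfg:
        findings.append("smtp_tls_cert_file/key_file: a client certificate is usually not needed to send mail")
    for p in ("smtp_tls_exclude_ciphers", "smtpd_tls_exclude_ciphers"):
        if "anull" in re.split(r"[,\s]+", cfg.get(p, "").lower()):
            findings.append(f"{p}: excluding aNULL is unnecessary")
    if "smtpd_tls_session_cache_database" in cfg:
        findings.append("smtpd_tls_session_cache_database: not needed, session tickets work better")
    for p in ("smtp_tls_cert_file", "smtp_tls_key_file", "smtpd_tls_cert_file", "smtpd_tls_key_file"):
        path = cfg.get(p, "")
        if path.startswith("/etc/letsencrypt/") and not path.startswith("/etc/letsencrypt/live/"):
            findings.append(f"{p}={path}: certbot keeps its files under /etc/letsencrypt/live/<name>/")
    return findings

# Constructed sample input: the log line and a subset of the settings from the original post.
SAMPLE_LOG = ("Dec 12 13:12:47 xavier postfix-116/smtpd[1683671]: warning: TLS library problem: error:0A000438:SSL "
              "routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:")
SAMPLE_MAIN_CF = """\
smtp_tls_cert_file=/etc/letsencrypt/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/privkey.pem
smtp_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache
"""
```

Running `review_tls_config(parse_main_cf(SAMPLE_MAIN_CF))` on the sample yields six findings, one for each point the replies made; a config whose cert paths sit under /etc/letsencrypt/live/ and which sets none of the flagged parameters yields none.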
letsencrypt and SSL alert number 80
Hi,

I'm seeing periodic entries like this in my maillog:

Dec 12 13:12:47 xavier postfix-116/smtpd[1683671]: warning: TLS library problem: error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:

I've searched quite a bit for more info on this error, including in the letsencrypt and openssl blogs, and haven't been able to find much.

I previously was requiring TLS >= TLSv1.0, but have now relaxed that restriction and am still seeing these messages.

Here are my tls config options. Does anything else stand out as a possible cause that I could troubleshoot further?

# grep -E 'tls|ssl' main.cf|grep -v '\#'
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_cert_file=/etc/letsencrypt/fullchain.pem
smtp_tls_key_file=/etc/letsencrypt/privkey.pem
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache

Thanks so much for any ideas.
Alex