Cannot start TLS: handshake failure / network_biopair_interop
From: /dev/rob0 (rob0@gmx.co.uk)
Date: Mon May 30 2005 - 09:13:29 CDT
The mail topography is a remote MX which uses relay_domains to forward
mail to my mailbox server (Linux) at home. Routing is handled via
transport_maps. Both ends are under my control and are running Postfix
2.2.3.
All worked well with my home Linux firewall, but alas, hardware problems
brought it down last week, and I'm still hurting.
Formerly I used openvpn (SSL-based VPN) to pass the mail securely. I'm
having problems with openvpn getting through the D-Link router, so I
tried TLS. TLS is tested with a MUA and working on both the MX and the
home (mailbox) server. It was configured with the "Quick and dirty"
instructions in the TLS_README.
I set up smtp_tls_per_site maps on both ends, and that much seems to be
working, because they're trying TLS, but TLS fails. My theory is to
continue blaming all my troubles on the router, but I am not sure. I
understand little of the TLS specifics, unfortunately.
Here was a test message coming in at the MX:
May 30 13:23:33 sorry postfix/smtpd[2254]: 4860F1F157: client=mail.gmx.net[213.165.64.20]
May 30 13:23:33 sorry postfix/cleanup[2259]: 4860F1F157: message-id=<429B13CF.3090703@gmx.co.uk>
May 30 13:23:33 sorry postfix/qmgr[2253]: 4860F1F157: from=<rob0@gmx.co.uk>, size=966, nrcpt=1 (queue active)
May 30 13:23:33 sorry postfix/smtpd[2254]: disconnect from mail.gmx.net[213.165.64.20]
May 30 13:23:34 sorry postfix/smtp[2260]: certificate verification failed for rob0.dynamic.nodns4.us: num=19:self signed certificate in certificate chain
May 30 13:23:34 sorry postfix/smtp[2260]: SSL_connect error to rob0.dynamic.nodns4.us: -1
May 30 13:23:34 sorry postfix/smtp[2260]: warning: TLS library problem: 2260:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:842:
May 30 13:23:34 sorry postfix/smtp[2260]: 4860F1F157: to=<user@my.domain>, relay=rob0.dynamic.nodns4.us[68.62.173.11], delay=1, status=deferred (Cannot start TLS: handshake failure)
And here's the same message (clocks are off by 5 hours due to time
zones, and 1-2 seconds due to ... can't get NTP through that stupid
router either) arriving at the mailbox server:
May 30 08:23:35 whn postfix/smtpd[8672]: connect from sorry.no-ip-here.net[66.226.201.55]
May 30 08:23:35 whn postfix/smtpd[8672]: match_hostname: sorry.no-ip-here.net ~? 127.0.0.0/8
May 30 08:23:35 whn postfix/smtpd[8672]: match_hostaddr: 66.226.201.55 ~? 127.0.0.0/8
May 30 08:23:35 whn postfix/smtpd[8672]: match_hostname: sorry.no-ip-here.net ~? 192.168.0.0/16
May 30 08:23:35 whn postfix/smtpd[8672]: match_hostaddr: 66.226.201.55 ~? 192.168.0.0/16
May 30 08:23:35 whn postfix/smtpd[8672]: match_list_match: sorry.no-ip-here.net: no match
May 30 08:23:35 whn postfix/smtpd[8672]: match_list_match: 66.226.201.55: no match
May 30 08:23:35 whn postfix/smtpd[8672]: attr_clnt_connect: connected to private/anvil
May 30 08:23:35 whn postfix/smtpd[8672]: send attr request = connect
May 30 08:23:35 whn postfix/smtpd[8672]: send attr ident = smtp:66.226.201.55
May 30 08:23:35 whn postfix/smtpd[8672]: private/anvil: wanted attribute: status
May 30 08:23:35 whn postfix/smtpd[8672]: input attribute name: status
May 30 08:23:35 whn postfix/smtpd[8672]: input attribute value: 0
May 30 08:23:35 whn postfix/smtpd[8672]: private/anvil: wanted attribute: count
May 30 08:23:35 whn postfix/smtpd[8672]: input attribute name: count
May 30 08:23:35 whn postfix/smtpd[8672]: input attribute value: 1
May 30 08:23:35 whn postfix/smtpd[8672]: private/anvil: wanted attribute: rate
May 30 08:23:35 whn postfix/smtpd[8672]: input attribute name: rate
May 30 08:23:35 whn postfix/smtpd[8672]: input attribute value: 1
May 30 08:23:35 whn postfix/smtpd[8672]: private/anvil: wanted attribute: (list terminator)
May 30 08:23:35 whn postfix/smtpd[8672]: input attribute name: (end)
May 30 08:23:35 whn postfix/smtpd[8672]: > sorry.no-ip-here.net[66.226.201.55]: 220 room101.nodns4.us NO UCE ESMTP Postfix
May 30 08:23:35 whn postfix/smtpd[8672]: watchdog_pat: 0x80a2dc0
May 30 08:23:35 whn postfix/smtpd[8672]: < sorry.no-ip-here.net[66.226.201.55]: EHLO sorry.no-ip-here.net
May 30 08:23:35 whn postfix/smtpd[8672]: > sorry.no-ip-here.net[66.226.201.55]: 250-room101.nodns4.us
May 30 08:23:35 whn postfix/smtpd[8672]: > sorry.no-ip-here.net[66.226.201.55]: 250-PIPELINING
May 30 08:23:35 whn postfix/smtpd[8672]: > sorry.no-ip-here.net[66.226.201.55]: 250-SIZE 10240000
May 30 08:23:35 whn postfix/smtpd[8672]: > sorry.no-ip-here.net[66.226.201.55]: 250-VRFY
May 30 08:23:35 whn postfix/smtpd[8672]: > sorry.no-ip-here.net[66.226.201.55]: 250-ETRN
May 30 08:23:35 whn postfix/smtpd[8672]: match_list_match: sorry.no-ip-here.net: no match
May 30 08:23:35 whn postfix/smtpd[8672]: match_list_match: 66.226.201.55: no match
May 30 08:23:35 whn postfix/smtpd[8672]: > sorry.no-ip-here.net[66.226.201.55]: 250-STARTTLS
May 30 08:23:35 whn postfix/smtpd[8672]: > sorry.no-ip-here.net[66.226.201.55]: 250 8BITMIME
May 30 08:23:35 whn postfix/smtpd[8672]: watchdog_pat: 0x80a2dc0
May 30 08:23:36 whn postfix/smtpd[8672]: < sorry.no-ip-here.net[66.226.201.55]: STARTTLS
May 30 08:23:36 whn postfix/smtpd[8672]: > sorry.no-ip-here.net[66.226.201.55]: 220 Ready to start TLS
May 30 08:23:36 whn postfix/smtpd[8672]: setting up TLS connection from sorry.no-ip-here.net[66.226.201.55]
May 30 08:23:36 whn postfix/smtpd[8672]: send attr request = seed
May 30 08:23:36 whn postfix/smtpd[8672]: send attr size = 32
May 30 08:23:36 whn postfix/smtpd[8672]: private/tlsmgr: wanted attribute: status
May 30 08:23:36 whn postfix/smtpd[8672]: input attribute name: status
May 30 08:23:36 whn postfix/smtpd[8672]: input attribute value: 0
May 30 08:23:36 whn postfix/smtpd[8672]: private/tlsmgr: wanted attribute: seed
May 30 08:23:36 whn postfix/smtpd[8672]: input attribute name: seed
May 30 08:23:36 whn postfix/smtpd[8672]: input attribute value: XEMSCL0kbhtKIBMkUaK725bJgu1CB0XpwW2w1prqX2c=
May 30 08:23:36 whn postfix/smtpd[8672]: private/tlsmgr: wanted attribute: (list terminator)
May 30 08:23:36 whn postfix/smtpd[8672]: input attribute name: (end)
May 30 08:23:36 whn postfix/smtpd[8672]: warning: network_biopair_interop: error reading 5 bytes from the network: Connection reset by peer
[log paused]
Hmmm:
http://archives.neohapsis.com/archives/postfix/2005-01/1510.html
These are both Postfix 2.2.3. In the interest of full disclosure, I did
apply the dovecot-auth patch, but I don't think that would affect TLS
negotiations.
[log continued]
May 30 08:23:36 whn postfix/smtpd[8672]: SSL_accept error from sorry.no-ip-here.net[66.226.201.55]: -1
May 30 08:23:36 whn postfix/smtpd[8672]: match_hostname: sorry.no-ip-here.net ~? 127.0.0.0/8
May 30 08:23:36 whn postfix/smtpd[8672]: match_hostaddr: 66.226.201.55 ~? 127.0.0.0/8
May 30 08:23:36 whn postfix/smtpd[8672]: match_hostname: sorry.no-ip-here.net ~? 192.168.0.0/16
May 30 08:23:36 whn postfix/smtpd[8672]: match_hostaddr: 66.226.201.55 ~? 192.168.0.0/16
May 30 08:23:36 whn postfix/smtpd[8672]: match_list_match: sorry.no-ip-here.net: no match
May 30 08:23:36 whn postfix/smtpd[8672]: match_list_match: 66.226.201.55: no match
May 30 08:23:36 whn postfix/smtpd[8672]: send attr request = disconnect
May 30 08:23:36 whn postfix/smtpd[8672]: send attr ident = smtp:66.226.201.55
May 30 08:23:36 whn postfix/smtpd[8672]: private/anvil: wanted attribute: status
May 30 08:23:36 whn postfix/smtpd[8672]: input attribute name: status
May 30 08:23:36 whn postfix/smtpd[8672]: input attribute value: 0
May 30 08:23:36 whn postfix/smtpd[8672]: private/anvil: wanted attribute: (list terminator)
May 30 08:23:36 whn postfix/smtpd[8672]: input attribute name: (end)
May 30 08:23:36 whn postfix/smtpd[8672]: lost connection after STARTTLS from sorry.no-ip-here.net[66.226.201.55]
May 30 08:23:36 whn postfix/smtpd[8672]: disconnect from sorry.no-ip-here.net[66.226.201.55]
(CC:'s of this thread will be appreciated. I don't have my regular email
available until I get this worked out. :( Disregard the warning in .sig.)
--
mail to this address MIGHT BE discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
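As an added example (my own code, not part of the post above and not Postfix's), here is a small Python log correlator that reads the TLS-related lines from both sides of this exchange. It pairs the client-side "certificate verification failed ... num=N" line with the deferred delivery that follows, decodes N as an OpenSSL X509 verify result (19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN), and recognises the server-side "Connection reset by peer" plus SSL_accept error as the mirror image of the client aborting. The function names, regexes and verify-code table are my own assumptions; the sample lines are the post's own log lines, rejoined where the archive wrapped them.

```python
import re
from collections import defaultdict

# OpenSSL X509 verify result codes that Postfix echoes as "num=N" in its
# "certificate verification failed" lines (subset of openssl/x509_vfy.h).
X509_VERIFY_ERRORS = {
    2: "unable to get issuer certificate",
    9: "certificate is not yet valid",
    10: "certificate has expired",
    18: "self signed certificate (leaf)",
    19: "self signed certificate in certificate chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

# Syslog prefix shared by every line: "May 30 13:23:34 sorry postfix/smtp[2260]: "
PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) postfix/(?P<prog>\w+)\[(?P<pid>\d+)\]: "

# Assumed patterns (my own) for the Postfix 2.2 / OpenSSL messages seen in the post.
PATTERNS = {
    "verify_failed": re.compile(PREFIX + r"certificate verification failed for (?P<peer>\S+): num=(?P<num>\d+):(?P<why>.*)$"),
    "ssl_error": re.compile(PREFIX + r"SSL_(?P<op>connect|accept) error (?:to|from) (?P<peer>\S+): (?P<code>-?\d+)$"),
    "tls_library": re.compile(PREFIX + r"warning: TLS library problem: (?P<detail>.*)$"),
    "bio_error": re.compile(PREFIX + r"warning: network_biopair_interop: (?P<detail>.*)$"),
    "delivery": re.compile(PREFIX + r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), delay=(?P<delay>\S+), status=(?P<status>\w+) \((?P<reason>.*)\)$"),
}


def parse_event(line):
    """Classify one log line as a TLS-relevant event, or None if uninteresting."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            return kind, m.groupdict()
    return None


def analyze(lines):
    """Group events per Postfix process (host, program, pid) and summarize
    every process that saw a failed TLS handshake."""
    sessions = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            kind, fields = ev
            sessions[(fields["host"], fields["prog"], fields["pid"])].append((kind, fields))

    findings = []
    for (host, prog, pid), events in sessions.items():
        # postfix/smtp is the TLS client, postfix/smtpd the TLS server
        s = {"host": host, "process": f"{prog}[{pid}]",
             "side": "client" if prog == "smtp" else "server",
             "handshake_failed": False}
        for kind, f in events:
            if kind == "verify_failed":
                num = int(f["num"])
                s.update(peer=f["peer"], verify_error=num,
                         verify_reason=X509_VERIFY_ERRORS.get(num, f["why"].strip()))
            elif kind == "ssl_error":
                s.update(peer=f["peer"], handshake_failed=True)
            elif kind == "bio_error":
                s["network_error"] = f["detail"]
            elif kind == "tls_library":
                s["library_detail"] = f["detail"]
            elif kind == "delivery":
                s.update(queue_id=f["qid"], status=f["status"], reason=f["reason"])
        if s["handshake_failed"] or "verify_error" in s:
            findings.append(s)
    return findings


def explain(finding):
    """Defender-oriented reading of one finding: which side to fix and why."""
    if finding["side"] == "client" and "verify_error" in finding:
        return (f"client {finding['process']} rejected {finding['peer']}: "
                f"{finding['verify_reason']} (num={finding['verify_error']}); "
                "the peer's CA is not in this host's trust store, so mandatory "
                "verification aborted the handshake before any mail was sent")
    if finding["side"] == "server" and "network_error" in finding:
        return (f"server {finding['process']} saw {finding['network_error']!r} "
                "during the handshake: the client gave up; its own log holds the reason")
    return f"{finding['side']} {finding['process']}: handshake failed"


# Sample input: the relevant lines from the two logs in the post, rejoined
# into single lines (the archive wrapped them).
SAMPLE_LOG = [
    "May 30 13:23:34 sorry postfix/smtp[2260]: certificate verification failed for rob0.dynamic.nodns4.us: num=19:self signed certificate in certificate chain",
    "May 30 13:23:34 sorry postfix/smtp[2260]: SSL_connect error to rob0.dynamic.nodns4.us: -1",
    "May 30 13:23:34 sorry postfix/smtp[2260]: warning: TLS library problem: 2260:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:842:",
    "May 30 13:23:34 sorry postfix/smtp[2260]: 4860F1F157: to=<user@my.domain>, relay=rob0.dynamic.nodns4.us[68.62.173.11], delay=1, status=deferred (Cannot start TLS: handshake failure)",
    "May 30 08:23:36 whn postfix/smtpd[8672]: setting up TLS connection from sorry.no-ip-here.net[66.226.201.55]",
    "May 30 08:23:36 whn postfix/smtpd[8672]: warning: network_biopair_interop: error reading 5 bytes from the network: Connection reset by peer",
    "May 30 08:23:36 whn postfix/smtpd[8672]: SSL_accept error from sorry.no-ip-here.net[66.226.201.55]: -1",
    "May 30 08:23:36 whn postfix/smtpd[8672]: lost connection after STARTTLS from sorry.no-ip-here.net[66.226.201.55]",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(explain(finding))
```

Run against the post's lines, the pairing shows the two logs describing one event from opposite ends: the mailbox server completed the SMTP dialogue up to "220 Ready to start TLS" and then saw only a reset, while the MX's smtp client received the server certificate (the OpenSSL error is raised in SSL3_GET_SERVER_CERTIFICATE) and refused the chain because its root is self-signed and untrusted. That means the TCP path through the router carried the connection at least as far as the certificate exchange. On the Postfix client side the trusted CAs come from smtp_tls_CAfile or smtp_tls_CApath, so the defender's fix is to make the private CA trusted there rather than to loosen the per-site TLS policy.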