TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Andreas
postfix at linuxmaker.de
Thu Sep 16 15:41:30 CEST 2021
Hello everyone,
I did a dist-upgrade from Debian Buster to Bullseye, and after a reboot the
mail users report that their clients run into a timeout and mail can no
longer be synchronized.
I was able to narrow it down this far: after a telnet to port 587, the
connection drops on an authentication attempt and this message appears in
the log file:
Sep 16 15:13:20 mx postfix/submission/smtpd[11588]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331
Main.cf:
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
compatibility_level = 2
confirm_delay_cleared = yes
delay_warning_time = 60
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
milter_default_action = tempfail
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks permit_sasl_authenticated reject
mua_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated reject
mua_sender_restrictions = permit_mynetworks reject_non_fqdn_sender reject_sender_login_mismatch permit_sasl_authenticated reject
mydestination = mx.example.tld, localhost.example.tld, localhost
myhostname = mx.example.tld
mynetworks = 127.0.0.0/8 192.168.1.0/24 192.109.24.0/24 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:11332
plaintext_reject_code = 550
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 24h
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.4*1 hostkarma.junkemailfilter.com=127.0.1.2*1 wl.mailspike.net=127.0.0.[18;19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 2d
postscreen_greet_wait = 3s
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
proxy_read_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf, proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_in_policy.cf, proxy:mysql:/etc/postfix/sql/sender-login-maps.cf, $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $mynetworks $smtpd_sender_login_maps
queue_run_delay = 5m
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/sql/mysql_relay_recipient_maps.cf
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = medium
smtp_tls_loglevel = 1
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unauth_destination
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.example.tld/fullchain.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams_2048.pem
smtpd_tls_dh512_param_file = /etc/ssl/mail/dhparams_512.pem
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
smtpd_tls_key_file = /etc/letsencrypt/live/mx.example.tld/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
smtpd_tls_mandatory_protocols = !SSLv3
smtpd_tls_protocols = !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000
I currently can't find the parameters that need to be changed, or which
package might be faulty.
Best regards and many thanks in advance
Andreas
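
Added example, not part of the original post: OpenSSL reports "wrong version number" from ssl3_get_record when the version field of the record header it reads is not one it accepts. The sketch below parses the 5-byte TLS record header and shows what that field contains when plain SMTP text arrives where a TLS record was expected; the function names and sample byte strings are constructed for illustration.

```python
import struct

# Constructed sample inputs: the first bytes a server might read at the point
# where it expects a TLS record (for SMTP: directly after STARTTLS is accepted).
SAMPLES = {
    "client_hello": bytes.fromhex("1603010200") + b"\x01\x00\x01\xfc",
    "smtp_command": b"AUTH LOGIN\r\n",
    "old_major": bytes.fromhex("1602000010"),
}

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_FRAGMENT = 2**14 + 2048  # largest ciphertext fragment TLS 1.2 permits


def parse_record_header(data: bytes):
    """Split the 5-byte TLS record header: type, major, minor, length."""
    if len(data) < 5:
        raise ValueError("a TLS record header is 5 bytes")
    return struct.unpack("!BBBH", data[:5])


def classify_first_bytes(data: bytes) -> str:
    """Say what the peer most likely sent in place of a TLS record."""
    ctype, major, minor, length = parse_record_header(data)
    if major != 3:  # every SSL 3.0 / TLS 1.x record carries major version 3
        printable = all(32 <= b < 127 or b in (10, 13) for b in data[:5])
        return "plaintext" if printable else "wrong_version"
    if ctype not in CONTENT_TYPES:
        return "bad_content_type"
    if length > MAX_FRAGMENT:
        return "bad_length"
    return "tls_record"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        ctype, major, minor, length = parse_record_header(raw)
        print(f"{name:13} type=0x{ctype:02x} version={major}.{minor} "
              f"len={length:5} -> {classify_first_bytes(raw)}")
```

Read as a record header, the ASCII bytes of "AUTH " give version 85.84, so a plaintext command typed into a session that has already switched to TLS is rejected at this check.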