TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Andreas postfix at linuxmaker.de
Thu Sep 16 15:41:30 CEST 2021


Hello everyone,

I did a dist-upgrade from Debian Buster to Bullseye, and after a reboot the 
mail users report that their clients run into a timeout and can no longer 
synchronize mail.

So far I have been able to narrow it down: after a telnet to port 587, the 
connection drops on an authentication attempt and this message appears in the 
log file:

Sep 16 15:13:20 mx postfix/submission/smtpd[11588]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331

Main.cf:

append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
compatibility_level = 2
confirm_delay_cleared = yes
delay_warning_time = 60
disable_vrfy_command = yes
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
milter_default_action = tempfail
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks permit_sasl_authenticated reject
mua_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks permit_sasl_authenticated reject
mua_sender_restrictions = permit_mynetworks reject_non_fqdn_sender reject_sender_login_mismatch permit_sasl_authenticated reject
mydestination = mx.example.tld, localhost.example.tld, localhost
myhostname = mx.example.tld
mynetworks = 127.0.0.0/8 192.168.1.0/24 192.109.24.0/24 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = inet:localhost:11332
plaintext_reject_code = 550
postscreen_access_list = permit_mynetworks cidr:/etc/postfix/postscreen_access
postscreen_bare_newline_enable = no
postscreen_blacklist_action = drop
postscreen_cache_cleanup_interval = 24h
postscreen_cache_map = proxy:btree:$data_directory/postscreen_cache
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org=127.0.0.2*7 dnsbl.inps.de=127.0.0.2*7 bl.mailspike.net=127.0.0.2*5 bl.mailspike.net=127.0.0.[10;11;12]*4 dnsbl.sorbs.net=127.0.0.10*8 dnsbl.sorbs.net=127.0.0.5*6 dnsbl.sorbs.net=127.0.0.7*3 dnsbl.sorbs.net=127.0.0.8*2 dnsbl.sorbs.net=127.0.0.6*2 dnsbl.sorbs.net=127.0.0.9*2 zen.spamhaus.org=127.0.0.[4..7]*6 zen.spamhaus.org=127.0.0.3*4 zen.spamhaus.org=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.2*3 hostkarma.junkemailfilter.com=127.0.0.4*1 hostkarma.junkemailfilter.com=127.0.1.2*1 wl.mailspike.net=127.0.0.[18;19;20]*-2 hostkarma.junkemailfilter.com=127.0.0.1*-2
postscreen_dnsbl_threshold = 8
postscreen_dnsbl_ttl = 5m
postscreen_greet_action = enforce
postscreen_greet_banner = $smtpd_banner
postscreen_greet_ttl = 2d
postscreen_greet_wait = 3s
postscreen_non_smtp_command_enable = no
postscreen_pipelining_enable = no
proxy_read_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf, proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_out_policy.cf, proxy:mysql:/etc/postfix/sql/mysql_tls_enforce_in_policy.cf, proxy:mysql:/etc/postfix/sql/sender-login-maps.cf, $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $mynetworks $smtpd_sender_login_maps
queue_run_delay = 5m
readme_directory = /usr/share/doc/postfix
recipient_delimiter = +
relay_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_mxdomain_maps.cf
relay_recipient_maps = proxy:mysql:/etc/postfix/sql/mysql_relay_recipient_maps.cf
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = medium
smtp_tls_loglevel = 1
smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_error_sleep_time = 10s
smtpd_hard_error_limit = ${stress?1}${stress:5}
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_invalid_helo_hostname, reject_unknown_reverse_client_hostname, reject_unauth_destination
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_sender_login_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_sender_acl.cf
smtpd_soft_error_limit = 3
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.example.tld/fullchain.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/ssl/mail/dhparams_2048.pem
smtpd_tls_dh512_param_file = /etc/ssl/mail/dhparams_512.pem
smtpd_tls_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
smtpd_tls_key_file = /etc/letsencrypt/live/mx.example.tld/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_exclude_ciphers = ECDHE-RSA-RC4-SHA, RC4, aNULL
smtpd_tls_mandatory_protocols = !SSLv3
smtpd_tls_protocols = !SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, proxy:mysql:/etc/postfix/sql/mysql_virtual_spamalias_maps.cf
virtual_gid_maps = static:5000
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 104
virtual_transport = lmtp:unix:private/dovecot-lmtp
virtual_uid_maps = static:5000

I cannot find the parameters that need to be changed right now, or which 
package might be faulty.

Best regards and many thanks in advance

Andreas
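
What the logged reason means at the record layer, as an added example (not part of the original post, and not Postfix or OpenSSL code): a TLS receiver reads the first five bytes of a record as content type, version and length, so plaintext SMTP arriving where a TLS record is expected decodes to a version field that is no TLS version. The helper names and the sample byte strings are constructed for illustration; only the log line comes from the post.

```python
import re
import struct

# OpenSSL error strings have the form error:<hex code>:<library>:<function>:<reason>
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
)
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


def parse_openssl_error(log_line: str) -> dict:
    """Extract code, library, function and reason from a logged OpenSSL error."""
    m = OPENSSL_ERR.search(log_line)
    if m is None:
        raise ValueError("no OpenSSL error string in line")
    return m.groupdict()


def inspect_record_header(data: bytes) -> dict:
    """Read the first five bytes the way a TLS record layer does:
    1 byte content type, 2 bytes protocol version, 2 bytes length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {
        "content_type": TLS_CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": f"0x{major:02x}{minor:02x}",
        "length": length,
        "looks_like_tls": ctype in TLS_CONTENT_TYPES and major == 3,
    }


# Log line from the post, rejoined onto one line.
LOG = ("Sep 16 15:13:20 mx postfix/submission/smtpd[11588]: warning: TLS library "
       "problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:"
       "../ssl/record/ssl3_record.c:331")

# Constructed samples: start of a TLS handshake record vs. plaintext SMTP commands.
SAMPLES = {
    "tls_client_hello": bytes.fromhex("1603010200"),
    "plaintext_ehlo": b"EHLO client.example\r\n",
    "plaintext_auth": b"AUTH PLAIN\r\n",
}

if __name__ == "__main__":
    print(parse_openssl_error(LOG))
    for name, data in SAMPLES.items():
        print(name, inspect_record_header(data))
```

The plaintext samples decode to version fields 0x484c and 0x5554, the ASCII bytes "HL" and "UT", which is the kind of mismatch the reason string describes.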