Score:1

Postfix - lost connection after STARTTLS - SSL_accept error from unknown


I have set up a mail server on my Debian 10 VPS with Postfix and Dovecot. I can send email and receive email from some servers, but not all.

When I test my mailserver at internet.nl I get the following message:

[image: internet.nl test result for the mail server, showing the STARTTLS check failing]

The mail.log shows the following:

Dec 26 21:01:20 mail postfix/smtpd[24531]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Dec 26 21:01:20 mail postfix/smtpd[24531]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Dec 26 21:01:20 mail postfix/smtpd[24531]: connect from internet.nl[62.204.66.10]
Dec 26 21:01:20 mail postfix/smtpd[24531]: SSL_accept error from internet.nl[62.204.66.10]: -1
Dec 26 21:01:20 mail postfix/smtpd[24531]: warning: TLS library problem: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:1636:

postconf -n contains this:

append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 1h
disable_vrfy_command = yes
inet_interfaces = 127.0.0.1, ::1, ***, ***::1
local_recipient_maps = $virtual_mailbox_maps
mailbox_size_limit = 0
maximal_backoff_time = 15m
maximal_queue_lifetime = 1h
message_size_limit = 52428800
milter_default_action = accept
milter_mail_macros = i {mail_addr} {client_addr} {client_name} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 5m
mua_client_restrictions = permit_mynetworks,permit_sasl_authenticated,reject
mua_relay_restrictions = reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_mynetworks,permit_sasl_authenticated,reject
mua_sender_restrictions = permit_mynetworks,reject_non_fqdn_sender,reject_sender_login_mismatch,permit_sasl_authenticated,reject
myhostname = mail.***.com
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
non_smtpd_milters = inet:localhost:11332
proxy_read_maps = proxy:mysql:/etc/postfix/sql/aliases.cf proxy:mysql:/etc/postfix/sql/accounts.cf proxy:mysql:/etc/postfix/sql/domains.cf proxy:mysql:/etc/postfix/sql/recipient-access.cf proxy:mysql:/etc/postfix/sql/sender-login-maps.cf proxy:mysql:/etc/postfix/sql/tls-policy.cf
queue_run_delay = 5m
recipient_delimiter = +
smtp_dns_support_level = dnssec
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = medium
smtp_tls_policy_maps = proxy:mysql:/etc/postfix/sql/tls-policy.cf
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_client_restrictions = permit_mynetworks check_client_access hash:/etc/postfix/without_ptr reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_milters = inet:localhost:11332
smtpd_recipient_restrictions = check_recipient_access proxy:mysql:/etc/postfix/sql/recipient-access.cf
smtpd_relay_restrictions = reject_non_fqdn_recipient reject_unknown_recipient_domain permit_mynetworks reject_unauth_destination
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.***.com/fullchain.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh4096.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.***.com/privkey.pem
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = yes
tls_ssl_options = NO_RENEGOTIATION
virtual_alias_maps = proxy:mysql:/etc/postfix/sql/aliases.cf
virtual_mailbox_domains = proxy:mysql:/etc/postfix/sql/domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/sql/accounts.cf
virtual_transport = lmtp:unix:private/dovecot-lmtp

You can find the full main.cf here: https://pastebin.com/TnDhUZka

I assume that my server blocks some TLS. I have also tried some methods and searched on serverfault; however, none of them have helped me so far.

Ginnungagap:
internet.nl will test multiple TLS versions. OpenSSL dropped support for SSLv2/3 so having an unknown version in the logs isn't an issue by itself. Do you maybe have an overly aggressive fail2ban setup?
Tristan:
@Ginnungagap Thanks for your reply. I have SSLv2 and SSLv3 disabled too, as they are insecure. I'm just surprised that internet.nl shows the error for STARTTLS completely; the subchecks are not executed at all. I have not installed / configured fail2ban.
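The comment above is right that a scanner deliberately sends hellos the server must refuse, and the log line in the question shows which one: in OpenSSL 1.1.1 (what Debian 10 ships) the reason "unknown protocol" raised from tls_early_post_process_client_hello is the branch that rejects a genuine SSLv2 ClientHello, since SSLv2 support was removed from the library in 1.1.0. A failed probe therefore looks exactly like a failed delivery in mail.log, and the useful check is whether any failures come from a reason other than a protocol probe. The script below is an added example for this thread, not code from the original post: it pairs each "SSL_accept error from host[ip]" line with the "TLS library problem" warning logged by the same smtpd pid (in either order, since the question's excerpt is not in strict order), tallies the OpenSSL reason per client IP, and resolves the legacy `!name` syntax of `smtpd_tls_protocols` to the enabled versions. The sample log is constructed: its first five lines mirror the question, the `mx.example.org` / `198.51.100.7` lines and their error code line number are invented, and the set of reasons treated as probes is this example's assumption.

```python
"""Triage Postfix smtpd STARTTLS handshake failures from mail.log.

Added example for this thread; not part of the original post. It pairs
each "SSL_accept error from host[ip]" line with the "TLS library problem"
warning that the same smtpd process logs beside it, extracts the OpenSSL
reason string, and tallies reasons per client IP so that scanner probes
can be told apart from peers that genuinely cannot negotiate TLS.
"""
import re
from collections import Counter, defaultdict

SSL_ACCEPT = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: SSL_accept error from "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
TLS_PROBLEM = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: TLS library problem: "
    r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+):")

# OpenSSL 1.1.1 reason strings raised when the client's hello is for a
# protocol the library does not speak at all or that is disabled by
# configuration. A real SSLv2 ClientHello, which internet.nl sends on
# purpose, ends in "unknown protocol" at tls_early_post_process_client_hello.
# Treating these three as probes is this example's assumption: a legitimate
# peer that only speaks TLSv1.0 would also land here, so look at the client
# name before dismissing an entry.
PROBE_REASONS = {"unknown protocol", "unsupported protocol", "version too low"}


def classify(reason):
    """Label an OpenSSL handshake reason as a protocol probe or a real failure."""
    return "protocol-probe" if reason in PROBE_REASONS else "handshake-failure"


def pair_failures(lines):
    """Yield (ip, host, reason) for each SSL_accept error that has a matching
    TLS library warning from the same smtpd pid, whichever line comes first."""
    pending = defaultdict(dict)
    for line in lines:
        acc = SSL_ACCEPT.search(line)
        prob = TLS_PROBLEM.search(line)
        if acc:
            pid = acc["pid"]
            pending[pid]["peer"] = (acc["ip"], acc["host"])
        elif prob:
            pid = prob["pid"]
            pending[pid]["reason"] = prob["reason"]
        else:
            continue
        entry = pending[pid]
        if "peer" in entry and "reason" in entry:
            ip, host = entry["peer"]
            yield ip, host, entry["reason"]
            del pending[pid]


def summarize(lines):
    """Count OpenSSL reasons per client IP: {ip: Counter({reason: n})}."""
    report = defaultdict(Counter)
    for ip, _host, reason in pair_failures(lines):
        report[ip][reason] += 1
    return dict(report)


def real_failures(report):
    """IPs whose failures are not explained by protocol probes alone."""
    return sorted(ip for ip, reasons in report.items()
                  if any(classify(r) != "protocol-probe" for r in reasons))


ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def allowed_protocols(setting):
    """Resolve a legacy-syntax smtpd_tls_protocols value (protocol names,
    "!" to exclude, separated by whitespace, commas or colons, as on the
    Postfix 3.4 in Debian 10) to the set of enabled versions. Simplified:
    listed names form the base set (all versions if none are listed) and
    excluded names are removed from it."""
    included, excluded = set(), set()
    for token in re.split(r"[\s,:]+", setting.strip()):
        if token:
            (excluded if token.startswith("!") else included).add(token.lstrip("!"))
    return (included or set(ALL_PROTOCOLS)) - excluded


# Constructed sample: the first five lines mirror the thread's log; the two
# mx.example.org lines (RFC 5737 address) are invented to show another reason.
SAMPLE_LOG = """\
Dec 26 21:01:20 mail postfix/smtpd[24531]: lost connection after STARTTLS from internet.nl[62.204.66.10]
Dec 26 21:01:20 mail postfix/smtpd[24531]: disconnect from internet.nl[62.204.66.10] ehlo=1 starttls=0/1 commands=1/2
Dec 26 21:01:20 mail postfix/smtpd[24531]: connect from internet.nl[62.204.66.10]
Dec 26 21:01:20 mail postfix/smtpd[24531]: SSL_accept error from internet.nl[62.204.66.10]: -1
Dec 26 21:01:20 mail postfix/smtpd[24531]: warning: TLS library problem: error:142090FC:SSL routines:tls_early_post_process_client_hello:unknown protocol:../ssl/statem/statem_srvr.c:1636:
Dec 26 21:05:02 mail postfix/smtpd[24590]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2282:
Dec 26 21:05:02 mail postfix/smtpd[24590]: SSL_accept error from mx.example.org[198.51.100.7]: -1
""".splitlines()

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ip, reasons in sorted(report.items()):
        for reason, n in reasons.items():
            print(f"{ip:15} {n:3} x {reason!r:22} {classify(reason)}")
    print("clients needing attention:", real_failures(report))
    print("enabled versions:", sorted(allowed_protocols("!SSLv2, !SSLv3, !TLSv1, !TLSv1.1")))
```

Run it against the real file with `summarize(open("/var/log/mail.log"))`. Against the sample it reports internet.nl only as a protocol probe, while `mx.example.org` with "no shared cipher" is flagged as a client that genuinely cannot negotiate, which is the kind of entry to look for when mail from some peers is not arriving; with only probes in the list, the STARTTLS failure in the question is not evidence of a server-side TLS misconfiguration.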