tickets #151999

open

SSL_accept error from metrics.infra.opensuse.org

Added by pjessen 5 months ago. Updated 5 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Email
Target version: -
Start date: 2023-12-04
Due date:
% Done: 0%
Estimated time:

Description

2023-12-04T10:10:03.618170+00:00 mx2 postfix/smtpd[31243]: connect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.629903+00:00 mx2 postfix/smtpd[31243]: SSL_accept error from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]: -1
2023-12-04T10:10:03.629992+00:00 mx2 postfix/smtpd[31243]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
2023-12-04T10:10:03.630045+00:00 mx2 postfix/smtpd[31243]: lost connection after STARTTLS from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.630086+00:00 mx2 postfix/smtpd[31243]: disconnect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141] ehlo=1 starttls=0/1 commands=1/2

Bad certificate? Expired or otherwise invalid.
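
An added example (not part of the ticket or of any openSUSE tooling): Python that groups the smtpd lines quoted above into sessions, flags those whose STARTTLS did not complete, and decodes the OpenSSL error code to tell whether the alert was received from the connecting client. It assumes the OpenSSL 1.x packed error layout (lib/func/reason) and Postfix's `command=succeeded/total` counters on the disconnect line; the function names are hypothetical.

```python
import re
# The five smtpd lines from the ticket description, copied verbatim.
SAMPLE = """\
2023-12-04T10:10:03.618170+00:00 mx2 postfix/smtpd[31243]: connect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.629903+00:00 mx2 postfix/smtpd[31243]: SSL_accept error from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]: -1
2023-12-04T10:10:03.629992+00:00 mx2 postfix/smtpd[31243]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
2023-12-04T10:10:03.630045+00:00 mx2 postfix/smtpd[31243]: lost connection after STARTTLS from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.630086+00:00 mx2 postfix/smtpd[31243]: disconnect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141] ehlo=1 starttls=0/1 commands=1/2
"""
# Certificate-related TLS alert descriptions (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

LINE = re.compile(r"^(\S+) (\S+) postfix/smtpd\[(\d+)\]: (.*)$")
PEER = re.compile(r"(?:connect|SSL_accept error) from (\S+)\[([0-9A-Fa-f:.]+)\]")
ERR = re.compile(r"error:([0-9A-Fa-f]{8}):.*SSL alert number (\d+):")
STARTTLS = re.compile(r"\bstarttls=(\d+)(?:/(\d+))?")

def decode_openssl_error(hexcode):
    """Split an OpenSSL 1.x packed error code into (lib, func, reason)."""
    e = int(hexcode, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def failed_starttls_sessions(log_text):
    """Return one dict per smtpd session whose STARTTLS did not complete."""
    open_sessions, failed = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, host, pid, msg = m.groups()
        if msg.startswith("connect from "):   # PIDs are reused: start afresh
            open_sessions[(host, pid)] = {"start": ts}
        s = open_sessions.setdefault((host, pid), {})
        if (p := PEER.match(msg)):
            s["client"], s["addr"] = p.groups()
        if (e := ERR.search(msg)):
            reason = decode_openssl_error(e.group(1))[2]
            s["alert"] = int(e.group(2))
            s["alert_name"] = CERT_ALERTS.get(s["alert"], "other")
            # Reason 1000 + N means alert N was received from the peer.
            s["alert_from_peer"] = reason == 1000 + s["alert"]
        if msg.startswith("disconnect from "):
            s = open_sessions.pop((host, pid))
            t = STARTTLS.search(msg)
            if t and int(t.group(1)) < int(t.group(2) or t.group(1)):
                failed.append(s)
    return failed
```

On the sample this yields a single session from `2a07:de40:b27e:1203::141` with alert 42 (`bad_certificate`) and `alert_from_peer` set, meaning the alert was sent by the connecting client and read by mx2.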

Actions #1

Updated by crameleon 5 months ago

  • Category set to Email
  • Private changed from Yes to No

Is it saying metrics.i.o.o attempts STARTTLS against mx{1,2}? Don't we use plain text SMTP internally?

Actions #2

Updated by pjessen 5 months ago

crameleon wrote in #note-1:

> Is it saying metrics.i.o.o attempts STARTTLS against mx{1,2}?

Yes, that has to be it.

> Don't we use plain text SMTP internally?

I thought so too. Right:

# 20200714 do not offer tls for internal connections.
smtpd_discard_ehlo_keyword_address_maps = lmdb:/etc/postfix/no-internal-tls

However, that file only recognises 192.168.x.x as being internal :-)

Actions #3

Updated by crameleon 5 months ago

> However, that file only recognises 192.168.x.x as being internal :-)

I don't think we should not offer TLS internally and did not know we previously had such a map.
I more thought that clients would in our default configuration not attempt TLS (something I would like to change at some point).
Will need to check what's different on metrics.i.o.o.

Actions #4

Updated by pjessen 5 months ago

crameleon wrote in #note-3:

> > However, that file only recognises 192.168.x.x as being internal :-)
>
> I don't think we should not offer TLS internally and did not know we previously had such a map.

I don't mind, but for internal traffic, it seems like a waste of cycles.

> I more thought that clients would in our default configuration not attempt TLS (something I would like to change at some point).

The postfix default is not to use TLS, but I think it should be used when offered, so I generally add smtp_use_tls = yes. I think our default config is also smtp_use_tls = no

> Will need to check what's different on metrics.i.o.o.

I expect you'll find smtp_use_tls = yes.

Actions #5

Updated by pjessen 5 months ago

pjessen wrote in #note-4:

> > Will need to check what's different on metrics.i.o.o.
>
> I expect you'll find smtp_use_tls = yes.

Hmm, no:

metrics (metrics.o.o):~ # postconf -n  smtp_use_tls
smtp_use_tls = no

Checking the log, metrics.i.o.o has not sent an email since 2022-02-17T15:18:00 - and there is no log activity from today.
