tickets #151999
open
SSL_accept error from metrics.infra.opensuse.org
Description
2023-12-04T10:10:03.618170+00:00 mx2 postfix/smtpd[31243]: connect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.629903+00:00 mx2 postfix/smtpd[31243]: SSL_accept error from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]: -1
2023-12-04T10:10:03.629992+00:00 mx2 postfix/smtpd[31243]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
2023-12-04T10:10:03.630045+00:00 mx2 postfix/smtpd[31243]: lost connection after STARTTLS from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.630086+00:00 mx2 postfix/smtpd[31243]: disconnect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141] ehlo=1 starttls=0/1 commands=1/2
Bad certificate? Expired or otherwise invalid.
Updated by pjessen 5 months ago
crameleon wrote in #note-1:
Is it saying metrics.i.o.o attempts STARTTLS against mx{1,2}?
Yes, that has to be it.
Don't we use plain text SMTP internally?
I thought so too. Right:
# 20200714 do not offer tls for internal connections.
smtpd_discard_ehlo_keyword_address_maps = lmdb:/etc/postfix/no-internal-tls
However, that file only recognises 192.168.x.x as being internal :-)
Updated by crameleon 5 months ago
However, that file only recognises 192.168.x.x as being internal :-)
I don't think we should not offer TLS internally and did not know we previously had such a map.
I more thought that clients would in our default configuration not attempt TLS (something I would like to change at some point).
Will need to check what's different on metrics.i.o.o.
Updated by pjessen 5 months ago
crameleon wrote in #note-3:
However, that file only recognises 192.168.x.x as being internal :-)
I don't think we should not offer TLS internally and did not know we previously had such a map.
I don't mind, but for internal traffic, it seems like a waste of cycles.
I more thought that clients would in our default configuration not attempt TLS (something I would like to change at some point).
The postfix default is not to use TLS, but I think it should be used when offered, so I generally add smtp_use_tls = yes. I think our default config is also smtp_use_tls = no
Will need to check what's different on metrics.i.o.o.
I expect you'll find smtp_use_tls = yes.
Updated by pjessen 5 months ago
pjessen wrote in #note-4:
Will need to check what's different on metrics.i.o.o.
I expect you'll find smtp_use_tls = yes.
Hmm, no:
metrics (metrics.o.o):~ # postconf -n smtp_use_tls
smtp_use_tls = no
Checking the log, metrics.i.o.o has not sent an email since 2022-02-17T15:18:00 - and there is no log activity from today.
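An added example, not part of the ticket or of the openSUSE configuration: a Python check that finds smtpd sessions with a failed STARTTLS in a Postfix log and reports whether the client address would have had STARTTLS hidden by the no-internal-tls map discussed in the thread. The 192.168.0.0/16 network is an assumption taken from the thread's description of that file, the function names are hypothetical, and the last two log lines are constructed.

```python
import ipaddress
import re

# Assumption: the only network in /etc/postfix/no-internal-tls, per the thread's
# remark that the file recognises just 192.168.x.x as internal.
NO_TLS_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]

# The ticket's log lines, followed by one constructed plain-text session.
SAMPLE_LOG = """\
2023-12-04T10:10:03.618170+00:00 mx2 postfix/smtpd[31243]: connect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.629903+00:00 mx2 postfix/smtpd[31243]: SSL_accept error from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]: -1
2023-12-04T10:10:03.629992+00:00 mx2 postfix/smtpd[31243]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
2023-12-04T10:10:03.630045+00:00 mx2 postfix/smtpd[31243]: lost connection after STARTTLS from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.630086+00:00 mx2 postfix/smtpd[31243]: disconnect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141] ehlo=1 starttls=0/1 commands=1/2
2023-12-04T10:11:00.000000+00:00 mx2 postfix/smtpd[31250]: connect from host.example[192.168.47.5]
2023-12-04T10:11:00.100000+00:00 mx2 postfix/smtpd[31250]: disconnect from host.example[192.168.47.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ALERT_RE = re.compile(r"SSL alert number (\d+)")
DISCONNECT_RE = re.compile(r"disconnect from (?P<host>[^\[\s]+)\[(?P<addr>[^\]]+)\](?P<stats>.*)")
# Postfix logs "starttls=ok/total" only when some attempts failed.
FAILED_TLS_RE = re.compile(r"\bstarttls=\d+/\d+")

def ehlo_starttls_hidden(addr):
    """True if addr falls in a network for which STARTTLS would not be offered."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NO_TLS_NETWORKS)

def failed_starttls(log_text):
    """Return one record per smtpd session whose STARTTLS attempt failed."""
    alerts, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        alert = ALERT_RE.search(m["msg"])
        if alert:
            alerts[m["pid"]] = int(alert.group(1))  # remember until disconnect
        done = DISCONNECT_RE.match(m["msg"])
        if done:
            alert_no = alerts.pop(m["pid"], None)
            if FAILED_TLS_RE.search(done["stats"]):
                findings.append({"host": done["host"], "addr": done["addr"], "alert": alert_no,
                                 "starttls_hidden": ehlo_starttls_hidden(done["addr"])})
    return findings

if __name__ == "__main__":
    for finding in failed_starttls(SAMPLE_LOG):
        print(finding)
```

The IPv6 client address from the ticket is not covered by an IPv4-only map, so `starttls_hidden` is false for it.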