tickets #151999
open
SSL_accept error from metrics.infra.opensuse.org
Added by pjessen 5 months ago.
Updated 5 months ago.
Description
2023-12-04T10:10:03.618170+00:00 mx2 postfix/smtpd[31243]: connect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.629903+00:00 mx2 postfix/smtpd[31243]: SSL_accept error from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]: -1
2023-12-04T10:10:03.629992+00:00 mx2 postfix/smtpd[31243]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
2023-12-04T10:10:03.630045+00:00 mx2 postfix/smtpd[31243]: lost connection after STARTTLS from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.630086+00:00 mx2 postfix/smtpd[31243]: disconnect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141] ehlo=1 starttls=0/1 commands=1/2
Bad certificate? Expired or otherwise invalid.
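An added example (not part of the ticket and not openSUSE tooling): a small Python parser that correlates the smtpd lines above per process and reports sessions where STARTTLS was attempted but failed, decoding the TLS alert number. The function and variable names are assumptions made for this example; the sample input is the log excerpt from the description.

```python
import re

# RFC 8446 alert numbers; ssl3_read_bytes logs alerts *received* from the peer.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
              46: "certificate_unknown", 48: "unknown_ca"}
LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = re.compile(r"from (?P<name>[^\[\s]+)\[(?P<addr>[^\]]+)\]")
ALERT = re.compile(r"SSL alert number (?P<num>\d+)")
STARTTLS = re.compile(r"\bstarttls=(?P<ok>\d+)/(?P<total>\d+)")  # ok/total is logged when some failed

# Sample input: the log excerpt from the ticket description.
SAMPLE = """\
2023-12-04T10:10:03.618170+00:00 mx2 postfix/smtpd[31243]: connect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.629903+00:00 mx2 postfix/smtpd[31243]: SSL_accept error from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]: -1
2023-12-04T10:10:03.629992+00:00 mx2 postfix/smtpd[31243]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42:
2023-12-04T10:10:03.630045+00:00 mx2 postfix/smtpd[31243]: lost connection after STARTTLS from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141]
2023-12-04T10:10:03.630086+00:00 mx2 postfix/smtpd[31243]: disconnect from metrics.infra.opensuse.org[2a07:de40:b27e:1203::141] ehlo=1 starttls=0/1 commands=1/2
"""


def failed_starttls(log_text):
    """Return one dict per smtpd session in which STARTTLS was tried and failed."""
    open_sessions, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key, msg = (m["host"], m["pid"]), m["msg"]
        if msg.startswith("connect from "):  # smtpd PIDs are reused, so reset per connection
            open_sessions[key] = {"server": m["host"], "alert": None}
            continue
        s = open_sessions.get(key)
        if s is None:
            continue
        if msg.startswith("SSL_accept error from ") and (p := PEER.search(msg)):
            s.update(time=m["ts"], client=p["name"], addr=p["addr"])
        elif (a := ALERT.search(msg)):
            s["alert"] = int(a["num"])
        elif msg.startswith("disconnect from "):
            t = STARTTLS.search(msg)
            if "client" in s and t and int(t["ok"]) < int(t["total"]):
                s["alert_name"] = TLS_ALERTS.get(s["alert"], "unknown")
                findings.append(s)
            del open_sessions[key]
    return findings


if __name__ == "__main__":
    for f in failed_starttls(SAMPLE):
        print(f"{f['time']} {f['server']}: {f['client']}[{f['addr']}] alert {f['alert']} ({f['alert_name']})")
```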
- Category set to Email
- Private changed from Yes to No
Is it saying metrics.i.o.o attempts STARTTLS against mx{1,2}? Don't we use plain text SMTP internally?
crameleon wrote in #note-1:
Is it saying metrics.i.o.o attempts STARTTLS against mx{1,2}?
Yes, that has to be it.
Don't we use plain text SMTP internally?
I thought so too. Right:
# 20200714 do not offer tls for internal connections.
smtpd_discard_ehlo_keyword_address_maps = lmdb:/etc/postfix/no-internal-tls
However, that file only recognises 192.168.x.x as being internal :-)
However, that file only recognises 192.168.x.x as being internal :-)
I don't think we should not offer TLS internally and did not know we previously had such a map.
I more thought that clients would in our default configuration not attempt TLS (something I would like to change at some point).
Will need to check what's different on metrics.i.o.o.
crameleon wrote in #note-3:
However, that file only recognises 192.168.x.x as being internal :-)
I don't think we should not offer TLS internally and did not know we previously had such a map.
I don't mind, but for internal traffic, it seems like a waste of cycles.
I more thought that clients would in our default configuration not attempt TLS (something I would like to change at some point).
The postfix default is not to use TLS, but I think it should be used when offered, so I generally add smtp_use_tls = yes. I think our default config is also smtp_use_tls = no
Will need to check what's different on metrics.i.o.o.
I expect you'll find smtp_use_tls = yes.
pjessen wrote in #note-4:
Will need to check what's different on metrics.i.o.o.
I expect you'll find smtp_use_tls = yes.
Hmm, no:
metrics (metrics.o.o):~ # postconf -n smtp_use_tls
smtp_use_tls = no
Checking the log, metrics.i.o.o has not sent an email since 2022-02-17T15:18:00 - and there is no log activity from today.