Terry Barnum | 31 Mar 01:24 2010

TLS library problem

Sorry about the flurry of questions today, I'm still getting my feet wet with postfix.

pflogsumm pointed out these three warnings about TLS:

Mar 28 04:47:54 mail postfix/smtpd[22135]: warning: TLS library problem: 22135:error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:

Mar 29 15:12:39 mail postfix/smtpd[35073]: warning: TLS library problem: 35073:error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1102:SSL alert number 46:

Mar 29 16:54:20 mail postfix/smtpd[35583]: warning: TLS library problem: 35583:error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:

Could these be from my users trying to login with incorrect SSL/TLS/STARTLS settings? There are no
warnings today and I got all my users' MUA settings squared away late yesterday. (I moved us to postfix on
Friday night.)

-Terry
Sahil Tandon | 31 Mar 01:50 2010
Picon

Re: TLS library problem

On Tue, 30 Mar 2010, Terry Barnum wrote:

> Mar 28 04:47:54 mail postfix/smtpd[22135]: warning: TLS library problem: 22135:error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:
> Mar 29 15:12:39 mail postfix/smtpd[35073]: warning: TLS library problem: 35073:error:14094416:SSL
routines:SSL3_READ_BYTES:sslv3 alert certificate unknown:s3_pkt.c:1102:SSL alert number 46:
> Mar 29 16:54:20 mail postfix/smtpd[35583]: warning: TLS library problem: 35583:error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:578:
> 
> Could these be from my users trying to login with incorrect
> SSL/TLS/STARTLS settings? There are no warnings today and I got all my
> users' MUA settings squared away late yesterday. (I moved us to
> postfix on Friday night.)

Search your logs for those smtpd process IDs and try to correlate the
TLS problems with client IPs.  Do you recognize them as your users?  It
is likely a problem on the (badly configured) client side rather than a
mistake in your Postfix configuration.  Perhaps someone more familiar
with the innards of SSL can opine.

--

-- 
Sahil Tandon <sahil <at> tandon.net>


Gmane