1 (edited by promexce 2023-03-07 08:20:53)

Topic: SSL_accept error from

Hi, and thank you for the wonderful mail server

The server is refusing email from amazonaws with the following error

Mar  7 10:28:33 mail postfix/submission/smtpd[175632]: connect from (servername).compute.amazonaws.com[IP address]
Mar  7 10:28:33 mail postfix/submission/smtpd[175632]: SSL_accept error from (servername).compute.amazonaws.com[IP address]: -1
Mar  7 10:43:43 mail postfix/submission/smtpd[176492]: warning: TLS library problem: error:03000098:digital envelope routines::invalid digest:crypto/evp/m_sigver.c:343:
Mar  7 10:43:43 mail postfix/submission/smtpd[176492]: warning: TLS library problem: error:0A0C0103:SSL routines::internal error:ssl/statem/statem_srvr.c:2684:
Mar  7 10:28:33 mail postfix/submission/smtpd[175632]: lost connection after STARTTLS from (servername).compute.amazonaws.com[IP address]
10:43:43 mail postfix/submission/smtpd[176492]: disconnect from (servername).compute.amazonaws.com[IP address] ehlo=1 starttls=0/1 commands=1/2

I have let's encrypt certificate and it is valid

OpenSSL 3.0.1

command openssl s_client -connect google.com:443 -tls1_2
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
0 s:CN = *.google.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 20 09:13:15 2023 GMT; NotAfter: May 15 09:13:14 2023 GMT
1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 13 00:00:42 2020 GMT; NotAfter: Sep 30 00:00:42 2027 GMT
2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:42 2020 GMT; NotAfter: Jan 28 00:00:42 2028 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
subject=CN = *.google.com
issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 6968 bytes and written 292 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
Session-ID
   Session-ID-ctx:
    Master-Key: XXXXXXXXX
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:


Start Time: 1678146511
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
80DB7E577A7F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:ssl/record/rec_layer_s3.c:308:


Please assist
----------------------------------------------------------

- iRedMail version (check /etc/iredmail-release): 1.6.2 MARIADB edition.
- Deployed with iRedMail downloadable installer
- Linux/BSD distribution name and version:
NAME="Rocky Linux"
VERSION="9.1 (Blue Onyx)"

- Web server Nginx
- Manage mail accounts with iRedAdmin

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 (edited by Cthulhu 2023-03-07 14:59:12)

Re: SSL_accept error from

RSA-SHA1 problem

try: (@/etc/postfix/main.cf)

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = medium

lmpt_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmpt_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmpt_tls_mandatory_ciphers = medium

tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

tls_preempt_cipherlist = no


EDIT:

you can try this aswell

update-crypto-policies --set DEFAULT:SHA1

3

Re: SSL_accept error from

Thank you Cthulhu for your reply,
Still not working.
The old email server was using openssl1.0 , Rockylinux 9 is using openssl3.
I believe the issue is with openssl.

I ran the command postconf -d | grep tls_high_cipherlist on both servers
from the new server ( Rockylinux9 ) , the result is
   tls_high_cipherlist = aNULL:-aNULL:HIGH:@STRENGTH
From the old server ( Centos7 ), the result is
  tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH

Tried to add line in main.cf
tls_high_cipherlist=
and
tls_medium_cipherlist =

still not difference
I got no idea where postfix takes the tls_high_cipherlist list from, because it is not from main.cf.


Cthulhu wrote:

RSA-SHA1 problem

try: (@/etc/postfix/main.cf)

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium

smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = medium

lmpt_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmpt_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
lmpt_tls_mandatory_ciphers = medium

tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

tls_preempt_cipherlist = no


EDIT:

you can try this aswell

update-crypto-policies --set DEFAULT:SHA1

4 (edited by Cthulhu 2023-03-09 05:09:17)

Re: SSL_accept error from

The issue is, that RHEL 9 and derivates have deprecated RSA-SHA1 by default, and if the client (in this case amazon) chooses a ciphersuite which is not supported by the server, openssl throws an error

if not set, the cipherlists are hardcoded by default


edit: did you restart postfix after changes?

5 (edited by promexce 2023-03-09 11:37:07)

Re: SSL_accept error from

Thank you Cthulhu,
I restarted postfix and the server as well, as the command "update-crypto-policies --set DEFAULT:SHA1" require restart.

I also noticed that some ciphers are missing as

DH-DSS-AES256-SHA256    TLSv1.2    Kx=DH/DSS    Au=DH    Enc=AES(256)    Mac=SHA256   
ECDH-RSA-AES256-GCM-SHA384    TLSv1.2    Kx=ECDH/RSA    Au=ECDH    Enc=AESGCM(256)    Mac=AEAD   
ECDH-ECDSA-AES256-GCM-SHA384    TLSv1.2    Kx=ECDH/ECDSA    Au=ECDH    Enc=AESGCM(256)    Mac=AEAD   
ECDH-RSA-AES256-SHA384    TLSv1.2    Kx=ECDH/RSA    Au=ECDH    Enc=AES(256)    Mac=SHA384   
ECDH-ECDSA-AES256-SHA384    TLSv1.2    Kx=ECDH/ECDSA    Au=ECDH    Enc=AES(256)    Mac=SHA384   

almost all the ciphers that have Au=DH and Au=ECDH are missing.

not sure if this from postfix or openssl.

And how can I set cipherlists ?

Thank you in advance

Cthulhu wrote:

The issue is, that RHEL 9 and derivates have deprecated RSA-SHA1 by default, and if the client (in this case amazon) chooses a ciphersuite which is not supported by the server, openssl throws an error

if not set, the cipherlists are hardcoded by default


edit: did you restart postfix after changes?