SSL_accept error

#1 Wed, 02/06/2019 - 05:35
applejack


Hi

I am getting lots of SSL_accept errors when trying to receive mail from certain mail servers. I am using Let's Encrypt SSL on Postfix and I think it may have something to do with the ciphers. I'm not sure if there is anything I can do to fix it at my end or whether the issue is with the sending servers.

Any help or pointers would be much appreciated.

Feb  6 10:40:33 server postfix/smtpd[10633]: setting up TLS connection from eu2.mailsphere.mx[54.229.40.39]
Feb  6 10:40:33 server postfix/smtpd[10633]: eu2.mailsphere.mx[54.229.40.39]: TLS cipher list "ALL:+RC4:@STRENGTH:!EXP:!MEDIUM:!LOW:!DES:!3DES:!SSLv2"
Feb  6 10:40:33 server postfix/smtpd[10633]: SSL_accept error from eu2.mailsphere.mx[54.229.40.39]: -1
Feb  6 10:40:33 server postfix/smtpd[10633]: lost connection after STARTTLS from eu2.mailsphere.mx[54.229.40.39]
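
An added example, not part of the original thread, of the first thing I would do with a log like the one above before deciding whose end the problem is on: tally the STARTTLS outcomes per peer. The script parses Postfix smtpd lines of the shapes shown in the post (the four lines above are embedded verbatim, plus constructed lines for a made-up peer mail.example.org on an RFC 5737 address that completes the handshake) and reports whether handshake failures are confined to specific peers or hit everyone, which is the quick way to separate a remote cipher problem from a local misconfiguration. All function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines from the post above, plus sessions for a
# made-up peer (mail.example.org, RFC 5737 address) that completes STARTTLS,
# so the summary has something to compare against.
SAMPLE_LOG = """\
Feb  6 10:40:33 server postfix/smtpd[10633]: setting up TLS connection from eu2.mailsphere.mx[54.229.40.39]
Feb  6 10:40:33 server postfix/smtpd[10633]: eu2.mailsphere.mx[54.229.40.39]: TLS cipher list "ALL:+RC4:@STRENGTH:!EXP:!MEDIUM:!LOW:!DES:!3DES:!SSLv2"
Feb  6 10:40:33 server postfix/smtpd[10633]: SSL_accept error from eu2.mailsphere.mx[54.229.40.39]: -1
Feb  6 10:40:33 server postfix/smtpd[10633]: lost connection after STARTTLS from eu2.mailsphere.mx[54.229.40.39]
Feb  6 10:41:02 server postfix/smtpd[10641]: setting up TLS connection from mail.example.org[192.0.2.10]
Feb  6 10:41:02 server postfix/smtpd[10641]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  6 10:55:17 server postfix/smtpd[10702]: setting up TLS connection from eu2.mailsphere.mx[54.229.40.39]
Feb  6 10:55:17 server postfix/smtpd[10702]: SSL_accept error from eu2.mailsphere.mx[54.229.40.39]: -1
Feb  6 10:55:17 server postfix/smtpd[10702]: lost connection after STARTTLS from eu2.mailsphere.mx[54.229.40.39]
"""

# Only smtpd (inbound) lines matter for an SSL_accept problem.
SMTPD_RE = re.compile(r'postfix/smtpd\[\d+\]: (?P<msg>.*)$')
# Postfix names the peer as hostname[address] in every line we care about.
PEER_RE = re.compile(r'(?P<host>[\w.-]+)\[(?P<ip>[0-9a-fA-F.:]+)\]')


def _empty():
    return {"setup": 0, "accept_error": 0, "established": 0, "lost_after_starttls": 0}


def parse_sessions(log_text):
    """Count STARTTLS outcomes per peer from Postfix smtpd log lines.

    Returns {"host[ip]": {"setup": n, "accept_error": n,
                          "established": n, "lost_after_starttls": n}}.
    """
    stats = defaultdict(_empty)
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        peer = PEER_RE.search(msg)
        if not peer:
            continue
        key = f'{peer.group("host")}[{peer.group("ip")}]'
        if msg.startswith("setting up TLS connection from"):
            stats[key]["setup"] += 1
        elif msg.startswith("SSL_accept error from"):
            stats[key]["accept_error"] += 1
        elif "TLS connection established from" in msg:
            stats[key]["established"] += 1
        elif msg.startswith("lost connection after STARTTLS from"):
            stats[key]["lost_after_starttls"] += 1
    return dict(stats)


def triage(stats):
    """Classify the failure pattern.

    'local-config'  : every peer that tried TLS failed the handshake, so look
                      at our own smtpd_tls_* settings first.
    'peer-specific' : some peers fail while others complete the handshake, so
                      the failing peers' offered versions/ciphers are the lead.
    'no-failures'   : nothing to chase.
    Returns (label, set of failing peers).
    """
    failing = {p for p, s in stats.items() if s["accept_error"]}
    succeeding = {p for p, s in stats.items() if s["established"]}
    if failing and not succeeding:
        return "local-config", failing
    return ("peer-specific" if failing else "no-failures"), failing


if __name__ == "__main__":
    summary = parse_sessions(SAMPLE_LOG)
    for peer, counts in sorted(summary.items()):
        print(peer, counts)
    label, peers = triage(summary)
    print("verdict:", label, sorted(peers))
```

Run it against `grep 'postfix/smtpd' /var/log/maillog` instead of the embedded sample; a handful of failing peers next to many established sessions points at the remote side, as in this thread, while failures across the board point back at main.cf.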
Thu, 02/07/2019 - 05:52
Jfro

Please read the forum guides, also for posting the versions you use:

https://www.virtualmin.com/node/53663

BUT the Virtualmin docs and more have to be updated, while the PCI Compliance setting is too old, so too-old insecure ciphers and more:

https://www.virtualmin.com/documentation/id%2Cpci_compliant

https://www.virtualmin.com/documentation/security/pci

You can, though, find some info there on where those settings are.

Readers who have a subscription can of course open a support ticket in Issues, I presume?

+RC4 is way too old ...... ;)

Yours? eu2.mailsphere.mx

Thu, 02/07/2019 - 09:06 (Reply to #2)
applejack

eu2.mailsphere.mx is the sending server.

Mine is Postfix version 2.6.6 on CentOS 6.10. Postfix TLS settings are:

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_tls_auth_only = no
smtp_tls_note_starttls_offer = yes
smtpd_use_tls = yes
smtpd_tls_loglevel = 2
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s

smtpd_tls_cert_file = /etc/letsencrypt/live/snapto.co.uk/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/live/snapto.co.uk/privkey.pem
smtpd_tls_CAfile = /etc/letsencrypt/live/snapto.co.uk/fullchain.pem
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA

I also tried commenting out tls_high_cipherlist, and also using:

tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
Thu, 02/07/2019 - 09:19
Jfro

eu2.mailsphere.mx is the sending server.

That one is using old things, I can't help you.

But check that your server is updated with the new and most secure settings and so on, then look at the log files; if mails are missing, contact the sender/receiver so that they contact their mail hoster to have things updated too.

That is the only way to go, in my eyes, to get the web and mail more secure at all.

So if everyone forgets and disables old / too-old protocols and ciphers, then it is more difficult for hackers and spammers.

Also force using correct DKIM, SPF, DMARC.

I hope Virtualmin is updating their docs and things soon also? ;)

Thu, 02/07/2019 - 09:26
applejack

Hi Jfro

Sure, I just wanted confirmation really that the issue was at their end, as I hadn't come across that SSL_accept error previously and was just trying to understand it.

Ta.

Thu, 02/07/2019 - 09:34
Jfro

On port 465 (SMTP) they support the following, so you can check:

Versions TLS 1.0, TLS 1.1, TLS 1.2
Fallback SCSV Not supported
Ciphers

    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2
    TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
    TLS_RSA_WITH_AES_128_CBC_SHA TLS 1.0, TLS 1.1, TLS 1.2
    TLS_RSA_WITH_AES_128_CBC_SHA256 TLS 1.2

Cipher order Client
Compression

    NULL TLS 1.0, TLS 1.1, TLS 1.2

Support for Triple DES cipher
Trigger The server supports a cipher suite containing the 3DES cipher.
Context

Three-key-3DES is a cipher with 168-bit keys but an effective key length of 112 bits because of a meet-in-the-middle attack. This is considered enough only for legacy

Support for RC4 cipher
Trigger The server doesn't support any cipher suites containing the RC4 cipher.

I don't understand the +RC4 in your first post.

You can try to start a mail server test here, for example: https://en.internet.nl/
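
Added example (not from the thread): given the scan results above and the settings posted earlier in the thread, compute what the two sides could agree on. It takes the protocol exclusions from applejack's main.cf (with smtpd_tls_security_level = may, smtpd_tls_protocols is what governs the opportunistic handshake, not the *_mandatory_* settings) and the cipher list smtpd itself logged for the failing session, expands that cipher string with the OpenSSL that Python is linked against, and intersects the result with the versions and suites the scan lists for the sending server. The IANA-to-OpenSSL suite name mapping is the standard one; the set of protocol names in POSTFIX_PROTOCOLS and all function names are assumptions of mine. The caveat is that the local OpenSSL is not the CentOS 6 one, so the expansion approximates what the real server did; the internet.nl check against the live server stays the authoritative answer.

```python
import ssl

# Server side, taken from this thread: the protocol exclusions from the posted
# main.cf and the cipher list smtpd logged for the failing session. With
# smtpd_tls_security_level = may, smtpd_tls_protocols (not the *_mandatory_*
# settings) governs the opportunistic handshake.
SMTPD_TLS_PROTOCOLS = "!SSLv2, !SSLv3, !TLSv1"
LOGGED_CIPHER_LIST = "ALL:+RC4:@STRENGTH:!EXP:!MEDIUM:!LOW:!DES:!3DES:!SSLv2"

# Client side: the versions and suites the scan in the post lists for the
# sending server, with IANA suite names mapped to OpenSSL names.
CLIENT_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"}
CLIENT_SUITES = {
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
}

# Assumption: the protocol names a Postfix 2.6-era build can enable
# (TLS 1.3 did not exist for that OpenSSL generation).
POSTFIX_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def server_protocols(setting):
    """Expand a Postfix protocol setting into the set of enabled versions.

    Postfix accepts either an exclusion list ("!SSLv2, !SSLv3, !TLSv1") or an
    inclusion list ("TLSv1.2"); mixing the two forms is rejected here.
    """
    items = setting.replace(",", " ").split()
    excluded = {p[1:] for p in items if p.startswith("!")}
    included = {p for p in items if not p.startswith("!")}
    if excluded and included:
        raise ValueError("mixed inclusion and exclusion forms")
    if included:
        return included & POSTFIX_PROTOCOLS
    return POSTFIX_PROTOCOLS - excluded


def expand_cipherlist(cipher_string):
    """Resolve an OpenSSL cipher string to concrete suite names.

    Uses the OpenSSL this interpreter is linked against, which is not the
    CentOS 6 one from the post; treat the result as an approximation.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["name"] for c in ctx.get_ciphers()}


def handshake_overlap(server_setting=SMTPD_TLS_PROTOCOLS,
                      server_cipher_string=LOGGED_CIPHER_LIST,
                      client_protocols=CLIENT_PROTOCOLS,
                      client_suites=CLIENT_SUITES):
    """Return (common protocol versions, client suites the server accepts)."""
    protocols = server_protocols(server_setting) & client_protocols
    server_ciphers = expand_cipherlist(server_cipher_string)
    suites = {iana: ossl for iana, ossl in client_suites.items()
              if ossl in server_ciphers}
    return protocols, suites


if __name__ == "__main__":
    protocols, suites = handshake_overlap()
    print("protocol versions both sides allow:", sorted(protocols) or "none")
    print("client suites the logged cipher list accepts:")
    for iana, ossl in sorted(suites.items()):
        print(f"  {iana} ({ossl})")
    if not protocols or not suites:
        print("no common ground: SSL_accept fails before any application data")
```

The 3DES suites drop out on the server side because of !3DES, which is expected and fine; what remains is the short list of versions and suites the two ends could still meet on, and that is the list to compare against the smtpd_tls_loglevel = 2 output or a scan of your own server rather than guessing at the cipher string.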
