docker-mailserver: SSL_accept error TLS library problem: error:1408A0C1:SSL routines
Hi,
I have an issue with one of my clients; the error is:
```
mail | Aug 31 14:11:17 mail dovecot: ssl-params: SSL parameters regeneration completed
mail | Aug 31 14:11:21 mail postfix/smtpd[1285]: connect from pro075001app063.social.gouv.fr[164.131.244.207]
mail | Aug 31 14:11:21 mail postfix/smtpd[1285]: SSL_accept error from pro075001app063.social.gouv.fr[164.131.244.207]: -1
mail | Aug 31 14:11:21 mail postfix/smtpd[1285]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:
mail | Aug 31 14:11:21 mail postfix/smtpd[1285]: lost connection after STARTTLS from pro075001app063.social.gouv.fr[164.131.244.207]
mail | Aug 31 14:11:21 mail postfix/smtpd[1285]: disconnect from pro075001app063.social.gouv.fr[164.131.244.207] ehlo=1 starttls=0/1 commands=1/2
```
But my email looks OK at https://www.checktls.com/perl/live/TestReceiver.pl (I use a letsencrypt certificate).
| MX Server | Pref | Answer | Connect | HELO | TLS | Cert | Secure | From | To |
|---|---|---|---|---|---|---|---|---|---|
| mail.thinkr.fr [178.33.226.186] | 10 | OK (103ms) | OK (322ms) | OK (103ms) | OK (103ms) | OK (231ms) | OK (103ms) | OK (111ms) | OK (656ms) |
| Average | | 100% | 100% | 100% | 100% | 100% | 100% | 100% | 100% |
I found this question: https://github.com/tomav/docker-mailserver/issues/620, but I am not sure the answer is correct. (I don't think that the client's server is deprecated…)
Any idea?
This is the log :
STARTUP LOG WITH DEBUG MOD
About this issue
- State: closed
- Created 7 years ago
- Comments: 35 (15 by maintainers)
I can confirm that the following works now, with `TLS_LEVEL=intermediate`:
And: my nextcloud 13 container can send mails.
Thanks for the quick fix!
@boldt @johansmitsnl @17Halbe
I found a little bug in the processing of TLS_LEVEL. Will provide a fix today. But I would also like to change the default to intermediate and whoever wants to be more modern can opt in! In June 2018 TLSv1 is going to be deprecated (https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls). I would add a third TLS_LEVEL “good” excluding TLSv1 and setting that as the default level then.
The openssl command would be like:
Notice the `Verify return code: 0 (ok)`
This command should fail because we block sslv3:
```
openssl s_client -starttls smtp -crlf -connect mail.smitsmail.net:587 -ssl3
```
Could you post your openssl output?
Thanks for your answer.
Any idea how I can allow ssl3… maybe just for this sender?
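
Added example (not part of the original thread and not docker-mailserver code): a small log triage script that groups postfix/smtpd lines by process id and reports which peers failed STARTTLS, together with the OpenSSL reason string such as `no shared cipher`. The function name `tls_failures` is hypothetical, and the second session in the sample (pid 1290, `mx.example.org`, 192.0.2.10) is constructed for contrast; the first session is the one quoted in the report.

```python
import re
from collections import defaultdict

# Log lines from the report above, plus one constructed successful session
# (pid 1290, documentation address 192.0.2.10) for contrast.
SAMPLE_LOG = """\
mail | Aug 31 14:11:21 mail postfix/smtpd[1285]: connect from pro075001app063.social.gouv.fr[164.131.244.207]
mail | Aug 31 14:11:21 mail postfix/smtpd[1285]: SSL_accept error from pro075001app063.social.gouv.fr[164.131.244.207]: -1
mail | Aug 31 14:11:21 mail postfix/smtpd[1285]: warning: TLS library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:
mail | Aug 31 14:11:21 mail postfix/smtpd[1285]: lost connection after STARTTLS from pro075001app063.social.gouv.fr[164.131.244.207]
mail | Aug 31 14:11:21 mail postfix/smtpd[1285]: disconnect from pro075001app063.social.gouv.fr[164.131.244.207] ehlo=1 starttls=0/1 commands=1/2
mail | Aug 31 14:12:02 mail postfix/smtpd[1290]: connect from mx.example.org[192.0.2.10]
mail | Aug 31 14:12:03 mail postfix/smtpd[1290]: disconnect from mx.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PEER = re.compile(r"^connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
# OpenSSL error entry as postfix logs it: error:CODE:library:function:reason:file:line:
TLS_ERR = re.compile(r"TLS library problem: error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]*):"
                     r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):")
STARTTLS = re.compile(r"^disconnect from .*\bstarttls=(?P<ok>\d+)(?:/(?P<total>\d+))?")


def tls_failures(log_text):
    """Return {(host, ip): [reason, ...]} for sessions whose STARTTLS failed."""
    peers = {}                       # smtpd pid -> (host, ip) of the current session
    reasons = defaultdict(list)      # smtpd pid -> OpenSSL reasons seen in this session
    failed = defaultdict(list)
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (p := PEER.match(msg)):
            peers[pid] = (p["host"], p["ip"])
            reasons.pop(pid, None)
        elif (e := TLS_ERR.search(msg)):
            reasons[pid].append(f'{e["reason"]} ({e["func"]}, {e["code"]})')
        elif (d := STARTTLS.match(msg)):
            # postfix writes "starttls=ok/total" only when the two counts differ
            if d["total"] and int(d["ok"]) < int(d["total"]) and pid in peers:
                failed[peers[pid]].extend(reasons.pop(pid, ["no TLS error logged"]))
            peers.pop(pid, None)
    return dict(failed)


if __name__ == "__main__":
    for (host, ip), why in tls_failures(SAMPLE_LOG).items():
        print(f"{host} [{ip}]: {'; '.join(why)}")
```

Run over a real mail log, this gives the list of sending hosts affected by a cipher or protocol policy such as `TLS_LEVEL`, which is what you need before deciding whether to relax the policy or ask the sender to upgrade.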