SSL_accept error when mail client connect to postfix

Question

I've managed to set up postfix and dovecot with self-signed certificate on my server. I can send and receive email using telnet command there. Now I want to connect to my mail server from a Thunderbird client on my laptop but it fails and here's the output of /var/log/mail.log:

postfix/submission/smtpd[11560]: connect from unknown[95.134.50.75]
postfix/submission/smtpd[11439]: SSL_accept error from unknown[95.134.50.75]: lost connection
postfix/submission/smtpd[11439]: lost connection after CONNECT from unknown[95.134.50.75]

Here's a part of /etc/postfix/master.cf that I've changed on setup:

# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
# ==========================================================================
smtp      inet  n       -       -       -       -       smtpd
smtps     inet  n       -       -       -       -       smtpd
#smtp      inet  n       -       -       -       1       postscreen
#smtpd     pass  -       -       -       -       -       smtpd
#dnsblog   unix  -       -       -       -       0       dnsblog
#tlsproxy  unix  -       -       -       -       0       tlsproxy


submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

And here's my /etc/postfix/main.cf:

myhostname = mail.myserver.com
myorigin = /etc/mailname
mydestination = mail.myserver.com, myserver.com, localhost, localhost.localdomain
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_use_tls=yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_protocols = !SSLv2, !SSLv3

smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtpd_tls_loglevel = 1

local_recipient_maps = proxy:unix:passwd.byname $alias_maps

inet_protocols = all

Also, not sure if this can help but both telnet localhost 25 and telnet localhost 465 work on server but only telnet myserver.com 465 works from my laptop, when I try port 25 it says telnet: Unable to connect to remote host: Connection timed out. ufw is inactive on server.

What should I do to fix it?

It is not uncommon for consumer ISP's to block outgoing SMTP traffic and requiring their subscribers to use the ISP's SMTP gateway for all outgoing email traffic in their efforts to combat SPAM. If you want to use your server as the outgoing SMTP server, use SMTP authentication and port 465. — HBruijn, Nov 13 '14 at 14:28
@HBruijn but I do get some response in `mail.log` (`connect from unknown` and `SSL_accept error` a bit later). Does not it mean Thunderbird succeeds connecting and something (presumably SSL related) goes wrong after? — src091, Nov 13 '14 at 14:58
but the response isn't on the regular smtp port but on the mail submission port, port 587 — HBruijn, Nov 13 '14 at 15:53

HBruijn · Accepted Answer · 2017-11-07T09:03:34.507

22

Port 465 is for SMTPS, it uses SSL immediately when establishing the connection and then uses the same SMTP protocol as normally found on port 25 after the secure connection is established. You test from the commandline with:

openssl s_client -connect smtp.example.com:465

Using telnet to connect to port 465 will result in an error message in the log files because the SSL protocol isn't used.

Just for completeness: to test TLS on the normal SMTP port, TCP/25

openssl s_client -starttls smtp -connect  smtp.example.com:25

edited Nov 07 '17 at 09:03

answered Nov 13 '14 at 15:35

HBruijn

72,524
21
127
192

Thanks! More than 1hour looking for `Connection closed by foreign host.` and didn't know why :) – Miquel Jan 24 '17 at 19:03

score 3 · Answer 2 · answered Jul 12 '18 at 20:33

3

The only time I have seen this is when Postfix is blocking the client due to restrictive TLS/SSL settings:

smtpd_tls_protocols = !SSLv2, !SSLv3

If your mail client is trying to use SSL2 or 3 then this would be why. If not it could also be due to a blockage but you'd think the port would be outright blocked and you wouldn't see the client connection normally (for example my ISP blocks port 25 completely and when trying to connect to a mail server you see nothing in the logs).

answered Jul 12 '18 at 20:33

Areeb Soo Yasir

331
3
4

4

If a modern mail client is trying to use SSLv2 or SSLv3, it d- right *should* be rejected by the server. I wouldn't consider a present-day configuration that disallows those two to be "restrictive"; I would consider that a lowest acceptable baseline. I might well have done so even back in 2014, when this question was posted (almost six years after TLSv1.0 was standardized, which happened in RFC 2246 in early 1999). Looks like the plan is to deprecate TLS 1.0 and 1.1 in early 2020, which would leave as the only supported SSL/TLS versions TLS 1.2 and 1.3, and a possible future version. – user Nov 24 '18 at 14:01

SSL_accept error when mail client connect to postfix

2 Answers2

Linked