ucspi-ssl / unable to speak TLS for pid: 1234 DH lib - with microsoft, aws and other mail servers
Hello,

I just got a support case from a customer telling us they are unable to
get mail from some senders, and according to the logs, it seems to be
related to TLS/DH issues.


It "only" concerns about 2-3% of the incoming messages (for 27000
"sslserver: ok", 747 "unable to accept TLS" and 400 "unable to speak
TLS"), and I first thought it was mostly spam senders, but a more
detailed check today made me realise it was also many legitimate
servers: *.outbound.protection.outlook.com, from AWS (kajabimail.net,
mailgun.net) and some other smaller servers.


There are 2 kinds of cases I saw in the logfiles: the connection is
dropped before the mail was transmitted (no delivery, hard fail I suppose):

2021-07-02 08:32:05.365745500 sslserver: pid 45604 from 194.124.x.y
2021-07-02 08:32:05.365829500 sslserver: ok 45604 ...
2021-07-02 08:32:05.652421500 sslserver: tls 45604 accept
2021-07-02 08:32:05.720689500 mailfront[45604]: MAIL FROM:<xyz> SIZE=305303
2021-07-02 08:32:05.720724500 mailfront[45604]: RCPT TO:<xyz2>
2021-07-02 08:32:05.844225500 mailfront[45604]: Connection dropped
2021-07-02 08:32:05.844226500 sslserver: error: (111) unable to speak TLS for pid: 45604 DH lib
2021-07-02 08:32:05.844246500 mailfront[45604]: bytes in: 113 bytes out: 453
2021-07-02 08:32:05.844660500 sslserver: ended by 45484 status 28416
2021-07-02 08:32:05.844661500 sslserver: status: 2/150/0


And the connection drops after the mail transmission (local delivery OK,
but the sender server receives an error):

2021-07-05 10:49:21.264113500 sslserver: pid 30424 from 40.107.24.x
2021-07-05 10:49:21.264219500 sslserver: ok 30424 ...
2021-07-05 10:49:21.536082500 mailfront[30141]: bytes in: 26 bytes out: 224
2021-07-05 10:49:21.536327500 sslserver: tls 30141 accept
2021-07-05 10:49:21.665265500 mailfront[30424]: MAIL FROM:<x> SIZE=26371
2021-07-05 10:49:21.665293500 mailfront[30424]: RCPT TO:<y>
2021-07-05 10:49:21.767925500 mailfront[30424]: 2.6.0 Accepted message qp 30775 bytes 16474
2021-07-05 10:49:21.772455500 mailfront[30424]: bytes in: 16755 bytes out: 523
2021-07-05 10:50:41.329824500 sslserver: error: (111) unable to speak TLS for pid: 30424 DH lib
2021-07-05 10:50:41.330320500 sslserver: ended by 30376 status 28416
2021-07-05 10:50:41.330322500 sslserver: status: 1/150/0


As important messages were failing to arrive, I have had to switch back
to tcpserver for a few hours now.


Do you also notice this kind of "unable to speak TLS" in your SMTP logs?
It is not happening all the time for a specific sender server:
sometimes I get the error from an IP, sometimes not.

What I did to try to solve the issue:
- recompile + reinstall fehQlibs-17 + ucspi-ssl 0.12.2 (both already ok)
- restart everything (reboot too)
- make sure OS/libs are up to date (OpenSSL 1.1.1h-freebsd 22 Sep 2020)
- switched from a 512-bit dhparam file to 2048-bit
- checked key, certificate (ok)
- upgraded my ciphers line to:
CIPHERS="TLSv1.2+HIGH:TLSv1.1+HIGH:!TLSv1+HIGH:!aNULL:!eNULL:@STRENGTH"
- tested with testssl.ch (mostly happy, just "Has server cipher order?:
no" and a "Grade capped to T. Encryption via STARTTLS is not
mandatory").


After that (probably mostly due to the dh512 -> dh2048 switch), there
were fewer "unable to accept TLS" (47/29000) and "unable to speak TLS"
(80/29000) cases, but still the most annoying ones with legitimate
servers (Microsoft/Outlook), so it is still a big issue that I need to
solve asap.

What would you recommend I try next? Having more details about the
error ("DH lib") would also be quite nice. I wish I could reproduce
the issue, but I have not been able to yet. Happy to join any
IRC/Slack/Telegram channel to discuss this live too.

Thanks a lot for your attention & best regards,
Olivier
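To triage failures like the ones above at scale, here is an added example (my own code, not part of the post or of ucspi-ssl) that groups sslserver/mailfront lines by pid and separates the two cases the post describes: a session dropped before delivery versus a TLS error raised after the message was already accepted locally. The sample log is constructed from the lines quoted in the post; it assumes the "Accepted message" and "unable to speak TLS" lines match those formats exactly.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the sslserver/mailfront lines quoted in
# the post (same masked IPs); the third session is a clean one for contrast.
SAMPLE_LOG = """\
2021-07-02 08:32:05.365745500 sslserver: pid 45604 from 194.124.x.y
2021-07-02 08:32:05.720689500 mailfront[45604]: MAIL FROM:<xyz> SIZE=305303
2021-07-02 08:32:05.844225500 mailfront[45604]: Connection dropped
2021-07-02 08:32:05.844226500 sslserver: error: (111) unable to speak TLS for pid: 45604 DH lib
2021-07-05 10:49:21.264113500 sslserver: pid 30424 from 40.107.24.x
2021-07-05 10:49:21.767925500 mailfront[30424]: 2.6.0 Accepted message qp 30775 bytes 16474
2021-07-05 10:50:41.329824500 sslserver: error: (111) unable to speak TLS for pid: 30424 DH lib
2021-07-05 11:00:00.000000000 sslserver: pid 31000 from 40.107.24.x
2021-07-05 11:00:00.500000000 mailfront[31000]: 2.6.0 Accepted message qp 30800 bytes 1200
"""

# Line formats assumed from the quoted log excerpts.
PID_FROM = re.compile(r"sslserver: pid (\d+) from (\S+)")
ACCEPTED = re.compile(r"mailfront\[(\d+)\]: 2\.6\.0 Accepted message")
TLS_ERROR = re.compile(r"sslserver: error: \((\d+)\) unable to speak TLS for pid: (\d+) (.+)")

def classify_sessions(log_text):
    """Group lines by sslserver pid; return {pid: (peer_ip, outcome, error_text)}."""
    sessions = defaultdict(lambda: {"ip": None, "accepted": False, "error": None})
    for line in log_text.splitlines():
        if m := PID_FROM.search(line):
            sessions[m.group(1)]["ip"] = m.group(2)
        elif m := ACCEPTED.search(line):
            sessions[m.group(1)]["accepted"] = True
        elif m := TLS_ERROR.search(line):
            sessions[m.group(2)]["error"] = f"({m.group(1)}) {m.group(3)}"
    result = {}
    for pid, s in sessions.items():
        if s["error"] is None:
            outcome = "ok"
        elif s["accepted"]:
            outcome = "error_after_accept"       # delivered locally, sender still sees a failure
        else:
            outcome = "dropped_before_delivery"  # hard fail, message never queued
        result[pid] = (s["ip"], outcome, s["error"])
    return result

def error_counts_by_ip(sessions):
    """Count failed sessions per peer IP, to see which senders are affected."""
    counts = defaultdict(int)
    for ip, outcome, _ in sessions.values():
        if outcome != "ok":
            counts[ip] += 1
    return dict(counts)
```

Run it against a real sslserver/mailfront log (e.g. `classify_sessions(open("current").read())`) and compare the per-IP counts over time to see whether the errors cluster on particular peers or are evenly spread.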