Many SSL_accept error

cglmicro

Hi.
Just want to make sure the problem is not on my side, since all my PMGs are reporting the same errors... is it the AIRCANADA.COM SSL that is expired? Any way to accept the connections anyway?
Code:
Dec 26 11:57:43 pmg10 postfix/smtpd[1773713]: connect from r121.mail.aircanada.com[172.82.216.121]
Dec 26 11:57:44 pmg10 postfix/smtpd[1773713]: SSL_accept error from r121.mail.aircanada.com[172.82.216.121]: -1
Dec 26 11:57:44 pmg10 postfix/smtpd[1773713]: lost connection after STARTTLS from r121.mail.aircanada.com[172.82.216.121]
Dec 26 11:57:44 pmg10 postfix/smtpd[1773713]: disconnect from r121.mail.aircanada.com[172.82.216.121] ehlo=1 starttls=0/1 commands=1/2
Dec 26 11:57:45 pmg10 postfix/smtpd[1773713]: connect from r119.mail.aircanada.com[172.82.216.119]
Dec 26 11:57:46 pmg10 postfix/smtpd[1773713]: SSL_accept error from r119.mail.aircanada.com[172.82.216.119]: -1
Dec 26 11:57:46 pmg10 postfix/smtpd[1773713]: lost connection after STARTTLS from r119.mail.aircanada.com[172.82.216.119]
Dec 26 11:57:46 pmg10 postfix/smtpd[1773713]: disconnect from r119.mail.aircanada.com[172.82.216.119] ehlo=1 starttls=0/1 commands=1/2
Dec 26 11:57:52 pmg10 postfix/smtpd[1773713]: connect from r121.mail.aircanada.com[172.82.216.121]
Dec 26 11:57:53 pmg10 postfix/smtpd[1773713]: SSL_accept error from r121.mail.aircanada.com[172.82.216.121]: lost connection
Dec 26 11:57:53 pmg10 postfix/smtpd[1773713]: lost connection after STARTTLS from r121.mail.aircanada.com[172.82.216.121]
Dec 26 11:57:53 pmg10 postfix/smtpd[1773713]: disconnect from r121.mail.aircanada.com[172.82.216.121] ehlo=1 starttls=0/1 commands=1/2
The only TLS error I get is with *.AIRCANADA.COM servers, so I don't think this problem is on my side of the fence, am I right?
Thanks.
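One way to check from the logs whether the handshake failures really are confined to a single sending domain, as an added example that is not part of the original thread: it tallies `SSL_accept error` lines and the `starttls=ok/attempted` counters from Postfix `disconnect` lines per sender domain. The `mx1.example.org` line, the two-label domain grouping and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the aircanada.com lines follow the format posted above;
# the mx1.example.org line is invented to show a sender whose STARTTLS succeeds.
SAMPLE_LOG = """\
Dec 26 11:57:44 pmg10 postfix/smtpd[1773713]: SSL_accept error from r121.mail.aircanada.com[172.82.216.121]: -1
Dec 26 11:57:44 pmg10 postfix/smtpd[1773713]: disconnect from r121.mail.aircanada.com[172.82.216.121] ehlo=1 starttls=0/1 commands=1/2
Dec 26 11:57:46 pmg10 postfix/smtpd[1773713]: SSL_accept error from r119.mail.aircanada.com[172.82.216.119]: -1
Dec 26 11:57:46 pmg10 postfix/smtpd[1773713]: disconnect from r119.mail.aircanada.com[172.82.216.119] ehlo=1 starttls=0/1 commands=1/2
Dec 26 11:57:50 pmg10 postfix/smtpd[1773720]: disconnect from mx1.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Dec 26 11:57:53 pmg10 postfix/smtpd[1773713]: SSL_accept error from r121.mail.aircanada.com[172.82.216.121]: lost connection
Dec 26 11:57:53 pmg10 postfix/smtpd[1773713]: disconnect from r121.mail.aircanada.com[172.82.216.121] ehlo=1 starttls=0/1 commands=1/2
"""

CLIENT = r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]"
SSL_ERR = re.compile(r"postfix/smtpd\[\d+\]: SSL_accept error from " + CLIENT)
DISCONNECT = re.compile(r"postfix/smtpd\[\d+\]: disconnect from " + CLIENT + r"(?P<stats>.*)")
STARTTLS = re.compile(r"\bstarttls=(\d+)(?:/(\d+))?")  # "1" = all ok, "0/1" = ok/attempted

def org_domain(host):
    """Naive grouping key: last two DNS labels (assumption; no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def summarize(log_text):
    """Per sending domain: SSL_accept errors, STARTTLS ok/attempted, client IPs."""
    stats = defaultdict(lambda: {"ssl_accept_errors": 0, "starttls_ok": 0,
                                 "starttls_attempts": 0, "ips": set()})
    for line in log_text.splitlines():
        err, end = SSL_ERR.search(line), DISCONNECT.search(line)
        m = err or end
        if not m:
            continue
        entry = stats[org_domain(m["host"])]
        entry["ips"].add(m["ip"])
        if err:
            entry["ssl_accept_errors"] += 1
        elif (t := STARTTLS.search(m["stats"])):
            ok = int(t.group(1))
            entry["starttls_ok"] += ok
            entry["starttls_attempts"] += int(t.group(2) or ok)
    return dict(stats)

def failing_only_domains(stats):
    """Domains that attempted STARTTLS and never completed a handshake."""
    return sorted(d for d, s in stats.items() if s["starttls_attempts"] and s["starttls_ok"] == 0)

if __name__ == "__main__":
    print(failing_only_domains(summarize(SAMPLE_LOG)))
```

If other senders complete STARTTLS against the same listener while one domain never does, the server-side TLS configuration is less likely to be the common factor.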
 
Not sure if this is related to an expired certificate on aircanada.com:
* the logs indicate that aircanada.com tries to connect to your server - and then terminates the connection (and since it is the mail-client in this transaction - this usually implies that its own certificate is not used)

* do you have any specific setup on your PMG - certificate/TLS setting-wise?

see:
https://community.letsencrypt.org/t/ssl-accept-error-postfix/85423/5
for one potential explanation

one thing that might be at fault here as well are ssl-proxies or firewalls which try to analyze ssl-traffic as well

I hope this helps!
 
Thanks Stoiko.

Nothing particular:
1640613264603.png
1640613386803.png

I've tested with TESTTLS.COM and it's good:

1640613189395.png
I think the problem is not with my servers so I won't lose more of your time, thank you for your help.
 
The problem is that Debian 10 and even 11 include the deprecated ISRG X3 root key which has expired - and a default certbot install will use that CA. (Or you have not generated legitimate keys and are still using snakeoil.pem).

You need to install an updated certbot via the install instructions on the EFF website, and use --force-renew --preferred-chain "ISRG Root X1" to reissue your keys.
 
