PMG | match_list_match: xx.xx.xx.102: no match

Xela

Our PMG is rejecting mails with match_list_match: no match. This error is unknown to us.

Any idea?

Code:
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: connect from mail2.domain.de[xx.xx.xx.102]
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: smtp_stream_setup: maxtime=300 enable_deadline=0
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_hostname: smtpd_client_event_limit_exceptions: mail2.domain.de ~? 127.0.0.0/8
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_hostaddr: smtpd_client_event_limit_exceptions: xx.xx.xx.102 ~? 127.0.0.0/8
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_hostname: smtpd_client_event_limit_exceptions: mail2.domain.de ~? 11.50.1.20
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_hostaddr: smtpd_client_event_limit_exceptions: xx.xx.xx.102 ~? 11.50.1.20
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_list_match: mail2.domain.de: no match
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_list_match: xx.xx.xx.102: no match
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: send attr request = connect
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: send attr ident = smtpd:xx.xx.xx.102
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: private/anvil: wanted attribute: status
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute name: status
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute value: 0
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: private/anvil: wanted attribute: count
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute name: count
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute value: 1
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: private/anvil: wanted attribute: rate
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute name: rate
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute value: 1
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: private/anvil: wanted attribute: (list terminator)
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute name: (end)
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: name_mask: silent-discard
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: name_mask: dsn
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 220 mx01.ourdomain.eu ESMTP Postfix
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: watchdog_pat: 0x55d05d84c5d0
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: < mail2.domain.de[xx.xx.xx.102]: EHLO mail2.domain.de
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_list_match: mail2.domain.de: no match
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_list_match: xx.xx.xx.102: no match
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 250-mx01.ourdomain.eu
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 250-PIPELINING
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 250-SIZE 104857600
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 250-VRFY
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 250-ETRN
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 250-STARTTLS
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 250-ENHANCEDSTATUSCODES
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 250-8BITMIME
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 250-SMTPUTF8
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 250 CHUNKING
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: watchdog_pat: 0x55d05d84c5d0
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: < mail2.domain.de[xx.xx.xx.102]: STARTTLS
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: > mail2.domain.de[xx.xx.xx.102]: 220 2.0.0 Ready to start TLS
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: auto_clnt_open: connected to private/tlsmgr
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: send attr request = seed
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: send attr size = 32
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: private/tlsmgr: wanted attribute: status
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute name: status
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute value: 0
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: private/tlsmgr: wanted attribute: seed
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute name: seed
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute value: 7Im7oXpNRE8F3bBP9qR7lm+wGBF/1pgn8kfj5RCRKEk=
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: private/tlsmgr: wanted attribute: (list terminator)
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute name: (end)
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: SSL_accept error from mail2.domain.de[xx.xx.xx.102]: -1
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_hostname: smtpd_client_event_limit_exceptions: mail2.domain.de ~? 127.0.0.0/8
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_hostaddr: smtpd_client_event_limit_exceptions: xx.xx.xx.102 ~? 127.0.0.0/8
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_hostname: smtpd_client_event_limit_exceptions: mail2.domain.de ~? 11.50.1.20
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_hostaddr: smtpd_client_event_limit_exceptions: xx.xx.xx.102 ~? 11.50.1.20
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_list_match: mail2.domain.de: no match
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_list_match: xx.xx.xx.102: no match
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: send attr request = disconnect
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: send attr ident = smtpd:xx.xx.xx.102
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: private/anvil: wanted attribute: status
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute name: status
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute value: 0
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: private/anvil: wanted attribute: (list terminator)
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: input attribute name: (end)
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: lost connection after STARTTLS from mail2.domain.de[xx.xx.xx.102]
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: disconnect from mail2.domain.de[xx.xx.xx.102] ehlo=1 starttls=0/1 commands=1/2
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: name_mask: no_address_mappings
 
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: SSL_accept error from mail2.domain.de[xx.xx.xx.102]: -1
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
I think this might point to the actual problem - the client (x.x.x.102) wants to use TLS (STARTTLS), but there are no shared ciphers (second line).

My guess - a rather old client that does not support anything newer than TLS 1.0? (Or did you maybe modify the TLS parameters as well?)
 
Thank you for your request. The TLS-parameters have been adapted to comply with today's internet standards 100% (https://internet.nl/) to:

Code:
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
lmtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
lmtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_ciphers = high
smtp_tls_mandatory_ciphers = high
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_256_GCM_SHA384:ECDHE-RSA-CHACHA20-POLY1305:TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES128-GCM-SHA256:TLS_AES_128_GCM_SHA256
tls_preempt_cipherlist = yes
smtpd_tls_eecdh_grade = ultra
tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION
 
Thank you for your request. The TLS-parameters have been adapted to comply with today's internet standards 100% (https://internet.nl/) to:
I think you could reuse the lists and shorten this - but anyways - I think the issue here is that the host x.x.x.102 is not 100% compliant with the suggestions from internet.nl.
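As an added example (not part of the thread or of PMG): a small log triage in Python that applies the diagnosis above, skipping the verbose `match_*` lookup traces and reporting only sessions whose STARTTLS did not complete, together with the OpenSSL reason. The sample lines are constructed from the log quoted in this thread; the second session (`mx.example.org`, `192.0.2.10`) and the function name `failed_tls_sessions` are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the smtpd lines quoted in this thread.
SAMPLE_LOG = """\
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: connect from mail2.domain.de[xx.xx.xx.102]
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: match_list_match: xx.xx.xx.102: no match
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: SSL_accept error from mail2.domain.de[xx.xx.xx.102]: -1
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
Jan 16 16:40:04 mail-gw1 postfix/smtpd[904180]: disconnect from mail2.domain.de[xx.xx.xx.102] ehlo=1 starttls=0/1 commands=1/2
Jan 16 16:41:10 mail-gw1 postfix/smtpd[904199]: connect from mx.example.org[192.0.2.10]
Jan 16 16:41:10 mail-gw1 postfix/smtpd[904199]: match_list_match: 192.0.2.10: no match
Jan 16 16:41:11 mail-gw1 postfix/smtpd[904199]: disconnect from mx.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"^connect from (\S+)\[([^\]]+)\]")
TLS_ERR = re.compile(r"TLS library problem: error:[0-9A-Fa-f]+:[^:]*:[^:]*:([^:]+):")
STARTTLS = re.compile(r"\bstarttls=(\d+)(?:/(\d+))?")

def failed_tls_sessions(log_text):
    """Return one dict per smtpd session whose STARTTLS did not complete."""
    sessions = defaultdict(lambda: {"client": None, "reason": None, "noise": 0})
    failures = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.group(1), m.group(2)
        s = sessions[pid]
        if msg.startswith(("match_list_match:", "match_hostname:", "match_hostaddr:")):
            s["noise"] += 1           # verbose access-list lookup trace, not a reject
        elif (c := CLIENT.match(msg)):
            s["client"] = c.group(2)
        elif (e := TLS_ERR.search(msg)):
            s["reason"] = e.group(1)  # OpenSSL reason text, e.g. "no shared cipher"
        elif msg.startswith("disconnect from"):
            t = STARTTLS.search(msg)
            # "starttls=0/1" means 0 of 1 STARTTLS commands succeeded
            if t and t.group(2) and int(t.group(1)) < int(t.group(2)):
                failures.append({"pid": pid, **s})
            del sessions[pid]         # smtpd processes are reused across sessions
    return failures

if __name__ == "__main__":
    for f in failed_tls_sessions(SAMPLE_LOG):
        print(f)
```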
 