From: Matt Mullins
To: Mark
Cc: freebsd-questions@freebsd.org, Postfix users
Date: Fri, 30 Dec 2011 14:01:34 -0800
Subject: Re: SSL/TLS suddenly stopped working for postfix

On Fri, Dec 30, 2011 at 8:53 AM, Mark wrote:
> My apologies for the cross-posting but I believe it is relevant.

That's still typically frowned upon, IMHO.

>    I have been running postfix for 8+ months without problems.  Recently (a
> week or two) I had a user complain that he could no longer send.  It appears
> that postfix is no longer accepting SSL/TLS connections.  STARTTLS is
> working on port 587 (and possibly 25, still testing)  I am trying to figure
> out why the change.
>
>    If I try and open an openssl connection manually, this is what I get:
>
> openssl s_client -connect mail.myServer.net:587
> CONNECTED(00000003)
> 44829:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:

This command starts speaking the SSL protocol immediately at the
beginning of the connection, which is wrong for STARTTLS cases. You
need to do this instead:

$ openssl s_client -connect mail.myserver.net:587 -starttls smtp

The most common SSL-just-stops-working issue is that your certificate
expired. Check that by looking for "Not After" in the output of:

root@mailserver# openssl x509 -noout -text -in /path/to/server.crt

-- 
Matt Mullins
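
Added example, not part of the original message: a small Python probe that tells a STARTTLS port from an SSL-wrapped one by checking who speaks first, which is the distinction behind the "unknown protocol" error above. The loopback listeners, host names, function names and result labels are constructed for illustration.

```python
import socket
import threading

def read_reply(conn):
    """Read one SMTP reply; its final line has a space after the 3-digit code."""
    data = b""
    while True:
        chunk = conn.recv(1024)
        if not chunk:
            return data
        data += chunk
        if data.endswith(b"\r\n") and data.split(b"\r\n")[-2][3:4] == b" ":
            return data

def classify(host, port, timeout=1.0):
    """Report which TLS mode a mail port expects, judged by who speaks first."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        try:
            banner = read_reply(conn)
        except socket.timeout:
            return "silent"          # server awaits a ClientHello: plain s_client fits
        if not banner.startswith(b"220"):
            return "not-smtp"
        conn.sendall(b"EHLO probe.example.test\r\n")
        lines = read_reply(conn).upper().split(b"\r\n")
        if any(line[4:] == b"STARTTLS" for line in lines):
            return "starttls"        # cleartext first: s_client needs -starttls smtp
        return "plaintext-only"

def stand_in(srv, greets):
    """Constructed listener: greets=True mimics port 587, False an SSL-wrapped port."""
    conn, _ = srv.accept()
    with conn:
        if greets:
            conn.sendall(b"220 mail.example.test ESMTP\r\n")
            if conn.recv(1024).upper().startswith(b"EHLO"):
                conn.sendall(b"250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
        conn.recv(1024)              # hold the socket until the client closes

def start(greets):
    """Run a stand-in on an ephemeral loopback port and return that port."""
    srv = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=stand_in, args=(srv, greets), daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for greets in (True, False):
        print("greets first:", greets, "->", classify("127.0.0.1", start(greets)))
```

A server that delays its greeting longer than the timeout also reads as "silent", so raise `timeout` before drawing conclusions about a real host.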