Date: Fri, 30 Dec 2011 14:01:34 -0800
From: Matt Mullins <mokomull@gmail.com>
To: Mark <mark@msen.com>
Cc: freebsd-questions@freebsd.org, Postfix users <postfix-users@postfix.org>
Subject: Re: SSL/TLS suddenly stopped working for postfix
Message-ID: <CAPyT1SEsfbd52kYZNMXD9ZsjgNjHuqZ0qE0hi_90U%2BfCxba_Vw@mail.gmail.com>
In-Reply-To: <4EFDEC79.9070403@msen.com>
References: <4EFDEC79.9070403@msen.com>

On Fri, Dec 30, 2011 at 8:53 AM, Mark <mark@msen.com> wrote:
> My apologies for the cross-posting but I believe it is relevant.

That's still typically frowned upon, IMHO.

>    I have been running postfix for 8+ months without problems.  Recently (a
> week or two) I had a user complain that he could no longer send.  It appears
> that postfix is no longer accepting SSL/TLS connections.  STARTTLS is
> working on port 587 (and possibly 25, still testing)  I am trying to figure
> out why the change.
>
>    If I try and open an openssl connection manually, this is what I get:
>
> openssl s_client -connect mail.myServer.net:587
> CONNECTED(00000003)
> 44829:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:

This command starts speaking the SSL protocol immediately at the
beginning of the connection, which is wrong for STARTTLS cases.  You
need to do this instead:

$ openssl s_client -connect mail.myserver.net:587 -starttls smtp

The most common SSL-just-stops-working issue is that your certificate
expired.  Check that by looking for "Not After" in the output of:

root@mailserver# openssl x509 -noout -text -in /path/to/server.crt

--
Matt Mullins
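
The two checks from the reply above (upgrade with STARTTLS first, then look at the certificate's "Not After" date) combined into one script, as an added example that is not part of the original message. The function names `days_left`, `classify` and `check_submission` and the 30-day warning threshold are assumptions made for illustration.

```python
import smtplib
import ssl
import sys
import time


def days_left(not_after, now=None):
    """Days until a certificate's notAfter time, e.g. 'Dec 30 22:01:34 2012 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify(not_after, now=None, warn_days=30):
    """Return 'expired', 'expiring' (inside warn_days) or 'ok'."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    return "expiring" if remaining < warn_days else "ok"


def check_submission(host, port=587, timeout=10):
    """Speak plain SMTP first, upgrade with STARTTLS, then judge the certificate.

    Starting the TLS handshake immediately on this port is what produces the
    'unknown protocol' error quoted in the thread.
    """
    ctx = ssl.create_default_context()  # verifies chain, hostname and validity
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return "server does not offer STARTTLS"
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
            return "%s (notAfter=%s)" % (classify(cert["notAfter"]),
                                         cert["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        # An expired certificate fails the handshake; OpenSSL names the reason.
        return "verification failed: %s" % exc.verify_message


if __name__ == "__main__":
    # Usage: python3 check_starttls.py mail.example.org
    if len(sys.argv) != 2:
        sys.exit("usage: check_starttls.py HOST")
    print(check_submission(sys.argv[1]))
```
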