postfix-users May 2014 archive

Re: connection cache issue correlated with "SSL23_GET_SERVER_HELLO:tlsv1 alert decode error"?

From: Sahil Tandon <sahil+postfix_at_nospam>
Date: Wed May 07 2014 - 04:26:09 GMT
To: postfix-users@postfix.org

On Tue, 2014-05-06 at 23:57:41 -0400, Sahil Tandon wrote:

> On Wed, 2014-05-07 at 03:31:13 +0000, Viktor Dukhovni wrote:
>
> > On Tue, May 06, 2014 at 10:49:20PM -0400, Sahil Tandon wrote:
> >
> > > We are experiencing a problem that seems to manifest *only* when
> > > delivering to MXs that exhibit the SSL problem described by Viktor[1]
> > > AND connection caching is enabled on demand.
> >
> > That is when TLS handshakes fail and cleartext connections are made
> > to deliver the mail. Such connections may be cached.
>
> Right.
>
> > Have you tried disabling TLS, but not the demand caching?
>
> Not yet, but that is being discussed with the other postmasters; will
> probably give it a shot in a few hours.
>
> > Does the problem *only* lead to erroneous connection re-use via relays
> > that are the result of a cleartext fallback?
>
> I cannot say definitively without more complete log analysis, but that
> is my hunch. And, the issue does not seem to occur as a result of the
> initial cleartext fallback, but later ... once on-demand caching has
> kicked in.

I will parse the last few days' worth of logs to verify this, and then
follow up. No need to waste any more time than you already have on this
"hunch".

-- Sahil Tandon