iredmail / iRedMail

Full-featured, open source mail server solution for mainstream Linux/BSD distributions.

Home Page: https://www.iredmail.org/

TLS errors with latest version (2.5.0) of spiderd

M-Stenzel opened this issue

Hi team,

This is related to spiderd 2.50 for Linux (non-Docker!).
With this version I receive

2023-09-11T19:30:21.406368+03:00 terve postfix/smtp[2169776]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:
2023-09-11T19:41:41.426378+03:00 terve postfix/smtp[2210704]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:
2023-09-11T19:49:50.802709+03:00 terve postfix/smtp[2240292]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:
2023-09-11T19:50:21.416730+03:00 terve postfix/smtp[2240292]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:
2023-09-11T19:52:58.670161+03:00 terve postfix/smtp[2251618]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:
2023-09-11T19:55:21.441502+03:00 terve postfix/smtp[2260294]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:
2023-09-11T20:00:01.543445+03:00 terve postfix/smtp[2277422]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:
2023-09-11T20:00:21.415750+03:00 terve postfix/smtp[2277422]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:
2023-09-11T20:02:05.903023+03:00 terve postfix/smtp[2302390]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:
2023-09-11T20:05:21.440219+03:00 terve postfix/smtp[2341321]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:
2023-09-11T20:10:21.442043+03:00 terve postfix/smtp[2368577]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:

and so on... in my Postfix warning-level logs.

This did not happen with version 2.4.2 (non-Docker!).

Postfix version is 3.8.1 (not changed) from openSUSE (not iRedMail!). Version was not changed, configuration was not changed, so this must be related to the new spiderd version.

OpenSSL is version 1.1.1v (latest).

Sincerely,

Martin.

P. S. The Spiderd log does not give any warnings or errors (INFO level) related to this.

Hi Martin,

I cannot reproduce this issue. Did you request a free SSL cert with Spider (Settings -> SSL Cert)?

Hi,
No, without a certificate. It is run behind an Apache reverse proxy.

This is the settings.json

{
        "admin_emails": ["admin art mail.xy-space.de"],
        "archiving_username": "archive",
        "archiving_domain": "mailarchive.xy-space.de",
        "archiving_with_host_ip": true,
        "license_key": "redacted",
        "log_level": "info",
        "log_target": "file",
        "log_rotate_interval": "1w",
        "log_max_backups": 20,
        "log_syslog_server": "/dev/log",
        "retention_years": 3,
        "smtpd_bind_address": ":1025",
        "smtpd_force_secure_conn": false,
        "smtpd_allowed_only": true,
        "smtpd_auth": true,
        "smtpd_user": "redacted",
        "smtpd_password": "redacted",
        "web_bind_address": ":18080",
        "web_home_path": "",
        "web_default_language": "en_US",
        "cert_domain": ""
}

After reverting to version 2.4.2 the warning messages went away instantly.

Martin.

What are the related settings in the Apache reverse proxy?

<VirtualHost *:443>
        ServerName spider.xy-space.de

        SSLCertificateFile /etc/...
        SSLCertificateKeyFile /etc/...

        ErrorLog /var/log/apache2/spider.xy-space.de-error_log
        ErrorLogFormat "[%t] [%l] [pid %P] %F: %E: [client %a] %M"
        TransferLog /var/log/apache2/spider.xy-space.de-access_log

        Redirect permanent "/" "https://spider.xy-space.de/"

        RequestHeader set X_FORWARDED_PROTO 'https'
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

        ProxyRequests Off
        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:18080/
        ProxyPassReverse / http://127.0.0.1:18080/
</VirtualHost>

So the SSL cert is handled by Apache, not Spider. It's more like an Apache issue to me; SMTP traffic doesn't reach Spider at all.

Seems I'm wrong.

Question: Is the SMTP service offered by Spider running behind an (SMTP) proxy too?

According to the settings.json you pasted above, the SMTP service provided by Spider doesn't offer a secure connection because there is no SSL cert, so you should configure Postfix (on openSUSE) to not use a secure connection.

Only the web interface is behind the apache reverse proxy.

In the settings.json file there is the entry "smtpd_force_secure_conn" set to false.

I still cannot find a good idea.

There are no error messages in the spiderd log, so spiderd config must be fine.
Postfix seems to be unhappy with the new version.
Did you change anything with TLS version support or cipher support?

Dear @M-Stenzel

Confirmed it's a bug in the latest Spider v2.5.0, and it was fixed a moment ago in the new version v2.5.1.
Please download the new version and upgrade:

Let me know if it doesn't work for you. Thanks again for the feedback. :)
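
The Postfix warnings quoted in the opening post can be decoded to show which side raised the TLS failure. The following is an added example, not part of the original thread or of the Spider or Postfix code. It assumes the OpenSSL 1.1.1 packed error-code layout (8-bit library, 12-bit function, 12-bit reason), and the helper names are hypothetical. Two sample lines are copied from the post and one is constructed.

```python
import re
from collections import Counter

# TLS alert descriptions from RFC 8446 section 6 (subset).
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 112: "unrecognized_name",
}
ERR_LIB_SSL = 20             # OpenSSL library number for libssl
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number when the peer sent the alert

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[\w/.-]+)\[(?P<pid>\d+)\]: "
    r"warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]{8}):")

def decode_error_code(code_hex):
    """Unpack an OpenSSL 1.1.1 error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def classify(line):
    """Return decoded fields for a Postfix TLS warning, or None for other lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    lib, func, reason = decode_error_code(m["code"])
    from_peer = lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET
    alert = reason - SSL_AD_REASON_OFFSET if from_peer else None
    return {"proc": m["proc"], "pid": int(m["pid"]), "lib": lib, "func": func,
            "reason": reason, "from_peer": from_peer, "alert": alert,
            "alert_name": TLS_ALERTS.get(alert, "unknown") if from_peer else None}

def summarize(lines):
    """Count peer-sent alerts per (process, alert name)."""
    hits = (classify(l) for l in lines)
    return Counter((h["proc"], h["alert_name"]) for h in hits if h and h["from_peer"])

# Two lines copied from the opening post plus one constructed non-TLS line.
SAMPLE = [
    "2023-09-11T19:30:21.406368+03:00 terve postfix/smtp[2169776]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:",
    "2023-09-11T19:41:41.426378+03:00 terve postfix/smtp[2210704]: warning: TLS library problem: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1562:SSL alert number 80:",
    "2023-09-11T19:42:00.000000+03:00 terve postfix/qmgr[1234]: ABCDEF: removed",  # constructed
]

if __name__ == "__main__":
    for (proc, name), n in summarize(SAMPLE).items():
        print(f"{proc}: {n} x alert '{name}' received from the remote TLS peer")
```

Because `postfix/smtp` is the Postfix delivery client and the reason code sits in the received-alert range, the `internal_error` alert was raised by the SMTP server Postfix was connecting to, not by Postfix's own TLS stack.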