TLS library problem: error:0A000126
Hi,
I have Zimbra 8.8.15 patch 46 on Ubuntu 18.
In log I have daily about 2000 logs like:
Jan 7 00:22:34 poczta postfix/smtps/smtpd[8147]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
I tried solution from here to use openssl.cnf from patch 38:
viewtopic.php?t=72124&hilit=0A000126&start=30
but it doesn't work.
Does anybody have another idea for solving this ?
Thanks.
Good hosting:
https://sdata.net.pl
- JDunphy
- Outstanding Member
- Posts: 941
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P44 NETWORK Edition
Re: TLS library problem: error:0A000126
I would probably try from the command line to see if you can get more information. Sounds like you think that it's from a MUA vs 3rd party probes that only want to know what ports are open vs completing the handshake. 2000 every day does seem excessive for this type of port knocking.
Code: Select all
% openssl s_client -connect your.mail.server:587 -starttls smtp -debug
Why it is terminating early could be anything from protocol/ciphers to certificate errors. The above line should allow you to see more detail.
I think one of the test certificate sites will alert you to these client/server cipher problems... https://www.ssllabs.com/ssltest/
HTH,
Jim
Re: TLS library problem: error:0A000126
I don't see anything suspicious in the output of this command:
Code: Select all
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5448 bytes and written 454 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 825889B96DB6F5173D126C1CD1064A0F0EA0567B25EBD38458B3A83CBD60F841
Session-ID-ctx:
Resumption PSK: FF7C1EEE2E72A4E632BC0BE94C00E52D7C4E6F59D962DF3C298810C3297305F0A235D75B840E82F3E7F1D1D7936C4913
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
Sample full log from connection with this error is:
Code: Select all
Jan 7 11:55:13 poczta postfix/smtps/smtpd[25016]: connect from dazzling.monitoring.internet-measurement.com[87.236.176.87]
Jan 7 11:55:13 poczta postfix/smtps/smtpd[25016]: SSL_accept error from dazzling.monitoring.internet-measurement.com[87.236.176.87]: -1
Jan 7 11:55:13 poczta postfix/smtps/smtpd[25016]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Jan 7 11:55:13 poczta postfix/smtps/smtpd[25016]: lost connection after CONNECT from dazzling.monitoring.internet-measurement.com[87.236.176.87]
Jan 7 11:55:13 poczta postfix/smtps/smtpd[25016]: disconnect from dazzling.monitoring.internet-measurement.com[87.236.176.87] commands=0/0
Today there were about 100 of these errors.
In summary - these are probably port scanners. Or... correct me if I'm wrong.
Re: TLS library problem: error:0A000126
On the other hand - not exactly.
Because I've found a case when some user has logged in to Postfix, sent email and that error also occurred. Take a look:
(email address of my user in this log I've changed a bit for security reasons of course).
Code: Select all
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: NOQUEUE: filter: RCPT from c48-86.icpnet.pl[62.21.48.86]: <biuro@elektro.pl>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<biuro@elektro.pl> to=<noreply@schracktechnikgmbh.s02.eur1.teams-events.com> proto=ESMTP helo=<[192.168.1.140]>
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: 5919D1FEB3F: client=c48-86.icpnet.pl[62.21.48.86], sasl_method=LOGIN, sasl_username=biuro@elektro.pl
Jan 7 10:04:37 poczta postfix/cleanup[8828]: 5919D1FEB3F: message-id=<e6fda5ce-fc43-4ece-9c8e-5516882e83b3@mail.dll>
Jan 7 10:04:37 poczta postfix/qmgr[15710]: 5919D1FEB3F: from=<biuro@elektro.pl>, size=3387, nrcpt=1 (queue active)
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: disconnect from c48-86.icpnet.pl[62.21.48.86] ehlo=1 auth=1 mail=1 rcpt=1 bdat=1 noop=1 commands=6
Jan 7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: connect from localhost[127.0.0.1]
Jan 7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: 906271FEB74: client=localhost[127.0.0.1]
Jan 7 10:04:37 poczta postfix/cleanup[8828]: 906271FEB74: message-id=<e6fda5ce-fc43-4ece-9c8e-5516882e83b3@mail.dll>
Jan 7 10:04:37 poczta postfix/qmgr[15710]: 906271FEB74: from=<biuro@elektro.pl>, size=3931, nrcpt=1 (queue active)
Jan 7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan 7 10:04:37 poczta postfix/smtp[8835]: 5919D1FEB3F: to=<noreply@schracktechnikgmbh.s02.eur1.teams-events.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.17/0/0/0.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 906271FEB74)
Jan 7 10:04:37 poczta postfix/qmgr[15710]: 5919D1FEB3F: removed
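Added example (not part of the original thread, and not Zimbra or Postfix code): a small Python triage that groups smtpd log lines by service and PID and labels every session that logged error:0A000126 by what the client did before it disconnected, which separates the two cases posted above. The function name and verdict labels are assumptions made for illustration; the sample lines are abridged from the logs in this thread.

```python
import re
from collections import Counter

# Matches "postfix/<service>/smtpd[<pid>]: <message>" as in the logs quoted in the thread.
LINE = re.compile(r"postfix/(?P<svc>[\w-]+)/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DISC = re.compile(r"disconnect from \S*\[(?P<ip>[^\]]+)\](?P<stats>.*)$")
EOF_ERR = "error:0A000126"

def triage_eof_errors(lines):
    """Count sessions that logged 0A000126, keyed by (client IP, verdict)."""
    flagged = set()        # (service, pid) with the error in the current session
    verdicts = Counter()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        key, msg = (m["svc"], m["pid"]), m["msg"]
        if msg.startswith("connect from "):
            flagged.discard(key)            # smtpd PIDs are reused by later sessions
        elif EOF_ERR in msg:
            flagged.add(key)
        elif key in flagged and (d := DISC.match(msg)):
            flagged.discard(key)
            # Postfix prints per-command counters as name=ok or name=ok/total.
            stats = dict(kv.split("=", 1) for kv in d["stats"].split() if "=" in kv)
            if int(stats.get("auth", "0").split("/")[0]) > 0:
                verdict = "authenticated-session"   # real client, dropped TLS abruptly
            elif stats.get("commands") == "0/0":
                verdict = "no-smtp-commands"        # probe-like: nothing sent after connect
            else:
                verdict = "unauthenticated-session"
            verdicts[(d["ip"], verdict)] += 1
    return verdicts

# Abridged from the log excerpts posted in this thread.
SAMPLE = """\
Jan 7 11:55:13 poczta postfix/smtps/smtpd[25016]: connect from dazzling.monitoring.internet-measurement.com[87.236.176.87]
Jan 7 11:55:13 poczta postfix/smtps/smtpd[25016]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Jan 7 11:55:13 poczta postfix/smtps/smtpd[25016]: lost connection after CONNECT from dazzling.monitoring.internet-measurement.com[87.236.176.87]
Jan 7 11:55:13 poczta postfix/smtps/smtpd[25016]: disconnect from dazzling.monitoring.internet-measurement.com[87.236.176.87] commands=0/0
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: disconnect from c48-86.icpnet.pl[62.21.48.86] ehlo=1 auth=1 mail=1 rcpt=1 bdat=1 noop=1 commands=6
Jan 7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
""".splitlines()

if __name__ == "__main__":
    for (ip, verdict), n in sorted(triage_eof_errors(SAMPLE).items()):
        print(f"{n:5d}  {ip:<15}  {verdict}")
```

Run over a full day's mail log, the per-IP counts show how much of the volume comes from sessions that never sent an SMTP command and how much from authenticated users whose client closes the connection without a TLS shutdown.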
- JDunphy
- Outstanding Member
- Posts: 941
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P44 NETWORK Edition
Re: TLS library problem: error:0A000126
loocek wrote: ↑Tue Jan 07, 2025 7:47 pm
...
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: 5919D1FEB3F: client=c48-86.icpnet.pl[62.21.48.86], sasl_method=LOGIN, sasl_username=biuro@elektro.pl
...
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: disconnect from c48-86.icpnet.pl[62.21.48.86] ehlo=1 auth=1 mail=1 rcpt=1 bdat=1 noop=1 commands=6
Jan 7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: connect from localhost[127.0.0.1]
Jan 7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: 906271FEB74: client=localhost[127.0.0.1]
....
Jan 7 10:04:37 poczta postfix/qmgr[15710]: 5919D1FEB3F: removed
Strange... Client does not issue QUIT but issues NOOP and then does an abrupt disconnect? Does 62.21.48.86 have some SMTP firewall scanning appliance in the middle or is this some script?
Trying to understand why a MUA would issue a NOOP???... probing thinking the connection disappeared or to perform some odd keep-alive and a way for the client to avoid any idle timeouts enforced by firewalls, proxies, etc
I suppose you could tcpdump port 587 and 465 into a pcap file and then run wireshark on the pcap file to dig deeper. See which side is issuing the RST.
Code: Select all
# tcpdump -i eth0 port 465 or port 587 -w TLS-SMTP.pcap
Re: TLS library problem: error:0A000126
I disabled firewall on server.
Then I've captured pcap.
Could you take a look at it? (attachment)
At 19:45:36 there was that error again (like in Twin Peaks Series... "it's happening again.......brrrrr")
- Attachments
- TLS-SMTP.pcap.tar.gz (6.96 KiB)
- JDunphy
- Outstanding Member
- Posts: 941
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P44 NETWORK Edition
Re: TLS library problem: error:0A000126
Looks like the Client is sending the RST's and terminating the connection abruptly.
I was looking at the time stamps and they are fairly close together with the entire start to finish in about 1.2 seconds. This is a port 465 client but we can't look any closer at the data because it's encrypted. As expected, the encryption negotiated correctly to TLS 1.3
The last TCP flags from the server were: FIN, ACK, PSH and the client comes back with a RST (Reset) and abruptly terminated the connection. This bypasses the usual TCP teardown (exchanging FIN and ACK).
My best guess is something upstream is in the middle or the client itself as the root cause.
You could also be running into that openssl 3.0 issue from a few years ago where various applications were seeing "unexpected eof while reading". I didn't follow this closely at the time but I thought I remember seeing postfix issue a patch in their mailing list after openssl added the SSL_OP_IGNORE_UNEXPECTED_EOF option. This is a big leap on my part because there is no data to validate this correlation other than not seeing the QUIT.
Ref: https://news.ycombinator.com/item?id=37474601
What did you think? Email is still being queued up and delivered correctly?
Jim
Re: TLS library problem: error:0A000126
I don't know what I should think about potential issue with Postfix or openssl.
This is Ubuntu 18 so maybe software is little bit old? And has bugs? But Zimbra 8 is newest:
zimbra-openssl 3.0.9-1zimbra8.8b1.18.04
zimbra-postfix 3.6.1-1zimbra8.7b4.18.04
I don't know..
Does anybody have the same error in their Zimbra 8.8.15 FOSS?
Code: Select all
postfix/smtps/smtpd[19907]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
And emails are being successfully sent anyway so... But I don't like these lots of errors in log. Today about 4000.
Server is small, about 100 mail accounts.
-
- Elite member
- Posts: 1147
- Joined: Sat Sep 13, 2014 12:47 am
Re: TLS library problem: error:0A000126
Do an internet search for just -
Code: Select all
SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304
Perhaps all the hits will provide a reason for you.
-
- Elite member
- Posts: 1147
- Joined: Sat Sep 13, 2014 12:47 am
Re: TLS library problem: error:0A000126
By the way, we also run 8.8.15P47 but on Rocky 8, using LetsEncrypt certificates. These errors do not appear in our logs.