TLS library problem: error:0A000126

loocek
Advanced member
Posts: 76
Joined: Sat Sep 13, 2014 1:14 am

Post by loocek »

Hi,
I have Zimbra 8.8.15 patch 46 on Ubuntu 18.

In the log I have about 2000 entries daily like:
Jan 7 00:22:34 poczta postfix/smtps/smtpd[8147]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:

I tried the solution from here, to use openssl.cnf from patch 38:
viewtopic.php?t=72124&hilit=0A000126&start=30

but it doesn't work.

Does anybody have another idea for solving this?
Thanks.
Good hosting:
https://sdata.net.pl
JDunphy
Outstanding Member
Posts: 941
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P44 NETWORK Edition

Post by JDunphy »

I would probably try from the command line to see if you can get more information. Sounds like you think that it's from a MUA vs 3rd party probes that only want to know what ports are open vs completing the handshake. 2000 every day does seem excessive for this type of port knocking.

% openssl s_client -connect your.mail.server:587 -starttls smtp -debug

Why it is terminating early could be anything from protocol/ciphers to certificate errors. The above line should allow you to see more detail.

I think one of the test certificate sites will alert you to these client/server cipher problems... https://www.ssllabs.com/ssltest/

HTH,

Jim

Post by loocek »

I don't see anything suspicious in the output of this command:

Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 5448 bytes and written 454 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)


Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 825889B96DB6F5173D126C1CD1064A0F0EA0567B25EBD38458B3A83CBD60F841
    Session-ID-ctx: 
    Resumption PSK: FF7C1EEE2E72A4E632BC0BE94C00E52D7C4E6F59D962DF3C298810C3297305F0A235D75B840E82F3E7F1D1D7936C4913
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

Sample full log from connection with this error is:

Jan  7 11:55:13 poczta postfix/smtps/smtpd[25016]: connect from dazzling.monitoring.internet-measurement.com[87.236.176.87]
Jan  7 11:55:13 poczta postfix/smtps/smtpd[25016]: SSL_accept error from dazzling.monitoring.internet-measurement.com[87.236.176.87]: -1
Jan  7 11:55:13 poczta postfix/smtps/smtpd[25016]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Jan  7 11:55:13 poczta postfix/smtps/smtpd[25016]: lost connection after CONNECT from dazzling.monitoring.internet-measurement.com[87.236.176.87]
Jan  7 11:55:13 poczta postfix/smtps/smtpd[25016]: disconnect from dazzling.monitoring.internet-measurement.com[87.236.176.87] commands=0/0

Today there were about 100 of these errors.
In summary - these are probably port scanners. Or... correct me if I'm wrong.

Post by loocek »

On the other hand - not exactly :)

Because I've found a case when some user has logged in to Postfix, sent email and that error also occurred. Take a look:

Jan  7 10:04:37 poczta postfix/smtps/smtpd[8899]: NOQUEUE: filter: RCPT from c48-86.icpnet.pl[62.21.48.86]: <biuro@elektro.pl>: Sender address triggers FILTER smtp-amavis:[127.0.0.1]:10026; from=<biuro@elektro.pl> to=<noreply@schracktechnikgmbh.s02.eur1.teams-events.com> proto=ESMTP helo=<[192.168.1.140]>
Jan  7 10:04:37 poczta postfix/smtps/smtpd[8899]: 5919D1FEB3F: client=c48-86.icpnet.pl[62.21.48.86], sasl_method=LOGIN, sasl_username=biuro@elektro.pl
Jan  7 10:04:37 poczta postfix/cleanup[8828]: 5919D1FEB3F: message-id=<e6fda5ce-fc43-4ece-9c8e-5516882e83b3@mail.dll>
Jan  7 10:04:37 poczta postfix/qmgr[15710]: 5919D1FEB3F: from=<biuro@elektro.pl>, size=3387, nrcpt=1 (queue active)
Jan  7 10:04:37 poczta postfix/smtps/smtpd[8899]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Jan  7 10:04:37 poczta postfix/smtps/smtpd[8899]: disconnect from c48-86.icpnet.pl[62.21.48.86] ehlo=1 auth=1 mail=1 rcpt=1 bdat=1 noop=1 commands=6
Jan  7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: connect from localhost[127.0.0.1]
Jan  7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: 906271FEB74: client=localhost[127.0.0.1]
Jan  7 10:04:37 poczta postfix/cleanup[8828]: 906271FEB74: message-id=<e6fda5ce-fc43-4ece-9c8e-5516882e83b3@mail.dll>
Jan  7 10:04:37 poczta postfix/qmgr[15710]: 906271FEB74: from=<biuro@elektro.pl>, size=3931, nrcpt=1 (queue active)
Jan  7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Jan  7 10:04:37 poczta postfix/smtp[8835]: 5919D1FEB3F: to=<noreply@schracktechnikgmbh.s02.eur1.teams-events.com>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.37, delays=0.17/0/0/0.2, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10030): 250 2.0.0 Ok: queued as 906271FEB74)
Jan  7 10:04:37 poczta postfix/qmgr[15710]: 5919D1FEB3F: removed

(email address of my user in this log I've changed a bit for security reasons of course).

Post by JDunphy »

loocek wrote: Tue Jan 07, 2025 7:47 pm ...
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: 5919D1FEB3F: client=c48-86.icpnet.pl[62.21.48.86], sasl_method=LOGIN, sasl_username=biuro@elektro.pl
...
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Jan 7 10:04:37 poczta postfix/smtps/smtpd[8899]: disconnect from c48-86.icpnet.pl[62.21.48.86] ehlo=1 auth=1 mail=1 rcpt=1 bdat=1 noop=1 commands=6
Jan 7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: connect from localhost[127.0.0.1]
Jan 7 10:04:37 poczta postfix/dkimmilter/smtpd[8832]: 906271FEB74: client=localhost[127.0.0.1]
....
Jan 7 10:04:37 poczta postfix/qmgr[15710]: 5919D1FEB3F: removed

Strange... Client does not issue QUIT but issues NOOP and then does an abrupt disconnect? Does 62.21.48.86 have some SMTP firewall scanning appliance in the middle or is this some script?

Trying to understand why a MUA would issue a NOOP???... probing thinking the connection disappeared or to perform some odd keep-alive and a way for the client to avoid any idle timeouts enforced by firewalls, proxies, etc

I suppose you could tcpdump port 587 and 465 into a pcap file and then run wireshark on the pcap file to dig deeper. See which side is issuing the RST.

# tcpdump -i eth0 port 465 or port 587 -w TLS-SMTP.pcap

Jim
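
Added example, not part of any post in this thread: a way to separate the two cases seen in the logs above, sessions that hit error 0A000126 without sending any SMTP command (probe-like) and sessions from authenticated clients that simply closed without QUIT. It keys on the smtpd service and PID and on the `disconnect from` statistics line; the sample log is constructed in the thread's format with documentation addresses, and the verdict names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the syslog format shown in the thread (documentation IP ranges).
SAMPLE_LOG = """\
Jan  7 11:55:13 mail postfix/smtps/smtpd[25016]: connect from scanner.example.net[192.0.2.10]
Jan  7 11:55:13 mail postfix/smtps/smtpd[25016]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Jan  7 11:55:13 mail postfix/smtps/smtpd[25016]: lost connection after CONNECT from scanner.example.net[192.0.2.10]
Jan  7 11:55:13 mail postfix/smtps/smtpd[25016]: disconnect from scanner.example.net[192.0.2.10] commands=0/0
Jan  7 10:04:37 mail postfix/smtps/smtpd[8899]: 5919D1FEB3F: client=host.example.org[198.51.100.20], sasl_method=LOGIN, sasl_username=user@example.org
Jan  7 10:04:37 mail postfix/smtps/smtpd[8899]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:
Jan  7 10:04:37 mail postfix/smtps/smtpd[8899]: disconnect from host.example.org[198.51.100.20] ehlo=1 auth=1 mail=1 rcpt=1 bdat=1 noop=1 commands=6
Jan  7 10:05:02 mail postfix/smtps/smtpd[8899]: connect from ok.example.org[198.51.100.30]
Jan  7 10:05:03 mail postfix/smtps/smtpd[8899]: disconnect from ok.example.org[198.51.100.30] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
"""

LINE = re.compile(r"postfix/(?P<svc>[\w-]+)/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)")
DISC = re.compile(r"disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\] (?P<stats>.*)")

def classify(log_text):
    """Return (ip, verdict) for each smtpd session that logged error 0A000126."""
    pending = set()   # (service, pid) with an EOF warning not yet closed by a disconnect
    results = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key, msg = (m["svc"], m["pid"]), m["msg"]
        if "error:0A000126" in msg:
            pending.add(key)
            continue
        d = DISC.match(msg)
        if d and key in pending:
            pending.discard(key)  # smtpd PIDs are reused, so close the session here
            stats = dict(kv.split("=", 1) for kv in d["stats"].split())
            # Postfix logs "cmd=ok/total" when some attempts failed; take the ok count.
            ok = lambda k: stats.get(k, "0").split("/")[0] != "0"
            if stats.get("commands") == "0/0":
                verdict = "no-smtp-commands"       # dropped before any SMTP command
            elif ok("auth") and not ok("quit"):
                verdict = "authenticated-no-quit"  # real client that closed without QUIT
            else:
                verdict = "other"
            results.append((d["ip"], verdict))
    return results

def summary(log_text):
    """Count sessions per verdict, e.g. to compare against the daily warning total."""
    return Counter(verdict for _, verdict in classify(log_text))
```

Feeding the real mail log text to `summary()` shows how many of the daily warnings come from each group, which is the question the posts above are circling.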

Post by loocek »

I disabled the firewall on the server.
Then I captured a pcap.
Could you take a look at it? (attachment)

At 19:45:36 there was that error again (like in the Twin Peaks series... "it's happening again.......brrrrr" ;) )
Attachment: TLS-SMTP.pcap.tar.gz (6.96 KiB)

Post by JDunphy »

Looks like the Client is sending the RST's and terminating the connection abruptly.

I was looking at the time stamps and they are fairly close together with the entire start to finish in about 1.2 seconds. This is a port 465 client but we can't look any closer at the data because it's encrypted. As expected, the encryption negotiated correctly to TLS 1.3

The last TCP flags from the server were: FIN, ACK, PSH and the client comes back with a RST (Reset) and abruptly terminated the connection. This bypasses the usual TCP teardown (exchanging FIN and ACK).

My best guess is something upstream is in the middle or the client itself as the root cause.

You could also be running into that openssl 3.0 issue from a few years ago where various applications were seeing "unexpected eof while reading". I didn't follow this closely at the time but I thought I remember seeing postfix issue a patch in their mailing list after openssl added the SSL_OP_IGNORE_UNEXPECTED_EOF option. This is a big leap on my part because there is no data to validate this correlation other than not seeing the QUIT.

Ref: https://news.ycombinator.com/item?id=37474601

What did you think? Email is still being queued up and delivered correct?

Jim

Post by loocek »

I don't know what I should think about a potential issue with Postfix or openssl.
This is Ubuntu 18 so maybe the software is a little bit old? And has bugs? But Zimbra 8 is newest:
zimbra-openssl 3.0.9-1zimbra8.8b1.18.04
zimbra-postfix 3.6.1-1zimbra8.7b4.18.04

I don't know..

Does anybody have the same error in their Zimbra 8.8.15 FOSS?

postfix/smtps/smtpd[19907]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304:

And emails are being successfully sent anyway so... But I don't like these lots of errors in the log. Today about 4000.
Server is small, about 100 mail accounts.
liverpoolfcfan
Elite member
Posts: 1147
Joined: Sat Sep 13, 2014 12:47 am

Post by liverpoolfcfan »

Do an internet search for just

SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:304

- Perhaps all the hits will provide a reason for you.

Post by liverpoolfcfan »

By the way, we also run 8.8.15P47 but on Rocky 8, using LetsEncrypt certificates. These errors do not appear in our logs.