after 8.7 upgrade, emails getting queued VERY slowly

[eleith]

i noticed my emails were coming in slower than usual after the upgrade.

i jumped to zimbra admin and noticed for all emails that get sent, they get stuck in the queue for a bit with the message

Code: Select all

can not start tls handshake failure

after a few minutes, they seem to come through.

my first guess is that this has something to do with fully disabling SSLv3 in zimbra 8.7 (based on some light googling).

i still get most of my emails, but i have had some cases where people will get bounce backs and i'll never see their email.

any suggestions on how i can debug this further?

[eleith]

i have upgraded to zimbra 8.7.1 but my problems persist.

below is more information from zimbra.log in the hopes that someone can help me debug and resolve.

Code: Select all

Oct 27 16:07:33 **** postfix/lmtp[30071]: SSL_connect error to ****.com[127.0.0.1]:7025: -1
Oct 27 16:07:33 **** postfix/lmtp[30071]: warning: TLS library problem: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
Oct 27 16:07:33 **** postfix/smtp[29865]: BF44D660026: to=<****@****.com>, orig_to=<****@****.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.74, delays=0.11/0/0.01/0.62, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 789CA660058)
Oct 27 16:07:33 **** postfix/qmgr[20612]: BF44D660026: removed
Oct 27 16:07:33 **** postfix/dkimmilter/smtpd[29866]: disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Oct 27 16:07:33 **** postfix/lmtp[30071]: 789CA660058: to=<****@****.com>, relay=****.com[127.0.0.1]:7025, delay=0.02, delays=0.01/0/0.01/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)


this happens for every email that comes to my server. my read of the logs is that a connection to LMTP over ssl takes place, a failure takes place and the mail gets queued. sometime later it gets processed and it works.

thus, all incoming mail gets delayed by a few minutes on my server. i would like to avoid this behavior.

one thing i'm confused about is that i followed the instructions to disable SSLv3 on lmtp, smtp, and smtpd (and i can confirm in main.conf) so i don't know why sslv3 connection is trying to be established in the first place on lmtp (7025).

[eleith]

i've narrowed it down to the fact that zimbra has moved towards having lmtp use tls.

however, for some reason, the connection being tried is over SSLv3, that results in the handshake error, and since `lmtp_tls_security_level` is `may` it will defer, put it on the queue and try it again over non TLS and then it works.

if you change the value to `none` then things will be fast again.

so the question is narrowed down to

what options need to be set, to ensure lmtp uses TLS properly? (and avoid the tsl handshake failure due to zimbra recommendation of disabling SSLv3) ?

please note, i have followed the guides to disable SSLv3, so i'm quite surprised i ran into this bug.