SSL/TLS suddenly stopped working for postfix

Matt Mullins mokomull at
Fri Dec 30 22:01:36 UTC 2011

On Fri, Dec 30, 2011 at 8:53 AM, Mark <mark at> wrote:
> My apologies for the cross-posting but I believe it is relevant.

That's still typically frowned upon, IMHO.

>    I have been running postfix for 8+ months without problems.  Recently ( a
> week or two) I had a user complain that he could no longer send.  It appears
> that postfix is no longer accepting SSL/TLS connections.  STARTTLS is
> working on port 587 (and possibly 25, still testing)  I am trying to figure
> out why the change.
>    If I try and open an openssl connection manually, this is what I get:
> openssl s_client -connect
> CONNECTED(00000003)
> 44829:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:478:

This command starts speaking the SSL protocol immediately at the
beginning of the connection, which is wrong for STARTTLS cases.  You
need to do this instead:
  $ openssl s_client -connect -starttls smtp

The most common SSL-just-stops-working issue is that your certificate
expired.  Check that by looking for "Not After" in the output of:
  root at mailserver# openssl x509 -noout -text -in /path/to/server.crt
Matt Mullins

More information about the freebsd-questions mailing list