Fix QMAIL mail server - "warning: dropping connection, unable to SSL accept:protocol error" and why error occurs
Every time I have to modify something in a production QMAIL server
install, I end up with some kind of unexplainable problems which
create huge issues for clients. Once again I ended up with
errors after minor "innocent" modifications to a QMAIL that had been
working for more than a year ....
The last changes I made to the combined qmail install of Thibs,
QmailRocks were in the Daemontools qmail start-up files:
/var/qmail/supervise/qmail-smtpd/run
/var/qmail/supervise/qmail-smtpdssl/run
In both files I changed the variable SSL=0 to SSL=1.
After making the change I restarted qmail, tested sending emails and
all looked well. Therefore I thought all worked as usual, e.g.
e-mails were properly sent and respectively received by the mail
server....
So far so good, until just today, when I received an urgent phone call
in which my employer reported severe problems with receiving
emails.
Emails sent from Gmail or Yahoo to our mail server could not be
received, with some delivery failure errors ...
First I was a bit sceptical, hoping that maybe the reported errors
were not caused by the mail server, but after trying to send an
email to the mail server in question the reported problem proved
true.
As always with QMail errors, I checked what the logs say
about the problem, just to find in the
/var/log/qmail-smtpd/current log the following error:
@4000000050374a0e1a5dc374 sslserver: warning: dropping connection, unable to SSL accept:protocol error
I dug through almost all the primary forums, threads and blog posts
online but nowhere could I find anything meaningful as an explanation of
the error, so I was forced to look for a solution myself.
Obviously, there was an error with SSL, so my first thought was to
check if all was fine with the permissions of servercert.pem and
clientcert.pem. The permissions of the two files were as
follows:
ls -al /var/qmail/control/clientcert.pem
-rw-r----- 1 root qmail 2136 2011-10-10 13:23 /var/qmail/control/clientcert.pem
ls -al /var/qmail/control/servercert.pem
-rw-r--r-- 1 qmaild qmail 2311 2011-10-12 13:21 /var/qmail/control/servercert.pem
At first glimpse I was suspicious about the permissions of
/var/qmail/control/clientcert.pem but after checking on other Qmail
servers which worked just fine I was sure the problem was not rooted
in the clientcert.pem permissions.
As you can guess, another failure point I suspected was the previous
day's change of SSL=0 to SSL=1 in
/var/qmail/supervise/qmail-smtpd/run and
/var/qmail/supervise/qmail-smtpdssl/run. On that account, I
immediately reverted yesterday's setting back to SSL=0 and then
restarted QMAIL.
The usual way to restart qmail is via qmailctl, but since
qmailctl so often does not reload qmail's current settings, I also had to
refresh the running qmail binaries, both by stopping qmail with
qmailctl stop and through /etc/inittab, by commenting out the
line in it dealing with daemontools svscanboot.
Hence I first stopped all running qmail processes via the init
script:
# /usr/bin/qmailctl stop
Then I commented out the line:
SV:123456:respawn:/usr/bin/svscanboot
to:
#SV:123456:respawn:/usr/bin/svscanboot
Then I reloaded inittab with the command:
# /sbin/init q
Right afterwards I uncommented the commented line:
#SV:123456:respawn:/usr/bin/svscanboot
to:
SV:123456:respawn:/usr/bin/svscanboot
And loaded daemontools (svscanboot) via inittab by
issuing:
# /sbin/init q
Finally I had to start QMAIL processes:
# qmailctl restart
...
The change of the SSL svscanboot daemontools service script from SSL=0
to SSL=1, however, created other problems for clients, because any
existing clients which used encrypted connections to the SMTP server via
SSL encryption were rendered unable to send mails anymore, with error
messages like:
Cannot establish SSL with SMTP server xx.xxx.xxx.xxx:465, SSL_connect error 336031996.
To work around this issue I had to once again start SSL (set SSL=1)
in /var/qmail/supervise/qmail-smtpdssl/run and leave SSL switched
off for /var/qmail/supervise/qmail-smtpd/run.
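A way to check both run files for this before restarting, as an added example that is not part of the original post or of the Thibs/QmailRocks scripts: it reads the last uncommented SSL= line in each file and compares it with the working values above. The function names and the sample run files are made up for the demo.

```shell
#!/bin/sh
# Added example (not the post's own code): lint SSL= in the two daemontools
# run files before restarting qmail. Expected values are the post's final ones.

# Print the last uncommented SSL= assignment in a run file.
ssl_setting() {
    [ -r "$1" ] || { echo missing; return 0; }
    awk '
        /^[ \t]*#/ { next }                       # ignore commented-out lines
        { line = " " $0 }
        match(line, /[ \t;]SSL=[^ \t;]*/) {
            v = substr(line, RSTART, RLENGTH)
            sub(/^.*SSL=/, "", v)                 # keep only the value
            gsub(/[^0-9A-Za-z]/, "", v)           # drop quotes
            last = v
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# check_service DIR NAME WANT SYMPTOM: report a mismatch and what it causes.
check_service() {
    got=$(ssl_setting "$1/$2/run")
    [ "$got" = "$3" ] && { echo "OK   $2: SSL=$got"; return 0; }
    echo "FAIL $2: SSL=$got, expected SSL=$3 ($4)"
    return 1
}

# lint_qmail_ssl [DIR]: non-zero exit if either run file has the wrong value.
lint_qmail_ssl() {
    dir=${1:-/var/qmail/supervise}
    rc=0
    check_service "$dir" qmail-smtpd 0 \
        "incoming mail dropped: unable to SSL accept:protocol error" || rc=1
    check_service "$dir" qmail-smtpdssl 1 \
        "port 465 clients fail with SSL_connect error" || rc=1
    return $rc
}

# Demo on constructed run files that reproduce the broken state (SSL=1 in both).
demo=$(mktemp -d)
mkdir -p "$demo/qmail-smtpd" "$demo/qmail-smtpdssl"
printf '#!/bin/sh\n#SSL=0\nSSL=1\n' > "$demo/qmail-smtpd/run"
printf '#!/bin/sh\nSSL=1\n' > "$demo/qmail-smtpdssl/run"
lint_qmail_ssl "$demo" || echo "lint failed, do not restart qmail yet"
rm -rf "$demo"
```

Called without an argument, lint_qmail_ssl reads /var/qmail/supervise, so it can be run right before qmailctl stop.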
Even after making these changes, for about 20 minutes, though I restarted
QMAIL multiple times, qmail continued having issues with received
mails, with the shitty:
@4000000050374a0e1a5dc374 sslserver: warning: dropping connection, unable to SSL accept:protocol error
After multiple restarts the stupid server "magically" figured out
it should load my changed setting in qmail-smtpdssl/run (before it
finally worked I probably had to restart 20 times using qmailctl
stop; qmailctl start ....)
I've found it good practice to put a delay between the qmailctl
stop and qmailctl start commands, so in restarts I used a little 3 second
sleep in between, like so:
# qmailctl stop; killall -9 multilog; sleep 3; qmailctl start
Also killing multilog (killall -9 multilog) is good practice because
often, despite restarts, server logging is not refreshed
...
Something else that might be important is the AUTH settings in
qmail-smtpd/run and qmail-smtpdssl/run; in this finally working qmail
they are:
AUTH=1
REQUIRE_AUTH=0
ALLOW_INSECURE_AUTH=0
Hope this post helps someone solve the same crazy error ...
Cheers