Re: [exim] SSL routines:SSL23_GET_CLIENT_HELLO:unknown proto…

Top Page

Reply to this message
Author: web
Date:  
To: exim-users
Subject: Re: [exim] SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
HI

Since 8 days, I recive very strange errors in exim_mainlog:

Here are some recent examples:

2012-04-06 02:33:30 TLS error on connection from (localhost) [74.79.177.106]
(SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol
2012-04-06 02:34:46 TLS error on connection from (localhost)
[186.182.196.246] (SSL_accept): error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2012-04-06 02:35:32 TLS error on connection from (localhost) [173.21.9.179]
(SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
protocol
2012-04-06 02:36:02 TLS error on connection from (localhost)
[119.77.234.116] (SSL_accept): error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Everytime there is (localhost) [IP] connection scheme, and there is error
140760FC with the same message, while IPs in [...] are different.

My server accept TLS connections. I've checked many of IPs from such errors,
and all of them was some sort of dictionary attackers, open relay mail
servers etc. Also non of my users reported that they missed any emails.

I don't know if there is some sort of attack to my server? Is there any way
to know what domain they try to connect? I tried to tcpdump packed while
this error becames, and the only thing I found that they send QUIT very soon
after connection, this is something I catch on 25 port just before error
became:

02:19:04.416765 IP 201.231.132.235.cp-spxsvr > MY_SERVER_IP.smtp: Flags
[P.], seq 2509958694:2509958700, ack 3637536753, win 65182, length 6
0x0000: 4500 002e c092 4000 6a06 9611 c9e7 84eb E.....@.j.......
0x0010: b009 bb49 1119 0019 959a ee26 d8d0 67f1 ...I.......&..g.
0x0020: 5018 fe9e 7998 0000 5155 4954 0d0a P...y...QUIT..

Mike