The error message `SSL_accept error from unknown[client-ip]: lost connection` typically indicates a TLS handshake failure between Postfix and the mail client. Let's examine the key configuration elements:
```bash
# Verify certificate permissions
ls -l /etc/ssl/certs/mailcert.pem /etc/ssl/private/mail.key
# Check certificate validity
openssl x509 -in /etc/ssl/certs/mailcert.pem -text -noout
openssl rsa -in /etc/ssl/private/mail.key -check -noout
```
Your master.cf shows both submission (587) and smtps (465) ports enabled, but let's verify:
```bash
# Check listening ports (Postfix listening sockets belong to the "master" process)
netstat -tulnp | grep -E 'master|smtpd'
```
Update your main.cf with these recommended TLS parameters:
```
# Modern TLS configuration
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_ciphers = high
smtpd_tls_mandatory_ciphers = high
smtpd_tls_exclude_ciphers = aNULL, MD5, DES, 3DES
smtpd_tls_received_header = yes
```
Use OpenSSL to test the connection manually:
```bash
# Test 465 (SMTPS): implicit TLS, so no -starttls; the handshake begins immediately
openssl s_client -connect mail.myserver.com:465 -debug
# Test 587 (Submission): plaintext SMTP first, then STARTTLS
openssl s_client -connect mail.myserver.com:587 -starttls smtp -debug
```
For Thunderbird, these settings are crucial:
- Use "SSL/TLS" connection security for port 465
- Use "STARTTLS" for port 587
- Under Advanced config, try enabling "Allow insecure plaintext authentication" temporarily for testing
Even with UFW inactive, check other potential blockers:
```bash
# Check iptables rules
iptables -L -n -v
# Verify port accessibility from remote
nc -zv mail.myserver.com 465 587 25
```
For better security and compatibility, consider Let's Encrypt:
```bash
# Install certbot
sudo apt install certbot
sudo certbot certonly --standalone -d mail.myserver.com
```
```
# Update Postfix config
smtpd_tls_cert_file=/etc/letsencrypt/live/mail.myserver.com/fullchain.pem
smtpd_tls_key_file=/etc/letsencrypt/live/mail.myserver.com/privkey.pem
```
Increase TLS logging to pinpoint the exact failure point:
```
smtpd_tls_loglevel = 2
smtp_tls_loglevel = 2
```
When attempting to connect via Thunderbird to a Postfix/Dovecot setup with self-signed certificates, the mail.log shows critical SSL negotiation failures:
```
postfix/submission/smtpd[11439]: SSL_accept error from unknown[95.134.50.75]: lost connection
postfix/submission/smtpd[11439]: lost connection after CONNECT
```
The current Postfix configuration shows several important settings that need verification:
```
# TLS Settings in main.cf
smtpd_tls_cert_file=/etc/ssl/certs/mailcert.pem
smtpd_tls_key_file=/etc/ssl/private/mail.key
smtpd_tls_security_level = may
smtpd_tls_protocols = !SSLv2, !SSLv3
```
The observed behavior suggests network-level problems:
- Port 25 timeouts indicate possible ISP blocking (common for residential ISPs)
- Port 465 working confirms basic TCP connectivity
For submission service (port 587), ensure these parameters in master.cf:
```
# continuation lines must start with whitespace; a protocol list is either
# all exclusions or all inclusions, never a mix
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_wrappermode=no
  -o smtpd_tls_auth_only=yes
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
```
For self-signed certificates, ensure proper permissions and format:
```bash
# Check certificate chain
openssl x509 -in /etc/ssl/certs/mailcert.pem -text -noout
# Verify private key
openssl rsa -in /etc/ssl/private/mail.key -check
# Test SSL handshake (from client machine); 465 is implicit TLS, so no -starttls
openssl s_client -connect mail.example.com:465
```
When using self-signed certs in Thunderbird:
- Go to Account Settings > Server Settings
- Under Security Settings, select "SSL/TLS"
- Click "Advanced" and add exception for your certificate
Increase logging level for detailed troubleshooting:
```
# In /etc/postfix/main.cf:
smtpd_tls_loglevel = 2
smtp_tls_loglevel = 2
```
Check Dovecot authentication path:
```bash
# Verify auth socket exists
ls -la /var/spool/postfix/private/auth
```
Even with UFW inactive, check other potential blockers:
```bash
# Check iptables rules
iptables -L -n -v
# Verify SELinux status (if applicable)
getenforce
```
If issues persist, consider using Let's Encrypt certificates:
```bash
sudo certbot certonly --standalone -d mail.example.com
sudo postfix reload
```
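Both answers suggest testing the handshake by hand with `openssl s_client`. The script below is an added example (not from either answer) that does the same from the client side with Python's standard library, using implicit TLS on 465 and STARTTLS on 587/25 the way Thunderbird does, and maps the exception it gets back to the likely cause of the `lost connection` entry in mail.log. Host names are placeholders; `cafile` is only needed for a self-signed certificate you want to trust explicitly.

```python
import smtplib
import socket
import ssl

# Added example; host, port and cafile are supplied by the caller.

def classify_failure(exc):
    """Map a client-side exception to the likely server-side cause of 'lost connection'."""
    if isinstance(exc, ssl.SSLCertVerificationError):   # subclass of SSLError, test first
        return "certificate not trusted (self-signed or incomplete chain): add a CA or use Let's Encrypt"
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake rejected: protocol/cipher mismatch or wrong TLS mode for this port"
    if isinstance(exc, smtplib.SMTPNotSupportedError):
        return "server did not offer STARTTLS on this port: check smtpd_tls_security_level in master.cf"
    if isinstance(exc, (ConnectionResetError, smtplib.SMTPServerDisconnected)):
        return "server closed the connection: wrapper mode vs STARTTLS mismatch, or smtpd aborted the handshake"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "no answer: port filtered by a firewall or the ISP"
    if isinstance(exc, ConnectionRefusedError):
        return "nothing listening: check master.cf and the listening sockets"
    return "unclassified: %r" % (exc,)

def probe_smtp_tls(host, port, timeout=10, cafile=None):
    """Connect like a mail client would and report the negotiated session or a diagnosis."""
    ctx = ssl.create_default_context(cafile=cafile)   # verifies chain and hostname, as Thunderbird does
    try:
        if port == 465:
            # SMTPS wrapper mode: TLS starts before any SMTP banner is sent
            conn = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            # Submission (587) or SMTP (25): plaintext EHLO first, then upgrade with STARTTLS
            conn = smtplib.SMTP(host, port, timeout=timeout)
            conn.ehlo()
            conn.starttls(context=ctx)
        sock = conn.sock
        result = {"ok": True, "protocol": sock.version(), "cipher": sock.cipher()[0],
                  "peer": sock.getpeercert()}          # subject, issuer, notAfter, SANs
        conn.quit()
        return result
    except Exception as exc:
        return {"ok": False, "diagnosis": classify_failure(exc)}

if __name__ == "__main__":
    for port in (465, 587):
        print(port, probe_smtp_tls("mail.example.com", port))
```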