Postfix TLS Certificate Warning

I have been noticing the following error in my mail.log when Postfix receives an email.

SSL_accept error from domain.example.com [x.x.x.x] -1 warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1528:SSL alert number 46:

I am trying to understand what this means. It looks like there is a problem with a certificate. I believe I have sslv3 turned off in my configuration as it is referenced as !SSLv3. Could the sending entity be trying to use SSLv3? If so, does this mean that the message is not being sent over TLS? I do end up receiving the message regardless of the above error.

Thanks

Edit: Output from the openssl command. Sorry for the screenshots. I couldn't get the block quote to format correctly. Looks like it might not like my self-signed certificate?

[Screenshot: Part 1] [Screenshot: Part 2]


I am trying to understand what this means. It looks like there is a problem with a certificate.

Exactly. It means the other system, the one trying to connect to you to transfer mail, does not trust your certificate because it isn't issued by a trusted CA. Some senders don't enforce this -- i.e. may accept a self-signed cert -- but some do, and you are apparently getting one(s) that do(es). You have already diagnosed this on your own.

Could the sending entity be trying to use SSLv3?

No. The function name ssl3_read_bytes is because the same record format is used for all protocols from SSL3 up including TLS1.0-1.3, and thus the lower-level function first written for SSL3 is reused. (OTOH SSL2 used a different record format that is now completely obsoleted and forgotten.) The error text sslv3 alert certificate unknown is because this alert was first defined in SSL3 and like (nearly all) other alerts carried forward unchanged in higher protocols, whereas some other, newer alerts were added. Neither of these means the SSL3 protocol is being used.
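As an added illustration of the answer above (not code from the question or the answer), here is a small Python parser that decodes the "SSL alert number" in such mail.log entries into its TLS alert name and flags the ones where the remote sender rejected this server's certificate, so you can count them per sending host. The alert table follows RFC 5246/8446; the sample log lines are constructed, and the regex targets the one-line form as pasted in the question.

```python
import re
from collections import Counter

# TLS alert codes (RFC 5246 s7.2.2 / RFC 8446 s6.2) relevant to certificate handling.
ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 70: "protocol_version", 116: "certificate_required",
}
# Alerts the *peer* sends when it rejects the certificate this server presented.
CERT_REJECTION_ALERTS = {42, 43, 44, 45, 46, 48, 116}

# Matches the one-line form quoted in the question (Postfix usually logs it as two lines).
LINE_RE = re.compile(
    r"SSL_accept error from (?P<host>[\w.-]+) ?\[(?P<ip>[^\]]+)\].*?"
    r"error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:(?P<func>\w+):(?P<reason>[^:]+):"
    r".*?SSL alert number (?P<alert>\d+)"
)

def parse_tls_alert(line: str):
    """Decode one SSL_accept alert entry; return None for any other log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    alert = int(m["alert"])
    return {
        "host": m["host"], "ip": m["ip"],
        # 'ssl3_read_bytes' / 'sslv3 alert' name the shared record layer and where the
        # alert was first defined, not the protocol version that was negotiated.
        "func": m["func"], "reason": m["reason"].strip(),
        "alert": alert, "alert_name": ALERT_NAMES.get(alert, "unknown"),
        "peer_rejected_our_cert": alert in CERT_REJECTION_ALERTS,
    }

def rejections_by_sender(log_text: str) -> Counter:
    """Count certificate-rejection alerts per (sending host, alert name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_tls_alert(line)
        if rec and rec["peer_rejected_our_cert"]:
            counts[(rec["host"], rec["alert_name"])] += 1
    return counts

# Constructed sample log, not real traffic; the first entry mirrors the question.
SAMPLE_LOG = """\
SSL_accept error from domain.example.com [x.x.x.x] -1 warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:../ssl/record/rec_layer_s3.c:1528:SSL alert number 46:
SSL_accept error from other.example.net [192.0.2.10] -1 warning: TLS library problem: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:../ssl/record/rec_layer_s3.c:1528:SSL alert number 48:
connect from relay.example.org[198.51.100.5]
"""
```

Running rejections_by_sender over a real mail.log tells you which senders enforce chain validation, which is the population that will keep failing until the certificate is replaced by one from a CA they trust.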


It looks like the self-signed certificate was the problem. I created a free one using Let's Encrypt. Once I configured the server to use that one, that error went away.