Dear everyone,

s6-ucspitlsd/s6-tlsd-io seem to have an issue with STARTTLS.
I have the service:

#!/bin/execlineb -P
fdmove -c 2 1
fdmove 1 3
importas -i OLDPATH PATH
export PATH /var/qmail/bin/:${OLDPATH}
export KEYFILE /etc/ssl/letsencrypt/domain.key
export CERTFILE /etc/ssl/letsencrypt/signed_chain.crt
export TLS_UID 1011
export TLS_GID 1012
s6-envuidgid qmaild
backtick -E IP { s6-dnsip4 my.dns.com }
s6-tcpserver -v -c255 -1 -- ${IP} 25
s6-ucspitlsd -K30000 --
s6-applyuidgid -Uz --
smtpd-starttls-proxy-io
qmail-smtpd

When I test STARTTLS by running:

openssl s_client -debug -starttls smtp -tls1_2 -connect ${IP}:25

The logs say:

s6-tlsd-io: fatal: unable to tls_handshake:

The end of the relevant strace file says:

timer_settime(0, 0, {it_interval={tv_sec=0, tv_nsec=0}, it_value={tv_sec=30, tv_nsec=0}}, NULL) = 0
brk(0x5573be741000) = 0x5573be741000
read(0, "\26\3\1\5\357", 5) = 5
read(0, "\1\0\5\353\3\3\357W\362\3627\264\213\\\224\213\214\fj\3138\262\345p=L\274>q7v\263"..., 1519) = 1519
getpid() = 24505
getpid() = 24505
getpid() = 24505
getpid() = 24505
write(1, "\26\3\3\0z\2\0\0v\3\3\236\31\324\t\203[\363D>[BT\376\250\222.\20@\217\335x"..., 3694) = 3694
read(0, 0x5573be731883, 5) = -1 EAGAIN (Resource temporarily unavailable)
writev(2, [{iov_base="s6-tlsd-io: fatal: unable to tls"..., iov_len=45}, {iov_base=NULL, iov_len=0}], 2) = 45
exit_group(97) = ?
+++ exited with 97 +++

The openssl command itself prints no error.

I originally investigated this since other mail servers
have the same issue as my openssl invocation,
delaying mail transfers until they try without STARTTLS.

Does anyone have an idea why this happens or is this a bug in s6-ucspitlsd/s6-tlsd-io?

Best regards,
Paul
Received on Wed Dec 03 2025 - 22:23:12 CET
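
To read the strace buffers quoted in the message above, the following added example (not part of the original message and not s6-networking code) decodes strace's escaped strings and the TLS record and handshake headers they start with. The constant names and the describe() helper are made up for illustration, and only the leading bytes visible in the trace are used.

```python
import re

# Leading bytes copied from the strace lines in the message above; strace
# truncated the buffers, so only the headers are decoded here.
CLIENT_READS = r"\26\3\1\5\357" + r"\1\0\5\353\3\3"   # the two read(0, ...) calls
SERVER_WRITE = r"\26\3\3\0z\2\0\0v\3\3"               # start of write(1, ...)

_ESC = {"n": 10, "t": 9, "r": 13, "f": 12, "v": 11, "\\": 92, '"': 34}
_TOKEN = re.compile(r'\\([0-7]{1,3})|\\x([0-9a-fA-F]{2})|\\([ntrfv\\"])|(.)', re.S)

CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate"}
VERSION = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def strace_unescape(text):
    """Convert a strace-quoted string (octal, \\x and C escapes) to bytes."""
    out = bytearray()
    for octal, hexa, simple, literal in _TOKEN.findall(text):
        if octal:
            out.append(int(octal, 8) & 0xFF)
        elif hexa:
            out.append(int(hexa, 16))
        elif simple:
            out.append(_ESC[simple])
        else:
            out += literal.encode("latin-1")
    return bytes(out)

def describe(escaped):
    """Decode the 5-byte TLS record header and, for handshake records,
    the 4-byte handshake header plus the 2-byte legacy version after it."""
    data = strace_unescape(escaped)
    if len(data) < 5:
        raise ValueError("need at least a full record header")
    info = {
        "content": CONTENT.get(data[0], hex(data[0])),
        "record_version": VERSION.get((data[1], data[2]), "unknown"),
        "record_length": int.from_bytes(data[3:5], "big"),
    }
    if data[0] == 22 and len(data) >= 11:
        info["handshake"] = HANDSHAKE.get(data[5], hex(data[5]))
        info["handshake_length"] = int.from_bytes(data[6:9], "big")
        info["hello_version"] = VERSION.get((data[9], data[10]), "unknown")
    return info

if __name__ == "__main__":
    for name, buf in (("client -> server", CLIENT_READS), ("server -> client", SERVER_WRITE)):
        print(name, describe(buf))
```

Decoded this way, the two reads are one complete 1519-byte handshake record carrying a ClientHello, and the 3694-byte write begins with a ServerHello record. The trace then ends at the next read() on fd 0 returning EAGAIN.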