Bug#913129: openssl: TLS error (error 403 4.7.0 TLS handshake failed in sendmail logs)

Wed, 07 Nov 2018 02:34:11 -0800 

Package: openssl
Version: 1.1.1-2
Severity: important

Dear Maintainer,

Last saturday, I have upgraded my testing server. This server acts as a mail
server running sendmail.

With stable openssl package, my server ran fine. With new package, sendmail
returns the obvious message :

dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed

I have removed TLS from SMTP configuration (Try_TLS: NO in /etc/mail/access) but
some MX requires TLS and I'm unable to send message to several MX. For rexample
orange.fr :

Nov  7 09:17:31 rayleigh sm-mta[10148]: ruleset=try_tls, 
arg1=smtp-in.orange.fr, relay=smtp-in.orange.fr, reject=550 5.7.1 
<x...@orange.fr>... do not try TLS with smtp-in.orange.fr [80.12.242.9]
Nov  7 09:17:31 rayleigh sm-mta[10148]: wA68PQwK006059: to=<x...@orange.fr>, 
delay=23:52:05, xdelay=00:00:01, mailer=esmtp, pri=77460547, 
relay=smtp-in.orange.fr. [80.12.242.9], dsn=5.0.0, stat=Service unavailable

Second constatation : I use a patch (from sendmail 8.16) that allow sendmail to
automatically disable TLS when 4.7.0 error occurs.

With stable openssl, when sendmail tries to send message, SMTP always receives :
... dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.

With testing package, sendmail randomly receives :
... dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed
or
... dsn=4.0.0, stat=Deferred

        Of course, I have read openssl installation instructions, but I haven't
        found any workaround.

        If I downgrade openssl to openssl_1.1.0f-3+deb9u2_amd64.deb, sendmail 
runs
        as expected.

        Best regards,

        JKB

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 
'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssl depends on:
ii  libc6      2.27-8
ii  libssl1.1  1.1.1-2

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20170717

-- no debconf information

Reply via email to