Hello, a user of my mail gateway got the following message while trying to send a message to <recipie...@recipdomain.tld>,<recipie...@recipdomain.tld>:

----- Original Message -----
From: "Mail Delivery Subsystem" <mailer-dae...@recipserver.tld>
To: <sen...@senddomain.tld>
Sent: Tuesday, July 07, 2009 12:52 AM
Subject: Warning: could not send message for past 4 hours

> **********************************************
> ** THIS IS A WARNING MESSAGE ONLY **
> ** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
> **********************************************
>
> The original message was received at Mon, 6 Jul 2009 15:30:05 +0200
> from myserver.mydomain.tld [xxx.yyy.www.zzz]
>
> ----- Transcript of session follows -----
> <recipie...@recipdomain.tld>,<recipie...@recipdomain.tld>... Deferred: 403 4.7.0 TLS handshake failed.
> Warning: message still undelivered after 4 hours
> Will keep trying until message is 4 days old
. . .

The recipient 'recipserver.tld' runs Sendmail:

# telnet aaa.bbb.ccc.ddd 25
Trying aaa.bbb.ccc.ddd...
Connected to aaa.bbb.ccc.ddd.
Escape character is '^]'.
220 recipserver.tld ESMTP Sendmail 8.14.3/8.14.3; Thu, 9 Jul 2009 09:53:50 +0200

Meanwhile I checked that my server supports TLS (:-O):

# postconf -d | grep tls
lmtp_enforce_tls = no
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_starttls_timeout = 300s
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_cert_file =
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_fingerprint_cert_match =
lmtp_tls_fingerprint_digest = md5
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_scert_verifydepth = 9
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject} {cert_issuer}
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtpd_client_new_tls_session_rate_limit = 0
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_starttls_timeout = 300s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
tls_daemon_random_bytes = 32
tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL
tls_random_bytes = 32
tls_random_exchange_name = ${data_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom

Basically, I can't figure out why a TLS communication is attempted. Beyond that, I can't figure out who tries to start the communication over TLS.

For the latter question I fear that it is my mail gateway, and for this reason I would like to know whether it is possible to disable TLS when there is the need to communicate with 'recipserver.tld'. Could I disable TLS with whatever server my mail gateway starts to communicate with (i.e. acting as client), or could this cause problems or limitations? Or, on the other side, is it the server that should not try to start communication over TLS when it has to talk with my server?

Thanks in advance for any clarification about this situation.

Thanks,
rocsca
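As an added example (not code from the original post), the following keeps opportunistic TLS as the Postfix default and switches STARTTLS off only for the destinations named in the thread, with a small shell function that mirrors the policy-table lookup order. It assumes Postfix 2.3 or later, where smtp_tls_policy_maps exists, and reuses the post's placeholder hostnames recipserver.tld and recipdomain.tld.

```shell
#!/bin/sh
# Added example, not from the original post: limit the "no TLS" exception to the
# destinations named in the thread instead of turning TLS off for every outbound
# session. Assumes Postfix 2.3 or later (smtp_tls_policy_maps) and the placeholder
# hostnames recipserver.tld / recipdomain.tld used in the post.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed main.cf fragment: opportunistic TLS stays the default (may) and
# per-destination exceptions live in a lookup table.
cat > "$WORK/main.cf.fragment" <<'EOF'
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_loglevel = 1
EOF

# Constructed /etc/postfix/tls_policy. Keys are next-hop destinations; a key
# with a leading dot also matches subdomains. "none" means: never send STARTTLS
# to this destination. Build it with: postmap /etc/postfix/tls_policy
cat > "$WORK/tls_policy" <<'EOF'
recipserver.tld      none
.recipdomain.tld     none
example.org          encrypt
EOF

# tls_policy_for DOMAIN: mirrors the lookup order Postfix uses for a plain
# domain next-hop: the exact name first, then each parent domain with a leading
# dot. Prints the level, or "may" (the global default above) when nothing matches.
tls_policy_for() {
    dest=$1
    key=$1
    while :; do
        level=$(awk -v k="$key" '$1 == k { print $2; exit }' "$WORK/tls_policy")
        if [ -n "$level" ]; then
            printf '%s\n' "$level"
            return 0
        fi
        case $dest in
            *.*) dest=${dest#*.}; key=".$dest" ;;
            *)   printf '%s\n' may; return 0 ;;
        esac
    done
}

# Quick check of the table against the hosts from the post.
for d in recipserver.tld mail.recipdomain.tld smtp.example.org; do
    printf '%-24s %s\n' "$d" "$(tls_policy_for "$d")"
done
```

Note that postconf -d prints compiled-in defaults, while postconf -n lists only the settings actually set in main.cf, which is what decides whether the gateway offers or requests STARTTLS. With smtp_tls_loglevel = 1 a failed handshake on the gateway's own outbound sessions is recorded in its mail log, so the two sides of the question can be told apart there.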