Hello,
a user of my mail gateway has got the following messages while have
tried to send a message to
<recipie...@recipdomain.tld>,<recipie...@recipdomain.tld>:
----- Original Message -----
From: "Mail Delivery Subsystem" <mailer-dae...@recipserver.tld>
To: <sen...@senddomain.tld>
Sent: Tuesday, July 07, 2009 12:52 AM
Subject: Warning: could not send message for past 4 hours
> **********************************************
> ** THIS IS A WARNING MESSAGE ONLY **
> ** YOU DO NOT NEED TO RESEND YOUR MESSAGE **
> **********************************************
>
> The original message was received at Mon, 6 Jul 2009 15:30:05 +0200
> from myserver.mydomain.tld [xxx.yyy.www.zzz]
>
> ----- Transcript of session follows -----
> <recipie...@recipdomain.tld>,<recipie...@recipdomain.tld>...
Deferred: 403 4.7.0 TLS handshake failed.
> Warning: message still undelivered after 4 hours
> Will keep trying until message is 4 days old
>
.
.
.
The recipient 'recipserver.tld' runs Sendmail:
# telnet aaa.bbb.ccc.ddd 25
Trying aaa.bbb.ccc.ddd...
Connected to aaa.bbb.ccc.ddd.
Escape character is '^]'.
220 recipserver.tld ESMTP Sendmail 8.14.3/8.14.3; Thu, 9 Jul 2009
09:53:50 +0200
While I mind up that my server support TLS: (:-O) :
# postconf -d | grep tls
lmtp_enforce_tls = no
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options =
$lmtp_sasl_tls_security_options
lmtp_starttls_timeout = 300s
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_cert_file =
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_fingerprint_cert_match =
lmtp_tls_fingerprint_digest = md5
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = SSLv3, TLSv1
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_scert_verifydepth = 9
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject}
{cert_issuer}
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options =
$smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = SSLv3, TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = no
smtpd_client_new_tls_session_rate_limit = 0
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_starttls_timeout = 300s
smtpd_tls_CAfile =
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = no
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file =
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_exclude_ciphers =
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_loglevel = 0
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = SSLv3, TLSv1
smtpd_tls_received_header = no
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = no
tls_daemon_random_bytes = 32
tls_export_cipherlist = ALL:+RC4:@STRENGTH
tls_high_cipherlist = ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_low_cipherlist = ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL
tls_random_bytes = 32
tls_random_exchange_name = ${data_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
Basically, I can't figure out why a TLS communication is attempted.
After this, I can't figure out who try to start the comunication over
TLS.
For my latter question I fear that is my mail gateway, and just for this
I would like to know if is it possible to disable TLS while there is the
needing to communicate with 'recipserver.tld'.
Could I disable the TLS with wathever server my mail gateway starts to
communicate (i.e.: acting as client) or this can causes problems or
limitation? Or, on the other side, is the server that has not to try to
start communication over TLS while has to to talk with my server?
Thanks in advance for all clarification about this situation.
Thanks,
rocsca
