eric thanks for your reply

these are the responses

to the mx of hpe.com

[root@ns1 domains]# openssl s_client -starttls smtp -no_ssl3 -no_ssl2 -cipher "AES256-SHA" -connect 15.233.44.29:25
CONNECTED(00000003)

to the mx of dbschenker.com

[root@ns1 domains]# openssl s_client -starttls smtp -no_ssl3 -no_ssl2 -cipher "AES256-SHA" -connect 62.180.229.52:25
CONNECTED(00000003)

shall i replace the tlsciphers and check out ?

rajesh

----- Original Message -----
From: Eric Broch [mailto:ebr...@whitehorsetc.com]
To: qmailtoaster-list@qmailtoaster.com
Sent: Mon, 3 Apr 2017 21:49:05 -0600
Subject:

Hi Rajesh,

Could you test something like this from qmail host:

openssl s_client -starttls smtp -no_ssl3 -no_ssl2 -cipher "AES256-SHA" -connect a...@domain.com:25

BTW these are the ciphers on my COS 6 host:

DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:KRB5-IDEA-CBC-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA

Eric

On 4/3/2017 8:23 PM, Rajesh M wrote:
> hi
>
> os ; centos 6
> qmailtoaster, spamassassin, mysql, dovecot, clam
>
> we are suddenly receiving TLS connect failed: timed out error on all our
> servers running qmail
>
> when emails are sent by our customer to the following domains hp.com,
> hpe.com, dbschenker.com, kamyn.co.ke
>
> the authentication by the customer is done correctly, email gets sent from
> the email client of the customer and emails recd by the server. however the
> mail lies in the queue till finally it bounces back to the sender with the
> message TLS connect failed.
>
> 2017-04-03 15:21:40.916522500 bounce msg 4468196 qp 33696
> 2017-04-03 15:21:40.916589500 end msg 4468196
> 2017-04-03 15:01:34.006986500 starting delivery 56232: msg 4468196 to remote
> a...@hpe.com
> 2017-04-03 15:21:40.869716500 delivery 56232: failure:
> TLS_connect_failed:_timed_out;_connected_to_15.241.48.71./I'm_not_going_to_try_again;
> _this_message_has_been_in_the_queue_too_long./
> 2017-04-03 15:01:34.007035500 starting delivery 56233: msg 4468196 to remote
> xxx...@hpe.com
> 2017-04-03 15:21:40.851782500 delivery 56233: failure:
> TLS_connect_failed:_timed_out;_connected_to_15.241.48.71./I'm_not_going_to_try_again;
> _this_message_has_been_in_the_queue_too_long./
> 2017-04-03 15:01:34.007150500 starting delivery 56234: msg 4468196 to remote
> dfdf...@hpe.com
> 2017-04-03 15:21:40.876609500 delivery 56234: failure:
> TLS_connect_failed:_timed_out;_connected_to_15.241.48.71./I'm_not_going_to_try_again;
> _this_message_has_been_in_the_queue_too_long./
>
> this is happening since the last 10 days. There are no error details in the
> qmail logs.
>
> however emails sent from two of our window servers using mailenable, go
> through correctly to these domains.
>
> we have not changed anything on our qmail servers and all servers are
> identical in config.
>
> so it seems that there is common issue between all our qmail servers.
>
> our ssl certificates are the self signed ones (validity 10 years) created
>
> openssl genrsa -out x.key 2048
> openssl req -new -key x.key -out x.csr
> openssl x509 -req -days 36500 -in x.csr -signkey x.key -out x.crt
> cat x.crt x.key > fqdn.crt
>
> tlsciphers file
>
> DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5
>
> could somebody help please
>
> rajesh
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com

--
Eric Broch, IMSO, DAM, NGOO, DITH, URTS
White Horse Technical Consulting (WHTC)
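The tlsciphers value posted in the original message can be audited by name before deciding whether to replace it. The script below is an added example, not part of the thread: it labels each unique entry and counts ECDHE and GCM suites. The labels are a judgement from the cipher name alone, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an OpenSSL cipher string by name (not code from the thread).

# tlsciphers value exactly as posted in the original message (duplicates included).
POSTED='DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:KRB5-DES-CBC3-MD5:KRB5-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:RC2-CBC-MD5:KRB5-RC4-MD5:KRB5-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:KRB5-DES-CBC-MD5:KRB5-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC4-SHA:EXP-RC4-MD5:EXP-RC4-MD5'

# Map one cipher name to a coarse label; the first matching pattern wins.
classify() {
  case "$1" in
    EXP-*)         echo export ;;  # export-grade suites
    *RC4*)         echo rc4 ;;
    *RC2*)         echo rc2 ;;
    *DES-CBC3*)    echo 3des ;;
    *DES-CBC-*)    echo des ;;     # single DES
    ADH-*|AECDH-*) echo anon ;;    # anonymous key exchange, no server authentication
    *-MD5)         echo md5 ;;
    *)             echo other ;;   # not flagged by name; still needs review
  esac
}

# Print "label cipher" for every unique entry of a colon-separated list.
audit() {
  printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d' | sort -u |
  while IFS= read -r c; do
    printf '%s %s\n' "$(classify "$c")" "$c"
  done
}

# Count unique entries carrying a given label.
count_label() {
  audit "$1" | awk -v l="$2" '$1 == l { n++ } END { print n + 0 }'
}

# Count unique entries whose name matches a regex (e.g. ^ECDHE- or GCM).
count_name() {
  audit "$1" | awk -v re="$2" '$2 ~ re { n++ } END { print n + 0 }'
}

# One line per label with its count.
summary() {
  audit "$1" | awk '{ n[$1]++ } END { for (l in n) print l, n[l] }' | sort
}

summary "$POSTED"
```

The same functions can be run over a candidate replacement list, such as the output of `openssl ciphers` on the host, before the file is swapped in.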