Bug#707049: bugs.debian.org: tls cert on bugs-master.debian.org for a different hostname
I see this problem too -- ironically from a freshly installed wheezy system running sendmail. Syslog:

201 2013-05-16T09:00:24.888014+02:00 duva sm-mta 19115 - - STARTTLS=client, error: connect failed=0, SSL_error=5, errno=0, retry=-1
211 2013-05-16T09:00:24.888257+02:00 duva sm-mta 19115 - - ruleset=tls_server, arg1=SOFTWARE, relay=bugs-master.debian.org, reject=403 4.7.0 TLS handshake failed.
221 2013-05-16T09:00:24.888318+02:00 duva sm-mta 19115 - - r4G70JEv019092: to=702...@bugs.debian.org, delay=00:00:04, xdelay=00:00:02, mailer=esmtp, pri=150610, relay=bugs-master.debian.org. [140.211.166.26], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.

The attempts and failures happen repeatedly, and the mail is stuck in the queue:

r4G70JEv019092      224 Thu May 16 09:00 si...@josefsson.org
                 (Deferred: 403 4.7.0 TLS handshake failed.)
                                         702...@bugs.debian.org

Sendmail doesn't seem able to recover (like postfix did), so it just retries the delivery and TLS handshake and never falls back to non-TLS. Thus, I can't seem to get any emails through to bugs.debian.org without the following in /etc/mail/access and running 'make' in /etc/mail:

Try_TLS:master.debian.org       NO
Try_TLS:bugs-master.debian.org  NO

/Simon

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#707049: bugs.debian.org: tls cert on bugs-master.debian.org for a different hostname
Package: bugs.debian.org
Severity: normal

Dear Maintainer,

When sending a bug, the mail gets sent to the MX bugs-master.debian.org. The exim handling port 25 on that box has a TLS cert with CN=buxtehude.debian.org. AFAICT there also is no subjectAltName extension for bugs-master.debian.org. This prevents the use of TLS with at least some MTAs (I use postfix):

:; egrep /smtp'\[' /var/log/mail.log
May  7 06:23:18 localhost postfix/smtp[19450]: SSL_connect error to bugs-master.debian.org[140.211.166.26]:25: Connection reset by peer
May  7 06:23:18 localhost postfix/smtp[19450]: 252371001CE: Cannot start TLS: handshake failure
May  7 06:23:18 localhost postfix/smtp[19450]: Host offered STARTTLS: [bugs-master.debian.org]
May  7 06:23:19 localhost postfix/smtp[19450]: 252371001CE: to=707...@bugs.debian.org, relay=bugs-master.debian.org[140.211.166.26]:25, delay=454, delays=453/0.04/0.95/0.45, dsn=2.0.0, status=sent (250 OK id=1UZbJQ-5W-5M)

As you can see, the mail got sent, but without TLS.

If you want the MX for bugs.d.o to be bugs-master.d.o, then that SHOULD be the mailname of the box the bugs-master.d.o A record resolves to, and the TLS cert SHOULD have that name either in CN or subjectAltName. Or, the actual mailname and CN should be specified in the MX RR.

Try running:

:; gnutls-cli -p 25 --starttls bugs-master.debian.org

to see why the TLS handshake failed above.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
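The mismatch the report describes (cert CN=buxtehude.debian.org, no subjectAltName, MX name bugs-master.debian.org) can be checked the way a client MTA checks it. The script below is an added example, not code from the bug report or from the Debian BTS; the names REPORTED_CERT, cert_matches_host and probe_mx are mine, the sample cert dict is constructed from the report's description, and the live probe assumes Python's smtplib/ssl behaviour (a chain that is not trusted raises ssl.SSLCertVerificationError, which is itself a finding).

```python
"""Added example (not from the bug report): check whether the certificate an
MX presents on STARTTLS matches the name the MX record points at. Matching
follows RFC 6125: subjectAltName dNSName entries take precedence, the subject
CN is only a fallback when no dNSName exists, and a wildcard replaces exactly
one leftmost label.
"""
import smtplib
import ssl
import sys

# Constructed stand-in for the cert described in the report: CN only,
# no subjectAltName, so it can only match buxtehude.debian.org.
REPORTED_CERT = {"subject": ((("commonName", "buxtehude.debian.org"),),)}


def _name_match(pattern: str, name: str) -> bool:
    """Match one DNS name against a pattern that may begin with '*.'."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    # the wildcard covers one leftmost label only, never a whole suffix
    if len(p_labels) != len(n_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """cert uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:  # once dNSName SANs exist, the CN must be ignored
        return any(_name_match(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_match(value, hostname)
    return False


def probe_mx(hostname: str, port: int = 25, timeout: float = 15.0) -> dict:
    """STARTTLS to the MX and return its leaf cert as a getpeercert() dict."""
    ctx = ssl.create_default_context()  # chain is still verified
    ctx.check_hostname = False  # only the name check is deferred to us
    with smtplib.SMTP(hostname, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "bugs-master.debian.org"
    cert = probe_mx(host) if len(sys.argv) > 1 else REPORTED_CERT
    print(host, "OK" if cert_matches_host(cert, host) else "MISMATCH")
```

Run without arguments it evaluates the constructed cert offline; given an MX hostname it performs the live STARTTLS probe instead.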