Re: sendmail TLS errors
On Sat, Jan 28, 2012, Peter Fraser wrote:
> It would have been nice if sendmail falls back to a none TLS connection if the
> handshake occurs.

See the RFC about STARTTLS for why this isn't possible within a single session. Hence the MTA would have to "remember" that TLS failed before and not try it in a subsequent session. That's not exactly trivial with sm8: the information has to be stored somewhere, there has to be some decision about which kinds of errors actually cause avoiding TLS, how often an error should occur before doing so, when an error condition should "time out", etc. All of this has to work together with any TLS related requirements specified in the access map and other delivery decisions.
Re: sendmail TLS errors
Thanks, particularly for the
Try_TLS:rci.rcimx.net NO

In fact I had to use
Try_TLS:rcimx.net NO
Try_TLS:securence.com NO
to get all the ones that I know about.

-----Original Message-----
From: Philip Guenther [mailto:guent...@gmail.com]
Sent: Saturday, February 04, 2012 1:53 AM
To: Peter Fraser
Cc: misc@openbsd.org
Subject: Re: sendmail TLS errors

On Sat, Jan 28, 2012 at 1:59 PM, Peter Fraser wrote:
> I am getting the following errors, with sendmail (Openbsd 5.0 and
> errors were there for 4.9 as well)
...
> Jan 28 16:34:51 mail sm-mta[372]: STARTTLS=client:
> 372:error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls
> invalid ecpointformat
> list:/usr/src/lib/libssl/ssl/../src/ssl/t1_lib.c:1470:
...
> From peering around with google these seem to come from an error in
> ssl. I assume that it is edgewave.com.mx1.rci.rcimx.net that has the
> error, not OpenBSD 5.0 but none the less I cannot send email to this
> site, with TLS enabled.

This was a bug in the EC point extension support in OpenSSL versions before 1.0.0c, including the version in OpenBSD 5.0. It's fixed in the version of OpenSSL that's been imported since then for OpenBSD 5.1.

> It my surprise I found that not configuring TLS on sendmail.mc only
> turns it off for receiving not sending.

That's true. There's a fundamental asymmetry to SSL/TLS, where servers have to be configured with certs and such but clients require nothing. My reading of the history of the design of SSL is that that was intentional.

So, how do you turn TLS client support off completely in sendmail? The easiest method is probably to use LOCAL_TRY_TLS in your .mc file to define a try_tls ruleset that always returns NO.

> The only way I can find to turn it off for sending is by adding
>
> Try_TLS:edgewave.com.mx1.rci.rcimx.net NO
> Try_TLS:edgewave.com.mx2.rci.rcimx.net NO
> Try_TLS:edgewave.com.mx3.rci.rcimx.net NO
> Try_TLS:edgewave.com.mx4.rci.rcimx.net NO
>
> to sendmail's map access database.

That looks correct. You could also apply that to the entire rci.rcimx.net domain with a single entry:
Try_TLS:rci.rcimx.net NO

> It would have been nice if sendmail falls back to a none TLS
> connection if the handshake occurs.

Well, the handshake also fails whenever an attacker interferes with the connection. A "revert to insecure when attacked" behavior makes you secure except when it matters.

Philip Guenther
Re: sendmail TLS errors
On Sat, Jan 28, 2012 at 1:59 PM, Peter Fraser wrote:
> I am getting the following errors, with sendmail (Openbsd 5.0 and errors were
> there for 4.9 as well)
...
> Jan 28 16:34:51 mail sm-mta[372]: STARTTLS=client: 372:error:1411809D:SSL
> routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat
> list:/usr/src/lib/libssl/ssl/../src/ssl/t1_lib.c:1470:
...
> From peering around with google these seem to come from an error in ssl. I
> assume that it is edgewave.com.mx1.rci.rcimx.net that has the error, not
> OpenBSD 5.0
> but none the less I cannot send email to this site, with TLS enabled.

This was a bug in the EC point extension support in OpenSSL versions before 1.0.0c, including the version in OpenBSD 5.0. It's fixed in the version of OpenSSL that's been imported since then for OpenBSD 5.1.

> It my surprise I found that not configuring TLS on sendmail.mc only turns it
> off for receiving not sending.

That's true. There's a fundamental asymmetry to SSL/TLS, where servers have to be configured with certs and such but clients require nothing. My reading of the history of the design of SSL is that that was intentional.

So, how do you turn TLS client support off completely in sendmail? The easiest method is probably to use LOCAL_TRY_TLS in your .mc file to define a try_tls ruleset that always returns NO.

> The only way I can find to turn it off for sending is by adding
>
> Try_TLS:edgewave.com.mx1.rci.rcimx.net NO
> Try_TLS:edgewave.com.mx2.rci.rcimx.net NO
> Try_TLS:edgewave.com.mx3.rci.rcimx.net NO
> Try_TLS:edgewave.com.mx4.rci.rcimx.net NO
>
> to sendmail's map access database.

That looks correct. You could also apply that to the entire rci.rcimx.net domain with a single entry:
Try_TLS:rci.rcimx.net NO

> It would have been nice if sendmail falls back to a none TLS connection if the
> handshake occurs.

Well, the handshake also fails whenever an attacker interferes with the connection. A "revert to insecure when attacked" behavior makes you secure except when it matters.

Philip Guenther
sendmail TLS errors
I am getting the following errors, with sendmail (OpenBSD 5.0, and the errors were there for 4.9 as well):

Jan 28 16:34:48 mail sm-mta[24871]: starting daemon (8.14.5): SMTP+queueing@00:30:00
Jan 28 16:34:51 mail sm-mta[372]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
Jan 28 16:34:51 mail sm-mta[372]: STARTTLS=client: 372:error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat list:/usr/src/lib/libssl/ssl/../src/ssl/t1_lib.c:1470:
Jan 28 16:34:51 mail sm-mta[372]: STARTTLS=client: 372:error:14092113:SSL routines:SSL3_GET_SERVER_HELLO:serverhello tlsext:/usr/src/lib/libssl/ssl/../src/ssl/s3_clnt.c:945:
Jan 28 16:34:51 mail sm-mta[372]: ruleset=tls_server, arg1=SOFTWARE, relay=edgewave.com.mx1.rci.rcimx.net, reject=403 4.7.0 TLS handshake failed.

From peering around with google these seem to come from an error in ssl. I assume that it is edgewave.com.mx1.rci.rcimx.net that has the error, not OpenBSD 5.0, but none the less I cannot send email to this site with TLS enabled.

To my surprise I found that not configuring TLS in sendmail.mc only turns it off for receiving, not sending. The only way I can find to turn it off for sending is by adding

Try_TLS:edgewave.com.mx1.rci.rcimx.net NO
Try_TLS:edgewave.com.mx2.rci.rcimx.net NO
Try_TLS:edgewave.com.mx3.rci.rcimx.net NO
Try_TLS:edgewave.com.mx4.rci.rcimx.net NO

to sendmail's map access database. The addresses belong to an email company that handles email for other companies. I know of 5 companies that I cannot send to. You can try this yourself by sending email to x...@redcondor.com. The email doesn't exist, but the connection is dropped before anyone discovers that xxx is not valid.

It would have been nice if sendmail falls back to a non-TLS connection if the handshake occurs. As it is I have to watch the maillog to identify which mail is being blocked and add the resulting address to the access map.
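The manual workflow described in the original post (watch the maillog, add a Try_TLS entry for each relay whose handshake failed) and Philip's suggestion to collapse the edgewave.com.mxN hosts into one rci.rcimx.net entry, as an added example that is not part of this thread: a small Python script that pulls the relay names out of the sm-mta "ruleset=tls_server ... TLS handshake failed" lines and prints the matching access-map lines. The sample log is constructed from the lines quoted in the thread plus a made-up mx.example.org host; the grouping depth (three labels) and the tab between key and value are assumptions, not sendmail requirements.

```python
import re

# Constructed sample, modelled on the sm-mta lines quoted in this thread (not a real log).
SAMPLE_LOG = """\
Jan 28 16:34:48 mail sm-mta[24871]: starting daemon (8.14.5): SMTP+queueing@00:30:00
Jan 28 16:34:51 mail sm-mta[372]: STARTTLS=client, error: connect failed=-1, SSL_error=1, errno=0, retry=-1
Jan 28 16:34:51 mail sm-mta[372]: ruleset=tls_server, arg1=SOFTWARE, relay=edgewave.com.mx1.rci.rcimx.net, reject=403 4.7.0 TLS handshake failed.
Jan 28 16:40:02 mail sm-mta[401]: ruleset=tls_server, arg1=SOFTWARE, relay=edgewave.com.mx2.rci.rcimx.net, reject=403 4.7.0 TLS handshake failed.
Jan 28 16:41:10 mail sm-mta[455]: ruleset=tls_server, arg1=SOFTWARE, relay=mx.example.org, reject=403 4.7.0 TLS handshake failed.
"""

# Matches only the line sendmail logs when the outbound STARTTLS handshake itself
# fails (arg1=SOFTWARE); other tls_server rejections are deliberately left alone.
HANDSHAKE_FAIL = re.compile(
    r"ruleset=tls_server, arg1=SOFTWARE, relay=(?P<relay>[^,\s]+), "
    r"reject=403 4\.7\.0 TLS handshake failed"
)

def failed_relays(log_text):
    """Hostnames (first-seen order, no duplicates) whose TLS handshake failed."""
    seen = []
    for line in log_text.splitlines():
        m = HANDSHAKE_FAIL.search(line)
        if m and m.group("relay") not in seen:
            seen.append(m.group("relay"))
    return seen

def collapse_to_domain(relays, labels=3, min_hosts=2):
    """Replace hosts that share a parent domain of `labels` labels with that domain,
    the way the thread collapses edgewave.com.mxN.rci.rcimx.net to rci.rcimx.net.
    Hosts without enough siblings stay verbatim so TLS is not switched off more
    widely than the observed failures justify (assumed policy, not sendmail's)."""
    groups = {}
    for host in relays:
        parts = host.split(".")
        suffix = ".".join(parts[-labels:]) if len(parts) > labels else host
        groups.setdefault(suffix, []).append(host)
    entries = []
    for suffix, hosts in groups.items():
        entries.extend([suffix] if len(hosts) >= min_hosts else hosts)
    return entries

def access_map_entries(names):
    """Render Try_TLS:<name> NO lines for sendmail's access file (run makemap afterwards)."""
    return [f"Try_TLS:{name}\tNO" for name in names]

if __name__ == "__main__":
    for line in access_map_entries(collapse_to_domain(failed_relays(SAMPLE_LOG))):
        print(line)
```

Every entry the script prints disables opportunistic TLS for that peer for good, so the list is worth re-checking once the remote side or the local OpenSSL is fixed, as Philip's "secure except when it matters" remark implies.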