Re: Why uw.edu not accepted my signed email?

2021-11-16 Thread Claus Assmann
On Wed, Nov 17, 2021, Andrew D. Arenson wrote:

> Oct 21 19:52:35 redsolar sm-mta[1465905]: STARTTLS=client, error:
> connect failed=-1, reason=dh key too small, SSL_error=1, errno=0,

It seems your sendmail version is a bit old?  Check your favorite
search engine... you need to generate a larger DH key - how to do
that depends on your OS (or maybe update sendmail or disable DH?)


Re: Why uw.edu not accepted my signed email?

2021-11-16 Thread Andrew D. Arenson
On Wed, Nov 17, 2021 at 05:36:43AM +, Claus Assmann wrote:

> On Tue, Nov 16, 2021, Andrew D. Arenson wrote:
> 
> >   I don't see any obvious configurations that set how email is
> >   sent, so my guess is that it is being sent via sendmail on my
> >   Ubuntu workstation.
> 
> Then you should be able to check the maillog(?) for those
> TLS problems and also check the mail queue:
> mailq
> 
> Also check the DSN again: does it say which is the "reporting MTA"?
> That's most likely the one which has the TLS problem with uw.edu.

 Thank you for your further guidance. mailq shows all queues empty. 
Reporting-MTA is my workstation:

 Reporting-MTA: dns; redsolar.uits.iu.edu  

 The maillog provided more detail for the error:

Oct 21 19:52:35 redsolar sm-mta[1465905]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Oct 21 19:52:35 redsolar sm-mta[1465905]: ruleset=tls_server, arg1=SOFTWARE, relay=mxe29.s.uw.edu, reject=403 4.7.0 TLS handshake failed.

 Does 'dh key too small' mean that my sendmail configuration isn't 
using a big enough key, and that uw.edu is ahead of the curve in requiring longer 
keys than most places? Or is it the other way around, that my sendmail 
configuration IS using a bigger key, but uw.edu is outdated and for some reason 
doesn't support it?


Andy

-- 
Andrew D. Arenson (he/him)    H 317.964.0493
arenson (at) spatzel.net      C 317.679.4669


Re: Why uw.edu not accepted my signed email?

2021-11-16 Thread Claus Assmann
On Tue, Nov 16, 2021, Andrew D. Arenson wrote:

>   I don't see any obvious configurations that set how email is
>   sent, so my guess is that it is being sent via sendmail on my
>   Ubuntu workstation.

Then you should be able to check the maillog(?) for those
TLS problems and also check the mail queue:
mailq

Also check the DSN again: does it say which is the "reporting MTA"?
That's most likely the one which has the TLS problem with uw.edu.


Re: Why uw.edu not accepted my signed email?

2021-11-16 Thread Andrew D. Arenson
On Tue, Nov 16, 2021 at 03:32:15PM -0500, Jon LaBadie wrote:

> On Tue, Nov 16, 2021 at 07:29:01PM +, Claus Assmann wrote:
> >On Tue, Nov 16, 2021, Andrew D. Arenson wrote:
> >
> >>Deferred: 403 4.7.0 TLS handshake failed.
> >
> >This has nothing to do with the content of the mail, it's a problem
> >between the program you use to send (submit?) the mail at the SMTP
> >level and the MTA at uw.edu.
> >Do you use mutt directly for this or some MTA?
> >Check whatever (START)TLS configuration you use for that.
> >
> 
> Recently there was a problem with whois and ".edu".
> 
> Perhaps it also affected DNS?

  Thank you. Doesn't seem like the likely culprit, but I appreciate the 
thought.

Andy




Re: Why uw.edu not accepted my signed email?

2021-11-16 Thread Andrew D. Arenson
On Tue, Nov 16, 2021 at 07:29:01PM +, Claus Assmann wrote:

> On Tue, Nov 16, 2021, Andrew D. Arenson wrote:
> 
> > Deferred: 403 4.7.0 TLS handshake failed.
> 
> This has nothing to do with the content of the mail, it's a problem
> between the program you use to send (submit?) the mail at the SMTP
> level and the MTA at uw.edu.
> Do you use mutt directly for this or some MTA?
> Check whatever (START)TLS configuration you use for that.

Thanks!

I'm not sure I know enough to answer your question properly, but I will 
try.

I'm running mutt on an Ubuntu OS workstation with sendmail installed. 

I receive email using IMAP via a davmail process that in turn interacts 
with Indiana University's Office 365 Exchange instance.

  set spoolfile="{aarenson\@iu.edu@localhost:1143}INBOX"

I have the following in my .muttrc that I think were put in place to 
deal with issues in _receiving_ email, but perhaps have a role in sending 
email, too.

  # For using TLS
  set ssl_starttls=no
  set ssl_force_tls=no

I don't see any obvious configurations that set how email is sent, so 
my guess is that it is being sent via sendmail on my Ubuntu workstation.

I have no record of configuring sendmail myself, and I kept fairly 
copious notes when building this workstation in March, so I assume sendmail has 
whatever is the stock configuration for its Ubuntu package.


Andy




Re: Why uw.edu not accepted my signed email?

2021-11-16 Thread Jon LaBadie

On Tue, Nov 16, 2021 at 07:29:01PM +, Claus Assmann wrote:

> On Tue, Nov 16, 2021, Andrew D. Arenson wrote:
> 
> > Deferred: 403 4.7.0 TLS handshake failed.
> 
> This has nothing to do with the content of the mail, it's a problem
> between the program you use to send (submit?) the mail at the SMTP
> level and the MTA at uw.edu.
> Do you use mutt directly for this or some MTA?
> Check whatever (START)TLS configuration you use for that.

Recently there was a problem with whois and ".edu".

Perhaps it also affected DNS?

--
Jon H. LaBadie j...@labadie.us
 11226 South Shore Rd.  (703) 787-0688 (H)
 Reston, VA  20190  (703) 935-6720 (C)


Re: Why uw.edu not accepted my signed email?

2021-11-16 Thread Claus Assmann
On Tue, Nov 16, 2021, Andrew D. Arenson wrote:

>   Deferred: 403 4.7.0 TLS handshake failed.

This has nothing to do with the content of the mail, it's a problem
between the program you use to send (submit?) the mail at the SMTP
level and the MTA at uw.edu.
Do you use mutt directly for this or some MTA?
Check whatever (START)TLS configuration you use for that.

-- 
Please don't Cc: me, use only the list for replies.


Why uw.edu not accepted my signed email?

2021-11-16 Thread Andrew D. Arenson
Using either mutt (1.13.2, installed via Ubuntu 20.04) or Outlook on my 
Windows laptop, I can successfully send a signed email to myself or most people 
in the world.

I can't, however, send a signed email from my mutt client to anyone 
using a University of Washington (uw.edu) email address. This has failed for 
three different email addresses, while sending from Outlook has worked.

The error I get in the bounced email message is:

Deferred: 403 4.7.0 TLS handshake failed.

I don't have a strong understanding of things like S/MIME, TLS, PKCS7, 
etc. I would be grateful for your advice about what might be different between 
how my Outlook application is signing outgoing email vs. how my mutt 
application is signing outgoing email that might help explain why the uw.edu 
server is having a problem receiving my email.

Here are some hopefully relevant headers from a signed email sent from 
Outlook and another one sent from mutt:

(from Outlook)
Content-Type: multipart/signed;
    protocol="application/x-pkcs7-signature";
    micalg=SHA1;
    boundary="=_NextPart_000_0005_01D7C724.88FFBB10"

--=_NextPart_000_0005_01D7C724.88FFBB10
Content-Type: application/pkcs7-signature;
    name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="smime.p7s"

(from mutt)
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
    micalg=sha-256; boundary="RnlQjJ0d97Da+TV1"

--RnlQjJ0d97Da+TV1
Content-Type: application/x-pkcs7-signature
Content-Disposition: attachment; filename="smime.p7s"
Content-Transfer-Encoding: base64

I see two differences:

1) micalg is different, with the older SHA1 used by Outlook and
   the newer sha-256 used by mutt.

2) The Content-Type of the signed portion of the email is different,
   with Outlook using application/pkcs7-signature while mutt uses
   application/x-pkcs7-signature

For both of the above, my understanding is that mutt is actually using 
a more modern and/or secure and/or standard version than Outlook is.


I also used openssl to take a look at what the uw.edu server might be 
expecting in terms of TLS as compared to my own university's mail server, but 
found no obvious differences. I may not have known where to look though. In 
case it's helpful, here's what I tried:

openssl s_client -starttls smtp -connect uw.edu:25

...
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384


openssl s_client -starttls smtp -connect mail-relay.iu.edu:25

SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384


Also, in case it's relevant, here are the parameters in my smime.rc 
file used by my mutt client to sign outgoing emails:

# Section B: Outgoing messages

# Algorithm to use for encryption.
# valid choices are rc2-40, rc2-64, rc2-128, des, des3
set smime_encrypt_with="des3"

# Encrypt a message. Input file is a MIME entity.
set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c"

# Sign.
set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin -in %f -certfile %i -outform DER"


Since my signed emails don't seem to fail when being sent anywhere 
else, my guess is that there's some sort of problem at the uw.edu end, but I 
have failed, so far, to get ahold of anyone there to discuss this. I'm hoping 
to learn enough that I could either fix something on my end or offer a 
suggestion to the mail server admins at uw.edu about what they might change.

Andy



-- 
Andrew D. Arenson (he/him)    H 317.964.0493
arenson (at) spatzel.net      C 317.679.4669
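Nobody in the thread measures the DH group itself. The `openssl s_client` check in the original post negotiated ECDHE-RSA-AES256-GCM-SHA384, so its output could not show a DH size, and the later reply only says to generate a larger DH key. OpenSSL raises `dh key too small` (`SSL_R_DH_KEY_TOO_SMALL`) on the connecting side when the peer's ephemeral DH group is below the minimum for the connecting side's security level: OpenSSL 1.1.1 defaults to level 1 (1024 bits), while Debian and Ubuntu 20.04 ship `@SECLEVEL=2`, which raises the floor to 2048 bits. The script below is an added example, not code from the thread, from mutt or from sendmail. It pulls the relay name out of the maillog lines quoted in the thread and then probes that relay with a DHE-only cipher string at `@SECLEVEL=0`, so the probing client reports the group size instead of refusing it the way sm-mta did. The `s_client` output embedded in it is a constructed sample for the offline run, not a capture from uw.edu; the live probe needs outbound TCP port 25.

```shell
#!/bin/sh
# Added example: find the MX that sendmail failed against and measure that
# MX's ephemeral DH group. Not code from the thread or from sendmail.

# Maillog lines as quoted in the thread (the mail-wrapped lines rejoined).
MAILLOG='Oct 21 19:52:35 redsolar sm-mta[1465905]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Oct 21 19:52:35 redsolar sm-mta[1465905]: ruleset=tls_server, arg1=SOFTWARE, relay=mxe29.s.uw.edu, reject=403 4.7.0 TLS handshake failed.'

# Constructed sample of `openssl s_client` output for the offline run; the
# figures are illustrative, not a capture from uw.edu.
SAMPLE='New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384'

# Relay hosts named in "403 4.7.0 TLS handshake failed" rejections, one per
# line, deduplicated. Reads maillog text on stdin.
failed_relays() {
    sed -n 's/.*ruleset=tls_server.*relay=\([^,]*\),.*reject=403 4\.7\.0.*/\1/p' | sort -u
}

# Bit size of the ephemeral DH group from s_client output on stdin, or 0 when
# no "Server Temp Key: DH" line is present (ECDHE was chosen, or no key
# exchange was reported).
dh_bits() {
    bits=$(sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' | head -n 1)
    echo "${bits:-0}"
}

# Classify a DH size against OpenSSL security levels: level 1 accepts 1024
# bits, level 2 (the Debian/Ubuntu 20.04 default) needs 2048.
verdict() {
    if [ "$1" -eq 0 ]; then echo "no-dhe"
    elif [ "$1" -ge 2048 ]; then echo "ok"
    elif [ "$1" -ge 1024 ]; then echo "rejected-at-seclevel-2"
    else echo "rejected-at-seclevel-1"
    fi
}

# Live probe (needs outbound TCP/25). Forces TLS 1.2 and a DHE suite so the
# server has to send DH parameters, and SECLEVEL=0 so this client reports a
# small group instead of aborting the handshake the way sm-mta did.
probe_dhe() {
    openssl s_client -starttls smtp -tls1_2 -cipher 'DHE:!aNULL:@SECLEVEL=0' \
        -connect "$1:25" </dev/null 2>/dev/null | dh_bits
}

# Offline demonstration: relay extraction plus the constructed sample.
for relay in $(printf '%s\n' "$MAILLOG" | failed_relays); do
    echo "maillog names relay: $relay"
done
bits=$(printf '%s\n' "$SAMPLE" | dh_bits)
echo "sample: DH $bits bits -> $(verdict "$bits")"

# Live run against the relay from the log: sh dhprobe.sh mxe29.s.uw.edu
if [ -n "${1-}" ]; then
    bits=$(probe_dhe "$1")
    echo "$1: DH $bits bits -> $(verdict "$bits")"
fi
```

Because sm-mta on the workstation links the same OpenSSL and openssl.cnf as the `openssl` binary, `rejected-at-seclevel-2` for the live probe means the Ubuntu 20.04 client would refuse that relay's DH group while an older OpenSSL build, or a client that negotiates ECDHE first, would not. A result of `ok` or `no-dhe` rules the server's DH group out and points back at the workstation's own sendmail client TLS settings.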