Sorry, this went privately so I am sending to the list.

On Fri, 24 Jan 2020 16:10:57 -0500, Johann Klasek wrote:
>
> Hi John,
>
> On Fri, Jan 24, 2020 at 06:33:26PM +0100, ml+mailop--- via mailop wrote:
> > Usually I don't reply to top-posted mails...
> >
> > 1. Try with
> > openssl s_client -connect other.host:25 -state -debug -crlf -starttls smtp
> > ...
> > and add parameters to match your sendmail setup.
> >
> > 2. See cf/README how to set the option in your mc file:
> > confCIPHER_LIST CipherList [undefined] Cipher list for TLS.
> >
> > 3. If you post changes you made, then post real data,
> > not something like
> > tls_srv_features CipherList=...
> > because that doesn't tell someone else whether you used the
> > right key(s).
> >
> > 4. You can use the same openssl command against your server
> > to see whether your config changes actually have the desired
> > effect.
> >
> > 5. If the problem persists, you need to provide more data,
> > e.g., real hostnames, your .mc file, and so on.
>
> [..]
>
> Did you already work out this list?
I first want to thank everyone who has been helping me on this problem.

Well, I found something interesting. When using openssl to connect to the host, which is (one of them) ukiah.firemountain.net, I got the following output:

SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS write client hello
SSL_connect:SSLv3/TLS read server hello
depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
verify error:num=66:EE certificate key too weak
verify return:1
depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
verify return:1
SSL_connect:SSLv3/TLS read server certificate
SSL3 alert write:fatal:handshake failure
SSL_connect:error in error
140589450400896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
   i:C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
---
Server certificate
subject=C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
issuer=C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
---
No client certificate CA names sent
---
SSL handshake has read 1893 bytes and written 354 bytes
Verification error: self signed certificate
---
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1579904838
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---

Here is a longer excerpt from the log if that will help:

Jan 24 17:21:41 debian-2 sm-mta[9779]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jan 24 17:21:41 debian-2 sm-mta[9779]: ruleset=tls_server, arg1=SOFTWARE, relay=ukiah.firemountain.net, reject=403 4.7.0 TLS handshake failed.
Jan 24 17:21:41 debian-2 sm-mta[9779]: 00OLAdDa009105: to=<postmas...@firemountain.net>, delay=01:10:40, xdelay=00:00:46, mailer=esmtp, pri=841143, relay=ukiah.firemountain.net. [207.114.3.55], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.

--
Your life is like a penny. You're going to lose it. The question is:
How do you spend it?

John Covici wb2una
cov...@ccs.covici.com

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
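A small shell helper, added here and not part of the thread, that applies steps 1 and 4 of the quoted list: it runs the same s_client command and turns the transcript into a short list of findings (DH group too small, weak certificate key, self-signed certificate, failed handshake). The embedded sample transcript is constructed from the output quoted above; the function names `classify_tls_output` and `probe_mx` are chosen here.

```shell
#!/bin/sh
# Constructed sample of `openssl s_client -starttls smtp` output, modelled on the
# transcript quoted in the mail above; it is not a live capture.
SAMPLE_OUTPUT='verify error:num=66:EE certificate key too weak
verify error:num=18:self signed certificate
SSL3 alert write:fatal:handshake failure
140589450400896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 18 (self signed certificate)'

# Read one s_client transcript on stdin and print one finding per line.
# Prints nothing for a completed handshake with no obvious weakness.
# Always returns 0 so it can sit at the end of a pipeline.
classify_tls_output() {
    out=$(cat)
    case "$out" in
        *"dh key too small"*)
            echo "WEAK_DH: server's DH group is below the client's minimum (server needs larger DH params or ECDHE)" ;;
    esac
    # "Server public key is N bit" reports the certificate key size.
    bits=$(printf '%s\n' "$out" | sed -n 's/^Server public key is \([0-9][0-9]*\) bit.*/\1/p')
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "WEAK_CERT_KEY: ${bits}-bit server key (verify error num=66 on modern OpenSSL)"
    fi
    case "$out" in
        *"self signed certificate"*)
            echo "SELF_SIGNED: certificate is not chained to a trusted CA" ;;
    esac
    case "$out" in
        *"Cipher is (NONE)"*|*"handshake failure"*)
            echo "HANDSHAKE_FAILED: no cipher negotiated; sendmail logs 'STARTTLS=client, error: connect failed'" ;;
    esac
    return 0
}

# Live probe of a mail server's STARTTLS, the command from the thread.
# Not invoked here; call e.g. `probe_mx mx.example.invalid` interactively.
probe_mx() {
    openssl s_client -connect "$1:25" -state -crlf -starttls smtp </dev/null 2>&1 | classify_tls_output
}

printf '%s\n' "$SAMPLE_OUTPUT" | classify_tls_output
```

Run `probe_mx` against your own host after changing CipherList or the DH parameters to confirm the findings disappear, which is what step 4 of the list asks for.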