On Fri, 24 Jan 2020 20:30:36 -0500,
John Covici via mailop wrote:
> 
> Sorry, this went privately so I am sending to the list.
> 
> On Fri, 24 Jan 2020 16:10:57 -0500,
> Johann Klasek wrote:
> > 
> > Hi John,
> > 
> > On Fri, Jan 24, 2020 at 06:33:26PM +0100, ml+mailop--- via mailop wrote:
> > > Usually I don't reply to top-posted mails...
> > > 
> > > 1. Try with
> > > openssl s_client -connect other.host:25 -state -debug -crlf -starttls smtp ...
> > > and add parameters to match your sendmail setup.
> > > 
> > > 2. See cf/README how to set the option in your mc file:
> > > confCIPHER_LIST           CipherList      [undefined] Cipher list for TLS.
> > > 
> > > 3. If you post changes you made, then post real data,
> > > not something like
> > > tls_srv_features  CipherList=...
> > > because that doesn't tell someone else whether you used the
> > > right key(s).
> > > 
> > > 4. You can use the same openssl command against your server
> > > to see whether your config changes actually have the desired
> > > effect.
> > > 
> > > 5. If the problem persists, you need to provide more data,
> > > e.g., real hostnames, your .mc file, and so on.
> > > 
> > [..]
> > 
> > Did you already work out this list?
> 
> I first want to thank everyone who has been helping me on this
> problem.  Well, I found something interesting, when using openssl
> connect to the host which is (one of them) ukiah.firemountain.net  I
> got the following output:
> 
> SSL_connect:before SSL initialization
> SSL_connect:SSLv3/TLS write client hello
> SSL_connect:SSLv3/TLS write client hello
> SSL_connect:SSLv3/TLS read server hello
> depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = 
> ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> verify error:num=66:EE certificate key too weak
> verify return:1
> depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = 
> ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> verify error:num=18:self signed certificate
> verify return:1
> depth=0 C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = 
> ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> verify return:1
> SSL_connect:SSLv3/TLS read server certificate
> SSL3 alert write:fatal:handshake failure
> SSL_connect:error in error
> 140589450400896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too 
> small:../ssl/statem/statem_clnt.c:2150:
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
> CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
>    i:C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
> CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> ---
> Server certificate
> subject=C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = 
> ops, CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> 
> issuer=C = US, ST = Maryland, L = Sparks, O = Fire on the Mountain, OU = ops, 
> CN = ukiah.firemountain.net, emailAddress = postmas...@firemountain.net
> 
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 1893 bytes and written 354 bytes
> Verification error: self signed certificate
> ---
> New, (NONE), Cipher is (NONE)
> Server public key is 1024 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID: 
>     Session-ID-ctx: 
>     Master-Key: 
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1579904838
>     Timeout   : 7200 (sec)
>     Verify return code: 18 (self signed certificate)
>     Extended master secret: no
> ---
> 
> Here is a longer excerpt from the log if that will help:
> Jan 24 17:21:41 debian-2 sm-mta[9779]: STARTTLS=client, error: connect
> failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
> Jan 24 17:21:41 debian-2 sm-mta[9779]: ruleset=tls_server,
> arg1=SOFTWARE, relay=ukiah.firemountain.net, reject=403 4.7.0 TLS
> handshake failed.
> Jan 24 17:21:41 debian-2 sm-mta[9779]: 00OLAdDa009105:
> to=<postmas...@firemountain.net>, delay=01:10:40, xdelay=00:00:46,
> mailer=esmtp, pri=841143,
> relay=ukiah.firemountain.net. [207.114.3.55], dsn=4.0.0,
> stat=Deferred: 403 4.7.0 TLS handshake failed.

So, I have now solved the problem (sort of).  On my other box, I had
no trouble connecting to at least one of those servers and so I had to
figure out why.  So, I looked at the /etc/ssl/openssl.cnf and compared
them on both systems and discovered that on the one which could
connect it seems that the seclevel was 2 whereas it was not specified
at all on the system which had trouble.  So, it seems that it had
nothing to do with sendmail at all, but everything to do with the
ciphers in some way.  I will have to look into that seclevel and see
what it actually means, but at least it's working for now.

Thanks everyone.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

         John Covici wb2una
         cov...@ccs.covici.com

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
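A reader-added helper for the diagnosis in this thread (it is not code from the thread or from sendmail): it pulls the relevant facts out of an `openssl s_client` trace like the one John posted and maps RSA/DH key sizes onto OpenSSL's documented SECLEVEL thresholds, so you can see which level a peer's 1024-bit key or DH group would still pass. SAMPLE_TRACE is constructed from the quoted lines; the thresholds are those in SSL_CTX_set_security_level(3).

```python
"""Report which OpenSSL SECLEVEL the key sizes in an `openssl s_client
-starttls smtp` trace would survive.  Added example, not from the mailop
thread; SAMPLE_TRACE is constructed from lines quoted in it."""
import re

# OpenSSL security levels in bits of security (level 0 = no limit) and the
# RSA/DH/DSA modulus sizes OpenSSL maps onto those strengths, per
# SSL_CTX_set_security_level(3).
LEVEL_BITS = {1: 80, 2: 112, 3: 128, 4: 192, 5: 256}
MODULUS_TO_BITS = [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)]

def security_bits(modulus_bits: int) -> int:
    """Security strength OpenSSL assigns to an RSA/DH modulus of this size."""
    for size, bits in MODULUS_TO_BITS:
        if modulus_bits >= size:
            return bits
    return 0

def max_seclevel(modulus_bits: int, kind: str = "rsa"):
    """Highest SECLEVEL that still accepts the key, or None if no level does.
    Ephemeral DH under 1024 bits is refused even at level 0: that is the
    'dh key too small' alert in the thread."""
    bits = security_bits(modulus_bits)
    if kind == "dh" and bits < 80:
        return None
    return max(lvl for lvl, need in [(0, 0), *LEVEL_BITS.items()] if bits >= need)

def analyse_trace(trace: str) -> dict:
    """Pull the handshake facts out of an s_client trace; no network needed."""
    key = re.search(r"Server public key is (\d+) bit", trace)
    key_bits = int(key.group(1)) if key else None
    errors = {int(n): m.strip()
              for n, m in re.findall(r"verify error:num=(\d+):([^\n]+)", trace)}
    return {
        "key_bits": key_bits,
        "key_max_seclevel": max_seclevel(key_bits) if key_bits else None,
        "verify_errors": sorted(errors.items()),
        "dh_too_small": "dh key too small" in trace,
        "handshake_ok": "Cipher is (NONE)" not in trace,
    }

# Constructed from the lines John quoted, not a live capture.
SAMPLE_TRACE = """\
verify error:num=66:EE certificate key too weak
verify error:num=18:self signed certificate
140589450400896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
New, (NONE), Cipher is (NONE)
Server public key is 1024 bit
"""
```

Run it against a fresh trace (`openssl s_client -connect host:25 -starttls smtp -state 2>&1`) to see whether raising or lowering SECLEVEL in openssl.cnf would change the outcome before touching the sendmail config.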
