On Sat, Jan 28, 2012 at 1:59 PM, Peter Fraser <p...@thinkage.ca> wrote: > I am getting the following errors, with sendmail (Openbsd 5.0 and errors were > there for 4.9 as well) ... > Jan 28 16:34:51 mail sm-mta[372]: STARTTLS=client: 372:error:1411809D:SSL > routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls invalid ecpointformat > list:/usr/src/lib/libssl/ssl/../src/ssl/t1_lib.c:1470: ... > From peering around with google these seem to come from an error in ssl. I > assume that it is edgewave.com.mx1.rci.rcimx.net that has the error, not > OpenBSD 5.0 > but none the less I cannot send email to this site, with TLS enabled.
This was a bug in the EC point extension support in OpenSSL versions before 1.0.0c, including the version in OpenBSD 5.0. It's fixed in the version of OpenSSL that's been imported since then for OpenBSD 5.1. > It my surprise I found that not configuring TLS on sendmail.mc only turns it > off for receiving not sending. That's true. There's a fundamental asymmetry to SSL/TLS, where servers have to be configured with certs and such but clients require nothing. My reading of the history of the design of SSL is that that was intentional. So, how do you turn TLS client support off completely in sendmail? The easiest method is probably to use LOCAL_TRY_TLS in your .mc file to define a try_tls ruleset that always returns NO. > The only way I can find to turn it off for sending is by adding > > Try_TLS:edgewave.com.mx1.rci.rcimx.net NO > Try_TLS:edgewave.com.mx2.rci.rcimx.net NO > Try_TLS:edgewave.com.mx3.rci.rcimx.net NO > Try_TLS:edgewave.com.mx4.rci.rcimx.net NO > > to sendmail's map access database. That looks correct. You could also apply that to the entire rci.rcimx.net domain with a single entry: Try_TLS:rci.rcimx.net NO > It would have been nice if sendmail falls back to a none TLS connection if the > handshake occurs. Well, the handshake also fails whenever an attackers interferes with the connection. A "revert to insecure when attacked" behavior makes you secure except when it matters. Philip Guenther
