@charite were suddenly encountering several domains that don't seem to
implement STARTTLS properly.

mailq exhibits the following behaviour:

3VRgn515L4zKg2v     443924 Tue Apr 10 10:01:13 sen...@charite.de
(lost connection with mail2.trioncology.org[81.252.237.162] while sending RCPT TO)
                                               recipi...@trioncology.org

3VRkVt1QCQz1tpC     713456 Tue Apr 10 12:04:06 sen...@charite.de
(lost connection with mail.seronosymposia.org[77.43.17.211] while sending MAIL FROM)
                                               recipi...@seronosymposia.org

Examining these two with openssl yields:

# openssl s_client -starttls smtp -CAfile /etc/ssl/certs/ca-certificates.crt -connect 77.43.17.211:25

...

SSL handshake has read 2773 bytes and written 545 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 2C130000446B4890640EA3E2C7FC42CE3108961A70C69D555B0C2E7B561178F5
    Session-ID-ctx: 
    Master-Key: 
52E5135613B630FB7E573D7E471C2EB5301835559C5A6FCA25EF8615514A378AF4ABC05B7700ECC94BF676C4F3FCD343
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1334227398
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 OK
and:

# openssl s_client -starttls smtp -CAfile /etc/ssl/certs/ca-certificates.crt -connect 81.252.237.162:25
CONNECTED(00000003)
...
No client certificate CA names sent
---
SSL handshake has read 2271 bytes and written 673 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Session-ID: 960600009866D220953A6C8C28D10A10CA17481F1D9CBE8C2D93A2F5679294AE
    Session-ID-ctx: 
    Master-Key: 
FED6B659598833657EDD05818253322342B77FA610ED2C7F7C8FFC7138CA53C828107DA110C40D8D867906BD60C5D82A
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1334227601
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
250 OK


and after that I cannot proceed in the SMTP dialogue at all. Either
CTRL-D or CTRL-C will get me back to the command line.

Disabling STARTTLS when sending mail there gets the mail delivered.
-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de
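The step-by-step check below is an added example, not part of Ralf's post or of Postfix. It parses the "lost connection ... while sending <phase>" reasons out of mailq output (the embedded sample is constructed, modelled on the two entries above) and then replays the SMTP dialogue against each host one command at a time, so you can see whether the session dies right after the TLS handshake, at MAIL FROM, or at RCPT TO, instead of having to guess from the queue. The probe uses the null sender and an assumed postmaster recipient, never sends DATA, and deliberately does not verify the peer certificate, since the question is whether the TLS session survives at all.

```python
import re
import smtplib
import ssl
import sys

# Constructed sample modelled on the mailq output quoted in the post; the queue
# IDs, sizes and addresses are made up, the two hosts are the ones named above.
SAMPLE_MAILQ = """\
3VRgn515L4zKg2v     443924 Tue Apr 10 10:01:13 sender@example.org
(lost connection with mail2.trioncology.org[81.252.237.162] while sending RCPT
TO)
                                               recipient@trioncology.org

3VRkVt1QCQz1tpC     713456 Tue Apr 10 12:04:06 sender@example.org
(lost connection with mail.seronosymposia.org[77.43.17.211] while sending MAIL
FROM)
                                               recipient@seronosymposia.org
"""

LOST_CONN = re.compile(
    r"lost connection with (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]"
    r" while sending (?P<phase>[^)]+)\)"
)


def parse_deferred(mailq_text):
    """Return [(host, ip, phase), ...] for every 'lost connection ... while
    sending <phase>' reason in mailq output, one entry per host."""
    # mailq (or the mail client) wraps long reasons, e.g. "RCPT\nTO)": flatten first.
    flat = re.sub(r"\s+", " ", mailq_text)
    seen = {}
    for m in LOST_CONN.finditer(flat):
        seen.setdefault((m["host"], m["ip"]), m["phase"].strip())
    return [(host, ip, phase) for (host, ip), phase in seen.items()]


def probe_starttls(host, port=25, timeout=15, rcpt=None):
    """Walk the SMTP dialogue one command at a time and record how far it gets.

    Returns {"steps": [(name, code), ...], "tls": dict or None, "error": str or None}.
    Certificate verification is switched off on purpose: this is a diagnostic
    that wants to see whether the session survives the handshake, not a trust check.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    result = {"steps": [], "tls": None, "error": None}
    steps = result["steps"]
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)  # connects and reads the 220 banner
        steps.append(("connect", 220))
        code, _ = smtp.ehlo()
        steps.append(("EHLO", code))
        if not smtp.has_extn("starttls"):
            result["error"] = "server does not advertise STARTTLS"
            smtp.quit()
            return result
        code, _ = smtp.starttls(context=ctx)
        steps.append(("STARTTLS", code))
        name, proto, bits = smtp.sock.cipher()
        result["tls"] = {"protocol": proto, "cipher": name, "bits": bits}
        code, _ = smtp.ehlo()                      # EHLO must be repeated after TLS
        steps.append(("EHLO (after TLS)", code))
        code, _ = smtp.mail("<>")                  # null sender, as a bounce would use
        steps.append(("MAIL FROM", code))
        code, _ = smtp.rcpt(rcpt or "postmaster@" + host)  # assumed recipient
        steps.append(("RCPT TO", code))
        smtp.rset()                                # probe only: never send DATA
        smtp.quit()
    except (smtplib.SMTPException, OSError) as exc:
        last = steps[-1][0] if steps else "connect"
        result["error"] = f"connection lost after {last}: {exc!r}"
    return result


if __name__ == "__main__":
    # "mailq | python3 probe.py -" reads the real queue; no argument uses the sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_MAILQ
    for host, ip, phase in parse_deferred(text):
        print(f"{host} [{ip}]: Postfix lost the connection while sending {phase}")
        r = probe_starttls(ip)
        for name, code in r["steps"]:
            print(f"  {name:<17} {code}")
        if r["tls"]:
            print(f"  TLS: {r['tls']}")
        if r["error"]:
            print(f"  {r['error']}")
```

If the probe shows the session dying right after the handshake while a plaintext session gets through, the per-destination form of the workaround mentioned in the post is a Postfix `smtp_tls_policy_maps` entry with policy level `none` for the affected domains, which keeps opportunistic TLS on for everybody else instead of disabling STARTTLS globally.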