hi all,
We have a 0.7 toaster running on Fedora Core 3, without problems until last week, I guess.
Other toasters (prior to 0.7), while trying to send us email, are receiving the following message after the usual SMTP conversation:
    ....
    STARTTLS
    220 ready for tls
    cG9zdG1hc3RlckBkYWtvdGEuYXV0b2xpc3Rhcy5jb20uYXI=
    454 TLS connection failed: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol (#4.3.0)
    Connection closed by foreign host.
And the message becomes deferred.
I've made the following in our 0.7 toaster:
1- verify that serverclient.pem and clientserver.pem are readable by group qmail
2- re-generate certs serverclient/clientcert
3- re-run /qmail/bin/update_tmprsadh to rejuvenate the dh* and rsa* pem files
4- if I run
    #openssl s_client -connect 127.0.0.1:25 -starttls smtp -debug
the last 2 relevant lines are:
..... write to 080B0EC8 [080C24A8] (7 bytes => 7 (0x7)) 0000 - 15 03 01 00 02 02 2f ....../
6791:error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned:s3_clnt.c:687:
Did anyone find the same issue?
Any clue to fix this?
Thanks in advance!
Yeah, this is an odd problem where qmail-smtpd is not aware of the available ciphers in openssl. I have yet to figure out what causes this... however, the fix is easy. Set up a static cipher list:
openssl ciphers > /var/qmail/control/tlsserverciphers
If you have similar errors when sending to another TLS-enabled system, link the above file to /var/qmail/control/tlsclientciphers.
If anyone else knows what determines when this is needed, I'd like to hear it.
Regards,
Bill
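A script that applies the fix from Bill's reply and then checks the result, added here as an example and not part of the thread or the toaster's own tooling. The control-directory and cipher-string arguments are assumptions so it can be tried outside /var/qmail/control; the client-side "unknown cipher returned" error means the server picked a suite the client never offered, so the server's list is the first thing to verify.

```shell
#!/bin/sh
# Added example, not code from the thread or the qmail toaster project.
# Writes the static cipher list the reply recommends, links the client copy,
# then checks that OpenSSL parses the list and that it contains no anonymous
# or NULL-encryption suites. The directory argument is a hypothetical
# convenience for trying this outside /var/qmail/control.

# Write $ctl/tlsserverciphers from this OpenSSL build's "DEFAULT" set, which is
# what a bare "openssl ciphers" prints, and point tlsclientciphers at it.
qmail_tls_write_ciphers() {
    ctl=${1:-/var/qmail/control}
    spec=${2:-DEFAULT}
    f="$ctl/tlsserverciphers"
    openssl ciphers "$spec" > "$f" || return 1
    # Readable by group qmail, the same check the poster did on the .pem files.
    if getent group qmail >/dev/null 2>&1; then
        chgrp qmail "$f" || return 1
    fi
    chmod 0640 "$f" || return 1
    # qmail-remote reads tlsclientciphers; a symlink keeps the two lists equal.
    ln -sf tlsserverciphers "$ctl/tlsclientciphers" || return 1
}

# Check $ctl/tlsserverciphers: it must exist, OpenSSL must accept the whole
# string, and no suite may offer Au=None or Enc=None. Returns 0 when all hold.
qmail_tls_check_ciphers() {
    ctl=${1:-/var/qmail/control}
    f="$ctl/tlsserverciphers"
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    verbose=$(openssl ciphers -v "$(cat "$f")") || { echo "OpenSSL rejects $f" >&2; return 1; }
    # -v prints one suite per line with Kx=, Au=, Enc= and Mac= columns.
    weak=$(printf '%s\n' "$verbose" | grep -E 'Au=None|Enc=None' | awk '{print $1}')
    if [ -n "$weak" ]; then
        echo "weak suites in $f: $weak" >&2
        return 1
    fi
    echo "$f: $(printf '%s\n' "$verbose" | grep -c .) suites accepted"
    return 0
}
```

Run the check again after any OpenSSL upgrade, since the file is a snapshot of the cipher names one build knew about.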