Solved

Sendmail STARTTLS error

Posted on 2016-11-16
40 Views
Last Modified: 2016-11-17
I'm investigating an issue where emails sent by a certain domain (a school district) aren't being received.

In reviewing the logs I've found:
STARTTLS=server, error: accept failed=0, reason=sslv3 alert certificate unknown, SSL_error=1, errno=0, retry=-1, relay=server.domain.org [xxx.xx.xxx]

I suspect the issue is with the certificate or configuration of the sending server, but I'm hitting a dead end in researching it further to confirm.

Anybody have any insight?

Ken
Question by:kenfcamp
37 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41889705
Can you post your sendmail.mc file?
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41889736
Here you go,

dnl#
include(`../m4/cf.m4')
VERSIONID(`default setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
define(`confDOMAIN_NAME', `$w.$m')dnl
dnl#
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/server-cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/server-key.pem')dnl  
define(`confCLIENT_CERT', `/etc/mail/certs/server-cert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/server-key.pem')dnl    
dnl# These settings help protect against people verifying email addresses
dnl# at your site in order to send you email that you probably don't want:
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl# No timeout for ident:
define(`confTO_IDENT', `0')dnl
dnl# See the README in /usr/share/sendmail/cf for a ton of information on
dnl# how these options work:
FEATURE(`use_cw_file')dnl  
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
FEATURE(`no_default_msa')dnl
FEATURE(`enhdnsbl', `b.barracudacentral.org', `"550 Rejected: IP in Barracuda RBL"')dnl
FEATURE(`enhdnsbl', `z.mailspike.net', `"550 Rejected: IP found in mailspike RBL"')dnl
FEATURE(`dnsbl', `korea.services.net', `"550 Rejected: Email rejected due to sending server misconfiguration - see http://korea.services.net"')dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m;C:30s;E:10m')dnl
INPUT_MAIL_FILTER(`opendkim',`S=local:/var/run/dkim/dkim.sock')dnl
define(`confINPUT_MAIL_FILTERS', `clamav, opendkim')dnl
dnl# Also accept mail for localhost.localdomain:
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl# Allow SASL authentication/relaying:
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')dnl
dnl# Daemon options after M= below that might need to be changed are:
dnl# s (allow SSL, not only TLS)
dnl# a (require authentication)
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=Esa')dnl
LOCAL_CONFIG
dnl# Do not allow the weak SSLv2:
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL

Ken
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 41889751
Are your keys at least 2048?

or maybe your diffie-hellman is too short:

   cd /etc/mail/certs
   openssl dhparam -out dh.param 4096

in your sendmail.mc:

   define(`confDH_PARAMETERS', `CERT_DIR/dh.param')dnl
   
restart sendmail.
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41889817
This looks like it might take a while lol

I'll update once it completes and I rebuild and verify

Ken
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41889823
It does.  Depending upon the cpu and memory, it may take a very long while.  Don't be concerned.
0
 
LVL 9

Expert Comment

by:Scott Silva
ID: 41889936
And if you still can't get that domain to cooperate, you can disable encryption to that domain in /etc/mail/access

Add a line:

   Try_TLS:<partial or full destination hostname / mx record>     NO

That will tell sendmail to skip the TLS handshake on that domain.  When I was running sendmail I had a few domains that just wouldn't complete handshake, and sendmail does not fallback to an unencrypted connection.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41889974
use of the try_tls in the access depends upon the version of sendmail running.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 41889980
+SSLv3: indicates that you are allowing SSLv3 but it has been removed from most servers by now.
0
 
LVL 76

Expert Comment

by:arnold
ID: 41890332
What the client allows is of little importance as long as the client can negotiate the options available from the server

try the following from the sendmail on which the email lands to reach the remote
openssl s_client -connect server.domain.org -starttls smtp

Look at the protocol, certificate information...
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890482
Sorry for the delay, I had to run out for a while.

[ Jan Springer ] -
I've rebuilt my cf file and restarted Sendmail... No change

[ Scott Silva ] -
I've tried the TRY_TLS with no success. It works great for communication issues (TLS client errors) w/ Ironports etc

[ arnold ] -
Great idea, but no luck nothing to connect to except http/https ports which go to an outlook web app.
I do know that mail sent to recipients go to a different address,
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890485
To me it looks like there's something wrong with the sender's certificate and my server's refusing to accept it.
Am I looking at it wrong?
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41890486
Is that a self-signed certificate?  If so, are you sure that all of the values (i.e., fqdn) were entered correctly?
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890492
Ok

I've just pulled logs going back to October 16th, and aside from this one server there are only two other servers that have generated this error.
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41890493
I am not sure.  Perhaps Arnold or Dave can assist.
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890495
Jan,

My certificate is self signed yes... I can't say if the sending server doesn't like it or not, but with the volume of email sent and received through my server I'd hear about delivery issues real fast
0
 
LVL 28

Expert Comment

by:Jan Springer
ID: 41890498
I don't disagree.  But I do run into the server now and again that has to be difficult when all others don't have a problem.
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890499
I can't speak for the sender's certificate other than my server seems to enjoy spitting it out heh
1
 
LVL 9

Expert Comment

by:Scott Silva
ID: 41890505
Maybe try MXTool box on the offending site and see what you get... You might have to test the MX record names too...
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890514
You're right, it happens.. But to answer your question yes the FQDN matches the mail server's name
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890523
Scott,

That's the rub.. the MX record for the domain points to a totally different server and IP.
0
 
LVL 9

Expert Comment

by:Scott Silva
ID: 41890534
So you get a fail when they send to you? Use that IP or name for the mxtoolbox tests...  Many companies only receive on their MX boxes and send from another...
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890537
blacklists are clean for the domain's listed mail server
0
 
LVL 9

Expert Comment

by:Scott Silva
ID: 41890542
an smtp test... I think it checks cert validity...
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890546
blacklists on "problem server" IP are clean as well

That is correct.. Sending to them is no problem (they receive on a different server) but when they send to my server it results in a failure
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890548
no can do, no smtp/smtps ports open... The server does appear to be an Exchange server and the only open ports are http and https
I've loaded the domain in my browser and it turned out to be an "Outlook Web Portal"
0
 
LVL 9

Assisted Solution

by:Scott Silva
Scott Silva earned 250 total points
ID: 41890566
When you said you tried the TRY_TLS option did you use the domain name the sending server resolves to and not the MX records?
Beyond that there were issues with exchange and sendmail, but they are fairly old...
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890577
:) lol ... I'm liking you Scott you cover bases

Yes "Try_Tls" was used on the "offending" domain name, and not the domain on record.
There's no point in trying it on the other server, it's not in the logs for the sessions in question
0
 
LVL 76

Expert Comment

by:arnold
ID: 41890582
The test suggested, replicating the sendmail connection to the remote system, would actually answer many things definitively. If you must, you could use the options to identify yourself using the same certificate your sendmail is configured to use when establishing an outgoing STARTTLS connection.
Usually, only the remote side needs to have a valid certificate to authenticate who they are; the client does not need an authentication certificate unless that is the agreement between your organization as the sender and the receiving organization as the server through which you will relay.

Try as suggested: disable SSLv3 as a viable option on your client side and see if that fixes the issue, since the error refers to SSLv3.....

If you feel comfortable with any of the experts commenting here, you could provide (message) them the name of the server through which you want to relay; we would be able to check on whether the issue is there....

or with your, the openssl s_client has options to force it to attempt connections using SSLv2, SSLv3, TLS, etc. and see whether one of those options is what breaks the functionality, i.e. if you follow the advice to disable the SSLv3 cipher, it may fix your outgoing connection, and/or impact your incoming ones, forcing some users to update their email clients/systems........

Your error log is not clear to me (since I am not a sendmail ....). To me it seems like an outgoing connection from your server to ..... where it tries to initiate a TLS session but fails...
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890583
I'm betting it's becoming clear why I reached out lol
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890587
Arnold,

This isn't an outgoing issue of "mine"...   It's an incoming issue with 1 server out of thousands
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890593
Arnold,
Essentially, my server sees an incoming request, but appears to be having an issue with the certificate from the sender
(At least that's how it's looking)
0
 
LVL 9

Accepted Solution

by:
Scott Silva earned 250 total points
ID: 41890598
You might just have to send a message to their postmaster account and see if you get a reply? You might have to talk to the sending admin to figure this out...

I used sendmail for close to 20 years and had plenty of these types of issues... My company higher ups made the decision to move to exchange but My MX's are still Linux spam filters..... You can't just go cold turkey....  lol
1
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890609
lol

Yea I've pretty much decided that I was going to try to contact them in the morning
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890645
Just an update

For grins and giggles SSLv3 was disabled, and a new error failure occurred

No SSLv3- "STARTTLS=server, error: accept failed=-1, reason=no shared cipher, SSL_error=1"
w/ SSLv3- "STARTTLS=server, error: accept failed=0, reason=sslv3 alert certificate unknown, SSL_error=1"

I'm now wondering if they're running a cipher that my server isn't configured to use
0
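As an added triage example (not code from the thread or from sendmail), the Python below parses the two `STARTTLS=server` failure forms Ken posted, plus a successful handshake line of the same format, groups them per relay, and flags relays that fail on every attempt; that is the pattern behind a month of 40-minute retries. One point worth making explicit while reading the output: OpenSSL's "sslv3 alert certificate unknown" is its name for a TLS alert received from the peer (the "sslv3" prefix is historical naming, not the protocol in use), so in a server-side accept it is the connecting client rejecting the certificate this server presented, whereas "no shared cipher" is raised locally when nothing the client offered is in the server's CipherList. Host names, addresses and queue IDs in the sample log are constructed placeholders.

```python
"""Per-relay triage of sendmail STARTTLS=server outcomes (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in sendmail's syslog format; host names, addresses
# and queue IDs are documentation placeholders, not the original poster's.
SAMPLE_LOG = """\
Nov 16 08:12:01 mx sendmail[1201]: uAGDC1xx001201: STARTTLS=server, error: accept failed=0, reason=sslv3 alert certificate unknown, SSL_error=1, errno=0, retry=-1, relay=server.example.org [192.0.2.10]
Nov 16 08:52:03 mx sendmail[1377]: uAGDq3xx001377: STARTTLS=server, error: accept failed=0, reason=sslv3 alert certificate unknown, SSL_error=1, errno=0, retry=-1, relay=server.example.org [192.0.2.10]
Nov 16 09:01:44 mx sendmail[1402]: uAGE1ixx001402: STARTTLS=server, relay=mail.example.net [198.51.100.5], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Nov 16 09:32:05 mx sendmail[1510]: uAGEW5xx001510: STARTTLS=server, error: accept failed=-1, reason=no shared cipher, SSL_error=1, errno=0, retry=-1, relay=server.example.org [192.0.2.10]
Nov 16 10:15:09 mx sendmail[1688]: uAGFF9xx001688: STARTTLS=server, error: accept failed=0, reason=sslv3 alert certificate unknown, SSL_error=1, errno=0, retry=-1, relay=other.example.com [203.0.113.7]
"""

FAILURE_RE = re.compile(
    r"STARTTLS=server, error: accept failed=(?P<rc>-?\d+), "
    r"reason=(?P<reason>[^,]+), SSL_error=(?P<ssl_error>\d+)"
    r".*?relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]"
)
SUCCESS_RE = re.compile(
    r"STARTTLS=server, relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\], "
    r"version=(?P<version>[^,\s]+), verify=(?P<verify>[^,\s]+), "
    r"cipher=(?P<cipher>[^,\s]+)"
)

# Which side gave up, for the OpenSSL reason strings seen in the thread.
# "sslv3 alert ..." = an alert received from the peer (here: the client),
# sent after it saw our certificate.  "no shared cipher" = raised locally,
# nothing in the client's offer matched our CipherList.
REASON_HINTS = {
    "sslv3 alert certificate unknown": "client rejected our server certificate",
    "no shared cipher": "no overlap between client's cipher offer and our CipherList",
}


def classify(reason):
    """Short hint for a STARTTLS failure reason; unknown reasons fall through."""
    reason = reason.strip()
    return REASON_HINTS.get(reason, "unclassified: " + reason)


def parse_line(line):
    """Parse one STARTTLS=server line into a dict, or None if it is not one."""
    m = FAILURE_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["ok"] = False
        rec["hint"] = classify(rec["reason"])
        return rec
    m = SUCCESS_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["ok"] = True
        return rec
    return None


def triage(log_text, min_failures=2):
    """Summarise STARTTLS outcomes per relay.

    Returns {"relays": {relay: {"ip", "ok", "failures", "reasons"}},
             "repeat_offenders": [relay, ...]} where a repeat offender has at
    least min_failures failed accepts and no successful handshake at all.
    """
    per_relay = defaultdict(
        lambda: {"ip": None, "ok": 0, "failures": 0, "reasons": Counter()}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated log line (from=, to=, etc.)
        entry = per_relay[rec["relay"]]
        entry["ip"] = rec["ip"]
        if rec["ok"]:
            entry["ok"] += 1
        else:
            entry["failures"] += 1
            entry["reasons"][rec["reason"]] += 1
    offenders = sorted(
        relay for relay, e in per_relay.items()
        if e["failures"] >= min_failures and e["ok"] == 0
    )
    return {"relays": dict(per_relay), "repeat_offenders": offenders}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for relay in result["repeat_offenders"]:
        e = result["relays"][relay]
        print(f"{relay} [{e['ip']}]: {e['failures']} failed STARTTLS accepts")
        for reason, n in e["reasons"].most_common():
            print(f"  {n}x {reason} -> {classify(reason)}")
```

Run it against a real maillog by passing the file contents to `triage()`; a relay that appears only under `repeat_offenders` with the "certificate unknown" reason is one whose admin needs to be contacted about what their client verifies, while a "no shared cipher" count is something to reconcile against the local CipherList before changing it.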
 
LVL 9

Expert Comment

by:Scott Silva
ID: 41890655
I'm thinking they are running SSLV3 with a bad certificate... A lot of part time postmasters don't configure TLS right, especially if they are running older software versions or appliances...
0
 
LVL 13

Author Comment

by:kenfcamp
ID: 41890658
Agreed, it's one or the other lol

I'm done caring for the night ;) lol

Thanks everyone, I'll close this tomorrow

Have a great night
0
 
LVL 13

Author Closing Comment

by:kenfcamp
ID: 41891812
Jan and Scott,

I appreciate the effort the two of you made in resolving this issue.
I ended up sending an email to the district's admin who never really replied, but the 40 min retries that have been going on for the past month have ended heh

I'm guessing he dumped the queue, I'll have to wait to see if the issue has been addressed or not :\

Thanks again
Ken
1
