Solved

Sendmail STARTTLS error

Posted on 2016-11-16
Last Modified: 2016-11-17
I'm investigating an issue where emails sent by a certain domain (a school district) aren't being received.

In reviewing the logs I've found:
STARTTLS=server, error: accept failed=0, reason=sslv3 alert certificate unknown, SSL_error=1, errno=0, retry=-1, relay=server.domain.org [xxx.xx.xxx]

I suspect the issue is with the certificate or configuration of the sending server, but I'm hitting a dead end in researching it further to confirm.

Anybody have any insight?

Ken
Question by:kenfcamp

37 Comments
 
Expert Comment by:Jan Springer
ID: 41889705
Can you post your sendmail.mc file?

Author Comment by:kenfcamp
ID: 41889736
Here you go,

dnl#
include(`../m4/cf.m4')
VERSIONID(`default setup for Slackware Linux')dnl
OSTYPE(`linux')dnl
define(`confDOMAIN_NAME', `$w.$m')dnl
dnl#
define(`confCACERT_PATH', `/etc/mail/certs')dnl
define(`confCACERT', `/etc/mail/certs/cacert.pem')dnl
define(`confSERVER_CERT', `/etc/mail/certs/server-cert.pem')dnl
define(`confSERVER_KEY', `/etc/mail/certs/server-key.pem')dnl  
define(`confCLIENT_CERT', `/etc/mail/certs/server-cert.pem')dnl
define(`confCLIENT_KEY', `/etc/mail/certs/server-key.pem')dnl    
dnl# These settings help protect against people verifying email addresses
dnl# at your site in order to send you email that you probably don't want:
define(`confPRIVACY_FLAGS', `authwarnings,novrfy,noexpn,restrictqrun')dnl
dnl# No timeout for ident:
define(`confTO_IDENT', `0')dnl
dnl# See the README in /usr/share/sendmail/cf for a ton of information on
dnl# how these options work:
FEATURE(`use_cw_file')dnl  
FEATURE(`use_ct_file')dnl
FEATURE(`mailertable',`hash -o /etc/mail/mailertable.db')dnl
FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')dnl
FEATURE(`access_db', `hash -T<TMPF> /etc/mail/access')dnl
FEATURE(`blacklist_recipients')dnl
FEATURE(`local_procmail',`',`procmail -t -Y -a $h -d $u')dnl
FEATURE(`always_add_domain')dnl
FEATURE(`redirect')dnl
FEATURE(`no_default_msa')dnl
FEATURE(`enhdnsbl', `b.barracudacentral.org', `"550 Rejected: IP in Barracuda RBL"')dnl
FEATURE(`enhdnsbl', `z.mailspike.net', `"550 Rejected: IP found in mailspike RBL"')dnl
FEATURE(`dnsbl', `korea.services.net', `"550 Rejected: Email rejected due to sending server misconfiguration - see http://korea.services.net"')dnl
INPUT_MAIL_FILTER(`clamav', `S=local:/var/run/clamav/clmilter.sock, F=, T=S:4m;R:4m;C:30s;E:10m')dnl
INPUT_MAIL_FILTER(`opendkim',`S=local:/var/run/dkim/dkim.sock')dnl
define(`confINPUT_MAIL_FILTERS', `clamav, opendkim')dnl
dnl# Also accept mail for localhost.localdomain:
LOCAL_DOMAIN(`localhost.localdomain')dnl
MAILER(local)dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
dnl# Allow SASL authentication/relaying:
define(`confAUTH_OPTIONS', `A p y')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
TRUST_AUTH_MECH(`LOGIN PLAIN DIGEST-MD5 CRAM-MD5')dnl
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
dnl DAEMON_OPTIONS(`Port=587, Name=MSA, M=E')dnl
dnl# Daemon options after M= below that might need to be changed are:
dnl# s (allow SSL, not only TLS)
dnl# a (require authentication)
DAEMON_OPTIONS(`Port=smtps, Name=MSA-SSL, M=Esa')dnl
LOCAL_CONFIG
dnl# Do not allow the weak SSLv2:
O CipherList=ALL:!ADH:!NULL:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:-LOW:+SSLv3:+TLSv1:-SSLv2:+EXP:+eNULL

Ken

Assisted Solution by:Jan Springer (earned 250 total points)
ID: 41889751
Are your keys at least 2048 bits?

Or maybe your Diffie-Hellman parameters are too short:

   cd /etc/mail/certs
   openssl dhparam -out dh.param 4096

in your sendmail.mc:

   define(`confDH_PARAMETERS', `/etc/mail/certs/dh.param')dnl
   
restart sendmail.
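A shell check for the two questions Jan raises, added here as an example and not something posted in the thread. Run against the directory named in the sendmail.mc above, it reports the RSA key and certificate sizes, the DH parameter size, whether server-cert.pem was actually issued for server-key.pem, and whether the certificate verifies against cacert.pem (the confCACERT bundle a peer would need to trust). The directory and file names are the ones in kenfcamp's config; dh.param is the file Jan's commands produce; the report layout is mine.

```sh
#!/bin/sh
# Added example (not from the thread): sanity checks for the TLS material named
# in the sendmail.mc above.  Paths and file names are kenfcamp's; dh.param is
# the file Jan Springer's post generates.

# Modulus size in bits of a PEM RSA private key.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Public key size in bits of a PEM X.509 certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Prime size in bits of a PEM DH parameter file.
dh_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*DH Parameters: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeeds when the certificate's public modulus equals the key's modulus.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    k=$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds when the certificate verifies against the given CA bundle.
# (openssl verify in 1.0.x exits 0 even on failure, so check the text.)
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

report() {
    d=$1
    echo "server-key.pem:  $(key_bits "$d/server-key.pem") bit RSA"
    echo "server-cert.pem: $(cert_bits "$d/server-cert.pem") bit public key"
    if [ -f "$d/dh.param" ]; then
        echo "dh.param:        $(dh_bits "$d/dh.param") bit"
    else
        echo "dh.param:        missing (confDH_PARAMETERS not in effect)"
    fi
    if cert_matches_key "$d/server-cert.pem" "$d/server-key.pem"; then
        echo "cert/key:        match"
    else
        echo "cert/key:        MISMATCH, sendmail cannot use this pair"
    fi
    if cert_chains_to "$d/server-cert.pem" "$d/cacert.pem"; then
        echo "chain:           server-cert.pem verifies against cacert.pem"
    else
        echo "chain:           server-cert.pem does NOT verify against cacert.pem"
    fi
}

# Usage: sh tlscheck.sh /etc/mail/certs
if [ $# -eq 1 ]; then
    report "$1"
fi
```

A cert/key mismatch or a certificate that does not verify against its own cacert.pem are both found in seconds this way, which is worth doing before waiting on a 4096-bit dhparam run.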
 
Author Comment by:kenfcamp
ID: 41889817
This looks like it might take a while lol

I'll update once it completes and I rebuild and verify

Ken

Expert Comment by:Jan Springer
ID: 41889823
It does.  Depending upon the CPU and memory, it may take a very long while.  Don't be concerned.

Expert Comment by:Scott Silva
ID: 41889936
And if you still can't get that domain to cooperate, you can disable encryption to that domain in /etc/mail/access

Add a line:

   Try_TLS:<partial or full destination hostname / MX record>     NO

That will tell sendmail to skip the TLS handshake on that domain.  When I was running sendmail I had a few domains that just wouldn't complete the handshake, and sendmail does not fall back to an unencrypted connection.
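Access-map entries for both directions, added here as an example rather than anything posted in the thread. The caveat a practitioner needs: Try_TLS only affects sendmail acting as the SMTP client, i.e. mail going out. The error in the question is logged as STARTTLS=server, an inbound session, and the control for that side is Srv_Features (in the access map since sendmail 8.13, as far as I recall; check cf/README for the version in use), where an uppercase S stops sendmail from advertising STARTTLS to the matching peer. Either entry is a deliberate downgrade to plaintext for that one peer, so key it to the specific host name or address, never a whole domain. server.domain.org is the placeholder from the log line and 192.0.2.10 is a documentation address standing in for the real one; both forms are shown because the name lookup depends on the peer's reverse DNS.

```text
# /etc/mail/access  (added example; FEATURE(`access_db') is already in the .mc above)

# Outbound only: when this sendmail connects to server.domain.org as a client,
# do not attempt STARTTLS.  Has no effect on sessions logged as STARTTLS=server.
Try_TLS:server.domain.org            NO

# Inbound: when server.domain.org (or the address it connects from) talks to
# this sendmail, do not offer STARTTLS in the EHLO reply, so its TLS client
# never gets as far as rejecting our self-signed certificate.  Uppercase S = off.
Srv_Features:server.domain.org       S
Srv_Features:192.0.2.10              S
```

Rebuild the map afterwards with `makemap hash /etc/mail/access < /etc/mail/access`, matching the `hash -T<TMPF> /etc/mail/access` declaration in the .mc above.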
 
Expert Comment by:Jan Springer
ID: 41889974
Use of Try_TLS in the access map depends upon the version of sendmail running.

Expert Comment by:Dave Baldwin
ID: 41889980
+SSLv3: indicates that you are allowing SSLv3 but it has been removed from most servers by now.
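Where protocol control actually lives in sendmail, as an added fragment for the .mc above and not something posted in the thread. The +SSLv3 and +TLSv1 tokens in an OpenSSL cipher string only reorder the suites introduced with those protocol versions; they do not enable or disable the SSLv3 protocol. That is done with the SSL options (confSERVER_SSL_OPTIONS and confCLIENT_SSL_OPTIONS; my recollection is that these arrived in sendmail 8.14, so check cf/README for the version in use). The original CipherList also leaves RC4 and the 40-bit export suites selectable, because !EXPORT56 removes only the 56-bit export suites and +EXP merely moves the rest to the end of the list. The certificate path is kenfcamp's; the dh.param name is Jan's.

```text
dnl# Added example: protocol and cipher control for the sendmail.mc above.
dnl# Disable SSLv2/SSLv3 on both sides and let the server pick the suite.
define(`confSERVER_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE')dnl
define(`confCLIENT_SSL_OPTIONS', `+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3')dnl
dnl# Replaces the "O CipherList=..." line under LOCAL_CONFIG: no anonymous,
dnl# NULL, export, RC4 or MD5 suites.
define(`confCIPHER_LIST', `HIGH:MEDIUM:!aNULL:!eNULL:!EXPORT:!RC4:!MD5')dnl
dnl# Diffie-Hellman parameters generated as in Jan Springer's post.
define(`confDH_PARAMETERS', `/etc/mail/certs/dh.param')dnl
```

Tightening either side is a trade-off with legacy senders: a peer that can only speak SSLv3, or only offers suites this list excludes, fails with "no shared cipher" instead of completing the handshake, which is exactly the change the thread's later update reports after SSLv3 was switched off.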
 
Expert Comment by:arnold
ID: 41890332
What the client allows is of little importance as long as the client can negotiate the options available from the server.

Try the following from the sendmail server on which the email lands, to reach the remote:
openssl s_client -connect server.domain.org:25 -starttls smtp

Look at the protocol, certificate information...
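A scripted version of arnold's s_client probe, added here as an example and not part of the thread. It connects to port 25 with STARTTLS at each protocol version in turn, the way arnold describes forcing SSLv2, SSLv3 or TLS, and reduces s_client's transcript to the protocol, cipher, verify result and certificate subject. The transcript parser is a separate function so it can be checked against a saved run. The host name is an argument (server.domain.org is the placeholder from the log line), port 25 and the flag list are my assumptions, and, as kenfcamp found, none of this helps when the peer does not listen on 25 at all.

```sh
#!/bin/sh
# Added example (not from the thread): scripted openssl s_client probe of a
# peer's SMTP STARTTLS, one protocol version at a time, plus a parser that
# reduces s_client's transcript to the handful of fields that matter.

# Read an s_client transcript on stdin and print one summary line.
summarize_s_client() {
    awk '
        /^ *Protocol *:/          { sub(/^ *Protocol *: */, "");          proto  = $0 }
        /^ *Cipher *:/            { sub(/^ *Cipher *: */, "");            cipher = $0 }
        /^ *Verify return code:/  { sub(/^ *Verify return code: */, "");  verify = $0 }
        /^subject=/ && subj == "" { sub(/^subject=/, "");                 subj   = $0 }
        END {
            printf "protocol=%s cipher=%s verify=%s subject=%s\n",
                (proto  != "" ? proto  : "none"),
                (cipher != "" ? cipher : "none"),
                (verify != "" ? verify : "unknown"),
                (subj   != "" ? subj   : "none")
        }'
}

# Probe $1 on port 25 with STARTTLS, forcing protocol flag $2 (-ssl3, -tls1,
# -tls1_1, -tls1_2).  A flag this openssl build was compiled without (usually
# -ssl3) is reported as such rather than treated as a peer failure.
probe_starttls() {
    host=$1
    flag=$2
    out=$(openssl s_client -connect "$host:25" -starttls smtp "$flag" </dev/null 2>&1)
    case $out in
        *"nknown option"*|*"not supported"*)
            printf '%s: not supported by this openssl build\n' "$flag" ;;
        *)
            printf '%s: %s\n' "$flag" "$(printf '%s\n' "$out" | summarize_s_client)" ;;
    esac
}

# Usage: sh probe.sh server.domain.org
if [ $# -eq 1 ]; then
    for f in -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe_starttls "$1" "$f"
    done
fi
```

The verify line is the one to read first: "18 (self signed certificate)" from the peer tells you what their client will say about yours, and a failed handshake shows up as a cipher of 0000 with no subject.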
 
Author Comment by:kenfcamp
ID: 41890482
Sorry for the delay, I had to run out for a while.

[ Jan Springer ] -
I've rebuilt my cf file and restarted Sendmail... No change

[ Scott Silva ] -
I've tried the TRY_TLS with no success. It works great for communication issues (TLS client errors) w/ Ironports etc

[ arnold ] -
Great idea, but no luck: nothing to connect to except the HTTP/HTTPS ports, which go to an Outlook Web App.
I do know that mail sent to recipients goes to a different address,

Author Comment by:kenfcamp
ID: 41890485
To me it looks like there's something wrong with the senders certificate and my server's refusing to accept it.
Am I looking at it wrong?

Expert Comment by:Jan Springer
ID: 41890486
Is that a self-signed certificate?  If so, are you sure that all of the values (i.e., FQDN) were entered correctly?

Author Comment by:kenfcamp
ID: 41890492
Ok

I've just pulled logs going back to October 16th, and aside from this one server there are only two other servers that have generated this error.

Expert Comment by:Jan Springer
ID: 41890493
I am not sure.  Perhaps Arnold or Dave can assist.

Author Comment by:kenfcamp
ID: 41890495
Jan,

My certificate is self-signed, yes... I can't say if the sending server doesn't like it or not, but with the volume of email sent and received through my server I'd hear about delivery issues real fast

Expert Comment by:Jan Springer
ID: 41890498
I don't disagree.  But I do run into the server now and again that has to be difficult when all others don't have a problem.

Author Comment by:kenfcamp
ID: 41890499
I can't speak for the senders certificate other than my server seems to enjoy spitting it out heh

Expert Comment by:Scott Silva
ID: 41890505
Maybe try MXToolbox on the offending site and see what you get... You might have to test the MX record names too...

Author Comment by:kenfcamp
ID: 41890514
You're right, it happens.. But to answer your question yes the FQDN matches the mail server's name

Author Comment by:kenfcamp
ID: 41890523
Scott,

That's the rub.. the MX record for the domain points to a totally different server and IP.

Expert Comment by:Scott Silva
ID: 41890534
So you get a fail when they send to you? Use that IP or name for the mxtoolbox tests...  Many companies only receive on their MX boxes and send from another...

Author Comment by:kenfcamp
ID: 41890537
Blacklists are clean for the domain's listed mail server

Expert Comment by:Scott Silva
ID: 41890542
an smtp test... I think it checks cert validity...

Author Comment by:kenfcamp
ID: 41890546
blacklists on "problem server" IP are clean as well

That is correct.. Sending to them is no problem (they receive on a different server) but when they send to my server it results in a failure

Author Comment by:kenfcamp
ID: 41890548
No can do, no SMTP/SMTPS ports open... The server does appear to be an Exchange server and the only open ports are HTTP and HTTPS.
I've loaded the domain in my browser and it turned out to be an "Outlook Web Portal"

Assisted Solution by:Scott Silva (earned 250 total points)
ID: 41890566
When you said you tried the TRY_TLS option did you use the domain name the sending server resolves to and not the MX records?
Beyond that there were issues with exchange and sendmail, but they are fairly old...

Author Comment by:kenfcamp
ID: 41890577
:) lol ... I'm liking you Scott you cover bases

Yes, "Try_TLS" was used on the "offending" domain name, and not the domain on record.
There's no point in trying it on the other server, it's not in the logs for the sessions in question

Expert Comment by:arnold
ID: 41890582
The test suggested is to replicate the sendmail connection to the remote system; it would actually answer many things definitively. If you must, you could use the options to identify yourself using the same certificate your sendmail is configured to use when establishing an outgoing STARTTLS connection.
Usually, only the remote side needs to have a valid certificate to authenticate who they are; the client does not need an authentication certificate unless that is the agreement between your organization as the sender and the receiving organization as the server through which you will relay.

Try as suggested: disable SSLv3 as a viable option on your client side and see if that fixes the issue, since the error refers to SSLv3.....

If you feel comfortable with any of the experts commenting here, you could provide (message) them the name of the server through which you want to relay; we would be able to check on whether the issue is there....

Or, on your side, openssl s_client has options that let you force it to attempt connections using SSLv2, SSLv3, TLS, etc. and see whether one of those options is what breaks the functionality, i.e. if you follow the advice to disable the SSLv3 cipher, it may fix your outgoing connection, and/or impact your incoming ones, forcing some users to update their email clients/systems........

Your error log is not clear to me (since I am not a sendmail ....). To me it seems like an outgoing connection from your server to ..... where it tries to initiate a TLS session but fails...

Author Comment by:kenfcamp
ID: 41890583
I'm betting it's becoming clear why I reached out lol

Author Comment by:kenfcamp
ID: 41890587
Arnold,

This isn't an outgoing issue of "mine"...   It's an incoming issue with 1 server out of thousands

Author Comment by:kenfcamp
ID: 41890593
Arnold,
Essentially, my server sees an incoming request, but appears to be having an issue with the certificate from the sender
(At least that's how it's looking)

Accepted Solution by:Scott Silva (earned 250 total points)
ID: 41890598
You might just have to send a message to their postmaster account and see if you get a reply? You might have to talk to the sending admin to figure this out...

I used sendmail for close to 20 years and had plenty of these types of issues... My company higher ups made the decision to move to exchange but My MX's are still Linux spam filters..... You can't just go cold turkey....  lol

Author Comment by:kenfcamp
ID: 41890609
lol

Yea I've pretty much decided that I was going to try to contact them in the morning

Author Comment by:kenfcamp
ID: 41890645
Just an update

For grins and giggles SSLv3 was disabled, and a new failure occurred

No SSLv3- "STARTTLS=server, error: accept failed=-1, reason=no shared cipher, SSL_error=1"
w/ SSLv3- "STARTTLS=server, error: accept failed=0, reason=sslv3 alert certificate unknown, SSL_error=1"

I'm now wondering if they're running a cipher that my server isn't configured to use
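A triage pass over the maillog, added here as an example and not part of the thread, grouping STARTTLS failures by side, reason and peer so that one noisy sender stands out from the thousands that work. The useful detail in the reason field is which end produced it: an OpenSSL reason of the form "sslv3 alert ..." is an alert the peer sent, so on a STARTTLS=server session "alert certificate unknown" means the remote client rejected the certificate this server presented; "no shared cipher" means the two sides had no protocol and cipher suite in common; "certificate verify failed" is this side's own verifier rejecting the peer. The sample log the test builds is constructed from the two errors quoted above, with the syslog prefix, queue IDs and the client-side line invented for illustration; 192.0.2.10 and 198.51.100.7 are documentation addresses.

```sh
#!/bin/sh
# Added example (not from the thread): group sendmail STARTTLS failures from a
# maillog by side, reason and peer, and label which end produced the reason.
# Expects lines in the format quoted in the question.

# stdin: maillog lines.  stdout: count, side, reason, relay, origin
# (tab separated), most frequent first.
triage_starttls() {
    awk '
        /STARTTLS=(server|client), error:/ {
            side = ""; reason = ""; relay = ""
            if (match($0, /STARTTLS=[a-z]+/))  side   = substr($0, RSTART + 9, RLENGTH - 9)
            if (match($0, /reason=[^,]*/))     reason = substr($0, RSTART + 7, RLENGTH - 7)
            if (match($0, /relay=[^ ,]*/))     relay  = substr($0, RSTART + 6, RLENGTH - 6)
            n[side "\t" reason "\t" relay]++
        }
        END {
            for (k in n) {
                split(k, f, "\t")
                # OpenSSL reports a TLS alert it *received* as "... alert ...";
                # its own verifier rejecting the peer reads "certificate verify failed".
                if (f[2] ~ /alert/)                 origin = "peer rejected what we sent"
                else if (f[2] ~ /no shared cipher/) origin = "no cipher/protocol overlap"
                else if (f[2] ~ /verify failed/)    origin = "local verification rejected peer cert"
                else                                origin = "other"
                printf "%d\t%s\t%s\t%s\t%s\n", n[k], f[1], f[2], f[3], origin
            }
        }' | sort -rn
}

# Usage: sh triage.sh /var/log/maillog
if [ $# -eq 1 ]; then
    triage_starttls < "$1"
fi
```

Run over a month of logs it answers the question kenfcamp asks by hand above (how many peers hit this, and which ones) and says on which side the rejection happened, which decides whether the fix is local (cert, cipher list) or belongs to the remote administrator.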
 
Expert Comment by:Scott Silva
ID: 41890655
I'm thinking they are running SSLv3 with a bad certificate... A lot of part-time postmasters don't configure TLS right, especially if they are running older software versions or appliances...

Author Comment by:kenfcamp
ID: 41890658
Agreed, it's one or the other lol

I'm done caring for the night ;) lol

Thanks everyone, I'll close this tomorrow

Have a great night

Author Closing Comment by:kenfcamp
ID: 41891812
Jan and Scott,

I appreciate the effort the two of you made in resolving this issue.
I ended up sending an email to the district's admin who never really replied, but the 40 min retries that have been going on for the past month have ended heh

I'm guessing he dumped the queue, I'll have to wait to see if the issue has been addressed or not :\

Thanks again
Ken