Bug 611562
| Summary: | Sendmail STARTTLS=server SSL error | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Gary Myers <gary> | ||||||||
| Component: | sendmail | Assignee: | Jaroslav Škarvada <jskarvad> | ||||||||
| Status: | CLOSED WORKSFORME | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | low | ||||||||||
| Version: | 13 | CC: | bryan, herrold, jskarvad, mlichvar | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2010-07-12 18:25:03 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
Gary Myers
2010-07-05 16:36:47 UTC
Sorry, I do not have appriver account. In my tests SSL(on port 465)/TLS(on port 25) worked OK. I tested setup from http://www.brennan.id.au/12-Sendmail_Server.html#encryption with evolution client. Is your settings/certificate correct? Can you provide more debuginfo? Created attachment 430189 [details]
Sendmail configuration (M4)
Nothing has changed config wise, I simply updated to Fedora 13. I use Self-signed certs, but this had not caused a problem in the past and does not cause a problem on the Fedora 12 system as mentioned in my original post. I am sorry, I do not have any further debug information other than what sendmail logged. There is nothing listed on the web with this: "STARTTLS=server: 20221:error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode error:s3_pkt.c:1193:SSL alert number 50" so I am assuming it is something new in the current F13 release of Sendmail. If it is of help, I have attached my sendmail.mc and this fails with appriver. Do you now the version of sendmail that worked for you? For now there is same version of sendmail in F12 and F13 (the F13 build differs only in release number - it is rebuilt with compat-db). Is it working from other domains than appriver? Is it working without TLS? Can you try with more AUTH_MECHs than PLAIN? Can't be related to "big number of root CAs" problem? According to http://www.sendmail.org/~ca/email/starttls.html#starttlssetup sendmail dislikes big number of root CAs during TLS handshake. There is also bugzilla about it: https://bugzilla.redhat.com/show_bug.cgi?id=479484 Also please try to use something like: define(`confLOG_LEVEL', `98')dnl to make the logging more verbose. sendmail-8.14.4-3.fc12.x86_64 works fine. sendmail-8.14.4-4.fc13.x86_64 fails. The configurations for both servers are identical, save for the ca-bundle, which is larger in F13. I have no tried copying the ca-bundle from F12 to replace the ca-bundle in F13 yet. Yes, the configuration works with all other domains. appriver is the first to fail like this. Yes it works if I remove the certificate options from sendmail.mc, but then I lose TLS ability when remote. Added EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN to the AUTH_MECH but this did not affect the TLS issue. I enabled the extra logging features. There are two files of log extracts: "sendmail-log-with-TLS.txt" shows the output with certificates enabled; "sendmail-log-without-TLS.txt" shows the message being processed successfully. Created attachment 430642 [details]
Sendmail log with TLS enabled
Created attachment 430643 [details]
Sendmail log without TLS
Typo in comment 5: That should read "I have not tried copying the ca-bundle from F12 to replace the ca-bundle in F13 yet." > sendmail-8.14.4-3.fc12.x86_64 works fine. > sendmail-8.14.4-4.fc13.x86_64 fails. As I wrote in comment 4, these versions are same (only rebuilt with compat-db that shouldn't be the source of your problem). Thus I tip the ca-bundle. Please try to cut it down. There are reports that the number of certs in F12 is still too much for MS clients to handle and overflow their buffers, thus maybe you will need to cut it more down. After looking on appriver pages I suspect them from using something like Exchange. Thanks for your help Jaroslav. I have created my own CA and set about creating new self-signed certificates. With sendmail now configured to only use my CA, the TLS handshake with the 'appriver' servers works fine. This is not an ideal solution as I now have to re-configure the servers I maintain to use their own CAs. However, this is not the fault of Fedora or Sendmail, but poorly written MTAs that people should not be so daft as to allow anywhere near the Internet!! |