Bug 611562 - Sendmail STARTTLS=server SSL error
Summary: Sendmail STARTTLS=server SSL error
Alias: None
Product: Fedora
Classification: Fedora
Component: sendmail   
(Show other bugs)
Version: 13
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jaroslav Škarvada
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2010-07-05 16:36 UTC by Gary Myers
Modified: 2015-07-15 17:40 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-07-12 18:25:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Sendmail configuration (M4) (2.92 KB, application/octet-stream)
2010-07-07 22:26 UTC, Gary Myers
no flags Details
Sendmail log with TLS enabled (4.65 KB, text/plain)
2010-07-09 11:24 UTC, Gary Myers
no flags Details
Sendmail log without TLS (32.50 KB, text/plain)
2010-07-09 11:24 UTC, Gary Myers
no flags Details

Description Gary Myers 2010-07-05 16:36:47 UTC
Description of problem: 'appriver.com' mail servers seem unable to email systems running Fedora 13 with sendmail-8.14.4-4.fc13.x86_64. The following [example] is produced in the maillog:

Jun 21 09:00:46 smaserver sendmail[20221]: STARTTLS=server, error: accept failed=0, SSL_error=1, errno=0, retry=-1, relay=server100.appriver.com []
Jun 21 09:00:46 smaserver sendmail[20221]: STARTTLS=server: 20221:error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode error:s3_pkt.c:1193:SSL alert number 50
Jun 21 09:00:46 smaserver sendmail[20221]: o5L80jdu020221: server100.appriver.com [] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Version-Release number of selected component (if applicable): sendmail-8.14.4-4.fc13.x86_64

How reproducible: E-mail was sent to three servers (two on one ISP, one on another) running F13 and the Sendmail version listed all produced the same sort of error messages. Further test messages sent via a F12 (sendmail-8.14.4-3.fc12.x86_64) system were processed without issue.

Steps to Reproduce:
1. E-mail sent via appriver.com fail with SSL error.
Actual results: No email from users of 'appriver.com' mail filtering service.

Expected results: Email to be delivered.

Additional info: OpenSSL is at the same release version on F12 and F13.

Comment 1 Jaroslav Škarvada 2010-07-07 16:39:01 UTC
Sorry, I do not have appriver account. In my tests SSL(on port 465)/TLS(on port 25) worked OK. I tested setup from http://www.brennan.id.au/12-Sendmail_Server.html#encryption with evolution client. Is your settings/certificate correct? Can you provide more debuginfo?

Comment 2 Gary Myers 2010-07-07 22:26:34 UTC
Created attachment 430189 [details]
Sendmail configuration (M4)

Comment 3 Gary Myers 2010-07-07 22:26:54 UTC
Nothing has changed config wise, I simply updated to Fedora 13. I use Self-signed certs, but this had not caused a problem in the past and does not cause a problem on the Fedora 12 system as mentioned in my original post.

I am sorry, I do not have any further debug information other than what sendmail logged. There is nothing listed on the web with this: "STARTTLS=server:
20221:error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode
error:s3_pkt.c:1193:SSL alert number 50" so I am assuming it is something new in the current F13 release of Sendmail.

If it is of help, I have attached my sendmail.mc and this fails with appriver.

Comment 4 Jaroslav Škarvada 2010-07-08 14:10:57 UTC
Do you now the version of sendmail that worked for you? For now there is same version of sendmail in F12 and F13 (the F13 build differs only in release number - it is rebuilt with compat-db).

Is it working from other domains than appriver?

Is it working without TLS?

Can you try with more AUTH_MECHs than PLAIN?

Can't be related to "big number of root CAs" problem? According to http://www.sendmail.org/~ca/email/starttls.html#starttlssetup sendmail dislikes big number of root CAs during TLS handshake. There is also bugzilla about it:

Also please try to use something like:
define(`confLOG_LEVEL', `98')dnl
to make the logging more verbose.

Comment 5 Gary Myers 2010-07-09 11:23:57 UTC
sendmail-8.14.4-3.fc12.x86_64 works fine.
sendmail-8.14.4-4.fc13.x86_64 fails.

The configurations for both servers are identical, save for the ca-bundle, which is larger in F13. I have no tried copying the ca-bundle from F12 to replace the ca-bundle in F13 yet.

Yes, the configuration works with all other domains. appriver is the first to fail like this.

Yes it works if I remove the certificate options from sendmail.mc, but then I lose TLS ability when remote.

Added EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN to the AUTH_MECH but this did not affect the TLS issue.

I enabled the extra logging features. There are two files of log extracts: "sendmail-log-with-TLS.txt" shows the output with certificates enabled; "sendmail-log-without-TLS.txt" shows the message being processed successfully.

Comment 6 Gary Myers 2010-07-09 11:24:28 UTC
Created attachment 430642 [details]
Sendmail log with TLS enabled

Comment 7 Gary Myers 2010-07-09 11:24:54 UTC
Created attachment 430643 [details]
Sendmail log without TLS

Comment 8 Gary Myers 2010-07-09 11:27:04 UTC
Typo in comment 5: That should read "I have not tried copying the ca-bundle from F12 to replace the ca-bundle in F13 yet."

Comment 9 Jaroslav Škarvada 2010-07-09 13:08:23 UTC
> sendmail-8.14.4-3.fc12.x86_64 works fine.
> sendmail-8.14.4-4.fc13.x86_64 fails.

As I wrote in comment 4, these versions are same (only rebuilt with compat-db that shouldn't be the source of your problem). Thus I tip the ca-bundle. Please try to cut it down. There are reports that the number of certs in F12 is still too much for MS clients to handle and overflow their buffers, thus maybe you will need to cut it more down. After looking on appriver pages I suspect them from using something like Exchange.

Comment 10 Gary Myers 2010-07-12 18:24:39 UTC
Thanks for your help Jaroslav.

I have created my own CA and set about creating new self-signed certificates. With sendmail now configured to only use my CA, the TLS handshake with the 'appriver' servers works fine. This is not an ideal solution as I now have to re-configure the servers I maintain to use their own CAs. However, this is not the fault of Fedora or Sendmail, but poorly written MTAs that people should not be so daft as to allow anywhere near the Internet!!

Note You need to log in before you can comment on or make changes to this bug.