Red Hat Bugzilla – Bug 611562
Sendmail STARTTLS=server SSL error
Last modified: 2015-07-15 13:40:35 EDT
Description of problem: 'appriver.com' mail servers seem unable to email systems running Fedora 13 with sendmail-8.14.4-4.fc13.x86_64. The following [example] is produced in the maillog:
Jun 21 09:00:46 smaserver sendmail: STARTTLS=server, error: accept failed=0, SSL_error=1, errno=0, retry=-1, relay=server100.appriver.com [220.127.116.11]
Jun 21 09:00:46 smaserver sendmail: STARTTLS=server: 20221:error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode error:s3_pkt.c:1193:SSL alert number 50
Jun 21 09:00:46 smaserver sendmail: o5L80jdu020221: server100.appriver.com [18.104.22.168] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Version-Release number of selected component (if applicable): sendmail-8.14.4-4.fc13.x86_64
How reproducible: E-mail was sent to three servers (two on one ISP, one on another) running F13 and the Sendmail version listed; all produced the same sort of error messages. Further test messages sent via a F12 (sendmail-8.14.4-3.fc12.x86_64) system were processed without issue.
Steps to Reproduce:
1. E-mail sent via appriver.com fails with an SSL error.
Actual results: No email from users of 'appriver.com' mail filtering service.
Expected results: Email to be delivered.
Additional info: OpenSSL is at the same release version on F12 and F13.
Sorry, I do not have an appriver account. In my tests SSL (on port 465)/TLS (on port 25) worked OK. I tested the setup from http://www.brennan.id.au/12-Sendmail_Server.html#encryption with the evolution client. Are your settings/certificate correct? Can you provide more debug info?
Created attachment 430189 [details]
Sendmail configuration (M4)
Nothing has changed config-wise, I simply updated to Fedora 13. I use self-signed certs, but this had not caused a problem in the past and does not cause a problem on the Fedora 12 system, as mentioned in my original post.
I am sorry, I do not have any further debug information other than what sendmail logged. There is nothing listed on the web with this: "STARTTLS=server: 20221:error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode error:s3_pkt.c:1193:SSL alert number 50", so I am assuming it is something new in the current F13 release of Sendmail.
If it is of help, I have attached my sendmail.mc and this fails with appriver.
Do you know the version of sendmail that worked for you? For now there is the same version of sendmail in F12 and F13 (the F13 build differs only in release number; it is rebuilt with compat-db).
Is it working from other domains than appriver?
Is it working without TLS?
Can you try with more AUTH_MECHs than PLAIN?
Couldn't it be related to the "big number of root CAs" problem? According to http://www.sendmail.org/~ca/email/starttls.html#starttlssetup sendmail dislikes a big number of root CAs during the TLS handshake. There is also a bugzilla about it:
Also please try to use something like:
to make the logging more verbose.
sendmail-8.14.4-3.fc12.x86_64 works fine.
The configurations for both servers are identical, save for the ca-bundle, which is larger in F13. I have no tried copying the ca-bundle from F12 to replace the ca-bundle in F13 yet.
Yes, the configuration works with all other domains. appriver is the first to fail like this.
Yes it works if I remove the certificate options from sendmail.mc, but then I lose TLS ability when remote.
Added EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN to the AUTH_MECH but this did not affect the TLS issue.
I enabled the extra logging features. There are two files of log extracts: "sendmail-log-with-TLS.txt" shows the output with certificates enabled; "sendmail-log-without-TLS.txt" shows the message being processed successfully.
Created attachment 430642 [details]
Sendmail log with TLS enabled
Created attachment 430643 [details]
Sendmail log without TLS
Typo in comment 5: That should read "I have not tried copying the ca-bundle from F12 to replace the ca-bundle in F13 yet."
> sendmail-8.14.4-3.fc12.x86_64 works fine.
> sendmail-8.14.4-4.fc13.x86_64 fails.
As I wrote in comment 4, these versions are the same (only rebuilt with compat-db, which shouldn't be the source of your problem). Thus my guess is the ca-bundle. Please try to cut it down. There are reports that the number of certs in F12 is still too much for MS clients to handle and overflows their buffers, so maybe you will need to cut it down even more. After looking at the appriver pages I suspect them of using something like Exchange.
Thanks for your help Jaroslav.
I have created my own CA and set about creating new self-signed certificates. With sendmail now configured to only use my CA, the TLS handshake with the 'appriver' servers works fine. This is not an ideal solution as I now have to re-configure the servers I maintain to use their own CAs. However, this is not the fault of Fedora or Sendmail, but poorly written MTAs that people should not be so daft as to allow anywhere near the Internet!!
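As an added example (not code from the bug report, sendmail, OpenSSL or Fedora), the following Python script performs the check Jaroslav suggested in comment 6 and the cut-down the reporter ended up doing: it parses a PEM CA bundle, extracts each certificate's subject DN with a minimal DER walker, and estimates how many bytes the server would put into the certificate_authorities list of a TLS CertificateRequest if it advertised every CA in the bundle. Two thresholds are reported: the 65535-byte protocol limit of that list (RFC 5246, section 7.4.4) and a 16 KiB heuristic, which is an assumption of this example, based on the size of one TLS record's plaintext payload, not a figure from the thread. The trim_bundle function keeps only the CAs whose Common Name matches, which is the equivalent of the reporter's move to a single private CA. The certificates built by fake_cert_der and fake_bundle are constructed, unsigned X.509 skeletons for offline testing; names such as "Constructed Test Root" are made up.

```python
"""Estimate the CertificateRequest CA-list size for a PEM bundle and trim the bundle.
Added example for this bug thread; not code from sendmail, OpenSSL or Fedora."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3
TLS_CA_LIST_MAX = 65535                    # certificate_authorities<0..2^16-1>, RFC 5246 7.4.4
ONE_RECORD = 16384                         # assumption: fragile stacks expect one record per handshake msg


def der_tlv(buf, pos):
    """Decode one DER tag/length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der(tag, content):
    """Encode one DER TLV (used only to build the constructed test certificates)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def pem_certs(bundle_text):
    """DER bytes of every certificate in a PEM bundle."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(bundle_text)]


def subject_dn_der(cert_der):
    """DER subject Name of an X.509 certificate: the bytes a server would place in
    CertificateRequest.certificate_authorities for that CA."""
    _, pos, _ = der_tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert_der, pos)     # tbsCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                     # serialNumber, signature, issuer, validity
        _, _, pos = der_tlv(cert_der, pos)
    _, _, end = der_tlv(cert_der, pos)     # subject Name
    return cert_der[pos:end]


def subject_cn(cert_der):
    """Common Name attribute of the subject, or None if absent."""
    name = subject_dn_der(cert_der)
    _, pos, end = der_tlv(name, 0)
    while pos < end:
        _, p, rdn_end = der_tlv(name, pos)     # RelativeDistinguishedName SET
        while p < rdn_end:
            _, a, atv_end = der_tlv(name, p)   # AttributeTypeAndValue SEQUENCE
            _, os_, oe = der_tlv(name, a)      # type OID
            _, vs, ve = der_tlv(name, oe)      # value
            if name[os_:oe] == OID_COMMON_NAME:
                return name[vs:ve].decode("utf-8", "replace")
            p = atv_end
        pos = rdn_end
    return None


def ca_list_size(bundle_text):
    """Bytes of certificate_authorities if every CA is advertised (2-byte length + DER Name each)."""
    return sum(2 + len(subject_dn_der(c)) for c in pem_certs(bundle_text))


def bundle_report(bundle_text):
    size = ca_list_size(bundle_text)
    return {"certs": len(pem_certs(bundle_text)), "ca_list_bytes": size,
            "exceeds_tls_limit": size > TLS_CA_LIST_MAX, "exceeds_one_record": size > ONE_RECORD}


def trim_bundle(bundle_text, keep_cn_substrings):
    """Re-emit only the certificates whose subject CN contains one of the substrings."""
    kept = []
    for m in PEM_RE.finditer(bundle_text):
        cn = subject_cn(base64.b64decode("".join(m.group(1).split()))) or ""
        if any(k in cn for k in keep_cn_substrings):
            kept.append(m.group(0) + "\n")
    return "".join(kept)


# --- constructed test data: structurally valid, unsigned X.509 skeletons ---
def _name(cn):
    atv = der(0x30, der(0x06, OID_COMMON_NAME) + der(0x0C, cn.encode()))  # CN as UTF8String
    return der(0x30, der(0x31, atv))


def fake_cert_der(subject_cn_text, issuer_cn_text="Constructed Test Root"):
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + _name(issuer_cn_text) + validity + _name(subject_cn_text) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


def fake_bundle(cns):
    return "".join("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(fake_cert_der(cn)).decode()
                   + "-----END CERTIFICATE-----\n" for cn in cns)


if __name__ == "__main__":
    # On a real host: bundle_report(open("/etc/pki/tls/certs/ca-bundle.crt").read())
    print(bundle_report(fake_bundle(["Constructed Root %d" % i for i in range(200)])))
```

Point bundle_report at the ca-bundle the sendmail configuration references and compare the F12 and F13 numbers; if the F13 list crosses a threshold the peer's stack cannot handle, a decode_error alert (number 50) during accept is the symptom to expect. Writing trim_bundle's output to a separate file and pointing confCACERT at that file, rather than editing the distribution bundle, keeps the change survivable across package updates.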