[BlueOnyx:13533] Re: TLS message: tlsv1 alert insufficient security:s3_pkt.c:1092:SSL alert number 71

Tobias Gablunsky t.gablunsky at cbxnet.de
Thu Aug 15 08:34:56 -05 2013


It seems the TLS problem with gmx and web.de just showed an already known sendmail bug. Today I got an answer from an email admin at gmx:

8.14.4/8.14.4	2009/12/30
[...]
	If a Diffie-Hellman cipher is selected for STARTTLS, the
		handshake could fail with some TLS implementations
		because the prime used by the server is not long enough.
		Note: the initialization of the DSA/DH parameters for
		the server can take a significant amount of time on slow
		machines. This can be turned off by setting DHParameters
		to none or a file (see doc/op/op.me).  Patch from
		Petr Lampa of the Brno University of Technology.
[...]


http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=461802

I just created a file containing Diffie-Hellman parameters:

  openssl dhparam -out /etc/mail/sendmail.dh 1024

and referenced it in the sendmail.mc file:

  define(`confDH_PARAMETERS',`/etc/mail/tls/dhparam.pem')

After a rebuild of the sendmail.cf "m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf" and a restart of the daemon everything worked again!

HTH,


Kind regards,

Tobias Gablunsky
Server Technology
Server Management
____________________________________________

CBXNET combox internet GmbH
Lützowstr. 106 | 10785 Berlin
Tel: +49 (30) 5900 69-41
Fax: +49 (30) 5900 69-99
www.cbxnet.de

Event Connect - Internet for your event!
Tel: +49 (30) 5900 69-80
www.event-connect.de

Berlin-Charlottenburg District Court HRB 71171
Managing Director: Lutz Treutler


> -----Original Message-----
> From: blueonyx-bounces at mail.blueonyx.it 
> [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of Dirk Estenfeld
> Sent: Tuesday, August 13, 2013 3:46 PM
> To: BlueOnyx General Mailing List
> Subject: [BlueOnyx:13526] Re: TLS message: tlsv1 alert 
> insufficient security:s3_pkt.c:1092:SSL alert number 71
> 
> Hello,
> 
> Never ending story....
> Still problems with sendmail/TLS at 5106R
> 
> If I use a certificate file which includes certificate and key 
> 
> define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
> define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')
> 
> apple mail clients can send their emails with ssl enabled. 
> But with gmx and web.de I get the error message:
> 
> Aug 13 15:38:07 server sendmail[16630]: STARTTLS=server, 
> error: accept failed=0, SSL_error=1, errno=0, retry=-1
> Aug 13 15:38:07 server sendmail[16630]: STARTTLS=server: 
> 16630:error:1409442F:SSL routines:SSL3_READ_BYTES:tlsv1 alert 
> insufficient security:s3_pkt.c:1092:SSL alert number 71
> Aug 13 15:38:07 server sendmail[16630]: r7DDc6Mm016630: 
> mout.web.de [212.227.17.11] did not issue MAIL/EXPN/VRFY/ETRN 
> during connection to MTA
> 
> If I separate certificate and key into two files 
> 
> define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
> define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmailkey.pem')
> 
> Server will receive emails from web.de and gmx but apple mail 
> clients can not send and I see in /var/log/maillog 
> 
> Aug 13 15:35:06 server sendmail[16393]: STARTTLS=server, 
> relay=tmo-096-42.customers.d1-online.com [1.2.3.4], 
> version=TLSv1/SSLv3, verify=NO, cipher=AES128-SHA, bits=128/128
> Aug 13 15:35:07 server sendmail[16393]: r7DDYwvh016393: 
> tmo-096-42.customers.d1-online.com [1.2.3.4] did not issue 
> MAIL/EXPN/VRFY/ETRN during connection to MTA
> 
> I also tried 
> 
> define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')
> define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmailkey.pem')
> define(`confCLIENT_CERT',`/usr/share/ssl/certs/sendmailclient.pem')
> define(`confCLIENT_KEY',`/usr/share/ssl/certs/sendmailclient.pem')
> 
> and hoped that I found the solution to separate servers and 
> clients. But in this case web.de and gmx mails can not be received.
> 
> What can I do to get mails from web.de and gmx and have apple 
> mail clients send their emails?
> What separates the 5106R (where I have the issues) from the 
> 5108R (where I do not have the issues)?
> 
> Best regards,
> Dirk
> 
> -----------------------------------------------
> Black Point Arts Internet Solutions GmbH - Hanauer 
> Landstrasse 423a - 60314 Frankfurt
> 
> 
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
> 
