[BlueOnyx:17781] Re: problems emailing out to some addresses

Michael Stauber mstauber at blueonyx.it
Sun Jun 14 02:29:11 -05 2015


Hi Ken,

>> Some of my customers are on older servers. I can receive email from those
>> customers, but if I reply then I see this error
> 
> sendmail -q -v
> ...
> 220 2.0.0 Ready to start TLS
> <ken at theirsitename.com>... Deferred: 403 4.7.0 TLS handshake failed.
> 
> Any way to have universal outbound capability?

Generally speaking: It has to do with this update:

http://devel.blueonyx.it/trac/changeset/2147

http://www.blueonyx.it/index.php?mact=News,cntnt01,detail,0&cntnt01articleid=190&cntnt01origid=54&cntnt01pagelimit=4&cntnt01returnid=54

That did a couple of things and basically any of them could affect
SSL/TLS connections with really old servers.

- We switched to 2048 bit Diffie-Hellman parameters.
- Disabled SSLv2 and SSLv3
- Disabled weak ciphers

To test out what it is: Edit sendmail.mc and near the end of it you'll
find these recent additions:

define(`confDH_PARAMETERS',`/usr/share/ssl/certs/sendmail-2048.dh')
LOCAL_CONFIG
O CipherList=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3 +SSL_OP_CIPHER_SERVER_PREFERENCE
O ClientSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_NO_SSLv3

You may want to remove the line starting with "O CipherList" first,
rebuild sendmail.cf and see if that works. If it doesn't, throw out the
"O ServerSSLOptions" and "O ClientSSLOptions" and see if that makes a
difference.

However: These lines will come back next time the constructor
/usr/sausalito/constructor/base/email/syncEmailService.pl runs.

And of course: You'll reduce your own server's security to accommodate
the older boxes. That's a bit of a catch. But if it's the ciphers, then
maybe we can wiggle one in at the end that the older boxes can still
handle.

So what kind of older servers are those?

-- 
With best regards

Michael Stauber
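A simplified model of how a cipher list such as the "O CipherList" value in the message above is evaluated, added here as an illustration (it is not BlueOnyx, sendmail or OpenSSL code). It uses a constructed six-suite table with hand-assigned alias tags, so it only approximates what `openssl ciphers -v '<list>'` prints, but it shows which suites survive the `!` exclusions, why an explicit suite name at the end of the list "wiggles one in", and why a peer offering only 3DES or RC4 has no suite in common.

```python
"""Simplified model of OpenSSL cipher-list evaluation (added example, not
BlueOnyx/sendmail/OpenSSL code). The suite table below is a constructed
subset; alias tags are assigned by hand to mirror OpenSSL's alias names."""

# Constructed subset: suite name -> OpenSSL alias tags it would match.
SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"EECDH", "aRSA", "AESGCM", "AES256", "SHA384", "TLSv1.2"},
    "ECDHE-ECDSA-AES128-GCM-SHA256": {"EECDH", "ECDSA", "AESGCM", "AES128", "SHA256", "TLSv1.2"},
    "DHE-RSA-AES128-SHA": {"EDH", "aRSA", "AES128", "SHA", "SSLv3"},
    "AES128-SHA": {"kRSA", "aRSA", "AES128", "SHA", "SSLv3"},
    "DES-CBC3-SHA": {"kRSA", "aRSA", "3DES", "SHA", "SSLv3"},
    "RC4-MD5": {"kRSA", "aRSA", "RC4", "MD5", "SSLv3"},
}

# The CipherList value quoted from the sendmail.mc excerpt in the message.
BLUEONYX_LIST = ("EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
                 "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:"
                 "+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:"
                 "!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:"
                 "CAMELLIA128-SHA:AES128-SHA")


def matches(suite, body):
    """'EECDH+aRSA' matches when every alias applies; a bare suite name matches itself."""
    if body == suite:
        return True
    return all(alias in SUITES[suite] for alias in body.split("+"))


def evaluate(cipher_list):
    """Return (enabled suites in preference order, suites permanently killed by '!')."""
    enabled, killed = [], set()
    for token in cipher_list.split(":"):
        if not token or token.startswith("@"):   # @STRENGTH etc. ignored in this model
            continue
        prefix, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = [s for s in SUITES if matches(s, body)]
        if prefix == "!":                        # drop and never allow back
            killed.update(hit)
            enabled = [s for s in enabled if s not in hit]
        elif prefix == "-":                      # drop, but a later token may re-add
            enabled = [s for s in enabled if s not in hit]
        elif prefix == "+":                      # move matches to the end, keeping order
            enabled = [s for s in enabled if s not in hit] + [s for s in enabled if s in hit]
        else:                                    # append new matches in table order
            enabled += [s for s in hit if s not in enabled and s not in killed]
    return enabled, sorted(killed)


def common_suites(peer_offers, cipher_list=BLUEONYX_LIST):
    """Suites a peer could negotiate; an empty result means the handshake fails."""
    enabled, _ = evaluate(cipher_list)
    return [s for s in enabled if s in peer_offers]
```

An old box that offers only `DES-CBC3-SHA` or `RC4-MD5` gets an empty `common_suites` result, which is the "TLS handshake failed" deferral in the quoted log.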
