[BlueOnyx:17894] Working around "Deferred: 403 4.7.0 TLS handshake failed."

Chris Gebhardt - VIRTBIZ Internet cobaltfacts at virtbiz.com
Wed Jun 24 10:08:26 -05 2015


It appears that there are still some issues getting email out to 
mailservers that cannot negotiate properly.

One that has been brought to our attention is from a customer who is 
still using BlueQuartz.  I know.  (Really, I know.)   Predictably, he is 
getting this in his log:

Jun 22 18:32:12 admin sendmail[23854]: STARTTLS=server, error: accept failed=0, SSL_error=1, errno=0, retry=-1
Jun 22 18:32:12 admin sendmail[23854]: STARTTLS=server: 23854:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
Jun 22 18:32:12 admin sendmail[23854]: t5MMWCTA023854: webcluster.virtbiz.com [208.77.216.242] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Meanwhile, we're seeing this sort of thing:
<user at domain.tld>... Connecting to mail.domain.tld. via esmtp...
220 admin.domain.tld ESMTP Sendmail Ready; Wed, 24 Jun 2015 10:59:56 -0400
>>> EHLO webcluster.virtbiz.com
250-admin.domain.tld Hello webcluster.virtbiz.com [208.77.216.242], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 5242880
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-STARTTLS
250-DELIVERBY
250 HELP
>>> STARTTLS
220 2.0.0 Ready to start TLS
<user at domain.tld>... Deferred: 403 4.7.0 TLS handshake failed.

As I understand from the above, our mailserver is attempting to 
negotiate and the BlueQuartz server is saying "sure, let's talk SSLv3" 
to which our server is responding "not on your life."   And the 
conversation ends there.

From a standards standpoint, it's well and good that this is the sort 
of thing that is bound to happen when there are folks using very old 
servers out there.  From a practicality standpoint, that's not very useful.

Are there any suggestions for getting emails through to those folks, 
either from our end, or from theirs?

Our customer insists that the issue only happens with email from us and 
states specifically "No problem receiving email from Paypal, Yahoo or 
anywhere else."

Obviously, just because we're the canary in the mine for him doesn't 
mean that he'll be immune from problems going forward.   But clearly 
there must be a way for those emails to get through.   I've counseled 
that this would be another great opportunity to consider moving to 
BlueOnyx.  The customer seems to be unimpressed with that suggestion 
since, again, as he sees it, our email server is the problem.

I throw this out there for comment and suggestion.   Let's discuss!

-- 
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
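
Added example, not part of the original post: a Python triage script that groups sendmail log lines like the ones quoted above by PID and reports each failed STARTTLS with its OpenSSL error code, TLS alert number and connecting peer. The function name, the alert-name table and the unwrapped sample log are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: the three log entries from the post, unwrapped to one line each.
SAMPLE_LOG = """\
Jun 22 18:32:12 admin sendmail[23854]: STARTTLS=server, error: accept failed=0, SSL_error=1, errno=0, retry=-1
Jun 22 18:32:12 admin sendmail[23854]: STARTTLS=server: 23854:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1052:SSL alert number 40
Jun 22 18:32:12 admin sendmail[23854]: t5MMWCTA023854: webcluster.virtbiz.com [208.77.216.242] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""

# TLS alert descriptions (RFC 5246, section 7.2); only a few are listed here.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssendmail\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
FAIL_RE = re.compile(r"STARTTLS=(?P<role>\w+), error:")
ALERT_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]{8}):.*SSL alert number (?P<alert>\d+)")
PEER_RE = re.compile(r"(?P<name>\S+) \[(?P<ip>[0-9A-Fa-f.:]+)\] did not issue")


def find_tls_failures(log_text):
    """Group sendmail log lines by PID and return one record per failed STARTTLS."""
    by_pid = defaultdict(dict)  # caveat: PIDs can be reused in long-running logs
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, msg = by_pid[m["pid"]], m["msg"]
        if (f := FAIL_RE.search(msg)):
            rec.update(failed=True, time=m["ts"], role=f["role"])
        if (a := ALERT_RE.search(msg)):
            num = int(a["alert"])
            rec.update(openssl_error=a["code"], alert=num,
                       alert_name=ALERT_NAMES.get(num, "unknown"))
        if (p := PEER_RE.search(msg)):
            rec.update(peer=p["name"], peer_ip=p["ip"])
    # Only PIDs that logged a STARTTLS error are reported.
    return [dict(pid=pid, **rec) for pid, rec in by_pid.items() if rec.get("failed")]


if __name__ == "__main__":
    for failure in find_tls_failures(SAMPLE_LOG):
        print(failure)
```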


