[BlueOnyx:17895] Re: Working around "Deferred: 403 4.7.0 TLS handshake failed."
Michael Stauber
mstauber at blueonyx.it
Wed Jun 24 11:23:19 -05 2015

Hi Chris,

> It appears that there are still some issues getting email out to
> mailservers that cannot negotiate properly.
>
> One that has been brought to our attention is from a customer who is
> still using BlueQuartz. I know. (Really, I know.) Predictably, he is
> getting this in his log:
>
> Jun 22 18:32:12 admin sendmail[23854]: STARTTLS=server, error: accept
> failed=0, SSL_error=1, errno=0, retry=-1
> Jun 22 18:32:12 admin sendmail[23854]: STARTTLS=server:
> 23854:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1052:SSL alert number 40

The error message ":sslv3 alert handshake failure:s3_pkt.c:1052:SSL
alert number 40" is just because the SSL certificate that Sendmail uses
is self-signed. So the validity check of the certificate fails and then
it continues to use it nonetheless. So that's non-critical.

> 220 2.0.0 Ready to start TLS
> <user at domain.tld>... Deferred: 403 4.7.0 TLS handshake failed.

Ok, with that we get a bit further. I don't have access to any
BlueQuartz anymore, so I can't test this. But I can tell you this: A
Cobalt RaQ550 can talk to a (patched) BlueOnyx since we started to
support these two ciphers as lowest allowed ones:

    TLS_RSA_WITH_RC4_128_MD5
    TLS_RSA_WITH_RC4_128_SHA

So even a BlueQuartz should be able to handle them.

Please run this command against the BlueQuartz IP (obviously replace
127.0.0.1 with the IP of that box):

    nmap --script ssl-enum-ciphers -p 465 127.0.0.1

The BlueQuartz needs SMTPS to be enabled for this, which it might not
have active.

The resulting info would help to troubleshoot this further.

--
With best regards
Michael Stauber
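
Added example, not part of the original post or of BlueOnyx: a small Python triage helper that unwraps the quoted sendmail log lines from this thread and decodes the OpenSSL error entry into its function, reason and TLS alert name. The function names (`unwrap`, `decode`, `triage`) are hypothetical; the alert names are taken from RFC 5246 and the "reason = 1000 + alert number" check assumes the OpenSSL 1.0.x error-code layout.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2), handshake-related subset.
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security",
}
# OpenSSL error entry: pid:error:code:lib:func:reason:file:line:SSL alert number N
OPENSSL_ERR = re.compile(
    r"sendmail\[(?P<pid>\d+)\]: STARTTLS=(?P<role>server|client): \d+:error:"
    r"(?P<code>[0-9A-Fa-f]{8}):[^:]+:(?P<func>[^:]+):(?P<reason>[^:]+):"
    r"[^:]+:\d+:SSL alert number (?P<alert>\d+)")
SYSLOG_START = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

# Log excerpt exactly as quoted in the post, mail-client wrapping included.
SAMPLE = """\
> Jun 22 18:32:12 admin sendmail[23854]: STARTTLS=server, error: accept
> failed=0, SSL_error=1, errno=0, retry=-1
> Jun 22 18:32:12 admin sendmail[23854]: STARTTLS=server:
> 23854:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:s3_pkt.c:1052:SSL alert number 40
""".splitlines()

def unwrap(lines):
    """Strip '>' quoting and rejoin syslog records that were wrapped in transit."""
    records = []
    for raw in lines:
        text = re.sub(r"^(>\s?)+", "", raw).strip()
        if text and (SYSLOG_START.match(text) or not records):
            records.append(text)
        elif text:
            records[-1] += " " + text
    return records

def decode(record):
    """Decode one STARTTLS OpenSSL error record; None if the record is not one."""
    m = OPENSSL_ERR.search(record)
    if not m:
        return None
    code, alert = int(m["code"], 16), int(m["alert"])
    return {"pid": int(m["pid"]), "role": m["role"], "function": m["func"],
            "reason": m["reason"], "alert": alert,
            "alert_name": TLS_ALERTS.get(alert, "unknown"),
            # OpenSSL 1.0.x: low 12 bits of the code are the reason, 1000 + alert number.
            "code_matches_alert": (code & 0xFFF) == 1000 + alert}

def triage(lines):
    return [d for d in map(decode, unwrap(lines)) if d]
```

Calling `triage(SAMPLE)` returns one decoded record for the excerpt above; feeding it a full maillog groups recurring alerts by `alert_name` and `role` before comparing cipher lists.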