[BlueOnyx:24022] Re: TLS handshake failing in Sendmail

Michael Stauber mstauber at blueonyx.it
Thu Jun 18 17:03:23 -05 2020


Hi Ernie,

> I am having problems with emails for certain domains getting stuck in the
> mailq with 5210R. Not had this error in other BX versions.
> 
> The server is using a Letsencrypt certificate, and the Vsite has its own
> Letsencrypt certificate. There is only one Vsite on the server. Most users
> are sending via smtp AUTH.
> 
> The error says:
>  Deferred: 403 4.7.0 TLS handshake failed
> 
> I can get around it by adding a TLS exemption in /etc/mail/access for the
> domain eg.
> 
>   Try_TLS:qld.gov.au NO
> 
> But I can't be sitting there all day looking out for handshake failing
> domains to bypass. I would like to diagnose the problem, but don't know
> where to start. Any suggestions?

During the TLS handshake, MTA and sender (or recipient) are negotiating
to find out what's the best TLS protocol and cipher both support.

If that negotiation fails, then that means that they were unable to
establish a common ground.

On 5210R for Sendmail you might want to try to run this as "root":

update-crypto-policies --set LEGACY

Then restart Sendmail and see if that works better for you.

-- 
With best regards

Michael Stauber
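The original poster says they cannot watch the queue all day for domains whose delivery is deferred with "403 4.7.0 TLS handshake failed". As an added example (not from the thread or from BlueOnyx), the shell function below tallies recipient domains from Sendmail maillog lines carrying that status, so the affected remote sites can be checked in one pass instead of one at a time. The log lines are constructed for illustration; host names, queue IDs and addresses are hypothetical, and the function assumes one recipient per `to=<...>` entry.

```shell
#!/bin/sh
# Constructed sample of Sendmail maillog lines (hypothetical hosts, IPs and
# queue IDs; not taken from the thread). Two recipients at example.gov.au were
# deferred twice, one at example.org once, and one at example.net was delivered.
SAMPLE_LOG='Jun 18 16:40:01 mail sendmail[21034]: 05ILe1aa021034: to=<alice@example.gov.au>, ctladdr=<user@example.com> (500/500), delay=00:00:02, xdelay=00:00:02, mailer=esmtp, pri=120345, relay=mx1.example.gov.au. [198.51.100.25], dsn=4.7.0, stat=Deferred: 403 4.7.0 TLS handshake failed
Jun 18 16:40:05 mail sendmail[21040]: 05ILe5bb021040: to=<bob@example.net>, ctladdr=<user@example.com> (500/500), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=120200, relay=mx.example.net. [203.0.113.7], dsn=2.0.0, stat=Sent (OK id=1)
Jun 18 16:45:12 mail sendmail[21034]: 05ILe1aa021034: to=<alice@example.gov.au>, ctladdr=<user@example.com> (500/500), delay=00:05:13, xdelay=00:00:02, mailer=esmtp, pri=210345, relay=mx1.example.gov.au. [198.51.100.25], dsn=4.7.0, stat=Deferred: 403 4.7.0 TLS handshake failed
Jun 18 16:50:30 mail sendmail[21101]: 05ILoUcc021101: to=<carol@example.org>, ctladdr=<user@example.com> (500/500), delay=00:00:03, xdelay=00:00:03, mailer=esmtp, pri=120500, relay=mail.example.org. [192.0.2.44], dsn=4.7.0, stat=Deferred: 403 4.7.0 TLS handshake failed'

# Read maillog lines on stdin and print "count domain", most frequent first,
# for every recipient domain whose delivery was deferred with a TLS handshake
# failure. Only the status string Sendmail logs for this case is matched, so
# successful deliveries and other deferrals are ignored. Assumes a single
# recipient in each to=<...> field.
tls_failed_domains() {
    grep 'stat=Deferred: 403 4.7.0 TLS handshake failed' |
    sed -n 's/.*to=<[^@>]*@\([^>]*\)>.*/\1/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Stand-alone usage against the constructed sample; on a real server you would
# feed /var/log/maillog (or journalctl output) into the function instead.
printf '%s\n' "$SAMPLE_LOG" | tls_failed_domains
```

The output lists which remote sites are actually failing, which is the list to check against the crypto policy in use before deciding whether a server-wide change such as the LEGACY policy is wanted or whether a per-domain entry in /etc/mail/access is the narrower fix.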
