[BlueOnyx:24294] Re: TLS handshake still failing.

Michael Stauber mstauber at blueonyx.it
Mon Sep 14 13:34:30 -05 2020


Hi Gregg,

> I managed to bypass the issue by adding 
> Try_TLS:server.com NO to the send mail access config. It’s a fix but I
> don’t like doing it that way. 

The smtp.setarnet.aw isn't one of your boxes, right?

> openssl s_client -starttls smtp -connect smtp.setarnet.aw:25

That doesn't work for me:

--------------------------------------------------------------------
$ openssl s_client -starttls smtp -connect smtp.setarnet.aw:25
CONNECTED(00000005)
Didn't find STARTTLS in server response, trying anyway...
write:errno=32
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
--------------------------------------------------------------------

That port 25 over there doesn't have a certificate set up. So let's try
port 587:

--------------------------------------------------------------------
$ openssl s_client -starttls smtp -connect smtp.setarnet.aw:587
CONNECTED(00000005)

depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = AW, L = Oranjestad, O = SERVICIO DI TELECOMUNICACION DI
ARUBA (SETAR) N.V., CN = *.setarnet.aw
verify return:1
---
Certificate chain
 0 s:C = AW, L = Oranjestad, O = SERVICIO DI TELECOMUNICACION DI ARUBA
(SETAR) N.V., CN = *.setarnet.aw
   i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
 1 s:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGtDCCBZygAwIBAgIQCDxYnrpRR1aZOBYKbTSfPjANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkwNTEwMDAwMDAwWhcN
MjEwNjI5MTIwMDAwWjB3MQswCQYDVQQGEwJBVzETMBEGA1UEBxMKT3Jhbmplc3Rh
ZDE7MDkGA1UEChMyU0VSVklDSU8gREkgVEVMRUNPTVVOSUNBQ0lPTiBESSBBUlVC
QSAoU0VUQVIpIE4uVi4xFjAUBgNVBAMMDSouc2V0YXJuZXQuYXcwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrfHn34A/V1kkt+1TiPXUXdRd8tVJIXwlN
omyoLd19/7tdaQ4dYleZHCZW8IKSHk0mcDoVMyWWhXtcPsl3jOsOLZMlhcM+OOZ8
2cw5PCJjYOcZhuzqy7DTVio7eGhkvSQFWtsz4tv1thlzIo2hHiJwj05PUkTUSrFA
WMn4my0Vh5ulyHuojW54Bko8XEjCzwF7QsrI6FFb+Ptfxb9WF+mTY8TxuZ+WGWdb
Z5SXFbb9oGyZhJEoZJkF5rjpQFOwILD/hguRu/zZ+ZSsiGPbsnPu8VGabtH99EgQ
WgY3mnHXm7ilXSqs9Rt8jkAqcbUAkLlzYP7+YYySRgTY389SH2rDAgMBAAGjggNk
MIIDYDAfBgNVHSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQU
xX4Gxmmgtg0yhm1/w+dLbWREF40wJQYDVR0RBB4wHIINKi5zZXRhcm5ldC5hd4IL
c2V0YXJuZXQuYXcwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2Vy
dC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNl
cnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEw
KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZn
gQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5k
aWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0
LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIw
ADCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHcAu9nfvB+KcbWTlCOXqpJ7RzhX
lQqrUugakJZkNo4e0YUAAAFqoroJHwAABAMASDBGAiEA7kNKheJw8jmOVoWGTUZJ
nYwPrvR7Herld7d6ui39yZQCIQCnBgr+csq4xpBg3K4rvaofivMZXomiQawx4A5B
keU2pAB2AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABaqK6CjQA
AAQDAEcwRQIgRy4GOHAJm0Tesz76SbXJDGoJjvDDTEcAOBjZEOftE6gCIQC3+btp
gaE076fW2J2w3MdAy/31X8wqNOa82VfD04qWgwB2AESUZS6w7s6vxEAH2Kj+KMDa
5oK+2MsxtT/TM5a1toGoAAABaqK6CLsAAAQDAEcwRQIhAIuHb4t79FcMSYW1N0T5
B0RIeeZXF3lqCffiEOTvDK0XAiAIYs0vJJ9L5h/Sa0mTIXSzORBhdbbFNH4rynQB
yZJkwTANBgkqhkiG9w0BAQsFAAOCAQEAGIeCfnojrnhr2zNoXnuzAFn/AzCfTXFr
R6fYMw+1fKi8PkZF8Ii/DmZdPkRz0GUP42a8z3PYtHIg4Cu3jGX6lr67ilxAh0ft
hDrupdBoCdqqSRZkzmap+wtWXGlMFfNJ6+hZShD9Gdd5J1+Bh5Fb6PuqQouw4wN3
NbjFJl6O/yNqwzG78fzstfNCWg/mr3AgOItkuwitt74HzO1tcpMjFTwItncqLen1
T4+xGMtq87oW/cD5VITCpJrgkLjUlTJgSZ9zaHG0o0ZHNlOkizFG63fNPgL6u75v
X/oznS6QmbZJxRdaaywBsNhLe4znvw0PuiIBShGxcuut0LlvR+TXEQ==
-----END CERTIFICATE-----
subject=C = AW, L = Oranjestad, O = SERVICIO DI TELECOMUNICACION DI
ARUBA (SETAR) N.V., CN = *.setarnet.aw
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 4207 bytes and written 669 bytes
Verification: OK
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
    Session-ID:
43145F1B6E89EF51D1D14A3E45567BBCE74A0CA356544DA6632B2BA7D9A2204F
    Session-ID-ctx:
    Master-Key:
D8BC4F2F59B70E7F23AC72EDCB940EA74D3F74CE8BDDC94E299C7199B5E6F80587C11303CA9D533041D20B0778229014
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
[...]
---
250 AUTH=PLAIN LOGIN
--------------------------------------------------------------------

That looks better. TLSv1.2 and DHE-RSA-AES256-GCM-SHA384 are also
something that any Sendmail or Postfix on BlueOnyx will be able to talk to.

However, the MTA on smtp.setarnet.aw is *clearly* misconfigured, because
even if TLS works on port 587, it *also* should work on port 25. But
they don't have a certificate configured for that.

-- 
With best regards

Michael Stauber
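The two openssl s_client runs in the message above are a manual version of a check that is worth automating when a remote smarthost misbehaves: does the port advertise STARTTLS in its EHLO reply at all, and if it does, what protocol, cipher and certificate subject get negotiated? The following Python probe is an added example written for this thread; it is not BlueOnyx code and not the poster's. It assumes the standard library only. The fake MTA at the bottom is constructed for offline use: it can be told to advertise STARTTLS or not, and since it has no certificate it answers a STARTTLS request with a 454, which lets the probe's failure path be exercised without any real server. Hostnames such as probe.example and fake.example are placeholders.

```python
"""SMTP STARTTLS probe (added example for the thread; not BlueOnyx code)."""
import socket
import ssl
import threading
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ProbeResult:
    host: str
    port: int
    banner: str = ""
    ehlo_lines: list = field(default_factory=list)
    starttls_offered: bool = False      # False is the "Didn't find STARTTLS" case
    tls_version: Optional[str] = None   # e.g. "TLSv1.2"
    cipher: Optional[str] = None        # e.g. "DHE-RSA-AES256-GCM-SHA384"
    peer_subject: Optional[dict] = None
    error: Optional[str] = None


def _read_reply(rfile):
    """Read one SMTP reply; multi-line replies use a '-' after the 3-digit code."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("connection closed by peer")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def offers_starttls(ehlo_lines):
    """True if any EHLO capability line (after the 4-char '250-' prefix) is STARTTLS."""
    for line in ehlo_lines:
        parts = line[4:].split()
        if parts and parts[0].upper() == "STARTTLS":
            return True
    return False


def probe_starttls(host, port, ehlo_name="probe.example", negotiate=True,
                   timeout=10.0, cafile=None):
    """EHLO the server, look for STARTTLS, optionally upgrade and record TLS facts."""
    result = ProbeResult(host=host, port=port)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            rfile = sock.makefile("rb")
            code, lines = _read_reply(rfile)
            result.banner = lines[0]
            if code != "220":
                result.error = f"unexpected banner: {lines[0]!r}"
                return result
            sock.sendall(f"EHLO {ehlo_name}\r\n".encode("ascii"))
            code, lines = _read_reply(rfile)
            result.ehlo_lines = lines
            result.starttls_offered = offers_starttls(lines)
            if not result.starttls_offered or not negotiate:
                sock.sendall(b"QUIT\r\n")
                return result
            sock.sendall(b"STARTTLS\r\n")
            code, lines = _read_reply(rfile)
            if code != "220":
                result.error = f"STARTTLS refused: {lines[0]!r}"
                return result
            # The default context verifies chain and hostname, like s_client's "Verification: OK".
            ctx = ssl.create_default_context(cafile=cafile)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result.tls_version = tls.version()
                result.cipher = tls.cipher()[0]
                cert = tls.getpeercert()
                result.peer_subject = {k: v for rdn in cert["subject"] for k, v in rdn}
                tls.sendall(b"QUIT\r\n")
    except OSError as exc:  # covers socket.timeout, ssl.SSLError and ConnectionError
        result.error = str(exc)
    return result


def start_fake_mta(offer_starttls):
    """Constructed fake MTA: optionally advertises STARTTLS, has no certificate (454)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("rb") as rf:
                conn.sendall(b"220 fake.example ESMTP (constructed)\r\n")
                while True:
                    raw = rf.readline()
                    if not raw:
                        break
                    cmd = raw.decode("ascii", "replace").strip().upper()
                    if cmd.startswith("EHLO"):
                        caps = ["250-fake.example", "250-8BITMIME"]
                        if offer_starttls:
                            caps.append("250-STARTTLS")
                        caps.append("250 AUTH PLAIN LOGIN")
                        conn.sendall(("\r\n".join(caps) + "\r\n").encode("ascii"))
                    elif cmd.startswith("STARTTLS"):
                        conn.sendall(b"454 TLS not available: no certificate configured\r\n")
                    else:
                        conn.sendall(b"221 bye\r\n")
                        break

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for offered in (False, True):
        print(probe_starttls("127.0.0.1", start_fake_mta(offered)))
    # Against a real host: probe_starttls("smtp.example", 25) and ..., 587)
```

Run against a real smarthost on ports 25 and 587 in turn; a result with starttls_offered False on 25 and a populated tls_version on 587 is exactly the split the message above describes. An error beginning "STARTTLS refused" means the server advertises the capability but cannot actually serve it, which is the case a plain `Try_TLS` override papers over rather than fixes.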


