[BlueOnyx:24295] Re: TLS handshake still failing.

Greggk greggk at gmail.com
Mon Sep 14 14:35:32 -05 2020


No, smtp.setarnet.aw is the server that is not accepting the TLS
handshake.

OK, from your info it seems that the server is only connecting to port 25 and
failing. Is there a way to make it check port 25, and then port 587?


On Mon, Sep 14, 2020 at 11:41 AM Michael Stauber <mstauber at blueonyx.it>
wrote:

> Hi Gregg,
>
> > I managed to bypass the issue by adding
> > Try_TLS:server.com NO to the Sendmail access config. It's a fix but I
> > don't like doing it that way.
>
> The smtp.setarnet.aw isn't one of your boxes, right?
>
> > openssl s_client -starttls smtp -connect smtp.setarnet.aw:25
>
> That doesn't work for me:
>
> --------------------------------------------------------------------
> $ openssl s_client -starttls smtp -connect smtp.setarnet.aw:25
> CONNECTED(00000005)
> Didn't find STARTTLS in server response, trying anyway...
> write:errno=32
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 0 bytes
> Verification: OK
> --------------------------------------------------------------------
>
> That port 25 over there doesn't have a certificate set up. So let's try
> port 587:
>
> --------------------------------------------------------------------
> $ openssl s_client -starttls smtp -connect smtp.setarnet.aw:587
> CONNECTED(00000005)
>
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
> verify return:1
> depth=0 C = AW, L = Oranjestad, O = SERVICIO DI TELECOMUNICACION DI ARUBA (SETAR) N.V., CN = *.setarnet.aw
> verify return:1
> ---
> Certificate chain
>  0 s:C = AW, L = Oranjestad, O = SERVICIO DI TELECOMUNICACION DI ARUBA (SETAR) N.V., CN = *.setarnet.aw
>    i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
>  1 s:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
>    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIGtDCCBZygAwIBAgIQCDxYnrpRR1aZOBYKbTSfPjANBgkqhkiG9w0BAQsFADBN
> MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
> aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTkwNTEwMDAwMDAwWhcN
> MjEwNjI5MTIwMDAwWjB3MQswCQYDVQQGEwJBVzETMBEGA1UEBxMKT3Jhbmplc3Rh
> ZDE7MDkGA1UEChMyU0VSVklDSU8gREkgVEVMRUNPTVVOSUNBQ0lPTiBESSBBUlVC
> QSAoU0VUQVIpIE4uVi4xFjAUBgNVBAMMDSouc2V0YXJuZXQuYXcwggEiMA0GCSqG
> SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrfHn34A/V1kkt+1TiPXUXdRd8tVJIXwlN
> omyoLd19/7tdaQ4dYleZHCZW8IKSHk0mcDoVMyWWhXtcPsl3jOsOLZMlhcM+OOZ8
> 2cw5PCJjYOcZhuzqy7DTVio7eGhkvSQFWtsz4tv1thlzIo2hHiJwj05PUkTUSrFA
> WMn4my0Vh5ulyHuojW54Bko8XEjCzwF7QsrI6FFb+Ptfxb9WF+mTY8TxuZ+WGWdb
> Z5SXFbb9oGyZhJEoZJkF5rjpQFOwILD/hguRu/zZ+ZSsiGPbsnPu8VGabtH99EgQ
> WgY3mnHXm7ilXSqs9Rt8jkAqcbUAkLlzYP7+YYySRgTY389SH2rDAgMBAAGjggNk
> MIIDYDAfBgNVHSMEGDAWgBQPgGEcgjFh1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQU
> xX4Gxmmgtg0yhm1/w+dLbWREF40wJQYDVR0RBB4wHIINKi5zZXRhcm5ldC5hd4IL
> c2V0YXJuZXQuYXcwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMB
> BggrBgEFBQcDAjBrBgNVHR8EZDBiMC+gLaArhilodHRwOi8vY3JsMy5kaWdpY2Vy
> dC5jb20vc3NjYS1zaGEyLWc2LmNybDAvoC2gK4YpaHR0cDovL2NybDQuZGlnaWNl
> cnQuY29tL3NzY2Etc2hhMi1nNi5jcmwwTAYDVR0gBEUwQzA3BglghkgBhv1sAQEw
> KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGlnaWNlcnQuY29tL0NQUzAIBgZn
> gQwBAgIwfAYIKwYBBQUHAQEEcDBuMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5k
> aWdpY2VydC5jb20wRgYIKwYBBQUHMAKGOmh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0
> LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVTZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIw
> ADCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHcAu9nfvB+KcbWTlCOXqpJ7RzhX
> lQqrUugakJZkNo4e0YUAAAFqoroJHwAABAMASDBGAiEA7kNKheJw8jmOVoWGTUZJ
> nYwPrvR7Herld7d6ui39yZQCIQCnBgr+csq4xpBg3K4rvaofivMZXomiQawx4A5B
> keU2pAB2AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG06v9eoIMPAAABaqK6CjQA
> AAQDAEcwRQIgRy4GOHAJm0Tesz76SbXJDGoJjvDDTEcAOBjZEOftE6gCIQC3+btp
> gaE076fW2J2w3MdAy/31X8wqNOa82VfD04qWgwB2AESUZS6w7s6vxEAH2Kj+KMDa
> 5oK+2MsxtT/TM5a1toGoAAABaqK6CLsAAAQDAEcwRQIhAIuHb4t79FcMSYW1N0T5
> B0RIeeZXF3lqCffiEOTvDK0XAiAIYs0vJJ9L5h/Sa0mTIXSzORBhdbbFNH4rynQB
> yZJkwTANBgkqhkiG9w0BAQsFAAOCAQEAGIeCfnojrnhr2zNoXnuzAFn/AzCfTXFr
> R6fYMw+1fKi8PkZF8Ii/DmZdPkRz0GUP42a8z3PYtHIg4Cu3jGX6lr67ilxAh0ft
> hDrupdBoCdqqSRZkzmap+wtWXGlMFfNJ6+hZShD9Gdd5J1+Bh5Fb6PuqQouw4wN3
> NbjFJl6O/yNqwzG78fzstfNCWg/mr3AgOItkuwitt74HzO1tcpMjFTwItncqLen1
> T4+xGMtq87oW/cD5VITCpJrgkLjUlTJgSZ9zaHG0o0ZHNlOkizFG63fNPgL6u75v
> X/oznS6QmbZJxRdaaywBsNhLe4znvw0PuiIBShGxcuut0LlvR+TXEQ==
> -----END CERTIFICATE-----
> subject=C = AW, L = Oranjestad, O = SERVICIO DI TELECOMUNICACION DI ARUBA (SETAR) N.V., CN = *.setarnet.aw
>
> issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
>
> ---
> No client certificate CA names sent
> Peer signing digest: SHA512
> Peer signature type: RSA
> Server Temp Key: DH, 2048 bits
> ---
> SSL handshake has read 4207 bytes and written 669 bytes
> Verification: OK
> ---
> New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>     Session-ID: 43145F1B6E89EF51D1D14A3E45567BBCE74A0CA356544DA6632B2BA7D9A2204F
>     Session-ID-ctx:
>     Master-Key: D8BC4F2F59B70E7F23AC72EDCB940EA74D3F74CE8BDDC94E299C7199B5E6F80587C11303CA9D533041D20B0778229014
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     TLS session ticket lifetime hint: 300 (seconds)
> [...]
> ---
> 250 AUTH=PLAIN LOGIN
> --------------------------------------------------------------------
>
> That looks better. TLSv1.2 and DHE-RSA-AES256-GCM-SHA384 are also
> something that any Sendmail or Postfix on BlueOnyx will be able to talk to.
>
> However, the MTA on smtp.setarnet.aw is *clearly* misconfigured, because
> even if TLS works on port 587, it *also* should work on port 25. But
> they don't have a certificate configured for that.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
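The two openssl s_client checks quoted above, scripted as one probe that tries the ports in order. This is an added example, not BlueOnyx code or a Sendmail setting: it connects to each port, reads the EHLO reply, and only issues STARTTLS when the server actually advertises it, so the port-25 behaviour (where openssl printed "Didn't find STARTTLS in server response") shows up as "STARTTLS not advertised" rather than as a broken handshake; on success it reports the negotiated protocol, cipher and certificate CN/SANs, with the chain and hostname verified against the system trust store. The host smtp.setarnet.aw and ports 25 and 587 come from the thread; the EHLO replies embedded in the script are constructed to mirror the two observed behaviours, not captured output. It is a diagnostic only: 587 is the message submission port (RFC 6409), which normally requires client authentication, so an MTA relaying on port 25 cannot be expected to fall back to it unattended.

```python
#!/usr/bin/env python3
"""Probe an MTA for STARTTLS on a list of ports (scripted version of the
openssl s_client checks in the thread).  Added example, not BlueOnyx code."""
import smtplib
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed EHLO replies in the shape smtplib returns them (response code
# stripped, one line per extension).  They mirror the two behaviours seen in
# the thread: no STARTTLS keyword at all, and STARTTLS plus a legacy "AUTH=" line.
CONSTRUCTED_EHLO_NO_STARTTLS = b"mx.example.invalid Hello\nSIZE 10240000\n8BITMIME"
CONSTRUCTED_EHLO_WITH_STARTTLS = (
    b"mx.example.invalid Hello\nSTARTTLS\nAUTH=PLAIN LOGIN\nSIZE 10240000"
)


@dataclass
class ProbeResult:
    host: str
    port: int
    connected: bool = False
    starttls_advertised: bool = False
    tls_ok: bool = False
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    subject_cn: Optional[str] = None
    san: List[str] = field(default_factory=list)
    error: Optional[str] = None


def parse_ehlo_extensions(ehlo_reply: bytes) -> Dict[str, str]:
    """Turn an EHLO reply into {KEYWORD: parameters}.

    The first line is the greeting and is skipped.  Keywords are upper-cased,
    and the pre-RFC-2554 form "AUTH=PLAIN LOGIN" (as in the port-587 transcript)
    is folded into the AUTH keyword so callers see one spelling.
    """
    exts: Dict[str, str] = {}
    for line in ehlo_reply.decode("ascii", "replace").splitlines()[1:]:
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        keyword, params = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if keyword.startswith("AUTH="):
            keyword, params = "AUTH", (keyword[5:] + " " + params).strip()
        exts[keyword] = params
    return exts


def probe_starttls(host: str, port: int, timeout: float = 10.0) -> ProbeResult:
    """Connect, read EHLO, and attempt STARTTLS only if it is advertised.

    Skipping the upgrade when STARTTLS is absent is exactly the port-25 case
    openssl reported ("Didn't find STARTTLS in server response").
    """
    result = ProbeResult(host=host, port=port)
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            result.connected = True
            code, reply = smtp.ehlo()
            if code != 250:
                result.error = f"EHLO rejected with {code}"
                return result
            result.starttls_advertised = "STARTTLS" in parse_ehlo_extensions(reply)
            if not result.starttls_advertised:
                return result
            smtp.starttls(context=ctx)  # raises on handshake or verification failure
            tls = smtp.sock              # now an ssl.SSLSocket
            result.tls_ok = True
            result.protocol = tls.version()
            result.cipher = tls.cipher()[0]
            cert = tls.getpeercert()
            for rdn in cert.get("subject", ()):
                for key, value in rdn:
                    if key == "commonName":
                        result.subject_cn = value
            result.san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    except (OSError, smtplib.SMTPException) as exc:  # ssl.SSLError is an OSError
        result.error = f"{type(exc).__name__}: {exc}"
    return result


def first_working_port(host: str, ports=(25, 587)) -> Optional[ProbeResult]:
    """Try the ports in order and return the first one that completes TLS."""
    for port in ports:
        res = probe_starttls(host, port)
        print(f"{host}:{port} connected={res.connected} "
              f"starttls={res.starttls_advertised} tls_ok={res.tls_ok} "
              f"proto={res.protocol} cipher={res.cipher} cn={res.subject_cn} "
              f"san={res.san} error={res.error}")
        if res.tls_ok:
            return res
    return None


if __name__ == "__main__":
    first_working_port("smtp.setarnet.aw")  # host taken from the thread
```

Run it as a script to see one line per port; a port that connects but reports starttls=False is the case where openssl had nothing to upgrade, whereas tls_ok=False with a CertificateVerifyError or similar in the error field is a genuine handshake or certificate problem.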