I'd guess openssl is complaining about not seeing STARTTLS in your server's 
response because spamdyke is hiding qmail's STARTTLS offer after the EHLO 
greeting.  spamdyke is supposed to do that if the "tls-level" option is set to 
"none".  You can confirm this by telnetting to port 25 on your server and 
typing "ehlo me" in response to the 220 banner.  You probably won't see 
"STARTTLS" in the list of options.

However, openssl is blindly trying the "STARTTLS" command anyway and spamdyke 
isn't blocking it.  That's definitely a bug!  Since the command goes through, 
qmail starts the TLS process.  Well-behaved email clients won't try the command 
if the server doesn't claim to support it, so as far as they're concerned TLS 
is not available.

Changing your "tls-level" option to "smtp" should fix this.

-- Sam Clippinger




On Apr 10, 2015, at 1:52 AM, Les Fenison via spamdyke-users 
<spamdyke-users@spamdyke.org> wrote:

> I am running spamdyke version 5.0.0+TLS+CONFIGTEST+DEBUG with Plesk's qmail 
> and trying to do TLS.
>  
> I don't know what I am doing so please correct me if I am debugging this 
> wrong...   Using openssl to verify the connection, it seems to connect OK but 
> email clients claim that starttls is not supported. 
>  
> From the command line I see this which tells me it actually is working except 
> for the second line.  Is this normal?
>  
>  > openssl s_client -starttls smtp -connect localhost:25              
> CONNECTED(00000003)
> didn't found starttls in server response, try anyway...
> depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = 
> AddTrust External CA Root
> verify return:1
> depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, 
> CN = COMODO SSL CA
> verify return:1
> depth=0 OU = Domain Control Validated, OU = COMODO SSL, CN = 
> zeus.deltatechnicalservices.com
> verify return:1
> ---
> Certificate chain
>  0 s:/OU=Domain Control Validated/OU=COMODO 
> SSL/CN=zeus.deltatechnicalservices.com
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL 
> CA
>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO SSL 
> CA
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust 
> External CA Root
>  2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust 
> External CA Root
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust 
> External CA Root
> ---
> Server certificate
> subject=/OU=Domain Control Validated/OU=COMODO 
> SSL/CN=zeus.deltatechnicalservices.com
> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO 
> SSL CA
> ---
> No client certificate CA names sent
> Server Temp Key: DH, 1024 bits
> ---
> SSL handshake has read 4688 bytes and written 474 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : DHE-RSA-AES256-GCM-SHA384
>     Session-ID: 
> E97F65696AF247A9C8941BF155950E7F68F158B307B141184C079141E708BEDC
>     Session-ID-ctx: 
>     Master-Key: 
> D06D87AAF5468820F10DA83F77EFEFC38361692BF52F75D0B0F7477B36B2C7485D0FCAFCF5760043223BCF3A20508F6D
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket lifetime hint: 300 (seconds)
>     TLS session ticket:
>  
>     Start Time: 1428648515
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> _______________________________________________
> spamdyke-users mailing list
> spamdyke-users@spamdyke.org
> http://www.spamdyke.org/mailman/listinfo/spamdyke-users
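
The reply above separates two things: whether the EHLO response advertises STARTTLS, and whether the server accepts a STARTTLS command anyway. The following check is an added example, not part of the original emails or of spamdyke; the sample replies are constructed, and `probe` is a hypothetical helper that assumes a server you administer.

```python
import re
import smtplib

# One SMTP reply line: 3-digit code, "-" (more lines follow) or " " (last line), text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")

# Constructed sample EHLO replies (not captured from the server in this thread).
EHLO_HIDDEN = "250-mail.example.test\r\n250-PIPELINING\r\n250-8BITMIME\r\n250 SIZE 20971520\r\n"
EHLO_OFFERED = "250-mail.example.test\r\n250-STARTTLS\r\n250-PIPELINING\r\n250 8BITMIME\r\n"

def ehlo_keywords(reply):
    """Return the upper-cased extension keywords from a raw EHLO reply."""
    keywords = set()
    for index, line in enumerate(reply.splitlines()):
        m = REPLY_LINE.match(line)
        if not m or m.group(1) != "250":
            return set()  # EHLO refused or reply malformed: nothing advertised
        if index > 0 and m.group(3).split():  # line 0 is the greeting, not a keyword
            keywords.add(m.group(3).split()[0].upper())
        if m.group(2) == " ":
            break  # a space after the code marks the final line
    return keywords

def classify(advertised, starttls_code):
    """Pair what EHLO offered with how the server answered STARTTLS (220 = go ahead)."""
    offer = "offered" if advertised else "hidden"
    answer = "accepted" if starttls_code == 220 else "refused"
    return f"{offer}, {answer}"  # "hidden, accepted" is the mismatch in this thread

def classify_transcript(ehlo_reply, starttls_reply):
    """Offline version: classify from the raw text of the two replies."""
    m = REPLY_LINE.match(starttls_reply.strip())
    code = int(m.group(1)) if m else 0
    return classify("STARTTLS" in ehlo_keywords(ehlo_reply), code)

def probe(host, port=25):
    """Live version (hypothetical helper); closes before any TLS handshake starts."""
    s = smtplib.SMTP(host, port, timeout=10)
    try:
        s.ehlo("me")
        advertised = s.has_extn("starttls")
        code, _ = s.docmd("STARTTLS")
        return classify(advertised, code)
    finally:
        s.close()
```
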
