Thanks Gordon. Please see below.
On Sat, 04 Apr 2009 20:09:04 -0700, Gordon Messmer <[email protected]> wrote:
> Ricardo Kleemann wrote:
>>> What's connecting to Courier and starting the TLS session?
>>>
>> I believe it's msmtp, from one of my clients.
>
> You can test various protocol settings with openssl's "s_client". See
> which of these work:
>
> openssl s_client -starttls smtp -connect localhost:25 -ssl2
> openssl s_client -starttls smtp -connect localhost:25 -ssl3
> openssl s_client -starttls smtp -connect localhost:25 -tls1

$ openssl s_client -starttls smtp -connect localhost:25 -ssl2
CONNECTED(00000003)
write:errno=104

$ openssl s_client -starttls smtp -connect localhost:25 -ssl3
CONNECTED(00000003)
19951:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
19951:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:

Using tls1 gives me errors of certificate expired, but at the same time I'd like to understand why ssl2 and ssl3 are failing.

$ openssl s_client -starttls smtp -connect localhost:25 -tls1
CONNECTED(00000003)
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated ESMTP STARTTLS key/CN=localhost/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated ESMTP STARTTLS key/CN=localhost/[email protected]
verify error:num=10:certificate has expired
notAfter=Dec 11 02:21:26 2004 GMT
verify return:1
depth=0 /C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated ESMTP STARTTLS key/CN=localhost/[email protected]
notAfter=Dec 11 02:21:26 2004 GMT
verify return:1
---
Certificate chain
 0 s:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated ESMTP STARTTLS key/CN=localhost/[email protected]
   i:/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated ESMTP STARTTLS key/CN=localhost/[email protected]
---
Server certificate
-----BEGIN CERTIFICATE-----
[base64 certificate body omitted]
-----END CERTIFICATE-----
subject=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated ESMTP STARTTLS key/CN=localhost/[email protected]
issuer=/C=US/ST=NY/L=New York/O=Courier Mail Server/OU=Automatically-generated ESMTP STARTTLS key/CN=localhost/[email protected]
---
No client certificate CA names sent
---
SSL handshake has read 1167 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 6AC48DDD3ED03429C4A1DAAEF7ECF74ADE9D7B17F78BDD7D90E0BF34E3FD73C3
    Session-ID-ctx:
    Master-Key: 92272CB5262B063D846E1A90CB48DEED4AAB68A862AF5E61EDF212B1ACB0656F282F05178B0C6597E729242984A4EE86
    Key-Arg   : None
    Compression: 1 (zlib compression)
    Start Time: 1238904625
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
---
250 DSN

>
> You should also check *all* of your configuration files for TLS_PROTOCOL
> and TLS_STARTTLS_PROTOCOL. Neither of those settings should have values
> unless you understand what they do, and you have specific security
> requirements:
>
> grep ^TLS_PROTOCOL *
> grep ^TLS_STARTTLS_PROTOCOL *

I have commented out TLS_PROTOCOL in *all* of the files, and none have TLS_STARTTLS_PROTOCOL.

And yes, I restarted courier.

_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
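As an added example (not code from the thread or from Courier), a small Python parser for `openssl s_client` transcripts like the three runs above: it separates a protocol version the server refuses (no session block, only handshake-failure alerts or a reset) from a completed handshake whose certificate fails verification, and turns the printed `notAfter` date into a real expiry check. The two sample transcripts are constructed, abbreviated from the -ssl3 and -tls1 output quoted in the message.

```python
import re
from datetime import datetime, timezone
# Constructed samples, abbreviated from the -ssl3 and -tls1 runs quoted in the thread.
SSL3_RUN = """CONNECTED(00000003)
19951:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
19951:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:530:
"""
TLS1_RUN = """CONNECTED(00000003)
depth=0 /C=US/ST=NY/O=Courier Mail Server/CN=localhost
verify error:num=18:self signed certificate
verify error:num=10:certificate has expired
notAfter=Dec 11 02:21:26 2004 GMT
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 10 (certificate has expired)
250 DSN
"""

def parse_s_client(output):
    """Pull handshake outcome, negotiated protocol/cipher, verify errors and cert expiry out of an s_client transcript."""
    r = {"protocol": None, "cipher": None, "verify_errors": {}, "not_after": None, "alerts": []}
    for line in output.splitlines():
        line = line.strip()
        if m := re.match(r"Protocol\s*:\s*(\S+)", line):
            r["protocol"] = m.group(1)
        elif m := re.match(r"Cipher\s*:\s*(\S+)", line):
            r["cipher"] = m.group(1)
        elif m := re.match(r"verify error:num=(\d+):(.*)", line):
            r["verify_errors"][int(m.group(1))] = m.group(2)
        elif m := re.match(r"notAfter=(.*)", line):  # printed as e.g. "Dec 11 02:21:26 2004 GMT"
            r["not_after"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        elif "handshake failure" in line or line.startswith("write:errno"):
            r["alerts"].append(line)
    # The SSL-Session block (and so the Protocol line) only appears once the handshake has completed.
    r["handshake_ok"] = r["protocol"] is not None
    return r

def diagnose(output, now=None):
    """One-line verdict separating 'server rejected this protocol' from 'handshake done, certificate bad'."""
    r = parse_s_client(output)
    now = now or datetime.now(timezone.utc)
    if not r["handshake_ok"]:
        return "handshake failed" + (": " + r["alerts"][0] if r["alerts"] else "")
    if r["not_after"] and r["not_after"] < now:
        return f"{r['protocol']}/{r['cipher']} negotiated, but certificate expired on {r['not_after']:%Y-%m-%d}"
    if r["verify_errors"]:
        return f"{r['protocol']}/{r['cipher']} negotiated, verify errors: " + "; ".join(r["verify_errors"].values())
    return f"{r['protocol']}/{r['cipher']} negotiated, certificate verified"
```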
