On Sat, 2014-05-03 at 18:11 -0400, Sam Varshavchik wrote:
> Lindsay Haisley writes:
>
> > Just recently, as in the past few days, I'm seeing failures from
> > Courier's outbound SMTP which report in the mail logs as:
> >
> > May 3 15:00:40 mitra courieresmtp:
> > id=0000000000150472.0000000053654AE0.00007045,from=<fmo...@fmp.com>,addr=<x...@xxx.net>:
> > 500 couriertls: ionnect: error:140773F2:SSL
> > routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
> >
> > When I use swaks to test ESMTP with STARTTLS I get a segmentation fault
> > and the dialog is terminated. A little checking indicates that OpenSSL
> > is crashing on the client side and the segfault message is generated
> > locally by OpenSSL, not being sent back through the SMTP connection.
> > This _seems_ to be a known bug, and is apparently related to fixes for
> > the heartbleed bug in OpenSSL. I'm using Ubuntu 12.04 LTS with Courier
> > 0.66.1 (the version distributed with this Ubuntu release). Setting
> > ESMTP_USE_STARTTLS=0 in /etc/courier/courierd solves the problem in
> > Courier, at the expense of email security.
> >
> > Does anyone have any insight on this problem?
>
> I can connect to your mail server and negotiate TLS just fine:
>
> TLS_VERIFYPEER=NONE couriertls -host=mitra.fmp.com -port=25 -protocol=smtp -printx509=2
> 220 mitra.fmp.com ESMTP
> EHLO shorty.email-scan.com
> 250-mitra.fmp.com Ok.
> 250-AUTH LOGIN CRAM-MD5 CRAM-SHA1 CRAM-SHA256
> 250-STARTTLS
> 250-XVERP=Courier
> 250-XEXDATA
> 250-XSECURITY=NONE,STARTTLS
> 250-PIPELINING
> 250-8BITMIME
> 250-SIZE
> 250 DSN
> STARTTLS
> 220 Ok
> Subject:
> C=US
> ST=TX
> L=Leander
> O=Courier Mail Server at FMP Computer Services
> OU=Automatically-generated ESMTP STARTTLS key
> CN=mitra.fmp.com
> emailAddress=fmo...@fmp.com
>
> Not-Before: 2013-04-02 22:01:50
> Not-After: 2014-04-02 22:01:50
> Version: TLSv1/SSLv3
> Bits: 256
> Cipher: AES256-SHA
>
> Your server is not crashing. What's crashing is xxx.xxx's server.
>
> I can also connect to my MX and negotiate TLS too.
The problem occurs when mitra.fmp.com is the SMTP _client_ (not the server), but thanks for jumping on it anyway. This only seems to occur with an address at nv.net (the xxx.net in my original post), MX of mx.nv.net. I've added 'nv.net: /SECURITY=NONE' to esmtproutes, which has solved the problem with regard to this particular host; however, a few swaks sessions indicate that something in the response from this remote host is causing OpenSSL (actually the perl SSLeay module) to crash locally, which I can verify using strace. This happens from 3 different locations (all Ubuntu 12.04 LTS) on different boxes, all running OpenSSL 1.0.1. It does _not_ happen from a 4th location running 0.9.8e-fips-rhel5. All these sessions were with swaks, which is a perl-based SMTP analyzer.

Here's a session with mx.nv.net using couriertls:

$ TLS_VERIFYPEER=NONE couriertls -host=mx.nv.net -port=25 -protocol=smtp -printx509=2
220 nv.net ESMTP spoken here
EHLO linode
250-nv.net domain name should be qualified linode
250-DSN
250-SIZE 104857600
250-STARTTLS
250-AUTH=MSN
250-AUTH=LOGIN
250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 MSN
250-ETRN
250-TURN
250-ATRN
250-NO-SOLICITING
250-8BITMIME
250-HELP
250-PIPELINING
250 EHLO
STARTTLS
220 please start a TLS connection
couriertls: connect: error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

It appears to be a problem at nv.net, but if possible I'd like to know a bit more, since my correspondent there is both a customer and a personal friend, who personally knows the operator of nv.net. It would be nice to have some additional information to pass on to them. Is there any way to dig deeper into this?

-- 
Lindsay Haisley       | "UNIX is user-friendly, it just
FMP Computer Services |  chooses its friends."
512-259-1190          |             -- Andreas Bogk
http://www.fmp.com    |
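Added example, not code from the thread, from Courier or from swaks: a Python 3.7+ script that re-creates the couriertls exchange above (EHLO, STARTTLS, handshake) with the TLS version pinned on each attempt, so a peer's "sslv3 alert unexpected message" can be tied to a specific protocol version rather than to the MTA. Host and port are command-line arguments; the EHLO sample is constructed from the quoted mx.nv.net reply.

```python
# Added example (not Courier's or the thread's code): EHLO/STARTTLS probe, one TLS version at a time.
import socket
import ssl
import sys

# Constructed sample, trimmed from the mx.nv.net EHLO reply quoted above.
SAMPLE_EHLO = ["250-nv.net domain name should be qualified linode",
               "250-SIZE 104857600", "250-STARTTLS",
               "250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5 MSN", "250 EHLO"]

def read_reply(sock):
    """Read one complete SMTP reply; done when the last line is 'NNN<space>...' ending in CRLF."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection")
        data += chunk
        lines = data.decode("ascii", "replace").splitlines()
        if data.endswith(b"\r\n") and lines[-1][3:4] == " ":
            return lines

def parse_ehlo(lines):
    """Return the set of EHLO keywords advertised (line 0 is the greeting)."""
    return {line[4:].split()[0].upper() for line in lines[1:] if line[4:].strip()}

def probe(host, port, version):
    """EHLO, STARTTLS, then a handshake pinned to one TLS version; returns
    (negotiated_version, cipher) or raises ssl.SSLError carrying the alert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # diagnosis only, like TLS_VERIFYPEER=NONE
    ctx.minimum_version = ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=15) as sock:
        read_reply(sock)                 # 220 banner
        sock.sendall(b"EHLO probe.invalid\r\n")
        if "STARTTLS" not in parse_ehlo(read_reply(sock)):
            raise RuntimeError("STARTTLS not advertised")
        sock.sendall(b"STARTTLS\r\n")
        if not read_reply(sock)[-1].startswith("220"):
            raise RuntimeError("STARTTLS refused")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25
    for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1):
        try:
            print(v.name, "ok:", probe(host, port, v))
        except (ssl.SSLError, RuntimeError, OSError) as exc:
            print(v.name, "failed:", exc)
```

A version that fails with an SSLError while another succeeds points at the peer's TLS stack rather than at the MTA; on hosts whose OpenSSL security level disables TLS 1.0/1.1, those attempts fail locally with "no protocols available" instead.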