Thanks, particularly for the

Try_TLS:rci.rcimx.net NO

In fact I had to use

Try_TLS:rcimx.net NO
Try_TLS:securence.com NO

To get all the ones that I know about

-----Original Message-----
From: Philip Guenther [mailto:guent...@gmail.com]
Sent: Saturday, February 04, 2012 1:53 AM
To: Peter Fraser
Cc: misc@openbsd.org
Subject: Re: sendmail TLS errors

On Sat, Jan 28, 2012 at 1:59 PM, Peter Fraser <p...@thinkage.ca> wrote:
> I am getting the following errors, with sendmail (OpenBSD 5.0 and
> errors were there for 4.9 as well)
...
> Jan 28 16:34:51 mail sm-mta[372]: STARTTLS=client:
> 372:error:1411809D:SSL routines:SSL_CHECK_SERVERHELLO_TLSEXT:tls
> invalid ecpointformat
> list:/usr/src/lib/libssl/ssl/../src/ssl/t1_lib.c:1470:
...
> From peering around with google these seem to come from an error in
> ssl. I assume that it is edgewave.com.mx1.rci.rcimx.net that has the
> error, not OpenBSD 5.0 but none the less I cannot send email to this
> site, with TLS enabled.

This was a bug in the EC point extension support in OpenSSL versions before
1.0.0c, including the version in OpenBSD 5.0.  It's fixed in the version of
OpenSSL that's been imported since then for OpenBSD 5.1.


> To my surprise I found that not configuring TLS on sendmail.mc only
> turns it off for receiving not sending.

That's true.  There's a fundamental asymmetry to SSL/TLS, where servers have
to be configured with certs and such but clients require nothing.  My reading
of the history of the design of SSL is that that was intentional.

So, how do you turn TLS client support off completely in sendmail?
The easiest method is probably to use LOCAL_TRY_TLS in your .mc file to define
a try_tls ruleset that always returns NO.


> The only way I can find to turn it off for sending is by adding
>
> Try_TLS:edgewave.com.mx1.rci.rcimx.net NO
> Try_TLS:edgewave.com.mx2.rci.rcimx.net NO
> Try_TLS:edgewave.com.mx3.rci.rcimx.net NO
> Try_TLS:edgewave.com.mx4.rci.rcimx.net NO
>
> to sendmail's map access database.

That looks correct.  You could also apply that to the entire rci.rcimx.net
domain with a single entry:

Try_TLS:rci.rcimx.net NO


> It would have been nice if sendmail falls back to a non-TLS
> connection if the handshake occurs.

Well, the handshake also fails whenever an attacker interferes with the
connection.  A "revert to insecure when attacked" behavior makes you secure
except when it matters.


Philip Guenther

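The two workarounds discussed in the thread (per-host or per-domain Try_TLS entries in the access map, and the LOCAL_TRY_TLS hook that turns the TLS client off entirely) as a worked example. This is an added illustration, not code from the thread or from sendmail itself. It writes the entries Peter ended up using, models the parent-domain fallback sendmail applies when it looks a host up in the access map (the reason one entry for rci.rcimx.net covers all four edgewave.com.mx*.rci.rcimx.net hosts), and rebuilds the map with makemap only if that tool is present. The lookup function, the demo file path and the exact rendering of the LOCAL_TRY_TLS fragment are my assumptions; check cf/README for your sendmail version before relying on the hook syntax.

```shell
#!/bin/sh
# Added example (not from the thread, not sendmail's own code).
# Models sendmail's Try_TLS access-map handling for the hosts in the thread.

# Demo path; on a real system this is /etc/mail/access (assumption: same format).
ACCESS_FILE="${ACCESS_FILE:-/tmp/access.try_tls_demo}"

# Write "Try_TLS:<host-or-domain> NO" lines, one per argument, to file $1.
write_access_entries() {
    f="$1"; shift
    : > "$f"
    for d in "$@"; do
        printf 'Try_TLS:%s\tNO\n' "$d" >> "$f"
    done
}

# Model of sendmail's host lookup for host-keyed tags: try the full name,
# then strip leading labels (edgewave.com.mx1.rci.rcimx.net -> com.mx1... ->
# mx1.rci.rcimx.net -> rci.rcimx.net -> rcimx.net -> net) until a key matches.
# Prints the right-hand side (NO) or "default" when no entry applies,
# meaning sendmail would attempt STARTTLS as usual.
try_tls_lookup() {
    f="$1"; host="$2"
    while [ -n "$host" ]; do
        rhs=$(awk -v k="Try_TLS:$host" '$1 == k { print $2; exit }' "$f")
        if [ -n "$rhs" ]; then
            printf '%s\n' "$rhs"
            return 0
        fi
        case "$host" in
            *.*) host="${host#*.}" ;;
            *)   host="" ;;
        esac
    done
    printf 'default\n'
    return 0
}

# Rebuild the db from the text file; a no-op where makemap is not installed.
rebuild_access_map() {
    if command -v makemap >/dev/null 2>&1; then
        makemap hash "$1" < "$1"
    fi
}

# Philip's other suggestion, turning the TLS client off for every peer:
# a try_tls hook in sendmail.mc that always returns NO.  Assumption: the
# hook is followed directly by rule lines; the separator after "R$*" is a tab.
mc_disable_tls_client() {
    printf 'LOCAL_TRY_TLS\nR$*\t$@ NO\n'
}

# Constructed demo using the entries from the thread.
write_access_entries "$ACCESS_FILE" rci.rcimx.net rcimx.net securence.com
rebuild_access_map "$ACCESS_FILE"
try_tls_lookup "$ACCESS_FILE" edgewave.com.mx1.rci.rcimx.net   # NO
try_tls_lookup "$ACCESS_FILE" smtp.securence.com                 # NO
try_tls_lookup "$ACCESS_FILE" mail.example.org                   # default
```

Note that the access-map route disables STARTTLS only toward the listed domains, so every other peer still gets opportunistic TLS; the LOCAL_TRY_TLS ruleset disables it for all outbound connections, which is the trade-off Philip's last paragraph is about.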