Hello,

This is OpenBSD current (OpenBSD 5.6-beta (GENERIC) #274: Mon Jul 21
15:52:55 MDT 2014) and I can't relay mails to some server.

from the log:

smtp-out: Connecting to smtp+tls://1.2.3.4:25 (mail.example.com) on
session 522cc981f2c57ee7...
smtp-out: Connected on session 522cc981f2c57ee7
smtp-out: Error on session 522cc981f2c57ee7: IO Error:
error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode
error
smtp-out: Disabling route [] <-> 1.2.3.4 (mail.example.com) for 800s

I have found a similar mail on the mailing list and its Git entry:

https://github.com/OpenSMTPD/OpenSMTPD/issues/388
(Relay: fallback to smtp after a failed attemp with smtp+tls #388)

It is there and is working:
smtp-out: Error on session e92dd1c7949ca31f: opportunistic TLS failed,
downgrading to plain
smtp-out: Connecting to smtp://4.3.2.1:25 (mx.example.com) on session
e92dd1c7949ca31f...

But for some server it did not fall back to smtp and the mails stay in
the queue:
40550190fc4e068|inet4|mta||[email protected]|[email protected]|[email protected]|
1406040999|1406386599|0|2|pending|1161|Network error on destination MXs


It seems that it is caused by TLS1_2:

# openssl s_client -msg -connect mail.example.com:25 -starttls smtp
CONNECTED(00000003)
>>> TLS 1.2 Handshake [length 0200], ClientHello
    01 00 01 fc 03 03 d7 4f 3e 01 4a 90 41 27 c7 bf
    ..
    ..
    ..
<<< TLS 1.0 Alert [length 0002], fatal decode_error
    02 32
5074867261276:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1
alert decode error:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/s23_clnt.c:526


With TLS1_2 disabled:

# openssl s_client -msg -no_tls1_2 -connect mail.example.com:25 # -starttls smtp
CONNECTED(00000003)
>>> TLS 1.1 Handshake [length 00b7], ClientHello
    01 00 00 b3 03 02 1f b4 57 7c ce b6 90 79 9b 1e
    ..
    ..
    ..
<<< TLS 1.0 Handshake [length 0035], ServerHello
    02 00 00 31 03 01 53 ce 7e f5 df a8 e9 a9 e9 2c
    ..
    ..


So I have disabled TLS1_2 in "ssl/23_clnt.c" to get it running again, but this
is baloney of course.


Thanks for any help
Stefan
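
Added example, not part of the original mail: a small Python decoder for the `openssl s_client -msg` lines quoted above. It reads the leading bytes of each message (handshake type, body length, offered version; alert level and description) and reports how the server answered each ClientHello. The sample traces are constructed from the bytes shown in the post, and the function names are this example's own.

```python
import re

# Constructed sample: headers and leading bytes as quoted in the post (rest elided as "..").
TRACE_TLS12 = """\
>>> TLS 1.2 Handshake [length 0200], ClientHello
    01 00 01 fc 03 03 d7 4f 3e 01 4a 90 41 27 c7 bf
    ..
<<< TLS 1.0 Alert [length 0002], fatal decode_error
    02 32
"""
TRACE_TLS11 = """\
>>> TLS 1.1 Handshake [length 00b7], ClientHello
    01 00 00 b3 03 02 1f b4 57 7c ce b6 90 79 9b 1e
    ..
<<< TLS 1.0 Handshake [length 0035], ServerHello
    02 00 00 31 03 01 53 ce 7e f5 df a8 e9 a9 e9 2c
"""
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKES = {1: "ClientHello", 2: "ServerHello"}
ALERTS = {40: "handshake_failure", 47: "illegal_parameter", 50: "decode_error", 70: "protocol_version"}
HEADER = re.compile(r"^(>>>|<<<) .*? (Handshake|Alert) \[length ([0-9a-f]{4})\]")
HEXLINE = re.compile(r"\s+(?:[0-9a-f]{2}\s?)+")

def parse_trace(text):
    """Split `s_client -msg` output into messages and decode their leading bytes."""
    msgs = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            msgs.append({"sent": m[1] == ">>>", "kind": m[2], "length": int(m[3], 16), "raw": b""})
        elif msgs and HEXLINE.fullmatch(line):  # elided ".." lines are skipped
            msgs[-1]["raw"] += bytes.fromhex(line)
    for msg in msgs:
        raw = msg["raw"]
        if msg["kind"] == "Alert" and len(raw) >= 2:
            msg["alert"] = ("fatal" if raw[0] == 2 else "warning", ALERTS.get(raw[1], raw[1]))
        elif msg["kind"] == "Handshake" and len(raw) >= 6:
            msg["type"] = HANDSHAKES.get(raw[0], raw[0])
            msg["body_len"] = int.from_bytes(raw[1:4], "big")  # 3-byte handshake length
            msg["version"] = VERSIONS.get((raw[4], raw[5]), raw[4:6].hex())
    return msgs

def hello_outcome(text):
    """Return (offered version, ClientHello message length, first server answer)."""
    msgs = parse_trace(text)
    hello = next(m for m in msgs if m["sent"] and m.get("type") == "ClientHello")
    reply = next((m for m in msgs if not m["sent"]), {})
    answer = reply.get("alert") or (reply.get("type"), reply.get("version"))
    return hello["version"], hello["length"], answer
```

On the two traces in the post this yields a 512-byte TLS 1.2 ClientHello answered by a fatal decode_error, and a 183-byte TLS 1.1 ClientHello answered by a TLS 1.0 ServerHello, so the failing and working probes differ in both offered version and hello size.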
