On Thu, 19 Feb 2015 17:35:27 -0800, Adam Thompson <[email protected]> wrote:
I'm seeing this in my logs, which prevents me from emailing my Dell reps:
Feb 19 14:27:49 mail smtpd[10516]: smtp-out: Connecting to
smtp+tls://143.166.224.193:25 (ps-smtp.us.dell.com) on session
e622753fb14af8b3...
Feb 19 14:27:49 mail smtpd[10516]: smtp-out: Connected on session
e622753fb14af8b3
Feb 19 14:27:50 mail smtpd[10516]: smtp-out: Error on session
e622753fb14af8b3: IO Error: error:1407741A:SSL
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
Feb 19 14:27:50 mail smtpd[10516]: smtp-out: Disabling route [] <->
143.166.224.193 (ps-smtp.us.dell.com) for 800s
Feb 19 14:27:51 mail smtpd[10516]: smtp-out: No valid route for
[connector:[]->[relay:Dell.com],0x0]
Feb 19 14:28:00 mail smtpd[10516]: relay: TempFail for fe32cf29be63e5db:
session=0000000000000000, from=<[email protected]>,
to=<[email protected]>, rcpt=<->, source=-, relay=Dell.com,
delay=6m51s, stat=Network error on destination MXs
(I'm running smtpd from OpenBSD 5.6-STABLE.)
How do I disable TLS for a single remote MX or domain?
I reread the smtpd.conf man page and don't see any option for disabling
TLS and forcing plain text on a connection.
I was able to reproduce the issue on my own server running OpenSMTPD 5.4.3
and LibreSSL 2.1.3:
Feb 19 22:36:37 mx smtpd[23222]: smtp-out: Connecting to
smtp+tls://143.166.224.193:25 (ps-smtp.us.dell.com) on session
14687637672870f4...
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Connected on session
14687637672870f4
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Error on session
14687637672870f4: IO Error: error:1407741A:SSL
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Disabling route [] <->
143.166.224.193 (ps-smtp.us.dell.com) for 800s
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Connecting to
smtp+tls://143.166.224.134:25 (ps-smtp2.us.dell.com) on session
14687638b073970f...
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Connected on session
14687638b073970f
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Error on session
14687638b073970f: IO Error: error:1407741A:SSL
routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Disabling route [] <->
143.166.224.134 (ps-smtp2.us.dell.com) for 800s
Feb 19 22:36:40 mx smtpd[23222]: smtp-out: No valid route for
[connector:[]->[relay:dell.com],0x0]
Feb 19 22:36:44 mx smtpd[23222]: smtp-in: Closing session 1468763438d80396
Feb 19 22:36:46 mx smtpd[23222]: relay: TempFail for 2fb23264e05bd09b:
session=0000000000000000, from=<[email protected]>,
to=<[email protected]>, rcpt=<->, source=-, relay=dell.com,
delay=12s, stat=Network error on destination MXs
Mxtoolbox.com test
smtp:143.166.224.193 Monitor This smtp
220 ps-smtp.us.dell.com ESMTP
Test Result
SMTP Banner Check OK - 143.166.224.193 resolves to
ps-smtp.us.dell.com
SMTP Reverse DNS Mismatch OK - Reverse DNS matches SMTP Banner
SMTP TLS OK - Supports TLS.
SMTP Connection Time 1.030 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time 3.167 seconds - Good on Transaction Time
Session Transcript:
Connecting to 143.166.224.193
220 ps-smtp.us.dell.com ESMTP [967 ms]
EHLO MXTB-PWS3.mxtoolbox.com
250-ps-smtp.us.dell.com
250-8BITMIME
250-SIZE 41943040
250 STARTTLS [671 ms]
MAIL FROM: <[email protected]>
250 sender <[email protected]> ok [640 ms]
RCPT TO: <[email protected]>
550 #5.1.0 Address rejected. [655 ms]
MXTB-PWS3v2 3572ms
Starttls.info test
Results for: dell.com
Mail server Result
smtp2.ins.dell.com
Grade: A (81.9%)
Certificate
There is a self-signed certificate in the trust chain. It may be a
configuration problem.
There are one or more fatal problems which causes the certificate not to
be trusted.
There are validity issues for the certificate. Certificates are seldom
verified for SMTP servers, so this doesn't mean that STARTTLS won't be
used.
Generally speaking it's a bad practice not to have a valid certificate,
and an even worse practice not to verify them. Any attempted encrypted
communication is left all but wide open to Man-in-the-Middle attacks.
Protocol
Supports SSLV3.
Supports TLSV1.
Key exchange
Key size is 1024 bits; that's somewhat insecure.
Cipher
Weakest accepted cipher: 128.
Strongest accepted cipher: 256.
smtp.ins.dell.com
Error: Could not connect (timeout)
Checktls.info test
Checking [email protected]
looking up MX hosts on domain "dell.com"
smtp.ins.dell.com (preference:10)
smtp2.ins.dell.com (preference:20)
Trying TLS on smtp.ins.dell.com[143.166.224.193] (10):
seconds test stage and result
[000.055] Connected to server
[003.388] <-- 220 ps-smtp.us.dell.com ESMTP
[003.388] We are allowed to connect
[003.388] --> EHLO checktls.com
[003.960] <-- 250-ps-smtp.us.dell.com
250-8BITMIME
250-SIZE 41943040
250 STARTTLS
[003.960] We can use this server
[003.960] TLS is an option on this server
[003.961] --> STARTTLS
[004.055] <-- 220 Go ahead with TLS
[004.056] STARTTLS command works on this server
[004.238] Cipher in use: DHE-RSA-AES256-SHA
[004.238] Connection converted to SSL
[004.295]
Certificate 1 of 3 in chain:
subject= /C=US/ST=TX/L=Round Rock/O=Dell USA L.P./OU=Information
Technology/CN=smtp.ins.dell.com
issuer= /O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
[004.347]
Certificate 2 of 3 in chain:
subject= /O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[004.398]
Certificate 3 of 3 in chain:
subject= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[004.399] Cert VALIDATED: ok
[004.400] Cert Hostname VERIFIED (smtp.ins.dell.com =
smtp.ins.dell.com)
[004.400] ~~> EHLO checktls.com
[004.849] <~~ 250-ps-smtp.us.dell.com
250-8BITMIME
250 SIZE 41943040
[004.850] TLS successfully started on this server
[004.850] ~~> MAIL FROM:<[email protected]>
[004.913] <~~ 250 sender <[email protected]> ok
[004.913] Sender is OK
[004.913] ~~> RCPT TO:<[email protected]>
[004.979] <~~ 250 recipient <[email protected]> ok
[004.979] Recipient OK, E-mail address proofed
[004.980] ~~> QUIT
[005.120] <~~ 221 ps-smtp.us.dell.com
Trying TLS on smtp2.ins.dell.com[143.166.83.141] (20):
seconds test stage and result
[000.052] Connected to server
[000.892] <-- 220 ps-smtp.us.dell.com ESMTP
[000.892] We are allowed to connect
[000.892] --> EHLO checktls.com
[000.947] <-- 250-ps-smtp.us.dell.com
250-8BITMIME
250-SIZE 41943040
250 STARTTLS
[000.947] We can use this server
[000.947] TLS is an option on this server
[000.947] --> STARTTLS
[000.999] <-- 220 Go ahead with TLS
[001.000] STARTTLS command works on this server
[001.140] Cipher in use: DHE-RSA-AES256-SHA
[001.140] Connection converted to SSL
[001.194]
Certificate 1 of 3 in chain:
subject= /C=US/ST=TX/L=Round Rock/O=Dell USA L.P./OU=Information
Technology/CN=smtp.ins.dell.com
issuer= /O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
[001.243]
Certificate 2 of 3 in chain:
subject= /O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[001.291]
Certificate 3 of 3 in chain:
subject= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[001.292] Cert VALIDATED: ok
[001.293] Cert Hostname VERIFIED (smtp2.ins.dell.com =
smtp.ins.dell.com)
[001.293] ~~> EHLO checktls.com
[001.348] <~~ 250-ps-smtp.us.dell.com
250-8BITMIME
250 SIZE 41943040
[001.348] TLS successfully started on this server
[001.349] ~~> MAIL FROM:<[email protected]>
[001.399] <~~ 250 sender <[email protected]> ok
[001.400] Sender is OK
[001.400] ~~> RCPT TO:<[email protected]>
[001.452] <~~ 250 recipient <[email protected]> ok
[001.453] Recipient OK, E-mail address proofed
[001.453] ~~> QUIT
[001.504] <~~ 221 ps-smtp.us.dell.com
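One thing worth pulling out of the smtpd log lines above is what the packed OpenSSL error code actually says. The following Python is an added example, not code from either poster or from the OpenSMTPD project: it splits `error:1407741A` into OpenSSL's library/function/reason fields (library 20 is the SSL library, function 119 is SSL23_GET_SERVER_HELLO, reason 1050), and applies the OpenSSL convention that a reason of 1000 + N in the SSL library means the peer sent TLS alert N. Here N is 50, `decode_error`, so the remote MX rejected our ClientHello with a fatal alert rather than our side failing to parse anything. The script then correlates the session ids, the alert, and the 800s route backoff per MX. The log text is constructed by re-joining the wrapped lines from the reply above; the regular expressions and the alert table are assumptions written for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the smtp-out lines from the reply above, re-joined onto single lines.
SAMPLE_LOG = """\
Feb 19 22:36:37 mx smtpd[23222]: smtp-out: Connecting to smtp+tls://143.166.224.193:25 (ps-smtp.us.dell.com) on session 14687637672870f4...
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Connected on session 14687637672870f4
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Error on session 14687637672870f4: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Disabling route [] <-> 143.166.224.193 (ps-smtp.us.dell.com) for 800s
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Connecting to smtp+tls://143.166.224.134:25 (ps-smtp2.us.dell.com) on session 14687638b073970f...
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Connected on session 14687638b073970f
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Error on session 14687638b073970f: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Disabling route [] <-> 143.166.224.134 (ps-smtp2.us.dell.com) for 800s
Feb 19 22:36:40 mx smtpd[23222]: smtp-out: No valid route for [connector:[]->[relay:dell.com],0x0]
"""

# Subset of TLS AlertDescription values (RFC 5246, section 7.2).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    48: "unknown_ca", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}

ERR_LIB_SSL = 20            # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reports a peer alert N as reason 1000 + N


def decode_openssl_error(code):
    """Split a packed OpenSSL 1.0.x / LibreSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def peer_alert(reason):
    """Return (alert_number, name) if the reason encodes an alert sent by the peer, else None."""
    if reason < SSL_AD_REASON_OFFSET:
        return None
    n = reason - SSL_AD_REASON_OFFSET
    return n, TLS_ALERTS.get(n, "unknown")


# Regexes are assumptions matching the log format shown in the thread.
CONNECT = re.compile(r"Connecting to (\S+)://(\S+):(\d+) \((\S+)\) on session ([0-9a-f]+)")
ERROR = re.compile(r"Error on session ([0-9a-f]+): .*error:([0-9A-Fa-f]{8}):")
DISABLE = re.compile(r"Disabling route \[\] <-> (\S+) \((\S+)\) for (\d+)s")


def summarize(log_text):
    """Per-MX summary: relay scheme used, decoded OpenSSL error, peer alert, and backoff seconds."""
    sessions = {}               # session id -> MX hostname
    hosts = defaultdict(dict)
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            scheme, ip, port, host, sid = m.groups()
            sessions[sid] = host
            hosts[host].update(scheme=scheme, ip=ip, port=int(port))
            continue
        m = ERROR.search(line)
        if m:
            sid, code = m.groups()
            host = sessions.get(sid)
            if host is None:
                continue
            lib, func, reason = decode_openssl_error(int(code, 16))
            entry = hosts[host]
            entry["openssl"] = (lib, func, reason)
            # Only the SSL library uses the 1000 + alert convention.
            entry["peer_alert"] = peer_alert(reason) if lib == ERR_LIB_SSL else None
            continue
        m = DISABLE.search(line)
        if m:
            _ip, host, secs = m.groups()
            hosts[host]["disabled_for"] = int(secs)
    return dict(hosts)


if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        print(host, info)
```

Run against the sample, both Dell MXs come out with scheme `smtp+tls`, OpenSSL fields (20, 119, 1050), peer alert (50, `decode_error`) and an 800 second backoff, which is the combination that produces the "No valid route" line and the TempFail that follows it.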
--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]