On Thu, 19 Feb 2015 17:35:27 -0800, Adam Thompson <[email protected]> wrote:

I'm seeing this in my logs, which prevents me from emailing my Dell reps:

Feb 19 14:27:49 mail smtpd[10516]: smtp-out: Connecting to smtp+tls://143.166.224.193:25 (ps-smtp.us.dell.com) on session e622753fb14af8b3...
Feb 19 14:27:49 mail smtpd[10516]: smtp-out: Connected on session e622753fb14af8b3
Feb 19 14:27:50 mail smtpd[10516]: smtp-out: Error on session e622753fb14af8b3: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
Feb 19 14:27:50 mail smtpd[10516]: smtp-out: Disabling route [] <-> 143.166.224.193 (ps-smtp.us.dell.com) for 800s
Feb 19 14:27:51 mail smtpd[10516]: smtp-out: No valid route for [connector:[]->[relay:Dell.com],0x0]
Feb 19 14:28:00 mail smtpd[10516]: relay: TempFail for fe32cf29be63e5db: session=0000000000000000, from=<[email protected]>, to=<[email protected]>, rcpt=<->, source=-, relay=Dell.com, delay=6m51s, stat=Network error on destination MXs

(I'm running smtpd from OpenBSD 5.6-STABLE.)

How do I disable TLS for a single remote MX or domain?

I reread the smtpd.conf man page and don't see any option for disabling TLS and forcing plain text on a connection.

I was able to reproduce the issue on my own server running OpenSMTPD 5.4.3 and LibreSSL 2.1.3:

Feb 19 22:36:37 mx smtpd[23222]: smtp-out: Connecting to smtp+tls://143.166.224.193:25 (ps-smtp.us.dell.com) on session 14687637672870f4...
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Connected on session 14687637672870f4
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Error on session 14687637672870f4: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Disabling route [] <-> 143.166.224.193 (ps-smtp.us.dell.com) for 800s
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Connecting to smtp+tls://143.166.224.134:25 (ps-smtp2.us.dell.com) on session 14687638b073970f...
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Connected on session 14687638b073970f
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Error on session 14687638b073970f: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Disabling route [] <-> 143.166.224.134 (ps-smtp2.us.dell.com) for 800s
Feb 19 22:36:40 mx smtpd[23222]: smtp-out: No valid route for [connector:[]->[relay:dell.com],0x0]
Feb 19 22:36:44 mx smtpd[23222]: smtp-in: Closing session 1468763438d80396
Feb 19 22:36:46 mx smtpd[23222]: relay: TempFail for 2fb23264e05bd09b: session=0000000000000000, from=<[email protected]>, to=<[email protected]>, rcpt=<->, source=-, relay=dell.com, delay=12s, stat=Network error on destination MXs


Mxtoolbox.com test

smtp:143.166.224.193
220 ps-smtp.us.dell.com ESMTP

Test    Result
SMTP Banner Check       OK - 143.166.224.193 resolves to ps-smtp.us.dell.com
SMTP Reverse DNS Mismatch       OK - Reverse DNS matches SMTP Banner
SMTP TLS        OK - Supports TLS.
SMTP Connection Time    1.030 seconds - Good on Connection time
SMTP Open Relay OK - Not an open relay.
SMTP Transaction Time   3.167 seconds - Good on Transaction Time
Session Transcript:
Connecting to 143.166.224.193

220 ps-smtp.us.dell.com ESMTP [967 ms]
EHLO MXTB-PWS3.mxtoolbox.com
250-ps-smtp.us.dell.com
250-8BITMIME
250-SIZE 41943040
250 STARTTLS [671 ms]
MAIL FROM: <[email protected]>
250 sender <[email protected]> ok [640 ms]
RCPT TO: <[email protected]>
550 #5.1.0 Address rejected. [655 ms]

MXTB-PWS3v2 3572ms

Starttls.info test

Results for: dell.com
Mail server     Result  
smtp2.ins.dell.com
Grade: A (81.9%)
Certificate
There is a self-signed certificate in the trust chain. It may be a configuration problem. There are one or more fatal problems which causes the certificate not to be trusted. There are validity issues for the certificate. Certificates are seldom verified for SMTP servers, so this doesn't mean that STARTTLS won't be used.

Generally speaking it's a bad practice not to have a valid certificate, and an even worse practice not to verify them. Any attempted encrypted communication is left all but wide open to Man-in-the-Middle attacks.

Protocol
Supports SSLV3.
Supports TLSV1.
Key exchange
Key size is 1024 bits; that's somewhat insecure.
Cipher
Weakest accepted cipher: 128.
Strongest accepted cipher: 256.
smtp.ins.dell.com

Error: Could not connect (timeout)

Checktls.info test

Checking [email protected]
looking up MX hosts on domain "dell.com"
smtp.ins.dell.com (preference:10)
smtp2.ins.dell.com (preference:20)
Trying TLS on smtp.ins.dell.com[143.166.224.193] (10):
seconds         test stage and result
[000.055]               Connected to server
[003.388]       <--  220 ps-smtp.us.dell.com ESMTP
[003.388]               We are allowed to connect
[003.388]       -->  EHLO checktls.com
[003.960]       <--  250-ps-smtp.us.dell.com
250-8BITMIME
250-SIZE 41943040
250 STARTTLS
[003.960]               We can use this server
[003.960]               TLS is an option on this server
[003.961]       -->  STARTTLS
[004.055]       <--  220 Go ahead with TLS
[004.056]               STARTTLS command works on this server
[004.238]               Cipher in use: DHE-RSA-AES256-SHA
[004.238]               Connection converted to SSL
[004.295]               
Certificate 1 of 3 in chain:
subject= /C=US/ST=TX/L=Round Rock/O=Dell USA L.P./OU=Information Technology/CN=smtp.ins.dell.com
issuer= /O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
[004.347]               
Certificate 2 of 3 in chain:
subject= /O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[004.398]               
Certificate 3 of 3 in chain:
subject= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[004.399]               Cert VALIDATED: ok
[004.400]               Cert Hostname VERIFIED (smtp.ins.dell.com = smtp.ins.dell.com)
[004.400]       ~~>  EHLO checktls.com
[004.849]       <~~  250-ps-smtp.us.dell.com
250-8BITMIME
250 SIZE 41943040
[004.850]               TLS successfully started on this server
[004.850]       ~~>  MAIL FROM:<[email protected]>
[004.913]       <~~  250 sender <[email protected]> ok
[004.913]               Sender is OK
[004.913]       ~~>  RCPT TO:<[email protected]>
[004.979]       <~~  250 recipient <[email protected]> ok
[004.979]               Recipient OK, E-mail address proofed
[004.980]       ~~>  QUIT
[005.120]       <~~  221 ps-smtp.us.dell.com
Trying TLS on smtp2.ins.dell.com[143.166.83.141] (20):
seconds         test stage and result
[000.052]               Connected to server
[000.892]       <--  220 ps-smtp.us.dell.com ESMTP
[000.892]               We are allowed to connect
[000.892]       -->  EHLO checktls.com
[000.947]       <--  250-ps-smtp.us.dell.com
250-8BITMIME
250-SIZE 41943040
250 STARTTLS
[000.947]               We can use this server
[000.947]               TLS is an option on this server
[000.947]       -->  STARTTLS
[000.999]       <--  220 Go ahead with TLS
[001.000]               STARTTLS command works on this server
[001.140]               Cipher in use: DHE-RSA-AES256-SHA
[001.140]               Connection converted to SSL
[001.194]               
Certificate 1 of 3 in chain:
subject= /C=US/ST=TX/L=Round Rock/O=Dell USA L.P./OU=Information Technology/CN=smtp.ins.dell.com
issuer= /O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
[001.243]               
Certificate 2 of 3 in chain:
subject= /O=Cybertrust Inc/CN=Cybertrust Public SureServer SV CA
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[001.291]               
Certificate 3 of 3 in chain:
subject= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
issuer= /C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
[001.292]               Cert VALIDATED: ok
[001.293]               Cert Hostname VERIFIED (smtp2.ins.dell.com = smtp.ins.dell.com)
[001.293]       ~~>  EHLO checktls.com
[001.348]       <~~  250-ps-smtp.us.dell.com
250-8BITMIME
250 SIZE 41943040
[001.348]               TLS successfully started on this server
[001.349]       ~~>  MAIL FROM:<[email protected]>
[001.399]       <~~  250 sender <[email protected]> ok
[001.400]               Sender is OK
[001.400]       ~~>  RCPT TO:<[email protected]>
[001.452]       <~~  250 recipient <[email protected]> ok
[001.453]               Recipient OK, E-mail address proofed
[001.453]       ~~>  QUIT
[001.504]       <~~  221 ps-smtp.us.dell.com
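Added example (not code from the thread or from OpenSMTPD): a small Python correlator for smtp-out log lines like the ones quoted above. It joins each "Disabling route" line to the session error that caused it, so a remote MX aborting the STARTTLS handshake with an alert shows up as a named, time-bounded backoff in monitoring instead of surfacing only as a TempFail later. The sample input is the reproduction log from this thread; the function and field names are my own.

```python
import re

# Constructed sample input: the smtp-out lines quoted in the thread above.
SAMPLE_LOG = """\
Feb 19 22:36:37 mx smtpd[23222]: smtp-out: Connecting to smtp+tls://143.166.224.193:25 (ps-smtp.us.dell.com) on session 14687637672870f4...
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Connected on session 14687637672870f4
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Error on session 14687637672870f4: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
Feb 19 22:36:38 mx smtpd[23222]: smtp-out: Disabling route [] <-> 143.166.224.193 (ps-smtp.us.dell.com) for 800s
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Connecting to smtp+tls://143.166.224.134:25 (ps-smtp2.us.dell.com) on session 14687638b073970f...
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Connected on session 14687638b073970f
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Error on session 14687638b073970f: IO Error: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error
Feb 19 22:36:39 mx smtpd[23222]: smtp-out: Disabling route [] <-> 143.166.224.134 (ps-smtp2.us.dell.com) for 800s
Feb 19 22:36:40 mx smtpd[23222]: smtp-out: No valid route for [connector:[]->[relay:dell.com],0x0]
"""

# One pattern per smtp-out event of interest; the session id links a connect to its error.
CONNECT_RE = re.compile(
    r"smtp-out: Connecting to (?P<scheme>smtps?(?:\+tls)?)://(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)"
    r" \((?P<host>[^)]+)\) on session (?P<sid>[0-9a-f]+)")
ERROR_RE = re.compile(r"smtp-out: Error on session (?P<sid>[0-9a-f]+): (?P<err>.*)$")
DISABLE_RE = re.compile(
    r"smtp-out: Disabling route \[[^\]]*\] <-> (?P<ip>[0-9a-fA-F.:]+) \((?P<host>[^)]+)\) for (?P<secs>\d+)s")


def parse_disabled_routes(log_text):
    """Return one dict per 'Disabling route' line: ip, host, seconds of backoff,
    scheme of the attempt (smtp+tls = opportunistic STARTTLS) and the session error
    last seen for that destination ('unknown' if the log showed none)."""
    by_sid = {}      # session id -> connect details
    by_ip = {}       # destination ip -> connect details of the most recent attempt
    last_error = {}  # destination ip -> most recent error text
    routes = []
    for line in log_text.splitlines():
        if (m := CONNECT_RE.search(line)):
            d = m.groupdict()
            by_sid[d["sid"]] = d
            by_ip[d["ip"]] = d
        elif (m := ERROR_RE.search(line)) and m["sid"] in by_sid:
            last_error[by_sid[m["sid"]]["ip"]] = m["err"]
        elif (m := DISABLE_RE.search(line)):
            routes.append({"ip": m["ip"], "host": m["host"], "seconds": int(m["secs"]),
                           "scheme": by_ip.get(m["ip"], {}).get("scheme", "?"),
                           "error": last_error.get(m["ip"], "unknown")})
    return routes


def tls_handshake_failures(routes):
    """Keep only routes disabled because the remote aborted the TLS handshake with an alert."""
    return [r for r in routes if "SSL routines" in r["error"] and "alert" in r["error"]]
```

Run over a live log, the two filter outputs differ from a plain grep in that each entry carries the backoff duration and the exact TLS alert, which is what you need to decide whether the peer or your own TLS stack is at fault.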

--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]