Date: Wed, 01 May 2019 13:49:36 -0400
From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-questions <freebsd-questions@freebsd.org>, "David K. Gerry" <david.k.gerry@gmail.com>
Subject: Re: FreeBSD 12.0-p3 sendmail openssl Google
Message-ID: <57666625-0fc4-4094-97b9-03adba03d3e2@www.fastmail.com>
In-Reply-To: <d0703d2a-f13e-f4ea-65fc-db58abfe3269@gmail.com>
References: <d0703d2a-f13e-f4ea-65fc-db58abfe3269@gmail.com>
On Tue, 30 Apr 2019, at 22:57, David K. Gerry wrote:
> Greetings,
>
> I upgraded to FreeBSD 12.0-p3 on Wednesday using make installworld,
> mergemaster, etc. Since then I have not been able to receive e-mail from
> Google with the following error in the mail log.
>
> Apr 30 18:14:07 john-steed sm-mta[32581]: STARTTLS=server, error: accept
> failed=-1, reason=sslv3 alert illegal parameter, SSL_error=1, errno=0,
------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^---------------------

Hi David,

TLDR: use TLS1.1 at minimum, preferred 1.2 & share more info to reduce
speculation. SSLv2 is vulnerable to a bunch of attacks.

I can't speak for sendmail config (it may help others if you share it) but
this looks like SSLv3 is not accepted by your mailserver, and presumably
you'll need to tweak something somewhere to address that.

This post is old https://mikeberggren.com/post/101178147946/sendmail-sslv3
but will probably point you in the right direction.

You can test this using the openssl library. I used google here but test your
inbound smtp server.

$ openssl s_client -connect smtp.gmail.com:25 -starttls smtp -ssl3
CONNECTED(00000004)
34371043328:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1528:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 259 bytes and written 91 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1556732024
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

so, gmail hates sslv3 as well but TLS1.2 is good:

$ openssl s_client -connect smtp.gmail.com:25 -starttls smtp -tls1_2
CONNECTED(00000004)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
   i:C = US, O = Google Trust Services, CN = Google Internet Authority G3
 1 s:C = US, O = Google Trust Services, CN = Google Internet Authority G3
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEijCCA3KgAwIBAgIQaiGCOBlBFzCgFMqcMuRIjzANBgkqhkiG9w0BAQsFADBU
...
fhldLEHkmtdnfCFfmG0=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
issuer=C = US, O = Google Trust Services, CN = Google Internet Authority G3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3214 bytes and written 335 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: E23A7EC04F4D1412C8B68E6A1B14895B54A5D9A5202F9F8DD8E52667062AA080
    Session-ID-ctx:
    Master-Key: 6B78186FC15620CB267621F83FC0E720F21BC56DFDBE5FC84B2C7B9425D206133D57D8DCE5C873DE4FDFA6CCCFAAD160
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 38 c4 3b 8c 9c cb 2d-d8 34 c9 1e f9 87 97 86   .8.;...-.4....
    ...
    00d0 - 25 d6 df 3d c7 12 d6 5d-dd ee                     %..=...]..

    Start Time: 1556732472
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 SMTPUTF8
^C

I'm curious whether your 11.x vs 12.x servers have a different response.

A+
Dave
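As an added example, not part of this thread or of sendmail itself: a small Python script that pulls the STARTTLS accept failures out of sendmail log lines in the format David posted (the sample lines below are constructed, with a second failure reason and one successful session added for contrast), and a hypothetical probe_starttls() helper that repeats Dave's s_client test from Python with a floor on the TLS version, so an operator can check their own inbound server the same way. The hostname mail.example.invalid is a placeholder.

```python
"""Classify sendmail STARTTLS failures and probe a server's TLS floor."""
import re
import smtplib
import ssl

# Constructed sample log lines in the same shape as the thread's log entry.
SAMPLE_LOG = """\
Apr 30 18:14:07 john-steed sm-mta[32581]: STARTTLS=server, error: accept failed=-1, reason=sslv3 alert illegal parameter, SSL_error=1, errno=0
Apr 30 18:20:11 john-steed sm-mta[32590]: STARTTLS=server, error: accept failed=-1, reason=no shared cipher, SSL_error=1, errno=0
Apr 30 18:21:02 john-steed sm-mta[32591]: STARTTLS=server, relay=mail.example.invalid, version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
"""

# Matches only the failure form of the STARTTLS log line.
FAIL_RE = re.compile(
    r"sm-mta\[(?P<pid>\d+)\]: STARTTLS=(?P<role>\w+), error: "
    r"accept failed=(?P<rc>-?\d+), reason=(?P<reason>[^,]+), "
    r"SSL_error=(?P<ssl_error>\d+), errno=(?P<errno>\d+)"
)


def parse_failures(log_text):
    """Return one dict per STARTTLS accept failure; successful sessions are skipped."""
    return [m.groupdict() for m in map(FAIL_RE.search, log_text.splitlines()) if m]


def count_reasons(log_text):
    """Tally failures by the OpenSSL reason string, e.g. 'sslv3 alert illegal parameter'."""
    counts = {}
    for failure in parse_failures(log_text):
        counts[failure["reason"]] = counts.get(failure["reason"], 0) + 1
    return counts


def probe_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context that refuses to negotiate anything older than min_version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    return ctx


def probe_starttls(host, port=25, min_version=ssl.TLSVersion.TLSv1_2):
    """Hypothetical helper: EHLO, then STARTTLS with the given floor.

    Returns the negotiated protocol name (e.g. 'TLSv1.2') or None if the
    server rejects the handshake, mirroring the s_client test in the thread.
    """
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        try:
            smtp.starttls(context=probe_context(min_version))
        except (smtplib.SMTPException, ssl.SSLError):
            return None
        return smtp.sock.version()  # sock is the wrapped TLS socket after starttls()
```

Run count_reasons() over /var/log/maillog to see whether the failures are all the same reason; probe_starttls("mail.example.invalid") needs network access and is not exercised by the checks below.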