From: "Dave Cottlehuber" <dch@skunkwerks.at>
To: freebsd-questions@freebsd.org, "David K. Gerry"
Subject: Re: FreeBSD 12.0-p3 sendmail openssl Google
Date: Wed, 01 May 2019 13:49:36 -0400
Message-Id: <57666625-0fc4-4094-97b9-03adba03d3e2@www.fastmail.com>

On Tue, 30 Apr 2019, at 22:57, David K. Gerry wrote:
> Greetings,
>
> I upgraded to FreeBSD 12.0-p3 on Wednesday using make installworld,
> mergemaster, etc. Since then I have not been able to receive e-mail from
> Google with the following error in the mail log.
>
> Apr 30 18:14:07 john-steed sm-mta[32581]: STARTTLS=server, error: accept
> failed=-1, reason=sslv3 alert illegal parameter, SSL_error=1, errno=0,
  --------------------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^-----------------------

Hi David,

TLDR: use TLS1.1 at minimum, preferred 1.2, and share more info to reduce
speculation. SSLv2 is vulnerable to a bunch of attacks.

I can't speak for sendmail config (it may help others if you share it) but
this looks like SSLv3 is not accepted by your mailserver, and presumably
you'll need to tweak something somewhere to address that.

This post is old, https://mikeberggren.com/post/101178147946/sendmail-sslv3,
but will probably point you in the right direction.

You can test this using the openssl library. I used Google here, but test
your inbound SMTP server.
$ openssl s_client -connect smtp.gmail.com:25 -starttls smtp -ssl3
CONNECTED(00000004)
34371043328:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1528:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 259 bytes and written 91 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1556732024
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

So, gmail hates sslv3 as well, but TLS1.2 is good:

$ openssl s_client -connect smtp.gmail.com:25 -starttls smtp -tls1_2
CONNECTED(00000004)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
   i:C = US, O = Google Trust Services, CN = Google Internet Authority G3
 1 s:C = US, O = Google Trust Services, CN = Google Internet Authority G3
   i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEijCCA3KgAwIBAgIQaiGCOBlBFzCgFMqcMuRIjzANBgkqhkiG9w0BAQsFADBU
...
fhldLEHkmtdnfCFfmG0=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
issuer=C = US, O = Google Trust Services, CN = Google Internet Authority G3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3214 bytes and written 335 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Session-ID: E23A7EC04F4D1412C8B68E6A1B14895B54A5D9A5202F9F8DD8E52667062AA080
    Session-ID-ctx:
    Master-Key: 6B78186FC15620CB267621F83FC0E720F21BC56DFDBE5FC84B2C7B9425D206133D57D8DCE5C873DE4FDFA6CCCFAAD160
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 100800 (seconds)
    TLS session ticket:
    0000 - 00 38 c4 3b 8c 9c cb 2d-d8 34 c9 1e f9 87 97 86   .8.;...-.4
    ...
    00d0 - 25 d6 df 3d c7 12 d6 5d-dd ee                     %..=...]..
    Start Time: 1556732472
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 SMTPUTF8
^C

I'm curious whether your 11.x vs 12.x servers have a different response.

A+
Dave
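The two s_client runs above check one protocol version each by hand. As an added example (not part of Dave's post or anything from the FreeBSD thread), the script below runs the same probe once per protocol version over STARTTLS and reduces each run to a one-line verdict, reading s_client's "New, <proto>, Cipher is <cipher>" summary and, on rejection, the "SSL alert number N" it prints. The alert number-to-name mapping is the TLS alert registry (70 is protocol_version, which is what the -ssl3 run above received; 47 is illegal_parameter, and OpenSSL's "sslv3 alert illegal parameter" reason in David's sendmail log is its name for that alert when received from the peer). It assumes openssl(1) is on PATH and understands the -ssl3/-tls1/-tls1_1/-tls1_2/-tls1_3 options (a build without SSLv3 rejects -ssl3 as an unknown option, which shows up as "no-handshake"); the hostname in the usage line is a placeholder, and the two sample outputs are constructed from the runs quoted above so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original thread: probe which protocol versions
# an SMTP server will negotiate over STARTTLS, one openssl s_client run per
# version, and reduce each run to a one-line verdict.
# Assumes openssl(1) is on PATH; the hostname in the usage line is a placeholder.

# Names for the TLS alert numbers s_client prints when the peer rejects the
# handshake (alert registry values from RFC 5246, section 7.2).
alert_name() {
    case "$1" in
        40) echo handshake_failure ;;
        47) echo illegal_parameter ;;
        70) echo protocol_version ;;
        71) echo insufficient_security ;;
        80) echo internal_error ;;
        *)  echo "alert_$1" ;;
    esac
}

# classify_s_client OUTPUT
# Reduce raw s_client output to one of:
#   "accepted <proto> <cipher>"   a session was negotiated
#   "rejected (alert N name)"     the peer sent a fatal alert
#   "rejected"                    no session and no alert seen
#   "no-handshake"                s_client never reached the TLS summary
#                                 (connect failure, unknown -ssl3 option, ...)
classify_s_client() {
    sc_out=$1
    # s_client prints "New, TLSv1.2, Cipher is ECDHE-..." on success and
    # "New, (NONE), Cipher is (NONE)" when nothing was negotiated.
    sc_line=$(printf '%s\n' "$sc_out" | awk '
        /^New, / {
            gsub(",", "", $2)
            if ($5 == "(NONE)") print "rejected"
            else print "accepted " $2 " " $5
            exit
        }')
    if [ -z "$sc_line" ]; then
        echo "no-handshake"
        return
    fi
    if [ "$sc_line" = "rejected" ]; then
        sc_alert=$(printf '%s\n' "$sc_out" \
            | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
        if [ -n "$sc_alert" ]; then
            echo "rejected (alert $sc_alert $(alert_name "$sc_alert"))"
        else
            echo "rejected"
        fi
        return
    fi
    echo "$sc_line"
}

# probe_version HOST PORT VERSION   (VERSION: ssl3 tls1 tls1_1 tls1_2 tls1_3)
probe_version() {
    pv_out=$(openssl s_client -connect "$1:$2" -starttls smtp "-$3" </dev/null 2>&1)
    printf '%-7s %s\n' "$3" "$(classify_s_client "$pv_out")"
}

# probe_all HOST [PORT]   one verdict line per protocol version
probe_all() {
    for pv_ver in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
        probe_version "$1" "${2:-25}" "$pv_ver"
    done
}

# Constructed samples, trimmed from the two s_client runs quoted above, so the
# classifier can be exercised without a network.
SAMPLE_REJECTED='CONNECTED(00000004)
34371043328:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:rec_layer_s3.c:1528:SSL alert number 70
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'

SAMPLE_ACCEPTED='CONNECTED(00000004)
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305'

# Usage: sh probe-starttls.sh mx.example.net 25   (placeholder host)
if [ $# -ge 1 ]; then
    probe_all "$1" "${2:-25}"
else
    printf 'sample (ssl3):   %s\n' "$(classify_s_client "$SAMPLE_REJECTED")"
    printf 'sample (tls1_2): %s\n' "$(classify_s_client "$SAMPLE_ACCEPTED")"
fi
```

Run it against the inbound MX rather than against Google: a server that answers "rejected (alert 70 protocol_version)" for ssl3 and tls1 but "accepted TLSv1.2 ..." for tls1_2 is configured the way the TLDR above asks for. A "no-handshake" on every version usually means the STARTTLS offer itself never appeared (check port 25 reachability and the 220 banner before blaming TLS).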