Date:      Fri, 03 May 2019 03:07:56 -0400
From:      "Dave Cottlehuber" <dch@skunkwerks.at>
To:        freebsd-questions <freebsd-questions@freebsd.org>, "David K. Gerry" <david.k.gerry@gmail.com>
Subject:   Re: FreeBSD 12.0-p3 sendmail openssl Google
Message-ID:  <810e6613-999c-44eb-8903-adba57583713@www.fastmail.com>
In-Reply-To: <57666625-0fc4-4094-97b9-03adba03d3e2@www.fastmail.com>
References:  <d0703d2a-f13e-f4ea-65fc-db58abfe3269@gmail.com> <57666625-0fc4-4094-97b9-03adba03d3e2@www.fastmail.com>

On Wed, 1 May 2019, at 17:53, Dave Cottlehuber wrote:
> On Tue, 30 Apr 2019, at 22:57, David K. Gerry wrote:
> > Greetings,
> > 
> > 	I upgraded to FreeBSD 12.0-p3 on Wednesday using make installworld,
> > mergemaster, etc. Since then I have not been able to receive e-mail from
> > Google with the following error in the mail log.
> > 
> > Apr 30 18:14:07 john-steed sm-mta[32581]: STARTTLS=server, error: accept
> > failed=-1, reason=sslv3 alert illegal parameter, SSL_error=1, errno=0,
> ------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^---------------------
> 
> Hi David,
> 
> TLDR: use TLS1.1 at minimum, preferred 1.2 & share more info to reduce
> speculation. SSLv2 is vulnerable to a bunch of attacks.

[moving reply back to list, content elided]

The error message from google is very clear: something is broken with
your SSL stuff, and you'll need to fix that first. The cause, unfortunately,
is not provided.

Using the openssl tool against your domain MX server shows this:

verify error:num=19:self signed certificate in certificate chain

I have a few tools for checking TLS for websites, but nothing for TLS
for SMTP etc. I found this, run by the EFF:

https://starttls-everywhere.org/ which showed 2 errors:

Failure: Name in cert doesn't match hostname: x509: certificate is not valid for any names, but wanted to match mail.xyz

Failure: Certificate root is not trusted: x509: certificate signed by unknown authority

Hopefully that's enough for you to fix things.

https://forums.freebsd.org/threads/sendmail-and-letsencrypt.57675/ may be of interest.

A+
Dave
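An added example, not code from the thread or its authors: the openssl check Dave describes, scripted so that the `verify error:num=N` lines it produces (19 is the one quoted above) and the hostname-mismatch case the EFF tool flagged come out as one short diagnosis. The host name, the `MX_HOST` variable and the sample output are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: probe an MX host's STARTTLS
# certificate with openssl s_client and turn its "verify error:num=N"
# lines into a one-line-per-finding diagnosis.
# Assumes OpenSSL 1.1.0+ (for -verify_hostname) and outbound port 25.

# Talk SMTP to the host, upgrade with STARTTLS, print the handshake log.
probe_starttls() {
    host=$1
    # stdin from /dev/null ends the session right after the handshake
    openssl s_client -starttls smtp -connect "$host:25" \
        -servername "$host" -verify_hostname "$host" </dev/null 2>&1
}

# Read s_client output on stdin; print one finding per line (sorted).
# The numbers are OpenSSL X509_V_ERR_* codes.
diagnose() {
    awk '
        /verify error:num=10:/ { f["expired: leaf certificate has expired"]=1 }
        /verify error:num=18:/ { f["self-signed: leaf certificate is self-signed"]=1 }
        /verify error:num=19:/ { f["self-signed: a self-signed cert sits in the chain"]=1 }
        /verify error:num=20:/ { f["unknown CA: issuer not in the trust store"]=1 }
        /verify error:num=21:/ { f["unknown CA: cannot verify leaf signature"]=1 }
        /verify error:num=62:/ { f["hostname: certificate names do not match host"]=1 }
        /Verify return code: 0 \(ok\)/ { ok=1 }
        END {
            n=0
            for (k in f) { print k; n++ }
            if (n == 0 && ok) print "ok: chain verifies and hostname matches"
            else if (n == 0) print "inconclusive: no verify result seen (handshake failed?)"
        }' | sort
}

# Constructed sample shaped like the output quoted in the reply (num=19),
# plus a hostname mismatch. Used when MX_HOST is not set (runs offline).
SAMPLE='CONNECTED(00000003)
depth=1 CN = mail.xyz
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=0 CN = mail.xyz
verify error:num=62:hostname mismatch
verify return:1
---
Verify return code: 19 (self signed certificate in certificate chain)'

if [ -n "${MX_HOST:-}" ]; then
    probe_starttls "$MX_HOST" | diagnose
else
    printf '%s\n' "$SAMPLE" | diagnose
fi
```

Set `MX_HOST=your.mx.host` to probe a live server; with it unset the script only classifies the embedded sample.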