FreeBSD 12.0-p3 sendmail openssl Google
Dave Cottlehuber
dch at skunkwerks.at
Wed May 1 17:49:41 UTC 2019
On Tue, 30 Apr 2019, at 22:57, David K. Gerry wrote:
> Greetings,
>
> I upgraded to FreeBSD 12.0-p3 on Wednesday using make installworld,
> mergemaster, etc. Since then I have not been able to receive e-mail from
> Google with the following error in the mail log.
>
> Apr 30 18:14:07 john-steed sm-mta[32581]: STARTTLS=server, error: accept
> failed=-1, reason=sslv3 alert illegal parameter, SSL_error=1, errno=0,
------------------------^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^---------------------
Hi David,
TLDR: use TLS1.1 at minimum, preferably 1.2 & share more info to reduce
speculation. SSLv2 is vulnerable to a bunch of attacks.
I can't speak for sendmail config (it may help others if you share it) but
this looks like SSLv3 is not accepted by your mailserver, and presumably
you'll need to tweak something somewhere to address that. This
post is old https://mikeberggren.com/post/101178147946/sendmail-sslv3
but will probably point you in the right direction.
You can test this using the openssl library. I used google here but test
your inbound smtp server.
$ openssl s_client -connect smtp.gmail.com:25 -starttls smtp -ssl3
CONNECTED(00000004)
34371043328:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1528:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 259 bytes and written 91 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : SSLv3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1556732024
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
so, gmail hates sslv3 as well but TLS1.2 is good:
$ openssl s_client -connect smtp.gmail.com:25 -starttls smtp -tls1_2
CONNECTED(00000004)
depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
i:C = US, O = Google Trust Services, CN = Google Internet Authority G3
1 s:C = US, O = Google Trust Services, CN = Google Internet Authority G3
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEijCCA3KgAwIBAgIQaiGCOBlBFzCgFMqcMuRIjzANBgkqhkiG9w0BAQsFADBU
...
fhldLEHkmtdnfCFfmG0=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
issuer=C = US, O = Google Trust Services, CN = Google Internet Authority G3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3214 bytes and written 335 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: E23A7EC04F4D1412C8B68E6A1B14895B54A5D9A5202F9F8DD8E52667062AA080
Session-ID-ctx:
Master-Key: 6B78186FC15620CB267621F83FC0E720F21BC56DFDBE5FC84B2C7B9425D206133D57D8DCE5C873DE4FDFA6CCCFAAD160
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 100800 (seconds)
TLS session ticket:
0000 - 00 38 c4 3b 8c 9c cb 2d-d8 34 c9 1e f9 87 97 86 .8.;...-.4
...
00d0 - 25 d6 df 3d c7 12 d6 5d-dd ee %..=...]..
Start Time: 1556732472
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
250 SMTPUTF8
^C⏎
I'm curious whether your 11.x vs 12.x servers have a different response.
A+
Dave
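Added example (my own code, not from this thread, sendmail or OpenSSL) that automates the s_client checks above: it runs `openssl s_client -starttls smtp` once per protocol flag against a server you name, parses the output the same way you would by eye (Protocol, Cipher, verify code, any "SSL routines" error) and reports legacy protocols still accepted or a missing TLS 1.2. The hostname and port are assumptions you supply; the two SAMPLE_* transcripts are constructed from the SSLv3 and TLSv1.2 outputs quoted in the message.

```python
"""Probe which SSL/TLS protocol versions an SMTP server accepts over STARTTLS.

Added example, not part of the original mailing-list thread. Wraps the same
`openssl s_client -starttls smtp` invocations shown in the message and parses
their output so an admin can check their own inbound server in one run.
"""
import re
import subprocess
import sys

# Flags understood by openssl s_client. A build compiled without a protocol
# rejects the flag ("unknown option"), which we report as "not negotiated".
PROTOCOL_FLAGS = {
    "SSLv3": "-ssl3",
    "TLSv1": "-tls1",
    "TLSv1.1": "-tls1_1",
    "TLSv1.2": "-tls1_2",
    "TLSv1.3": "-tls1_3",
}

_PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.M)
_CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
_VERIFY_RE = re.compile(r"^\s*Verify return code:\s*(\d+)", re.M)
# e.g. "...:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/..."
_ERROR_RE = re.compile(r"SSL routines:[^:\n]*:([^:\n]+)")


def parse_s_client(output: str) -> dict:
    """Reduce s_client output to protocol, cipher, verify code, success flag
    and the OpenSSL error reason (if the handshake failed)."""
    proto = _PROTO_RE.search(output)
    cipher = _CIPHER_RE.search(output)
    verify = _VERIFY_RE.search(output)
    err = _ERROR_RE.search(output)
    cipher_name = cipher.group(1) if cipher else None
    # A failed handshake still prints an SSL-Session block, but with
    # "Cipher : 0000"; treat that, or any SSL routines error, as a failure.
    handshake_ok = cipher_name not in (None, "0000") and err is None
    return {
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher_name,
        "verify_code": int(verify.group(1)) if verify else None,
        "handshake_ok": handshake_ok,
        "error": err.group(1).strip() if err else None,
    }


def probe(host: str, port: int = 25, timeout: int = 15) -> dict:
    """Run s_client once per protocol flag against host:port (needs network)."""
    results = {}
    for name, flag in PROTOCOL_FLAGS.items():
        cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
               "-starttls", "smtp", flag]
        try:
            proc = subprocess.run(cmd, input=b"QUIT\n", capture_output=True,
                                  timeout=timeout)
            out = proc.stdout.decode(errors="replace") + \
                proc.stderr.decode(errors="replace")
            results[name] = parse_s_client(out)
        except (subprocess.TimeoutExpired, FileNotFoundError) as exc:
            results[name] = {"protocol": None, "cipher": None,
                             "verify_code": None, "handshake_ok": False,
                             "error": type(exc).__name__}
    return results


def assess(results: dict, minimum: str = "TLSv1.2") -> list:
    """Findings: any protocol older than `minimum` that was accepted, and
    whether `minimum` itself was negotiated."""
    order = list(PROTOCOL_FLAGS)
    findings = []
    for name in order[:order.index(minimum)]:
        if results.get(name, {}).get("handshake_ok"):
            findings.append(f"{name} accepted: disable it")
    if not results.get(minimum, {}).get("handshake_ok"):
        findings.append(f"{minimum} not negotiated: check server TLS config")
    return findings


# Constructed from the two transcripts in the message (abridged).
SAMPLE_SSL3 = """CONNECTED(00000004)
34371043328:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:/usr/src/crypto/openssl/ssl/record/rec_layer_s3.c:1528:SSL alert number 70
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Verify return code: 0 (ok)
"""

SAMPLE_TLS12 = """CONNECTED(00000004)
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    Verify return code: 0 (ok)
"""

if __name__ == "__main__":
    # usage: python probe_starttls.py mail.example.org [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.org"
    tport = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    res = probe(target, tport)
    for proto_name, r in res.items():
        state = "accepted" if r["handshake_ok"] else "rejected"
        print(f"{proto_name:8} {state:9} {r['cipher'] or '-'} {r['error'] or ''}")
    for line in assess(res):
        print("!!", line)
```

Run it against your own mail server's hostname (port 25 or 587); an SSLv3 or TLSv1 row reading "accepted" is what to chase in sendmail's TLS options, and a TLSv1.2 row reading "rejected" is the likely reason a modern peer refuses to deliver.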