Re: TLS handshake failure
From: Ed Sawicki (ed alcpress.com)
Date: Wed Mar 01 2006 - 12:59:25 CST
Lutz Jaenicke wrote:
> On Wed, Mar 01, 2006 at 10:18:54AM -0800, Ed Sawicki wrote:
>
>>Recently, I set up TLS on Postfix 2.2.8. It is working fine for
>>inbound mail as this sample from the log shows:
>>
>>Feb 25 02:26:10 kmalone1 postfix/smtpd[18262]: connect from
>>smtp.treasurystrategies.com[207.86.60.118]
>>Feb 25 02:26:11 kmalone1 postfix/smtpd[18262]: setting up TLS connection
>>from smtp.treasurystrategies.com[207.86.60.118]
>>Feb 25 02:26:11 kmalone1 postfix/smtpd[18262]: TLS connection established
>>from smtp.treasurystrategies.com[207.86.60.118]: TLSv1 with cipher
>>DHE-RSA-AES256-SHA (256/256 bits)
>>
>>It does not work for outbound mail:
>>
>>Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: initializing the client-side
>>TLS engine
>>Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: setting up TLS connection to
>>TreasuryStrategies.com
>>Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: warning: TLS library
>>problem: 18265:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad
>>record mac:s3_pkt.c:1052:SSL alert number 20:
>>Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: 014349B234:
>>to=<info TreasuryStrategies.com>,
>>relay=TreasuryStrategies.com[207.86.60.66], delay=0, status=deferred
>>(Cannot start TLS: handshake failure)
>>
>>The problem occurs with other remote TLS hosts as well.
>
>
> Hmm:
> openssl s_client -starttls smtp -connect 207.86.60.66:25
>
> CONNECTED(00000003)
> ....
> New, TLSv1/SSLv3, Cipher is AES256-SHA
> ...
> 220 treasurystrat.com ESMTP ready
>
> Mar 1 19:25:02 serv01 postfix/smtp[19029]: setting up TLS connection to TreasuryStrategies.com
> Mar 1 19:25:02 serv01 postfix/smtp[19029]: certificate verification failed for treasurystrategies.com: num=18:self signed certificate
> Mar 1 19:25:02 serv01 postfix/smtp[19029]: certificate peer name verification failed for treasurystrategies.com: CommonName mis-match: treasurystrat.com
> Mar 1 19:25:02 serv01 postfix/smtp[19029]: Unverified: subject_CN=treasurystrat.com, issuer=treasurystrat.com
> Mar 1 19:25:02 serv01 postfix/smtp[19029]: TLS connection established to TreasuryStrategies.com: TLSv1 with cipher AES256-SHA (256/256 bits)
> Mar 1 19:25:02 serv01 postfix/smtp[19029]: Server certificate could not be verified
> Mar 1 19:25:03 serv01 postfix/smtp[19029]: C65FA3691: to=<testtls TreasuryStrategies.com>, relay=TreasuryStrategies.com[207.86.60.66], delay=3, status=sent (250 2.0.0 4405e6fe-00047687 Message accepted for delivery)
> Mar 1 19:25:03 serv01 postfix/qmgr[11771]: C65FA3691: removed
>
> What version of OpenSSL does your system use?
OpenSSL 0.9.8 05 Jul 2005
Ed
>
> Regards,
> Lutz
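
Added example, not part of the original messages and not Postfix or OpenSSL code: it pairs each "Cannot start TLS" deferral in a Postfix log with the OpenSSL error logged by the same smtp process, and decodes the packed error code to show whether the alert was received from the peer. The function names, the alert table and the sample log (the wrapped lines quoted above, rejoined, with "@" assumed in the addresses) are assumptions; the code layout decoded is the pre-3.0 OpenSSL one.

```python
import re

# TLS alert descriptions (subset of RFC 5246, section 7.2).
ALERTS = {20: "bad_record_mac", 40: "handshake_failure", 48: "unknown_ca"}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL: reason = 1000 + alert number for an alert received from the peer

# Constructed sample: the wrapped log lines quoted in the thread, rejoined.
# The "@" in the recipient addresses is assumed (the archive dropped it).
SAMPLE_LOG = """\
Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: setting up TLS connection to TreasuryStrategies.com
Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: warning: TLS library problem: 18265:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1052:SSL alert number 20:
Feb 25 02:26:33 kmalone1 postfix/smtp[18265]: 014349B234: to=<info@TreasuryStrategies.com>, relay=TreasuryStrategies.com[207.86.60.66], delay=0, status=deferred (Cannot start TLS: handshake failure)
Mar 1 19:25:03 serv01 postfix/smtp[19029]: C65FA3691: to=<testtls@TreasuryStrategies.com>, relay=TreasuryStrategies.com[207.86.60.66], delay=3, status=sent (250 2.0.0 4405e6fe-00047687 Message accepted for delivery)
"""

LINE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")  # client side only; smtpd[...] does not match
ERR = re.compile(r"TLS library problem: \d+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):")
DELIV = re.compile(r"([0-9A-F]+): to=<([^>]*)>, relay=([^,]+),.*status=(\w+) \((.*)\)$")

def decode_openssl_error(code_hex):
    """Split a pre-3.0 OpenSSL packed error code into lib/func/reason numbers."""
    code = int(code_hex, 16)
    reason = code & 0xFFF
    alert = reason - SSL_AD_REASON_OFFSET if reason >= SSL_AD_REASON_OFFSET else None
    return {"lib": code >> 24, "func": (code >> 12) & 0xFFF, "reason": reason,
            "peer_alert": alert, "alert_name": ALERTS.get(alert)}

def tls_failures(log_text):
    """Pair each 'Cannot start TLS' deferral with the OpenSSL error from the same smtp PID."""
    pending, failures = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        err = ERR.search(msg)
        if err:  # remember the library error until the delivery line for this PID arrives
            pending[pid] = dict(decode_openssl_error(err[1]), text=err[4])
            continue
        d = DELIV.match(msg)
        if d and d[4] == "deferred" and "Cannot start TLS" in d[5]:
            failures.append({"queue_id": d[1], "relay": d[3], "openssl": pending.pop(pid, None)})
    return failures

if __name__ == "__main__":
    for failure in tls_failures(SAMPLE_LOG):
        print(failure)
```

For the log in the first message, the decoded reason is 1020, which is alert 20 (bad_record_mac) received from the remote server rather than raised locally.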