Hi,
I have a small question with sendmail and tls verification.
The tls verify fails on our internal/external sendmail servers.
For example:
STARTTLS=server, relay=mx1.imt-systems.com [89.146.219.60], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
STARTTLS=server, relay=acsinet12.imt-systems.com [89.146.219.42], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
What's the problem?
The sendmail tls certificate should be okay on both servers.
Here is the output of the openssl starttls check:
Server 1:
[root@mx1 ~]# openssl s_client -starttls smtp -connect acsinet12.imt-systems.com:25
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FE604F9A1765705F518A416F824DDE0B4316C52F36A3171A1593DC503EB63404
    Session-ID-ctx:
    Master-Key: 57DB71C1E48CA6AC4E5C381B28915AF0A2D66F23D80919E05DFB77345586D6F63AD6C9A7929880E29045CD7D3ADD9556
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1285023670
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 HELP
quit
221 2.0.0 acsinet12.imt-systems.com closing connection
On the other server:
Server 2:
[root@acsinet12 ~]# openssl s_client -starttls smtp -connect mx1.imt-systems.com:25
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4FEA16066A719033CEA69C185EDDA504CA8EDB1BB572C21A6BEB303F15F76621
    Session-ID-ctx:
    Master-Key: 615713E2500A52E996F2BB27F3A6A0CF9A471212805120BCC81623656327A9B6184BBB61F6CF28D6E62408397CF2D221
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Compression: 1 (zlib compression)
    Start Time: 1285024237
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 HELP
quit
221 2.0.0 mx1.imt-systems.com closing connection
The verify return code: 0 (ok) seems to be okay on both servers?
Here is the sendmail TLS configuration:
(Server 1)
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/mx1.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/mx1.key')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/mx1.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/mx1.key')dnl

(Server 2)
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/acsinet12.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/acsinet12.key')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/acsinet12.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/acsinet12.key')dnl
Does anyone know something about this issue? (verify=fail)
Thank you.
Best regards,
Morten
On 21.09.2010 01:28, Morten P.D. Stevens wrote:
> Hi,
> I have a small question with sendmail and tls verification.
> The tls verify fails on our internal/external sendmail servers.
> For example:
> STARTTLS=server, relay=mx1.imt-systems.com [89.146.219.60], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
> STARTTLS=server, relay=acsinet12.imt-systems.com [89.146.219.42], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
> What's the problem?

That means the server side does not know the CA of the certificate presented by the client.

http://www.sendmail.org/m4/starttls.html

> The sendmail tls certificate should be okay on both servers.
> Does anyone know something about this issue? (verify=fail)

http://www.sendmail.org/m4/starttls.html

Nothing serious. Just a log note.

> Thank you.
> Best regards,
> Morten

Alexander
Update: Problem solved
Solution: The old certificate was an SSL server certificate only. For TLS receiving/sending you need a certificate with SSL client and SSL server purposes.
Best regards,
Morten
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Alexander Dalloz
Sent: Tuesday, September 21, 2010 9:55 AM
To: CentOS mailing list
Subject: Re: [CentOS] Sendmail TLS verify=fail

> On 21.09.2010 01:28, Morten P.D. Stevens wrote:
>> Hi,
>> I have a small question with sendmail and tls verification.
>> The tls verify fails on our internal/external sendmail servers.
>> For example:
>> STARTTLS=server, relay=mx1.imt-systems.com [89.146.219.60],
>> version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
>> STARTTLS=server, relay=acsinet12.imt-systems.com [89.146.219.42],
>> version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
>> What's the problem?
>
> That means the server side does not know the CA of the certificate presented by the client.
>
> http://www.sendmail.org/m4/starttls.html
>
>> The sendmail tls certificate should be okay on both servers.
>> Does anyone know something about this issue? (verify=fail)
>
> http://www.sendmail.org/m4/starttls.html
>
> Nothing serious. Just a log note.
>
>> Thank you.
>> Best regards,
>> Morten
>
> Alexander

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
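As an added example (not from the thread, sendmail or its documentation), the script below checks the two conditions the thread ends up on: that the certificate named in confSERVER_CERT/confCLIENT_CERT carries both the SSL client and SSL server purposes, and that it chains to a CA present in the peer's confCACERT bundle. The file paths and the self-signed test certificates it generates are constructed assumptions, not the servers' real material.

```shell
#!/bin/sh
# Added example: check a sendmail STARTTLS certificate for the two causes of
# verify=FAIL discussed in this thread. Paths are assumptions; point them at
# your confSERVER_CERT / confCLIENT_CERT and the peer's confCACERT.

# Return 0 if the PEM certificate in $1 is usable as both TLS client and
# TLS server (the servers above present the same cert in both roles).
cert_has_client_and_server_purpose() {
    purposes=$(openssl x509 -in "$1" -noout -purpose 2>/dev/null) || return 2
    printf '%s\n' "$purposes" | grep -q '^SSL client : Yes' || return 1
    printf '%s\n' "$purposes" | grep -q '^SSL server : Yes' || return 1
}

# Return 0 if certificate $1 chains to a CA in bundle $2; the receiving side
# must have the issuing CA in its confCACERT, or it logs verify=FAIL.
cert_chains_to_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a throwaway self-signed certificate with the given extendedKeyUsage
# list (constructed test data, not the servers' real certificates).
make_test_cert() {   # $1 = output PEM path, $2 = EKU, e.g. serverAuth,clientAuth
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=starttls-test.example" -addext "extendedKeyUsage=$2" \
        -keyout "${1%.pem}.key" -out "$1" >/dev/null 2>&1
}

# Demo: a server-only certificate (the thread's old cert) versus one that
# carries both purposes (the fix).
demo() {
    tmp=$(mktemp -d) || return 1
    make_test_cert "$tmp/server-only.pem" serverAuth
    make_test_cert "$tmp/client-and-server.pem" serverAuth,clientAuth
    for cert in "$tmp/server-only.pem" "$tmp/client-and-server.pem"; do
        if cert_has_client_and_server_purpose "$cert"; then
            echo "$(basename "$cert"): SSL client and SSL server purposes present"
        else
            echo "$(basename "$cert"): missing client or server purpose"
        fi
    done
    # A self-signed cert verifies only against a bundle that contains itself.
    cert_chains_to_bundle "$tmp/client-and-server.pem" "$tmp/client-and-server.pem" \
        && echo "chain check against matching bundle: ok"
    cert_chains_to_bundle "$tmp/client-and-server.pem" "$tmp/server-only.pem" \
        || echo "chain check against a bundle without the issuer: fails (the verify=FAIL case)"
    rm -rf "$tmp"
}

demo
```

Run it against the real files with `cert_has_client_and_server_purpose /etc/pki/tls/certs/mx1.crt` and `cert_chains_to_bundle /etc/pki/tls/certs/mx1.crt /etc/pki/tls/certs/ca-bundle.crt` on the peer.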