[CentOS] Sendmail TLS verify=fail

Mon Sep 20 23:28:04 UTC 2010
Morten P.D. Stevens <mstevens at imt-systems.com>

Hi,

I have a small question about sendmail and TLS verification.

The TLS verify fails on our internal/external sendmail servers.

For example:

STARTTLS=server, relay=mx1.imt-systems.com [89.146.219.60], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256

STARTTLS=server, relay=acsinet12.imt-systems.com [89.146.219.42], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256

What's the problem?

The sendmail TLS certificate should be okay on both servers.

Here is the output of the openssl starttls check:

Server 1
[root@mx1 ~]# openssl s_client -starttls smtp -connect acsinet12.imt-systems.com:25

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: FE604F9A1765705F518A416F824DDE0B4316C52F36A3171A1593DC503EB63404
    Session-ID-ctx:
    Master-Key: 57DB71C1E48CA6AC4E5C381B28915AF0A2D66F23D80919E05DFB77345586D6F63AD6C9A7929880E29045CD7D3ADD9556
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1285023670
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 HELP
quit
221 2.0.0 acsinet12.imt-systems.com closing connection

On the other server:

Server 2
[root@acsinet12 ~]# openssl s_client -starttls smtp -connect mx1.imt-systems.com:25

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 4FEA16066A719033CEA69C185EDDA504CA8EDB1BB572C21A6BEB303F15F76621
    Session-ID-ctx:
    Master-Key: 615713E2500A52E996F2BB27F3A6A0CF9A471212805120BCC81623656327A9B6184BBB61F6CF28D6E62408397CF2D221
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Compression: 1 (zlib compression)
    Start Time: 1285024237
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
250 HELP
quit
221 2.0.0 mx1.imt-systems.com closing connection

The verify return code: 0 (ok) seems to be okay on both servers?

Here is the sendmail TLS configuration:

(Server 1)
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/mx1.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/mx1.key')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/mx1.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/mx1.key')dnl

(Server 2)
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/acsinet12.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/acsinet12.key')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/acsinet12.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/acsinet12.key')dnl

Does anyone know anything about this issue (verify=FAIL)?

Thank you.

Best regards,

Morten
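The two checks in the post look at different things, and the script below is an added example (not from the original post or from the sendmail project) that separates them with the openssl CLI. A `STARTTLS=server ... verify=FAIL` line is written by the side that acted as the TLS server, and the certificate it verified is the one the *connecting client* presented; `openssl s_client` without `-cert`/`-key` presents no client certificate at all, so its "Verify return code: 0 (ok)" only tells you that the client-side view of the *server* certificate chains to the bundle. The second thing the script shows is how OpenSSL, and so sendmail through confCACERT_PATH, looks a CA up in a directory: only under its hashed filename (`<subject_hash>.0`, what c_rehash creates), never by a name like ca-bundle.crt. The script builds a throwaway PKI (CA names `ourca`/`otherca`, hostnames under `example.test`, a `stranger` cert from an untrusted CA, and the `hashed`/`unhashed` directories are all constructed for the example) and assumes an openssl binary recent enough to support `-no-CAfile`/`-no-CApath` (1.1.0 or later).

```sh
#!/bin/sh
# Added example (not from the original post): exercise the two verification
# paths involved in a sendmail STARTTLS session with the openssl CLI, using a
# throwaway PKI built here. All hostnames, CA names and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA named $1. `req -x509` marks it CA:TRUE by default
# (OpenSSL 3, or the v3_ca section of the stock openssl.cnf on 1.1.x).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a leaf certificate for host $2 from the CA named $1.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2.example.test" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -out "$WORK/$2.crt" 2>/dev/null
}

make_pki() {
    make_ca ourca                # stands in for the CA behind ca-bundle.crt
    issue_leaf ourca mx1         # stands in for mx1.crt
    issue_leaf ourca acsinet12   # stands in for acsinet12.crt
    make_ca otherca              # a CA that is NOT in the local bundle
    issue_leaf otherca stranger  # a peer cert chaining to that untrusted CA

    # Two confCACERT_PATH-style directories holding the same CA certificate:
    # one under the hashed name OpenSSL actually searches for, one not.
    mkdir -p "$WORK/hashed" "$WORK/unhashed"
    cp "$WORK/ourca.crt" "$WORK/unhashed/ca-bundle.crt"
    ln -s "$WORK/ourca.crt" \
        "$WORK/hashed/$(openssl x509 -noout -subject_hash -in "$WORK/ourca.crt").0"
}

# Print "ok" or "fail" for: openssl verify <-CAfile|-CApath> <trust> <cert>.
# -no-CAfile/-no-CApath keep the system trust store out of the result.
verify_with() {
    if openssl verify -no-CAfile -no-CApath "$1" "$2" "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Client-side view, the direction the s_client check in the post exercises:
# the peer's server certificate against the CA bundle file. $1 = host name.
client_side_check() {
    verify_with -CAfile "$WORK/ourca.crt" "$WORK/$1.crt"
}

# Server-side view, the direction a STARTTLS=server verify=... log line
# reports: the connecting client's certificate, with the CA resolved from a
# CACERT_PATH directory by hashed filename. $1 = host name, $2 = directory.
server_side_check() {
    verify_with -CApath "$WORK/$2" "$WORK/$1.crt"
}

make_pki
echo "client view, mx1 cert vs bundle:           $(client_side_check mx1)"
echo "client view, stranger cert vs bundle:      $(client_side_check stranger)"
echo "server view, acsinet12 cert, hashed dir:   $(server_side_check acsinet12 hashed)"
echo "server view, acsinet12 cert, unhashed dir: $(server_side_check acsinet12 unhashed)"
```

To exercise the server-side path against a live peer rather than a throwaway PKI, run the s_client check from the other host with a client certificate, e.g. `openssl s_client -starttls smtp -connect mx1.imt-systems.com:25 -cert acsinet12.crt -key acsinet12.key -CAfile ca-bundle.crt`, and then read the `verify=` field in the *receiving* server's maillog for that connection; that field, not the local "Verify return code", is what the log lines in the post are reporting.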