09-20-2010, 11:28 PM
Morten P.D. Stevens

Sendmail TLS verify=fail

Hi,

I have a small question with sendmail and tls verification.

The tls verify fails on our internal/external sendmail servers.

For example:

STARTTLS=server, relay=mx1.imt-systems.com [89.146.219.60], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256

STARTTLS=server, relay=acsinet12.imt-systems.com [89.146.219.42], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256

What's the problem?

The sendmail tls certificate should be okay on both servers.

Here is the output of the openssl starttls check:

Server 1
[root@mx1 ~]# openssl s_client -starttls smtp -connect acsinet12.imt-systems.com:25

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: FE604F9A1765705F518A416F824DDE0B4316C52F36A3171A1593DC503EB63404
Session-ID-ctx:
Master-Key: 57DB71C1E48CA6AC4E5C381B28915AF0A2D66F23D80919E05DFB77345586D6F63AD6C9A7929880E29045CD7D3ADD9556
Key-Arg : None
Krb5 Principal: None
Start Time: 1285023670
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 HELP
quit
221 2.0.0 acsinet12.imt-systems.com closing connection

On the other server:

Server 2
[root@acsinet12 ~]# openssl s_client -starttls smtp -connect mx1.imt-systems.com:25

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 4FEA16066A719033CEA69C185EDDA504CA8EDB1BB572C21A6BEB303F15F76621
Session-ID-ctx:
Master-Key: 615713E2500A52E996F2BB27F3A6A0CF9A471212805120BCC81623656327A9B6184BBB61F6CF28D6E62408397CF2D221
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Compression: 1 (zlib compression)
Start Time: 1285024237
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 HELP
quit
221 2.0.0 mx1.imt-systems.com closing connection

The verify return code: 0 (ok) seems to be okay on both servers?

Here is the sendmail TLS configuration:

(Server 1)
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/mx1.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/mx1.key')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/mx1.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/mx1.key')dnl

(Server 2)
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/acsinet12.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/acsinet12.key')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/acsinet12.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/acsinet12.key')dnl

Does anyone know something about this issue? (verify=fail)

Thank you.

Best regards,

Morten

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
09-21-2010, 07:55 AM
Alexander Dalloz

Re: Sendmail TLS verify=fail

On 21.09.2010 01:28, Morten P.D. Stevens wrote:
> Hi,
>
> I have a small question with sendmail and tls verification.
>
> The tls verify fails on our internal/external sendmail servers.
>
> For example:
>
> STARTTLS=server, relay=mx1.imt-systems.com [89.146.219.60], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
>
> STARTTLS=server, relay=acsinet12.imt-systems.com [89.146.219.42], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
>
> What's the problem?

That means the server side does not know the CA of the certificate
presented by the client.

http://www.sendmail.org/m4/starttls.html

> The sendmail tls certificate should be okay on both servers.

> Does anyone know something about this issue? (verify=fail)

http://www.sendmail.org/m4/starttls.html

Nothing serious. Just a log note.

> Thank you.
>
> Best regards,
>
> Morten

Alexander
 
09-21-2010, 11:32 AM
Morten P.D. Stevens

Re: Sendmail TLS verify=fail

Update: Problem solved

Solution: The old certificate was an SSL server certificate only. For TLS receiving/sending you need a certificate with SSL client and SSL server purposes.

Best regards,

Morten

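Both replies above point at the same check: when sendmail logs STARTTLS=server ... verify=FAIL, the receiving side could not validate the certificate the connecting MTA presented as a client, either because the issuing CA is not in confCACERT/confCACERT_PATH (Alexander's point) or because the certificate is not marked as usable for client authentication (Morten's resolution). The script below is an added example, not code from the thread or from sendmail. It builds a throwaway test CA and two leaf certificates (all names such as "Example Test CA" and *.example.test are constructed for the demo), one with extendedKeyUsage = serverAuth only and one with serverAuth,clientAuth, and then asks openssl verify whether each chain is acceptable for the sslserver and sslclient purposes against the CA bundle. The same two commands, pointed at the real mx1.crt / acsinet12.crt and ca-bundle.crt from the m4 configuration, reproduce the check that sendmail performs on the peer certificate.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and two leaf
# certificates, one with extendedKeyUsage = serverAuth only and one with
# serverAuth,clientAuth, then ask openssl whether each chain verifies for the
# sslserver and sslclient purposes against a trusted CA bundle.
# All names (Example Test CA, *.example.test) are constructed for the demo.

set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed test CA with an explicit CA:TRUE basic constraint, so the
# result does not depend on the distribution's default openssl.cnf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.csr" >/dev/null 2>&1
openssl x509 -req -days 2 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
  -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" >/dev/null 2>&1

# issue_cert NAME EKU: issue a leaf certificate for NAME.example.test signed
# by the test CA, carrying the given extendedKeyUsage value(s).
issue_cert() {
  name=$1
  eku=$2
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name.example.test" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s.example.test\n' \
    "$eku" "$name" > "$WORK/$name.ext"
  openssl x509 -req -days 2 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# check_purpose CERT PURPOSE: echo "ok" if CERT chains to the CA bundle and
# is usable for PURPOSE (sslserver or sslclient), otherwise "fail".
# This is the check to run against the real server cert and ca-bundle.crt.
check_purpose() {
  if openssl verify -purpose "$2" -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# has_client_auth CERT: echo "ok" if the certificate carries the clientAuth
# extended key usage (shown by openssl as "TLS Web Client Authentication").
has_client_auth() {
  if openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Client Authentication'; then
    echo ok
  else
    echo fail
  fi
}

issue_cert serveronly serverAuth
issue_cert both serverAuth,clientAuth

# A server-only certificate verifies for sslserver but not for sslclient,
# which is exactly the situation behind STARTTLS=server ... verify=FAIL
# when an MTA uses the same certificate for outbound (client) connections.
for c in serveronly both; do
  printf '%-10s clientAuth EKU: %-4s  sslserver: %-4s  sslclient: %s\n' "$c" \
    "$(has_client_auth "$WORK/$c.crt")" \
    "$(check_purpose "$WORK/$c.crt" sslserver)" \
    "$(check_purpose "$WORK/$c.crt" sslclient)"
done
```

To apply this to the servers in the thread, replace the test CA with the configured bundle and the leaf with the configured certificate, i.e. `openssl verify -purpose sslclient -CAfile /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/mx1.crt`; a non-zero exit there, with the chain otherwise valid, is the "server certificate only" condition Morten describes, and a failure for both purposes points at the CA bundle not containing the issuer.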