sendmail + STARTTLS w/ evolution = error:1408A0C1


Andy W. Clements
Hello All,

I'm currently having a problem with setting up STARTTLS with my sendmail
on my FreeBSD 5.3 box.  I've used openssl to create the cert and key:

openssl dsaparam 1024 -out dsa1024.pem
openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout mykey.pem

my version of openssl:
OpenSSL 0.9.7d 17 Mar 2004

I've recompiled sendmail to use ssl and then added the following to my
sendmail.cf:
define(`CERT_DIR', `/etc/mail/certs')dnl
define(`confCACERT_PATH', `CERT_DIR')dnl
define(`confCACERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_CERT', `CERT_DIR/mycert.pem')dnl
define(`confSERVER_KEY', `CERT_DIR/mykey.pem')dnl
define(`confCLIENT_CERT', `CERT_DIR/mycert.pem')dnl
define(`confCLIENT_KEY', `CERT_DIR/mykey.pem')dnl

However, when I attempt to connect to the server with evolution, evolution
gives me an "unable to connect" error.

Sendmail logs the following error:

Jun 15 13:53:41 zeppo sm-mta[17104]: j5FKrfYA017104: Milter: no active filter
Jun 15 13:53:41 zeppo sm-mta[17104]: STARTTLS=server, error: accept failed=-1, SSL_error=1, timedout=0, errno=0
Jun 15 13:53:41 zeppo sm-mta[17104]: STARTTLS=server: 17104:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:887:
Jun 15 13:53:41 zeppo sm-mta[17104]: j5FKrfYA017104: [65.125.115.243] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA


When I use the openssl client to connect, I get the following results:

misato.awclemen> openssl s_client -starttls smtp -connect zeppo.candhsoftware.com:25
CONNECTED(00000003)
depth=0 /C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/emailAddress=[hidden email]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/emailAddress=[hidden email]
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/emailAddress=[hidden email]
   i:/C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/emailAddress=[hidden email]
---
Server certificate
subject=/C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/emailAddress=[hidden email]
issuer=/C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/emailAddress=[hidden email]
---
Acceptable client certificate CA names
/C=US/ST=Arizona/L=Tucson/O=C & H Software L.L.C./OU=Engineering/CN=zeppo.candhsoftware.com/emailAddress=[hidden email]
---
SSL handshake has read 1861 bytes and written 298 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-DSS-AES256-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-DSS-AES256-SHA
    Session-ID: 28239EBE3C499BDD7E00B2F0FE3A7645E65AC135348B8FE6F4990843579F94F7
    Session-ID-ctx:
    Master-Key: 5651D294B719C6C19FA743A0EE0EC7B1E00F2AD1AD8E70AD072715165690E0AC919193A5148AE24111BCA86433621264
    Key-Arg   : None
    Start Time: 1118876232
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
220 zeppo.candhsoftware.com ESMTP Sendmail 8.13.1/8.13.1; Wed, 15 Jun 2005 15:41:53 -0700 (MST)
helo misato.candhsoftware.com
250 zeppo.candhsoftware.com Hello [65.125.115.243], pleased to meet you
quit
221 2.0.0 zeppo.candhsoftware.com closing connection
closed

I have no idea what the error message in the sendmail log is telling
me; can someone give me a clue what needs to be done?

Thanks in advance,
Andy

--
Andy Clements
C & H Software L.L.C.
[hidden email]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: sendmail + STARTTLS w/ evolution = error:1408A0C1

Claus Assmann
On Wed, Jun 15, 2005, Andy W. Clements wrote:

> I'm currently having a problem with setting up STARTTLS with my sendmail
> on my FreeBSD 5.3 box.  I've used openssl to create the cert and key:
>
> openssl dsaparam 1024 -out dsa1024.pem
> openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout
> mykey.pem

Try an RSA key instead; most systems have problems with DSA
(sendmail works fine, however).

> Jun 15 13:53:41 zeppo sm-mta[17104]: STARTTLS=server:
> 17104:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared
> cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:887:

Typical indication that the client doesn't support DSA.
You can use ssldump to see what's going on.

> I have no ideas what the error message in the sendmail log is telling
> me, can someone give me a clue what needs to be done?

1. See above.
2. See the source code (the OpenSSL error message kindly provides
that information).

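Added example, not code from the thread or from sendmail: a small POSIX shell script that reports which key algorithm a sendmail server certificate uses and generates the RSA key and self-signed certificate Claus recommends. A DSA-keyed server can only offer DHE-DSS cipher suites, so a client that sends only RSA suites leaves nothing in common, which is exactly the "no shared cipher" failure logged above. The file names mirror the first post; `negotiated_cipher` reuses the `s_client` command from the thread and needs network access to the MTA.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a sendmail server
# certificate's key algorithm and generates an RSA replacement.
set -eu

# Print the public-key algorithm of a PEM certificate, e.g.
# rsaEncryption, dsaEncryption or id-ecPublicKey.
cert_key_algorithm() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Return 0 if the certificate can serve ordinary clients, 1 if it is
# DSA-keyed: a DSA server can only offer DHE-DSS suites, so a client
# that sends only RSA suites leaves no cipher in common (error 1408A0C1).
check_starttls_cert() {
    alg=$(cert_key_algorithm "$1")
    case "$alg" in
        dsaEncryption)
            echo "$1: DSA key; clients without DSS suites fail with 'no shared cipher'" >&2
            return 1 ;;
        *)
            echo "$1: $alg key"
            return 0 ;;
    esac
}

# RSA counterpart of the two DSA commands in the first post: key and
# self-signed certificate in one step. Args: hostname for the CN, output dir.
make_rsa_cert() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$1" -keyout "$2/mykey.pem" -out "$2/mycert.pem" 2>/dev/null
    # sendmail refuses a key file that is group- or world-readable
    chmod 600 "$2/mykey.pem"
}

# After installing the new files and restarting sendmail, confirm from a
# client with the same s_client command used in the thread; prints the
# negotiated cipher suite (needs network access to the MTA).
negotiated_cipher() {
    openssl s_client -starttls smtp -connect "$1:25" </dev/null 2>/dev/null |
        sed -n 's/^ *Cipher *: *//p' | head -n 1
}
```

Run `check_starttls_cert /etc/mail/certs/mycert.pem` against the existing certificate first; a `dsaEncryption` result is the condition the thread describes.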

Re: sendmail + STARTTLS w/ evolution = error:1408A0C1

Andy W. Clements

On Wed, 2005-06-15 at 21:17 -0700, Claus Assmann wrote:

> On Wed, Jun 15, 2005, Andy W. Clements wrote:
>
> > I'm currently having a problem with setting up STARTTLS with my sendmail
> > on my FreeBSD 5.3 box.  I've used openssl to create the cert and key:
> >
> > openssl dsaparam 1024 -out dsa1024.pem
> > openssl req -x509 -nodes -newkey dsa:dsa1024.pem -out mycert.pem -keyout
> > mykey.pem
>
> Try an RSA key instead, most systems have problems with DSA
> (sendmail works fine however).
>


Just thought I would drop a note and say that using RSA instead of DSA
worked.  Thanks Claus!



--
Andy Clements
Chief Engineer
C & H Software L.L.C.
[hidden email]
