[SOLVED] Sendmail failing to establish SSL connections
Posted: 2012/03/03 19:04:16
I doubt this could be a bug, but after 10 hours of debugging I have to post. The only clue I have left is that regardless of whether the lines below are used in sendmail.mc or I comment them out, I get the same SSL errors (140BA0C3, 140770FC, SSL_new, etc.) but can't find anything helpful on these codes. The same certs/key are being used on port 443 (apache) and 995 (dovecot) and are working flawlessly, so I know the issue has to be Sendmail.
What am I missing?
---== Installed Software ==---[font=Courier]
$ rpm -qa | grep sendmail
sendmail-cf-8.13.8-8.1.el5_7
sendmail-8.13.8-8.1.el5_7
[/font]
---== Sendmail.mc ==---[font=Courier]
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/www.t1shopper.com.ev.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/private/www.t1shopper.com.key')dnl
[/font]
---== Testing from remote server ==---[font=Courier]
$ openssl s_client -host www.t1shopper.com -port 465
CONNECTED(00000003)
7948:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:
[/font]
---== Here's the mail log from the above client request ==---[font=Courier]
Mar 3 18:52:41 www sendmail[9360]: NOQUEUE: connect from [98.142.1.1]
Mar 3 18:52:41 www sendmail[9360]: AUTH: available mech=CRAM-MD5 DIGEST-MD5, allowed mech=LOGIN PLAIN
Mar 3 18:52:41 www sendmail[9360]: q23Iqfve009360: Milter: no active filter
Mar 3 18:52:41 www sendmail[9360]: STARTTLS=server: 9360:error:140BA0C3:SSL routines:SSL_new:null ssl ctx:ssl_lib.c:244:
Mar 3 18:52:41 www sendmail[9360]: q23Iqfve009360: [98.142.1.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to SSLMTA
[/font]