computers / comp.mail.sendmail / Re: Deferred 403 4.7.0 TLS handshake failed

Deferred 403 4.7.0 TLS handshake failed

<8dcac4a7-5d22-470c-ae1f-21f19bc3ec7cn@googlegroups.com>

 by: markr...@gmail.com - Mon, 26 Jun 2023 22:25 UTC

I'm now using sendmail that only supports TLSv1.2 and 1.3. My old one used TLSv1/SSLv3.

In any event, I've now encountered 2 small email servers (I think personal ones) that our server couldn't send email to. The emails get stuck in the outgoing queue with the error message:

403 4.7.0 TLS handshake failed

I had to put Try_TLS NO entries for them in /etc/access, in order for the email to be sent out.

Is there any other way to deal with this issue? Thanks.

Thanks. - Mark

Re: Deferred 403 4.7.0 TLS handshake failed

<u7dspu$1cq$1@news.misty.com>

 by: Claus Aßmann - Tue, 27 Jun 2023 05:41 UTC

markr...@gmail.com wrote:
> I'm now using sendmail that only supports TLSv1.2 and 1.3 My old one

Why?

> 403 4.7.0 TLS handshake failed

> Is there any other way to deal with this issue? Thanks.

Don't restrict the TLS versions.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Re: Deferred 403 4.7.0 TLS handshake failed

<u7duuk$1ap8g$1@dont-email.me>

 by: Marco Moock - Tue, 27 Jun 2023 06:17 UTC

On 27.06.2023 at 01:41:18, Claus Aßmann wrote:

> markr...@gmail.com wrote:
> > I'm now using sendmail that only supports TLSv1.2 and 1.3 My old
> > one
>
> Why?

Older SSL versions are treated as insecure, so many administrators disable
them.

I dunno if every OpenSSL build shipped with various operating systems
still supports the old SSL and TLS versions or if they simply removed
them because only a small number of people rely on them.

Re: Deferred 403 4.7.0 TLS handshake failed

<e470ae47-ea5d-49ce-af96-b1a32c73d47bn@googlegroups.com>

 by: markr...@gmail.com - Thu, 29 Jun 2023 05:58 UTC

On Tuesday, June 27, 2023 at 2:17:59 AM UTC-4, Marco Moock wrote:
> On 27.06.2023 at 01:41:18, Claus Aßmann wrote:
>
> > markr...@gmail.com wrote:
> > > I'm now using sendmail that only supports TLSv1.2 and 1.3 My old one
> >
> > Why?
> Older SSL versions are treated as insecure, so many administrators disable them.

You are correct. The problem is with OpenSSL. Unless compiled manually, SSLv3 is no longer available as shipped with Ubuntu.

I can fix outgoing emails using the Try_TLS feature in /etc/access. But that doesn't seem to help incoming connections. I get these error messages:

Jun 29 01:46:26 psfcmail2 sm-mta[1374683]: STARTTLS=server, error: accept failed=-1, reason=no suitable signature algorithm, SSL_error=1, errno=0, retry=-1, relay

I guess I'm just going to ignore them, since there are so few sites that are causing a problem.

Re: Deferred 403 4.7.0 TLS handshake failed

<u7j8lf$233jn$1@dont-email.me>

 by: Marco Moock - Thu, 29 Jun 2023 06:34 UTC

On 28.06.2023, "markr...@gmail.com" <markrlondon@gmail.com> wrote:

> On Tuesday, June 27, 2023 at 2:17:59 AM UTC-4, Marco Moock wrote:
> > On 27.06.2023 at 01:41:18, Claus Aßmann wrote:
> >
> > > markr...@gmail.com wrote:
> > > > I'm now using sendmail that only supports TLSv1.2 and 1.3 My
> > > > old one
> > >
> > > Why?
> > Older SSL versions are treated as insecure, so many administrators
> > disable them.
>
> You are correct. The problem is with OpenSSL. Unless compiled
> manually, SSLv3 is no longer available as shipped with Ubuntu.
>
> I can fix outgoing emails using the Try_TLS feature in /etc/access.

Maybe also look at confTLS_FALLBACK_TO_CLEAR.

> But that doesn't seem to help incoming connections. I get these
> error messages:
>
> Jun 29 01:46:26 psfcmail2 sm-mta[1374683]: STARTTLS=server, error:
> accept failed=-1, reason=no suitable signature algorithm,
> SSL_error=1, errno=0, retry=-1, relay

In access_db:
Srv_Features:mailout.domain.com S
https://sendmaid.org/21-sslv3-in-sendmail-abschalten

Although, they control their TLS settings. They might refuse to connect
to you at all if TLS isn't available and they enforce the usage of TLS.
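
Added example, not part of any post in this thread: a shell/awk filter that tallies the two failure lines quoted above per peer, so per-host `Try_TLS` and `Srv_Features` entries can be limited to the hosts that actually fail. The sample log lines are constructed; the `relay=` values, host names and the second `reason=` string are assumptions, since the log line in the thread is cut off after "relay".

```shell
#!/bin/sh
# Constructed sample lines modelled on the two messages quoted in the thread.
# Host names and addresses are placeholders from documentation ranges.
sample_log() {
cat <<'EOF'
Jun 29 01:46:26 mx1 sm-mta[1001]: STARTTLS=server, error: accept failed=-1, reason=no suitable signature algorithm, SSL_error=1, errno=0, retry=-1, relay=old1.example.net [192.0.2.10]
Jun 29 02:10:03 mx1 sm-mta[1002]: STARTTLS=server, error: accept failed=-1, reason=no suitable signature algorithm, SSL_error=1, errno=0, retry=-1, relay=old1.example.net [192.0.2.10]
Jun 29 02:15:40 mx1 sm-mta[1003]: STARTTLS=server, error: accept failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1, relay=old2.example.org [198.51.100.7]
Jun 29 03:00:00 mx1 sm-mta[1004]: 35T30001004: to=<u@old3.example.com>, mailer=esmtp, relay=mail.old3.example.com. [203.0.113.5], dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.
Jun 29 03:05:00 mx1 sm-mta[1005]: 35T30501005: to=<u@ok.example.com>, mailer=esmtp, relay=mx.ok.example.com. [203.0.113.9], dsn=2.0.0, stat=Sent (ok)
EOF
}

# Reads mail log lines on stdin.
# Prints: count <TAB> direction <TAB> peer <TAB> reason, most frequent first.
#   in  = inbound STARTTLS failed (candidate for a Srv_Features entry)
#   out = outbound delivery deferred (candidate for a Try_TLS entry)
tls_failures() {
  awk '
    # Extract the peer name from a relay= field, dropping a trailing dot.
    function relay_of(line,   r) {
      if (match(line, /relay=[^ ,]+/) == 0) return "unknown"
      r = substr(line, RSTART + 6, RLENGTH - 6)
      sub(/\.$/, "", r)
      return r
    }
    /STARTTLS=server, error:/ {
      reason = "unknown"
      if (match($0, /reason=[^,]+/))
        reason = substr($0, RSTART + 7, RLENGTH - 7)
      n["in\t" relay_of($0) "\t" reason]++
    }
    /stat=Deferred: 403 4\.7\.0 TLS handshake failed/ {
      n["out\t" relay_of($0) "\t403 4.7.0 TLS handshake failed"]++
    }
    END { for (k in n) printf "%d\t%s\n", n[k], k }
  ' | sort -t "$(printf '\t')" -k1,1nr -k3,3
}

# Stand-alone run on the constructed sample; for real use, feed the
# system mail log on stdin instead (its path varies by distribution).
sample_log | tls_failures
```

Each `in` row names a peer whose inbound handshake failed and each `out` row a peer whose outbound delivery was deferred; successful deliveries are ignored.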
