Hi,
I have a small question about sendmail and TLS verification.
The TLS verify fails on our internal/external sendmail servers.
For example:
STARTTLS=server, relay=mx1.imt-systems.com [89.146.219.60], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
STARTTLS=server, relay=acsinet12.imt-systems.com [89.146.219.42], version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
What's the problem?
The sendmail tls certificate should be okay on both servers.
Here is the output of the openssl starttls check:
Server 1
[root@mx1 ~]# openssl s_client -starttls smtp -connect acsinet12.imt-systems.com:25
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: FE604F9A1765705F518A416F824DDE0B4316C52F36A3171A1593DC503EB63404
Session-ID-ctx:
Master-Key: 57DB71C1E48CA6AC4E5C381B28915AF0A2D66F23D80919E05DFB77345586D6F63AD6C9A7929880E29045CD7D3ADD9556
Key-Arg : None
Krb5 Principal: None
Start Time: 1285023670
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 HELP
quit
221 2.0.0 acsinet12.imt-systems.com closing connection
On the other server:
Server 2
[root@acsinet12 ~]# openssl s_client -starttls smtp -connect mx1.imt-systems.com:25
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 4FEA16066A719033CEA69C185EDDA504CA8EDB1BB572C21A6BEB303F15F76621
Session-ID-ctx:
Master-Key: 615713E2500A52E996F2BB27F3A6A0CF9A471212805120BCC81623656327A9B6184BBB61F6CF28D6E62408397CF2D221
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Compression: 1 (zlib compression)
Start Time: 1285024237
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
250 HELP
quit
221 2.0.0 mx1.imt-systems.com closing connection
The "Verify return code: 0 (ok)" seems to be okay on both servers?
Here is the sendmail TLS configuration:
(Server 1)
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/mx1.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/mx1.key')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/mx1.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/mx1.key')dnl
(Server 2)
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/acsinet12.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/certs/acsinet12.key')dnl
define(`confCLIENT_CERT', `/etc/pki/tls/certs/acsinet12.crt')dnl
define(`confCLIENT_KEY', `/etc/pki/tls/certs/acsinet12.key')dnl
Does anyone know something about this issue? (verify=FAIL)
Thank you.
Best regards,
Morten
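Added example (an editor's addition, not part of Morten's post or of sendmail): the verify= field in the log lines above is sendmail's verdict on the certificate the connecting peer presented, checked against the confCACERT file and the confCACERT_PATH directory, whereas openssl s_client run without -CAfile/-CApath reports its verdict on the remote server certificate using the local OpenSSL default store, so the two checks can disagree. The script below reproduces sendmail's side of the check offline with openssl verify against a bundle file and a CA directory. It uses throw-away CAs, an invented MX host name and scratch paths (none of them from the post), and shows two conditions that yield FAIL although the certificate itself is good: the issuing CA is absent from the bundle, and the CA sits in the CApath directory under a plain file name without the <hash>.0 link that c_rehash creates, which is the only name OpenSSL looks up there.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce offline the check
# sendmail applies to a peer certificate, using the same two inputs it
# gets from sendmail.mc (confCACERT bundle file, confCACERT_PATH dir).
# Needs only openssl. All CA names, host names and paths are invented.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EMPTY="$WORK/empty";  mkdir -p "$EMPTY"    # a CApath with nothing in it
CAPATH="$WORK/certs"; mkdir -p "$CAPATH"   # stands in for confCACERT_PATH
CAFILE="$WORK/ca-bundle.crt"               # stands in for confCACERT

# new_ca NAME KEYFILE CERTFILE: throw-away self-signed CA (hypothetical)
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2" -out "$3" >/dev/null 2>&1
}
new_ca "Example Mail CA"     "$WORK/ca.key"    "$WORK/ca.pem"     # issues the MX cert
new_ca "Unrelated Public CA" "$WORK/other.key" "$WORK/other.pem"  # what a stock bundle holds

# Leaf certificate for a hypothetical MX, signed by Example Mail CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=mx.example.test" \
    -keyout "$WORK/mx.key" -out "$WORK/mx.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -in "$WORK/mx.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/mx.pem" >/dev/null 2>&1

# verify_peer CERT CAFILE CAPATH -> prints OK or FAIL, the value sendmail logs as verify=
verify_peer() {
    if openssl verify -CAfile "$2" -CApath "$3" "$1" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# capath_has_hash_link CAPATH CACERT -> true if CAPATH/<subject-hash>.0 exists,
# the file name OpenSSL (and therefore sendmail) looks for in a CA directory
capath_has_hash_link() {
    [ -e "$1/$(openssl x509 -noout -hash -in "$2").0" ]
}

# 1. Bundle holds only an unrelated CA, CApath empty: issuer not found -> FAIL
cp "$WORK/other.pem" "$CAFILE"
echo "1. issuer in neither bundle nor CApath: $(verify_peer "$WORK/mx.pem" "$CAFILE" "$CAPATH")"

# 2. Issuer copied into CApath under a plain name, no hash link -> still FAIL
cp "$WORK/ca.pem" "$CAPATH/mailca.pem"
echo "2. issuer in CApath but not rehashed:    $(verify_peer "$WORK/mx.pem" "$CAFILE" "$CAPATH")"

# 3. Add the <hash>.0 link that c_rehash would create -> OK
ln -s mailca.pem "$CAPATH/$(openssl x509 -noout -hash -in "$WORK/ca.pem").0"
echo "3. issuer in CApath with hash link:      $(verify_peer "$WORK/mx.pem" "$CAFILE" "$CAPATH")"

# 4. Alternatively append the issuer to the bundle file, CApath empty -> OK
cat "$WORK/ca.pem" >> "$CAFILE"
echo "4. issuer appended to bundle, CApath empty: $(verify_peer "$WORK/mx.pem" "$CAFILE" "$EMPTY")"
```

To test a real peer the same way, save the certificate it sends (openssl s_client -starttls smtp -connect host:25 -showcerts) in place of mx.pem and point CAFILE and CAPATH at the values configured in sendmail.mc; if openssl verify fails there, sendmail will log verify=FAIL regardless of what s_client's default-store check reports.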