WiseDraco 12-27-2013 07:00 AM

sendmail error
I get a new (for me) error when trying to send mail to one address:

Dec 22 04:58:29 sten sm-mta[31252]: STARTTLS=client,, version=TLSv1/SSLv3, verify=FAIL, cipher=CAMELLIA256-SHA, bits=256/256

Dec 22 04:58:29 sten sm-mta[31252]: STARTTLS: read error=generic SSL error (-1), errno=0, get_error=error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac, retry=1, ssl_err=1

Dec 22 04:58:29 sten sm-mta[31252]: rBH9OxpV022923: to=<siri@domain>, ctladdr=<john@domain> (1003/100), delay=4+17:33:28, xdelay=00:00:03, mailer=esmtp, pri=24701685, [], dsn=4.0.0, stat=Deferred: Input/output error

I tried to resend that mail after it came back after five days, and got the same.
Can anyone tell me what direction I must look in, and so on?
With other recipients I do not have similar problems; all works.
On the other hand, I am not sure I have SSL3 links to my other email respondents.

My mailserver is slackware64 14.0 with default sendmail....

Thanks for advice

gengisdave 12-28-2013 02:35 PM

I think the problem is related to SSL; I don't know if it is caused by TX errors or an error in encryption/decryption. What version of SSL are you using?

WiseDraco 12-29-2013 04:13 AM


I did some research in the logfiles and found that earlier, when mail was going OK, there was also a STARTTLS error, but not the second error:

10:24:18 sten sm-mta[22477]: STARTTLS=client,, version=TLSv1/SSLv3, verify=FAIL, cipher=CAMELLIA256-SHA, bits=256/256
10:24:36 sten sm-mta[22477]: rB38OFgO022473: to=<siri@allen>, ctladdr=<john@domain> (1003/100), delay=00:00:21, xdelay=00:00:20, mailer=esmtp, pri=7121323, [], dsn=2.0.0, stat=Sent (OK id=1VnlHO-0003f5-GW)

I restarted sendmail (./rc.sendmail restart), but no changes in that direction...

gengisdave 12-29-2013 05:23 AM

Took a quick look at the sendmail source (I have 8.14.7 installed); the error is in file ./sendmail/sfsasl.c, function tls_read (line 717). The function SSL_read fails and returns a value of 0; according to 'man SSL_read' this means it was an improper shutdown.

According to 'man SSL_get_error', SSL_ERROR_SSL is a protocol error. Try to upgrade to SSL-1.0.1e and see if it happens again.

WiseDraco 12-29-2013 06:13 AM

But I have not changed or touched my mailserver configuration for several months, and that problem came up about two or so weeks ago. Very strange. Now I am updating openssl and openssl-solibs to 1.0.1e and will see what happens.

PS: upgraded, restarted sendmail, and got:

Dec 29 13:13:44 sten sm-mta[20472]: starting daemon (8.14.5): SMTP+queueing@00:25:00
Dec 29 13:13:44 sten sm-msp-queue[20475]: starting daemon (8.14.5): queueing@00:25:00
Dec 29 13:13:47 sten sm-mta[20473]: STARTTLS=client,, version=TLSv1/SSLv3, verify=FAIL, cipher=CAMELLIA256-SHA, bits=256/256
Dec 29 13:13:53 sten sm-mta[20473]: rBQF73KP004757: to=<siri@allent>, ctladdr=<john@domain> (1003/100), delay=2+20:06:50, xdelay=00:00:09, mailer=esmtp, pri=15083832, [], dsn=2.0.0, stat=Sent (OK id=1VxEJa-0003xb-Qu)

EG look, now it works!
Thank you very much!
But interesting, where is the reason? Because on my side there have not been any changes for a long time, and all worked until it suddenly stopped. Could it be caused by the other side (ellentech) having upgraded their openssl, which started some incompatibility between the machines?

gengisdave 12-29-2013 06:29 AM

It seems so; in the last version they changed some protocol behaviour. If upgrading isn't a solution, or you can't do that, you have to force some protocol in place of another.

WiseDraco 12-29-2013 07:25 AM

OK, thank you again.
The first string, version=TLSv1/SSLv3, verify=FAIL,
is, as I understand, because I have no SSL certificates? And if I have self-made certificates, not signed by an authority, do I also not have a good working SSL protocol on mail, as it is with http / apache (https)?
It's not a big deal, I simply want to understand a bit more about that topic...

gengisdave 12-29-2013 07:43 AM

The server doesn't know the CA of the certificate your sendmail is using; for a home sendmail it's quite normal. Simply, the server doesn't trust you by certificate, but you can have other credentials, like user/pass login.
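As an added example (not code from this thread or from sendmail), the script below reads sm-mta log lines of the kind quoted above, ties each STARTTLS line to its delivery line by process id, and labels attempts where a TLS read error preceded a 4.x.x deferral separately from deliveries that succeeded despite verify=FAIL. The sample lines are constructed from the ones posted in the thread; the verdict names are this example's own.

```python
import re

# Constructed sample, modelled on the sm-mta lines quoted in this thread.
SAMPLE_LOG = """\
Dec 22 04:58:29 sten sm-mta[31252]: STARTTLS=client,, version=TLSv1/SSLv3, verify=FAIL, cipher=CAMELLIA256-SHA, bits=256/256
Dec 22 04:58:29 sten sm-mta[31252]: STARTTLS: read error=generic SSL error (-1), errno=0, get_error=error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac, retry=1, ssl_err=1
Dec 22 04:58:29 sten sm-mta[31252]: rBH9OxpV022923: to=<siri@domain>, ctladdr=<john@domain> (1003/100), delay=4+17:33:28, xdelay=00:00:03, mailer=esmtp, pri=24701685, [], dsn=4.0.0, stat=Deferred: Input/output error
Dec 29 13:13:47 sten sm-mta[20473]: STARTTLS=client,, version=TLSv1/SSLv3, verify=FAIL, cipher=CAMELLIA256-SHA, bits=256/256
Dec 29 13:13:53 sten sm-mta[20473]: rBQF73KP004757: to=<siri@allent>, ctladdr=<john@domain> (1003/100), delay=2+20:06:50, xdelay=00:00:09, mailer=esmtp, pri=15083832, [], dsn=2.0.0, stat=Sent (OK id=1VxEJa-0003xb-Qu)
"""

# One sm-mta process handles one delivery attempt, so the pid ties the
# STARTTLS lines to the queue-id line carrying the final status.
LINE_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sm-mta\[(?P<pid>\d+)\]: (?P<msg>.*)$')
TLS_RE = re.compile(r'^STARTTLS=(?:client|server),+ (?P<kv>.*)$')
READERR_RE = re.compile(r'^STARTTLS: read error=(?P<detail>.*)$')
DELIVERY_RE = re.compile(r'^(?P<qid>[A-Za-z0-9]{14}): to=<(?P<to>[^>]*)>.*dsn=(?P<dsn>[\d.]+), stat=(?P<stat>.*)$')

def classify(rec):
    """Label a finished delivery attempt from its TLS and DSN evidence."""
    if 'read_error' in rec and rec['dsn'].startswith('4.'):
        # Session negotiated, then the record layer failed: the thread's case,
        # a library/protocol mismatch between the MTAs, not a config change.
        return 'tls-record-failure'
    if rec.get('verify') == 'FAIL' and rec['dsn'].startswith('2.'):
        # Delivered, but the peer certificate was not validated (opportunistic TLS).
        return 'sent-unverified-tls'
    return 'sent' if rec['dsn'].startswith('2.') else 'deferred-other'

def analyze(log_text):
    """Return one record per delivery attempt, with TLS context and a verdict."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons, e.g. sm-msp-queue
        pid, msg = m.group('pid'), m.group('msg')
        state = pending.setdefault(pid, {})
        if (t := TLS_RE.match(msg)):
            kv = dict(p.split('=', 1) for p in t.group('kv').split(', '))
            state.update(version=kv.get('version'), verify=kv.get('verify'), cipher=kv.get('cipher'))
        elif (e := READERR_RE.match(msg)):
            state['read_error'] = e.group('detail')
        elif (d := DELIVERY_RE.match(msg)):
            rec = {**d.groupdict(), **pending.pop(pid)}
            rec['verdict'] = classify(rec)
            findings.append(rec)
    return findings
```

Running analyze(SAMPLE_LOG) yields a tls-record-failure record for rBH9OxpV022923 (the failing Dec 22 attempt) and a sent-unverified-tls record for rBQF73KP004757 (the Dec 29 delivery that went through after the upgrade).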

