• Deferred 403 4.7.0 TLS handshake failed

    From markrlondon@gmail.com@21:1/5 to All on Mon Jun 26 15:25:45 2023
    I'm now using sendmail that only supports TLSv1.2 and 1.3. My old one used TLSv1/SSLv3.

    In any event, I've now encountered 2 small email servers (I think personal ones) that our server couldn't send email to. The emails get stuck in the outgoing queue with the error message:

    403 4.7.0 TLS handshake failed

    I had to put Try_TLS NO entries for them in /etc/access, in order for the email to be sent out.

    Is there any other way to deal with this issue? Thanks.

    Thanks. - Mark

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Claus Aßmann@21:1/5 to markr...@gmail.com on Tue Jun 27 01:41:18 2023
    markr...@gmail.com wrote:
    > I'm now using sendmail that only supports TLSv1.2 and 1.3 My old one

    Why?

    > 403 4.7.0 TLS handshake failed

    > Is there any other way to deal with this issue? Thanks.

    Don't restrict the TLS versions.

    --
    Note: please read the netiquette before posting. I will almost never
    reply to top-postings which include a full copy of the previous
    article(s) at the end because it's annoying, shows that the poster
    is too lazy to trim his article, and it's wasting the time of all readers.

  • From Marco Moock@21:1/5 to All on Tue Jun 27 08:17:56 2023
    Am 27.06.2023 um 01:41:18 Uhr schrieb Claus Aßmann:

    > markr...@gmail.com wrote:
    >> I'm now using sendmail that only supports TLSv1.2 and 1.3 My old
    >> one

    > Why?

    Older SSL versions are treated as insecure, so many administrators disable
    them.

    I dunno if every OpenSSL build shipped with various operating systems
    still supports the old SSL and TLS version or if they simply removed
    them because only a small amount of people rely on them.

  • From markrlondon@gmail.com@21:1/5 to Marco Moock on Wed Jun 28 22:58:48 2023
    On Tuesday, June 27, 2023 at 2:17:59 AM UTC-4, Marco Moock wrote:
    > Am 27.06.2023 um 01:41:18 Uhr schrieb Claus Aßmann:

    >> markr...@gmail.com wrote:
    >>> I'm now using sendmail that only supports TLSv1.2 and 1.3 My old one

    >> Why?
    > Older SSL versions are treated as insecure, so many administrators disable them.

    You are correct. The problem is with openssl. Unless compiled manually, sslv3 is not available any longer as
    shipped with ubuntu.

    I can fix outgoing emails using the Try_TLS feature in /etc/access. But that doesn't seem to help incoming connections. I get these error messages:

    Jun 29 01:46:26 psfcmail2 sm-mta[1374683]: STARTTLS=server, error: accept failed=-1, reason=no suitable signature algorithm, SSL_error=1, errno=0, retry=-1, relay

    I guess I'm just going to ignore them, since there are so few sites that are causing a problem.

  • From Marco Moock@21:1/5 to All on Thu Jun 29 08:34:23 2023
    Am 28.06.2023 schrieb "markr...@gmail.com" <markrlondon@gmail.com>:

    > On Tuesday, June 27, 2023 at 2:17:59 AM UTC-4, Marco Moock wrote:
    >> Am 27.06.2023 um 01:41:18 Uhr schrieb Claus Aßmann:

    >>> markr...@gmail.com wrote:
    >>>> I'm now using sendmail that only supports TLSv1.2 and 1.3 My
    >>>> old one

    >>> Why?
    >> Older SSL versions are treated as insecure, so many administrators
    >> disable them.

    > You are correct. The problem is with openssl. Unless compiled
    > manually, sslv3 is not available any longer as shipped with ubuntu.

    > I can fix outgoing emails using the Try_TLS feature in /etc/access.

    Maybe also look at confTLS_FALLBACK_TO_CLEAR.

    > But that doesn't seem to help incoming connections. I get these
    > error messages:

    > Jun 29 01:46:26 psfcmail2 sm-mta[1374683]: STARTTLS=server, error:
    > accept failed=-1, reason=no suitable signature algorithm,
    > SSL_error=1, errno=0, retry=-1, relay

    In access_db:
    Srv_Features:mailout.domain.com S

    https://sendmaid.org/21-sslv3-in-sendmail-abschalten

    Although, they control their TLS settings. They might refuse to connect
    to you at all if TLS isn't available and they enforce the usage of TLS.

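The thread handles each failing peer by hand. As an added example (not code from the thread, from sendmail, or from any poster), the Python below tallies the `STARTTLS=server` / `STARTTLS=client` failure lines in the sendmail log format quoted above and drafts the access_db entries discussed here (`Srv_Features:host S` for inbound peers, `Try_TLS:host NO` for outbound ones) for an administrator to review. The sample log lines, hostnames and IP addresses are constructed; the truncated-relay case from the thread is handled too.

```python
"""Tally sendmail STARTTLS handshake failures and draft access_db entries for review."""
import re
from collections import Counter, defaultdict

# Constructed sample log modelled on the line quoted in the thread; hosts and IPs are made up.
SAMPLE_LOG = """\
Jun 29 01:46:26 psfcmail2 sm-mta[1374683]: STARTTLS=server, error: accept failed=-1, reason=no suitable signature algorithm, SSL_error=1, errno=0, retry=-1, relay=old-mta.example.net [192.0.2.10]
Jun 29 02:03:11 psfcmail2 sm-mta[1374690]: STARTTLS=server, relay=good-mta.example.org [198.51.100.7], version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
Jun 29 02:10:40 psfcmail2 sm-mta[1374701]: STARTTLS=server, error: accept failed=-1, reason=no suitable signature algorithm, SSL_error=1, errno=0, retry=-1, relay=old-mta.example.net [192.0.2.10]
Jun 29 02:15:02 psfcmail2 sm-mta[1374712]: STARTTLS=client, error: connect failed=-1, reason=unsupported protocol, SSL_error=1, errno=0, retry=-1, relay=legacy.example.com.
"""

# server = a peer connected to us (inbound); client = we connected to a peer (outbound)
ROLE_RE = re.compile(r"STARTTLS=(server|client), error: (?:accept|connect) failed=")
FIELD_RE = re.compile(r"\b(reason|relay)=([^,\n]+)")


def failed_handshakes(log_text):
    """Return {(role, relay): Counter(reason)} over every failed STARTTLS line.

    A line whose relay= value is missing (as in the truncated line from the thread)
    is keyed under 'unknown' so it is still counted instead of silently dropped."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        role = ROLE_RE.search(line)
        if not role:
            continue  # successful handshakes and unrelated lines
        fields = dict(FIELD_RE.findall(line))
        # "host [ip]" -> host; tolerate a trailing dot on a fully qualified name
        relay = fields.get("relay", "unknown").split(" ")[0].rstrip(".")
        failures[(role.group(1), relay)][fields.get("reason", "unknown")] += 1
    return failures


def draft_access_entries(failures, min_count=2):
    """Draft (access_db line, count, top reason) for peers failing >= min_count times.

    Inbound failures get Srv_Features ... S (stop offering STARTTLS to that peer),
    outbound ones get Try_TLS ... NO, as used in the thread. This is a review list;
    do not feed it to makemap unattended."""
    drafts = []
    for (role, relay), reasons in sorted(failures.items()):
        if relay == "unknown" or sum(reasons.values()) < min_count:
            continue
        key, value = ("Srv_Features", "S") if role == "server" else ("Try_TLS", "NO")
        drafts.append((f"{key}:{relay}\t{value}", sum(reasons.values()), reasons.most_common(1)[0][0]))
    return drafts
```

Run `draft_access_entries(failed_handshakes(open("/var/log/mail.log").read()))` against a real log and compare the result with the peers you have already listed in /etc/access before changing anything.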