[Pkg-openssl-devel] Bug#913129: openssl: TLS error (error 403 4.7.0 TLS handshake failed in sendmail logs)

BERTRAND Joël joel.bertrand at systella.fr
Wed Nov 7 10:21:44 GMT 2018


Package: openssl
Version: 1.1.1-2
Severity: important

Dear Maintainer,

Last Saturday, I upgraded my testing server. This server acts as a mail
server running sendmail.

With the stable openssl package, my server ran fine. With the new package,
sendmail returns the obvious message:

dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed

I have removed TLS from the SMTP configuration (Try_TLS: NO in /etc/mail/access) but
some MXs require TLS and I'm unable to send messages to several MXs. For example,
orange.fr:

Nov  7 09:17:31 rayleigh sm-mta[10148]: ruleset=try_tls, arg1=smtp-in.orange.fr, relay=smtp-in.orange.fr, reject=550 5.7.1 <xxx at orange.fr>... do not try TLS with smtp-in.orange.fr [80.12.242.9]
Nov  7 09:17:31 rayleigh sm-mta[10148]: wA68PQwK006059: to=<xxx at orange.fr>, delay=23:52:05, xdelay=00:00:01, mailer=esmtp, pri=77460547, relay=smtp-in.orange.fr. [80.12.242.9], dsn=5.0.0, stat=Service unavailable

Second observation: I use a patch (from sendmail 8.16) that allows sendmail to
automatically disable TLS when a 4.7.0 error occurs.

With stable openssl, when sendmail tries to send a message, SMTP always receives:
... dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed.

With the testing package, sendmail randomly receives:
... dsn=4.0.0, stat=Deferred: 403 4.7.0 TLS handshake failed
or
... dsn=4.0.0, stat=Deferred

	Of course, I have read openssl installation instructions, but I haven't
	found any workaround.

	If I downgrade openssl to openssl_1.1.0f-3+deb9u2_amd64.deb, sendmail runs
	as expected.

	Best regards,

	JKB

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.18.0-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssl depends on:
ii  libc6      2.27-8
ii  libssl1.1  1.1.1-2

openssl recommends no packages.

Versions of packages openssl suggests:
ii  ca-certificates  20170717

-- no debconf information


