[HELP] ssl_err=5 even though no TLS requested by recipient


Postby hakimoto » Tue Nov 10, 2009 8:47 am

Dear All,

we're running 11.5 here, works like a charm, on CentOS5, for quite some time now. Community Edition.

We can send and receive email fine with everyone, except one recipient, who can send to us, but not receive. The thing is that our log shows this (from /var/log/maillog):


Nov 10 10:52:57 dkserver ldapmapper[2360]: accept new connection on 4
Nov 10 10:52:57 dkserver ldapmapper[2360]: anonymous bind (method=simple)
Nov 10 10:52:57 dkserver ldapmapper[2360]: search for mail=s.hakim.hamdani@dkgmdc.com
Nov 10 10:52:57 dkserver ldapmapper[2360]: search 1: for s.hakim.hamdani@dkgmdc.com at dkserver
Nov 10 10:52:57 dkserver ldapmapper[2360]: found matching entry
Nov 10 10:53:19 dkserver ldapmapper[2360]: search for mail=***@human.de
Nov 10 10:53:19 dkserver ldapmapper[2360]: search 1: for ***@human.de at dkserver
Nov 10 10:53:19 dkserver sendmail[12993]: nAA6Mv41012993: from=<S.Hakim.Hamdani@dkgmdc.com>, size=1503, class=0, nrcpts=1, msgid=<7814987.151257834168002.JavaMail.root@dkserver.dkgmdc.com>, proto=ESMTP, daemon=MTA, relay=localhost.localdomain [127.0.0.1]
Nov 10 10:53:19 dkserver ldapmapper[2360]: accept new connection on 5
Nov 10 10:53:19 dkserver ldapmapper[2360]: delete connection on 4
Nov 10 10:53:19 dkserver ldapmapper[2360]: anonymous bind (method=simple)
Nov 10 10:53:19 dkserver ldapmapper[2360]: search for mail=s.hakim.hamdani@dkgmdc.com
Nov 10 10:53:19 dkserver ldapmapper[2360]: search 1: for s.hakim.hamdani@dkgmdc.com at dkserver
Nov 10 10:53:19 dkserver ldapmapper[2360]: found matching entry
Nov 10 10:53:19 dkserver ldapmapper[2360]: search for mail=***@human.de
Nov 10 10:53:19 dkserver ldapmapper[2360]: search 1: for ***@human.de at dkserver
Nov 10 10:54:13 dkserver sendmail[13027]: STARTTLS=client, relay=mail.human.de., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Nov 10 10:54:33 dkserver sendmail[13027]: STARTTLS: read error=syscall error (-1), errno=104, get_error=error:00000000:lib(0):func(0):reason(0), retry=1, ssl_err=5
Nov 10 10:54:33 dkserver sendmail[13027]: nAA6Mv41012993: to=<***@human.de>, delay=00:01:14, xdelay=00:01:14, mailer=esmtp, pri=121503, relay=mail.human.de. [213.216.1.19], dsn=4.0.0, stat=Deferred: Connection reset by mail.human.de.
Nov 10 10:54:33 dkserver ldapmapper[2360]: delete connection on 5


I've ***'d the alias out for their privacy's sake. The other address is my own. It fails with ssl_err=5.

So I went and asked their admin, who told me that "no TLS is required from our side and we only use plain sendmail connections"; further, he proffered this log:


2009:11:10-10:21:22 astaro-2 exim[8471]: 2009-11-10 10:21:22 H=88-202-52-92.ip.skylogicnet.com (dkserver.dkgmdc.com) [88.202.52.92]:60182 Warning: Exception matched: Skipping greylisting for this message
2009:11:10-10:21:22 astaro-2 exim[8471]: 2009-11-10 10:21:22 H=88-202-52-92.ip.skylogicnet.com (dkserver.dkgmdc.com) [88.202.52.92]:60182 Warning: Exception matched: Skipping antispam for this message
2009:11:10-10:21:22 astaro-2 exim[8471]: 2009-11-10 10:21:22 H=88-202-52-92.ip.skylogicnet.com (dkserver.dkgmdc.com) [88.202.52.92]:60182 Warning: human.de profile excludes greylisting: Skipping greylisting for this message
2009:11:10-10:21:22 astaro-2 exim[8471]: 2009-11-10 10:21:22 [88.202.52.92] F=<S.Hakim.Hamdani@dkgmdc.com> R=<***@human.de> Verifying recipient address with callout
2009:11:10-10:21:30 astaro-2 exim[8471]: 2009-11-10 10:21:30 SMTP connection from 88-202-52-92.ip.skylogicnet.com (dkserver.dkgmdc.com) [88.202.52.92]:60182 lost while reading message data (header)
2009:11:10-10:21:30 astaro-2 exim[8471]: 2009-11-10 10:21:30 SSL_write error 5


Same error listed. SSL_write error 5. The point is they're not requesting an SSL / TLS connection. Our server initiates it, even though I SMTP'd to it the other day and TLS is NOT listed as a feature. They've included us in their global whitelist by IP and domain name, too.

This is giving me one royal headache. Can anyone shed light on this? I found a grand total of three posts searching for this error, none of which actually make reference to it (strange search function, indeed), several others relating to sending to TLS hosts (even though theirs is NOT a TLS host, so I am told) and couldn't find any leads or answers. I've even looked in the sendmail reference. Nada.

ANY help will be MUCH appreciated as I'm at a loss as to where to start looking to get these two talking to each other.

Thanks in advance, best wishes from Kabul,

Hakim
覇気元
Eroteme.org


Postby ltward » Thu Nov 19, 2009 10:48 am

What you're seeing is sendmail functionality. See if you have STARTTLS configured for your sendmail:

# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 sxlab.mydomain.net ESMTP Sendmail 8.13.8/8.13.8; Thu, 19 Nov 2009 09:37:00 -0500
ehlo localhost
250-sxlab.mydomain.net Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 10240000
250-DSN
250-STARTTLS
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

The page at http://www.sendmail.org/m4/starttls.html#disable_starttls may be of help. It says, in part:
By default STARTTLS is used whenever possible. However, there are some broken MTAs that don't properly implement STARTTLS. To be able to send to (or receive from) those MTAs...

Best of luck.
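Added example (not part of the original posts, and not Scalix or sendmail code): a small Python triage script that groups sendmail maillog lines by process id and reports relays where a `STARTTLS=client` handshake completed and was then followed by a TLS-layer error, the pattern in the maillog excerpt in the first post. The sample log is constructed with placeholder hosts and addresses, and the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the maillog excerpt in the first post;
# hosts, addresses and the second queue id are placeholders.
SAMPLE = """\
Nov 10 10:54:13 mx sendmail[13027]: STARTTLS=client, relay=mail.example.de., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Nov 10 10:54:33 mx sendmail[13027]: STARTTLS: read error=syscall error (-1), errno=104, get_error=error:00000000:lib(0):func(0):reason(0), retry=1, ssl_err=5
Nov 10 10:54:33 mx sendmail[13027]: nAA6Mv41012993: to=<user@example.de>, delay=00:01:14, xdelay=00:01:14, mailer=esmtp, pri=121503, relay=mail.example.de. [192.0.2.19], dsn=4.0.0, stat=Deferred: Connection reset by mail.example.de.
Nov 10 10:55:02 mx sendmail[13040]: STARTTLS=client, relay=mx.example.org., version=TLSv1/SSLv3, verify=OK, cipher=AES256-SHA, bits=256/256
Nov 10 10:55:03 mx sendmail[13040]: nAA6Mv41012994: to=<user@example.org>, delay=00:00:02, xdelay=00:00:01, mailer=esmtp, pri=121503, relay=mx.example.org. [192.0.2.25], dsn=2.0.0, stat=Sent (OK)
"""

# ssl_err=5 is OpenSSL's SSL_ERROR_SYSCALL; errno=104 is ECONNRESET on Linux.
LINE = re.compile(r"sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$")
HANDSHAKE = re.compile(r"^STARTTLS=client, relay=(?P<relay>[^,\s]+?)\.?,.*verify=(?P<verify>\w+)")
TLS_ERR = re.compile(r"^STARTTLS: (?:read|write) error=.*ssl_err=(?P<err>\d+)")
DELIVERY = re.compile(r"^(?P<qid>\w+): to=.*stat=(?P<stat>.*)$")

def tls_failures(log_text):
    """Return {relay: [event, ...]} for client handshakes that completed
    and then hit a TLS-layer error in the same sendmail process."""
    sessions = {}                      # pid -> state of that delivery process
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (h := HANDSHAKE.match(msg)):
            sessions[pid] = {"relay": h["relay"], "verify": h["verify"], "ssl_err": None}
        elif (e := TLS_ERR.match(msg)) and pid in sessions:
            sessions[pid]["ssl_err"] = int(e["err"])
        elif (d := DELIVERY.match(msg)) and pid in sessions:
            s = sessions.pop(pid)      # delivery result closes the session
            if s["ssl_err"] is not None:
                failures[s["relay"]].append({"qid": d["qid"], "verify": s["verify"],
                                             "ssl_err": s["ssl_err"], "stat": d["stat"]})
    return dict(failures)

if __name__ == "__main__":
    for relay, events in tls_failures(SAMPLE).items():
        print(relay, events)
```

A relay reported here is a candidate for the per-host `Try_TLS:<relay> NO` access-map entry that the sendmail page linked above describes; with that entry, mail to that host is sent without TLS.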


Postby hakimoto » Tue Nov 24, 2009 7:08 am

Hello there,

in fact I'd checked that. It doesn't have TLS:

[hakim@dkserver ~]$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.localdomain (127.0.0.1).
Escape character is '^]'.
220 dkserver.dkgmdc.com ESMTP Sendmail 8.13.8/8.13.8; Tue, 24 Nov 2009 15:36:34 +0430
ehlo localhost
250-dkserver.dkgmdc.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP

That's why I'm surprised to see it trying to use TLS at all. Thanks for the link, I will give that a shot and report back!
覇気元

Eroteme.org

