From: josefismael on 11 Aug 2010 16:01

I have a Sendmail question around forcing outbound TLS on a partner of ours. Since they use a smarthost for inbound mail, I know I need to use TLS_Rcpt.

The problem is, outbound messages keep failing when Hub passes the message to Relay as that transaction isn't being encrypted (being on the same box and all). Basically this is what I get:

Aug 11 11:46:47 myservername Hub[31581]: o7BGkDTj031564: ruleset=tls_rcpt, arg1=user(a)externaldomain.com, relay=localhost.mydomain.com., reject=503 5.7.0 encryption too weak 0 less than 128

Any ideas what I have to do? I'm thinking I need to either enable TLS on the Hub>Relay transaction, or I need to find a way to not trigger the tls_rcpt rule until the message goes to Relay.

Any ideas are welcome - thanks in advance!

jm

From: ska on 12 Aug 2010 04:12

josefismael wrote:
> The problem is, outbound messages keep failing when Hub passes the
> message to Relay as that transaction isn't being encrypted (being on
> the same box and all). Basically this is what I get:
>
> Aug 11 11:46:47 myservername Hub[31581]: o7BGkDTj031564:
> ruleset=tls_rcpt, arg1=user(a)externaldomain.com,
> relay=localhost.mydomain.com., reject=503 5.7.0 encryption too weak 0
> less than 128
>
> Any ideas what I have to do? I'm thinking I need to either enable TLS
> on the Hub>Relay transaction, or I need to find a way to not trigger
> the tls_rcpt rule until the message goes to Relay.

Hmm, any idea why you use TLS on localhost at all? I mean, if you relay to localhost, TLS is useless overhead.

    Try_TLS:127.0.0.1 NO

turns it off in the client.

Regards,
ska

From: josefismael on 12 Aug 2010 14:22

What you're describing is exactly what I have configured, and for the exact same reasons. The problem is that TLS_Rcpt seems to want every "link in the chain" when sending the email to be encrypted, even when transmitting the message between different Sendmail processes. Or so I assume.

jm

From: ska on 13 Aug 2010 06:04

josefismael wrote:
> What you're describing is exactly what I have configured, and for the
> exact same reasons.

How is a message injected into the MTA? I mean, if the relay is "localhost.mydomain.com.", it is connecting _to_ that host IMHO.

BTW: Does 127.0.0.1 resolve to localhost.mydomain.com?

Do you have other TLS requirements for your domain "mydomain.com" in accessdb? If so, try adding

    Try_TLS:localhost.mydomain.com. NO
    SRV_Features:localhost.mydomain.com. SV

I never know if you must include the final dot or must not or need both.
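
An added example, not part of any post in this thread and not Sendmail tooling: a small log triage script that finds tls_rcpt "encryption too weak" rejects and separates loopback hops (the Hub-to-Relay handoff described above) from rejects on a remote peer. It assumes the first number in the message is the negotiated cipher strength and the second the required minimum, as the quoted log line reads; the second and third sample lines, the `Relay` process name in them, and `mx.example.net` are constructed.

```python
import re

# Constructed sample. Line 1 is the entry quoted in the thread; line 2 is a
# made-up reject on a remote hop (placeholder host); line 3 is unrelated noise.
SAMPLE_LOG = """\
Aug 11 11:46:47 myservername Hub[31581]: o7BGkDTj031564: ruleset=tls_rcpt, arg1=user(a)externaldomain.com, relay=localhost.mydomain.com., reject=503 5.7.0 encryption too weak 0 less than 128
Aug 11 11:52:03 myservername Relay[31702]: o7BGq1Tj031699: ruleset=tls_rcpt, arg1=user(a)externaldomain.com, relay=mx.example.net., reject=503 5.7.0 encryption too weak 56 less than 128
Aug 11 11:53:10 myservername Relay[31702]: o7BGr2Tj031700: to=<x@example.org>, stat=Sent
"""

REJECT = re.compile(
    r"(?P<proc>[^\s\[]+)\[\d+\]: (?P<qid>\w+): ruleset=tls_rcpt, "
    r"arg1=(?P<rcpt>[^,]+), relay=(?P<relay>[^,]+), "
    r"reject=(?P<code>\d{3}) (?P<dsn>\d\.\d\.\d) encryption too weak "
    r"(?P<got>\d+) less than (?P<need>\d+)"
)

def is_loopback(relay):
    """True when the relay field names the local host (name or 127.x / ::1 literal)."""
    host = relay.split()[0].rstrip(".").lower()
    return (host == "localhost" or host.startswith("localhost.")
            or host.startswith("127.") or "[127." in relay or "[::1]" in relay)

def find_tls_rcpt_rejects(log_text):
    """Return one dict per tls_rcpt 'encryption too weak' reject, tagged by hop type."""
    findings = []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue
        f = m.groupdict()
        f["got"], f["need"] = int(f["got"]), int(f["need"])
        f["hop"] = "internal" if is_loopback(f["relay"]) else "external"
        findings.append(f)
    return findings

if __name__ == "__main__":
    for f in find_tls_rcpt_rejects(SAMPLE_LOG):
        hint = ("local handoff between MTA instances tripped the recipient rule"
                if f["hop"] == "internal" else "remote peer did not meet the requirement")
        print(f"{f['qid']} {f['proc']} -> {f['relay']} "
              f"{f['got']}/{f['need']} bits [{f['hop']}]: {hint}")
```
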