Good morning,
I've setup my first relay. Until now everything seems to be working fine, but I keep getting mails from logcheck I don't know how to deal with.
The reported errors are:
"sm-mta[15148]: STARTTLS=client, relay=smtpin.rzone.de., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256".
Thank you for any hints!
Best wishes
Berta
On 23 Nov. 2016, at 18:25, Berta Gieselbusch berta@gieselbusch.de wrote:
Good morning,
I've setup my first relay. Until now everything seems to be working fine, but I keep getting mails from logcheck I don't know how to deal with.
The reported errors are:
"sm-mta[15148]: STARTTLS=client, relay=smtpin.rzone.de., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256".
Hi Berta,
This mail you just sent came from:
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.smtp.rzone.de", Issuer "TeleSec ServerPass DE-2" (not verified))
Do you forward mail from your relay to an account on the same email provider? (Do you forward to the same email address you sent this mail from?)
If so, then it looks like your email provider has its TLS misconfigured. (It looks to me like they don't return any certificates at all.)
Here are the certificates in question: https://www.telesec.de/en/serverpass-en/support/download-area/category/74-te...
It appears that compatibility with sendmail is not a priority: https://www.telesec.de/en/serverpass-en/support/root-compatibility
Or perhaps TLS is misconfigured on your sendmail instance.
Or there's some kind of certificate chain error, where your server does not believe the root certificate that signed the smtp.rzone.de certificate.
In any case, it's nothing to do with Tor.
T
Relay=smtpin.rzone.de
Client CN is *.smtp.rzone.de
Maybe just a syntax error using smtpin instead of smtp?
On Nov 23, 2016 2:06 AM, "teor" teor2345@gmail.com wrote:
On 23 Nov. 2016, at 18:25, Berta Gieselbusch berta@gieselbusch.de
wrote:
Good morning,
I've setup my first relay. Until now everything seems to be working fine, but I keep getting mails from logcheck I don't know how to deal
with.
The reported errors are:
"sm-mta[15148]: STARTTLS=client, relay=smtpin.rzone.de., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256".
Hi Berta,
This mail you just sent came from:
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.smtp.rzone.de", Issuer "TeleSec ServerPass DE-2" (not verified))
Do you forward mail from your relay to an account on the same email provider? (Do you forward to the same email address you sent this mail from?)
If so, then it looks like your email provider has its TLS misconfigured. (It looks to me like they don't return any certificates at all.)
Here are the certificates in question: https://www.telesec.de/en/serverpass-en/support/download-area/category/74- telesec-serverpass-de-2
It appears that compatibility with sendmail is not a priority: https://www.telesec.de/en/serverpass-en/support/root-compatibility
Or perhaps TLS is misconfigured on your sendmail instance.
Or there's some kind of certificate chain error, where your server does not believe the root certificate that signed the smtp.rzone.de certificate.
In any case, it's nothing to do with Tor.
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
On 24 Nov. 2016, at 02:18, Tristan supersluether@gmail.com wrote:
Relay=smtpin.rzone.de
Client CN is *.smtp.rzone.de
Maybe just a syntax error using smtpin instead of smtp?
No, smtpin.rzone.de is the correct MX for gieselbusch.de, it's exactly what sendmail should be using to forward to any address at that domain:
$ dig MX gieselbusch.de
; <<>> DiG 9.8.3-P1 <<>> MX gieselbusch.de ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5602 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION: ;gieselbusch.de. IN MX
;; ANSWER SECTION: gieselbusch.de. 150 IN MX 5 smtpin.rzone.de.
;; ADDITIONAL SECTION: smtpin.rzone.de. 1724 IN A 81.169.145.97
Tim
On Nov 23, 2016 2:06 AM, "teor" teor2345@gmail.com wrote:
On 23 Nov. 2016, at 18:25, Berta Gieselbusch berta@gieselbusch.de wrote:
Good morning,
I've setup my first relay. Until now everything seems to be working fine, but I keep getting mails from logcheck I don't know how to deal with.
The reported errors are:
"sm-mta[15148]: STARTTLS=client, relay=smtpin.rzone.de., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256".
Hi Berta,
This mail you just sent came from:
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.smtp.rzone.de", Issuer "TeleSec ServerPass DE-2" (not verified))
Do you forward mail from your relay to an account on the same email provider? (Do you forward to the same email address you sent this mail from?)
If so, then it looks like your email provider has its TLS misconfigured. (It looks to me like they don't return any certificates at all.)
Here are the certificates in question: https://www.telesec.de/en/serverpass-en/support/download-area/category/74-te...
It appears that compatibility with sendmail is not a priority: https://www.telesec.de/en/serverpass-en/support/root-compatibility
Or perhaps TLS is misconfigured on your sendmail instance.
Or there's some kind of certificate chain error, where your server does not believe the root certificate that signed the smtp.rzone.de certificate.
In any case, it's nothing to do with Tor.
T
-- Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP C855 6CED 5D90 A0C5 29F6 4D43 450C BA7F 968F 094B ricochet:ekmygaiu4rzgsk6n xmpp: teor at torproject dot org
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays _______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
T
Hey,
exactly, it's the same address.
Thank you for your detailed answer.
Unfortunately I don't know how TLS should be setup, so I wouldn't be able to find the mistake by my own.
On the other hand, I don't think it's (in my case) a really bad security problem. So I can deal with it.
Unfortunately I've to consider to close the relay because it's a vserver and numtcpsock is quit low (550). :-|
Have a nice day,
Berta
teor:
On 23 Nov. 2016, at 18:25, Berta Gieselbusch berta@gieselbusch.de wrote:
Good morning,
I've setup my first relay. Until now everything seems to be working fine, but I keep getting mails from logcheck I don't know how to deal with.
The reported errors are:
"sm-mta[15148]: STARTTLS=client, relay=smtpin.rzone.de., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256".
Hi Berta,
This mail you just sent came from:
Received: from mo6-p00-ob.smtp.rzone.de (mo6-p00-ob.smtp.rzone.de [IPv6:2a01:238:20a:202:5300::8]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "*.smtp.rzone.de", Issuer "TeleSec ServerPass DE-2" (not verified))
Do you forward mail from your relay to an account on the same email provider? (Do you forward to the same email address you sent this mail from?)
If so, then it looks like your email provider has its TLS misconfigured. (It looks to me like they don't return any certificates at all.)
Here are the certificates in question: https://www.telesec.de/en/serverpass-en/support/download-area/category/74-te...
It appears that compatibility with sendmail is not a priority: https://www.telesec.de/en/serverpass-en/support/root-compatibility
Or perhaps TLS is misconfigured on your sendmail instance.
Or there's some kind of certificate chain error, where your server does not believe the root certificate that signed the smtp.rzone.de certificate.
In any case, it's nothing to do with Tor.
T
tor-relays@lists.torproject.org