I observe a strange SSL error with my qmail installation. From what I could tell after Googling around, the certificate on the remote server is probably wrong. My certificates were generated by Gentoo ebuild scripts using openssl.

This is what I have in qmail-send/current:

@40000000446abde912916524 starting delivery 46: msg 7846309 to remote nobody@traveller.cz
@40000000446abde9129178ac status: local 0/10 remote 1/20
@40000000446abde927487afc delivery 46: deferral: TLS_connect_failed:_error:14094417:SSL_routines:SSL3_READ_BYTES:sslv3_alert_illegal_parameter;_connected_to_193.85.2.77./
@40000000446abde92748926c status: local 0/10 remote 0/20

$ openssl s_client -starttls smtp -connect 193.85.2.77:25
CONNECTED(00000003)
depth=1 /C=CZ/ST=Czech Republic/L=Prague/O=KPNQwest Czechia s.r.o./OU=Technical Department/CN=NOC Root CA/emailAddress=noc@kpnqwest.cz
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=CZ/ST=Czech Republic/L=Prague/O=GTS Czech a.s. - ICO63999501 - DIC004-63999501/OU=IPND/CN=prg.traveller.cz/emailAddress=hostmaster@cz.net
   i:/C=CZ/ST=Czech Republic/L=Prague/O=KPNQwest Czechia s.r.o./OU=Technical Department/CN=NOC Root CA/emailAddress=noc@kpnqwest.cz
 1 s:/C=CZ/ST=Czech Republic/L=Prague/O=KPNQwest Czechia s.r.o./OU=Technical Department/CN=NOC Root CA/emailAddress=noc@kpnqwest.cz
   i:/C=CZ/ST=Czech Republic/L=Prague/O=KPNQwest Czechia s.r.o./OU=Technical Department/CN=NOC Root CA/emailAddress=noc@kpnqwest.cz
---
Server certificate
subject=/C=CZ/ST=Czech Republic/L=Prague/O=GTS Czech a.s. - ICO63999501 - DIC004-63999501/OU=IPND/CN=prg.traveller.cz/emailAddress=hostmaster@cz.net
issuer=/C=CZ/ST=Czech Republic/L=Prague/O=KPNQwest Czechia s.r.o./OU=Technical Department/CN=NOC Root CA/emailAddress=noc@kpnqwest.cz
---
Acceptable client certificate CA names
/C=CZ/ST=Czech Republic/L=Prague/O=KPNQwest Czechia s.r.o./OU=Technical Department/CN=NOC Root CA/emailAddress=noc@kpnqwest.cz
---
SSL handshake has read 2597 bytes and written 317 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 0709DF21538485B73840882BB96A9F5837E6E1FCCFBB0ACE9DA152473570E42C
    Session-ID-ctx:
    Master-Key: 9076D79B03582D40343263B478DE7A74BBD52846C435AFA47B2FD6D85853C86C941563D0C174915719819D046A44B231
    Key-Arg   : None
    Start Time: 1147857712
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250-prg.traveller.cz Hello r3az252.chello.upc.cz [213.220.243.252], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 20000000
250-DSN
250-AUTH DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
DONE
^D
$

http://sendmail.org/~ca/email/starttls.html
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=77225
man SSL_alert_type_string
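For triaging deferrals like the one in the report above, the following added example (not part of the original report, and not qmail or Gentoo code) parses qmail-send log lines, converts the TAI64N timestamp, and unpacks the OpenSSL error code to show that 14094417 carries TLS alert 47 received from the peer. It assumes the pre-3.0 OpenSSL error packing and the daemontools TAI64 offset of 2^62 + 10; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Sample input: the two delivery lines quoted in the report above.
SAMPLE = """\
@40000000446abde912916524 starting delivery 46: msg 7846309 to remote nobody@traveller.cz
@40000000446abde927487afc delivery 46: deferral: TLS_connect_failed:_error:14094417:SSL_routines:SSL3_READ_BYTES:sslv3_alert_illegal_parameter;_connected_to_193.85.2.77./
"""

# Assumption: daemontools convention, label = 2^62 + 10 + Unix seconds.
TAI64_EPOCH = (1 << 62) + 10
ERR_LIB_SSL = 20          # OpenSSL library number for libssl
ALERT_REASON_OFFSET = 1000  # SSL reasons >= 1000 are alerts sent by the peer
# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          45: "certificate_expired", 47: "illegal_parameter", 48: "unknown_ca"}

START = re.compile(r"^@([0-9a-f]{24}) starting delivery (\d+): msg \d+ to remote (\S+)")
DEFER = re.compile(r"^@([0-9a-f]{24}) delivery (\d+): deferral: TLS_connect_failed:"
                   r"_error:([0-9A-Fa-f]{8}):.*?_connected_to_(\d+(?:\.\d+){3})\./")

def tai64n_to_utc(label):
    """First 16 hex digits of a TAI64N label are the seconds field."""
    secs = int(label[:16], 16) - TAI64_EPOCH
    return datetime.fromtimestamp(secs, tz=timezone.utc)

def decode_ssl_error(hexcode):
    """Unpack lib (8 bits) / func (12 bits) / reason (12 bits), pre-3.0 layout."""
    code = int(hexcode, 16)
    lib, reason = code >> 24, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= ALERT_REASON_OFFSET:
        alert = reason - ALERT_REASON_OFFSET
    return {"lib": lib, "reason": reason, "peer_alert": ALERTS.get(alert, alert)}

def tls_deferrals(log_text):
    """Return one record per TLS_connect_failed deferral, joined to its recipient."""
    recipients, out = {}, []
    for line in log_text.splitlines():
        if m := START.match(line):
            recipients[m[2]] = m[3]
        elif m := DEFER.match(line):
            out.append({"when": tai64n_to_utc(m[1]), "rcpt": recipients.get(m[2]),
                        "peer": m[4], **decode_ssl_error(m[3])})
    return out

if __name__ == "__main__":
    for rec in tls_deferrals(SAMPLE):
        print(rec)
```

A non-empty peer_alert means the remote server aborted the handshake with that alert, so the next check belongs on the remote side's TLS setup rather than on the local qmail certificates.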
This also happens with netqmail-1.05-r2.
Same issue with mail-mta/netqmail-1.05-r4.
Please supply a fix for the script then. Other than that, it works for me and many others.
If I understood well the problem is certificate on the remote side.
(In reply to comment #4)
> If I understood well the problem is certificate on the remote side.

Please report the problem to upstream. We distribute unmodified patches with netqmail, so we haven't caused it. Maybe also the remote site is broken. Ever thought of that?
"the problem is certificate on the remote side" ;)
(In reply to comment #6)
> "the problem is certificate on the remote side" ;)

Err, yes. Anyway, please get in contact with the remote site and try to figure out where exactly the problem lies. There's nothing we (Gentoo) could fix here.
It turned out the remote certificate has expired.