
Deferred 403 4.7.0 TLS handshake failed


markr...@gmail.com

Jun 26, 2023, 6:25:46 PM
I'm now using sendmail that only supports TLSv1.2 and 1.3. My old one used TLSv1/SSLv3.

In any event, I've now encountered 2 small email servers (I think personal ones) that our server couldn't send email to. The emails get stuck in the outgoing queue with the error message:

403 4.7.0 TLS handshake failed

I had to put Try_TLS NO entries for them in /etc/access, in order for the email to be sent out.

Is there any other way to deal with this issue? Thanks.

Thanks. - Mark

Claus Aßmann

Jun 27, 2023, 1:41:20 AM
markr...@gmail.com wrote:
> I'm now using sendmail that only supports TLSv1.2 and 1.3 My old one

Why?

> 403 4.7.0 TLS handshake failed

> Is there any other way to deal with this issue? Thanks.

Don't restrict the TLS versions.

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Marco Moock

Jun 27, 2023, 2:17:59 AM

On 27.06.2023 at 01:41:18, Claus Aßmann wrote:

> markr...@gmail.com wrote:
> > I'm now using sendmail that only supports TLSv1.2 and 1.3 My old
> > one
>
> Why?

Older SSL versions are treated as insecure, so many administrators disable
them.

I dunno if every OpenSSL build shipped with various operating systems
still supports the old SSL and TLS versions or if they simply removed
them because only a small number of people rely on them.

markr...@gmail.com

Jun 29, 2023, 1:58:50 AM
On Tuesday, June 27, 2023 at 2:17:59 AM UTC-4, Marco Moock wrote:
> Am 27.06.2023 um 01:41:18 Uhr schrieb Claus Aßmann:
>
> > markr...@gmail.com wrote:
> > > I'm now using sendmail that only supports TLSv1.2 and 1.3 My old one
> >
> > Why?
> Older SSL versions are treated insecure, so many administrators disable them.

You are correct. The problem is with openssl. Unless compiled manually, sslv3 is not available any longer as
shipped with ubuntu.

I can fix outgoing emails using the Try_TLS feature in /etc/access. But that doesn't seem to help incoming connections. I get these error messages:

Jun 29 01:46:26 psfcmail2 sm-mta[1374683]: STARTTLS=server, error: accept failed=-1, reason=no suitable signature algorithm, SSL_error=1, errno=0, retry=-1, relay

I guess I'm just going to ignore them, since there are so few sites that are causing a problem.

Marco Moock

Jun 29, 2023, 2:34:26 AM

On 28.06.2023, "markr...@gmail.com" <markr...@gmail.com> wrote:

> On Tuesday, June 27, 2023 at 2:17:59 AM UTC-4, Marco Moock wrote:
> > Am 27.06.2023 um 01:41:18 Uhr schrieb Claus Aßmann:
> >
> > > markr...@gmail.com wrote:
> > > > I'm now using sendmail that only supports TLSv1.2 and 1.3 My
> > > > old one
> > >
> > > Why?
> > Older SSL versions are treated insecure, so many administrators
> > disable them.
>
> You are correct. The problem is with openssl. Unless compiled
> manually, sslv3 is not available any longer as shipped with ubuntu.
>
> I can fix outgoing emails using the Try_TLS feature in /etc/access.

Maybe also look at confTLS_FALLBACK_TO_CLEAR.

> But that doesn't seem to help incoming connections. I get these
> error messages:
>
> Jun 29 01:46:26 psfcmail2 sm-mta[1374683]: STARTTLS=server, error:
> accept failed=-1, reason=no suitable signature algorithm,
> SSL_error=1, errno=0, retry=-1, relay

In access_db:
Srv_Features:mailout.domain.com S
https://sendmaid.org/21-sslv3-in-sendmail-abschalten

Although, they control their TLS settings. They might refuse to connect
to you at all if TLS isn't available and they enforce the usage of TLS.
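The two access-map mechanisms discussed in this thread, side by side, as an added illustration that is not part of any post above. Hostnames, the address and the file paths are placeholders; the client-side fallback option belongs in sendmail.mc, not in the access file, so it appears here only as a comment.

```text
# /etc/mail/access  (constructed example; peer names/addresses are placeholders)
# After editing, rebuild the map:  makemap hash /etc/mail/access < /etc/mail/access
#
# --- Outgoing mail (we are the TLS client) --------------------------------
# Try_TLS:<peer> NO  tells sendmail not to issue STARTTLS when *we* connect
# to that peer, so the 403 4.7.0 "TLS handshake failed" deferral never
# happens for it. Keyed by the remote server's hostname (an IP also works).
Try_TLS:mail.legacy.example.net        NO
#
# Instead of listing every broken peer, the client can be told to retry in
# clear text after any failed handshake. That is a sendmail.mc setting:
#     define(`confTLS_FALLBACK_TO_CLEAR', `True')dnl
# It silences the deferrals globally, at the cost of silently sending in
# clear text to any peer whose TLS breaks, so list-based Try_TLS entries
# are the narrower choice when only a couple of peers are affected.
#
# --- Incoming mail (we are the TLS server) --------------------------------
# Try_TLS has no effect on connections the peer opens to us; that is what
# the "STARTTLS=server, error: accept failed ... no suitable signature
# algorithm" log lines are. Srv_Features with flag S makes sendmail not
# advertise STARTTLS to that client, so it delivers in clear text instead
# of failing the handshake. Keyed by the connecting client's name or IP.
Srv_Features:mail.legacy.example.net   S
Srv_Features:192.0.2.10                S
#
# Either direction: mail to/from these peers now crosses the wire
# unencrypted, and a peer that *requires* TLS will refuse the session
# outright rather than fall back.
```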
