olecoot
Posted August 28, 2008

Since upgrading to version 3.x (one is Linux and one is Windows), I have not been receiving the CPU load emails that are sent out daily. Checking the logs on the email server, I find there is an SSL error message. What has changed in the new version of PBXnSIP that deals with SSL/TLS? All of our version 2.x servers use the same email server and the CPU load emails have been coming through just fine.

Error:

    Aug 28 07:26:06 server2 sendmail[3543]: NOQUEUE: connect from client.domain.com [111.111.111.111]
    Aug 28 07:26:06 server2 sendmail[3543]: AUTH: available mech=ANONYMOUS LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: Milter: no active filter
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 220 server2.host-domain.net ESMTP Sendmail 8.13.8/8.13.8; Thu, 28 Aug 2008 07:26:06 -0500
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: <-- EHLO localhost
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-server2.host-domain.net Hello client.domain.com [111.111.111.111], pleased to meet you
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-ENHANCEDSTATUSCODES
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-PIPELINING
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-8BITMIME
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-SIZE
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-DSN
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-ETRN
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-STARTTLS
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-DELIVERBY
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250 HELP
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: <-- STARTTLS
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 220 2.0.0 Ready to start TLS
    Aug 28 07:26:06 server2 sendmail[3543]: STARTTLS=server, info: fds=7/4, err=1
    Aug 28 07:26:06 server2 sendmail[3543]: STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1
    Aug 28 07:26:06 server2 sendmail[3543]: STARTTLS=server: 3543:error:14089106:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:wrong message type:s3_srvr.c:2395:
    Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: client.domain.com [111.111.111.111] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Vodia PBX
Posted August 28, 2008

We are looking into this. There is a problem somewhere.

olecoot
Posted August 28, 2008

> We are looking into this. There is a problem somewhere.

Could it have anything to do with <http_cert_file/> <http_tls_web/> in the pbx.xml file? These are not set, obviously.

Voice mail messages are being sent through the server to customer email servers without issue. I am receiving system messages such as CPU Limit, for example.

Vodia PBX
Posted August 28, 2008

> Could it have anything to do with <http_cert_file/> <http_tls_web/> in the pbx.xml file? These are not set, obviously.
>
> Voice mail messages are being sent through the server to customer email servers without issue. I am receiving system messages such as CPU Limit, for example.

I think most SMTP servers do not require a client certificate, so I don't think that is the problem. We just need a test account then we can give it a try.

olecoot
Posted August 29, 2008

> I think most SMTP servers do not require a client certificate, so I don't think that is the problem. We just need a test account then we can give it a try.

New development! Discovered that the

Windows version that is working is 3.0.0.2990 (Win32) ---- able to send messages
Linux version that is 3.0.0.2998 (Linux) ---- getting the error messages

Hope this helps

Vodia PBX
Posted August 29, 2008

> New development! Discovered that the
>
> Windows version that is working is 3.0.0.2990 (Win32) ---- able to send messages
> Linux version that is 3.0.0.2998 (Linux) ---- getting the error messages
>
> Hope this helps

I think the error was found (another thread), check out version http://pbxnsip.com/protect/pbxctrl-3.0.1.3012.exe.

olecoot
Posted August 29, 2008

> I think the error was found (another thread), check out version http://pbxnsip.com/protect/pbxctrl-3.0.1.3012.exe.

I don't really want to touch the Windows Server right now. Live customers. The Linux server is a test server. Is there a RedHat Linux update?

Vodia PBX
Posted August 30, 2008

> I don't really want to touch the Windows Server right now. Live customers. The Linux server is a test server. Is there a RedHat Linux update?

Try http://pbxnsip.com/protect/pbxctrl-rhes4-3.0.1.3012.

olecoot
Posted September 2, 2008

> Try http://pbxnsip.com/protect/pbxctrl-rhes4-3.0.1.3012.

Still receiving the same error after applying new build.

Vodia PBX
Posted September 2, 2008

> Still receiving the same error after applying new build.

??? Still the 503 message ??? Are you sure the upgrade worked? Do you see the build number in the status screen?

olecoot
Posted September 2, 2008

> ??? Still the 503 message ??? Are you sure the upgrade worked? Do you see the build number in the status screen?

Build number from the status screen 3.0.1.3012 (Linux).

When I try to use the "try me" link from the domain settings page or an attempt to send message as email:

    Sep 2 06:52:45 appsvr-2 sendmail[32655]: NOQUEUE: connect from host.testdomain.net [xx.xx.xxx.xx]
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: AUTH: available mech=ANONYMOUS LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: Milter: no active filter
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 220 appsvr-2.domain.com ESMTP Sendmail 8.13.8/8.13.8; Tue, 2 Sep 2008 06:52:45 -0500
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: <-- EHLO localhost
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-appsvr-2.domain.com Hello host.testdomain.net [xx.xx.xx.xx], pleased to meet you
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-ENHANCEDSTATUSCODES
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-PIPELINING
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-8BITMIME
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-SIZE
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-DSN
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-ETRN
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-STARTTLS
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-DELIVERBY
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250 HELP
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: <-- STARTTLS
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 220 2.0.0 Ready to start TLS
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: STARTTLS=server, info: fds=7/4, err=1
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: STARTTLS=server: 32655:error:14089106:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:wrong message type:s3_srvr.c:2395:
    Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: host.testdomain.net [xx.xx.xx.xx] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

The server continues to attempt until I delete the message from the spool directory.

I only have one other server that is on version 3.0 (win32) that was upgraded accidentally due to the packaging error. It is rev. 3.0.0.2990 and seems to be playing nicely with the same email server.

Edited to add: all of the Windows servers will be migrated to Linux eventually so it is of most importance that 3.0 works properly.

olecoot
Posted September 2, 2008

OK. So for now, the work around is to disable TLS for the version 3.x problem server. This was done by putting the following line in the sendmail access file:

    Srv_Features:Sever.sending-mail.com S

I can now receive CDRs and messages attached to emails from the server.

As stated above, this is a work around while waiting for the fix.

Vodia PBX
Posted September 3, 2008

> OK. So for now, the work around is to disable TLS for the version 3.x problem server. This was done by putting the following line in the sendmail access file:
>
>     Srv_Features:Sever.sending-mail.com S
>
> I can now receive CDRs and messages attached to emails from the server.
>
> As stated above, this is a work around while waiting for the fix.

Okay, we analyzed the problem. The SMTP server requests a client certificate from the PBX and what the PBX sends does not make the server happy.

Is it an option to put a certificate on the PBX that the server trusts? You don't have to buy a certificate; if you can generate your own organization certificate and make the SMTP server trust your organization's CA, then the problem should disappear.

But I think it makes sense to add an option to turn the SSL support off in email. Seems to be a major pain in the neck.

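Added example, not part of the thread and not code from the PBX vendor or sendmail: a triage script for the mail server side that ties each OpenSSL error line back to the connecting client by sendmail PID and flags failures in the client-certificate stage, as analysed above. The sample log is constructed from the format quoted in the thread, the function names are hypothetical, and the suggested `V` flag (sendmail's `Srv_Features` option for not requesting a client certificate, which leaves STARTTLS on) is untested against this PBX build.

```python
import re

# Constructed sample, modelled on the sendmail log lines quoted in the thread.
SAMPLE_LOG = """\
Aug 28 07:26:06 server2 sendmail[3543]: NOQUEUE: connect from client.domain.com [111.111.111.111]
Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: <-- STARTTLS
Aug 28 07:26:06 server2 sendmail[3543]: STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1
Aug 28 07:26:06 server2 sendmail[3543]: STARTTLS=server: 3543:error:14089106:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:wrong message type:s3_srvr.c:2395:
Aug 28 07:26:07 server2 sendmail[3544]: NOQUEUE: connect from other.domain.com [111.111.111.112]
Aug 28 07:26:07 server2 sendmail[3544]: m7SCQ7Zn003544: <-- STARTTLS
"""

LINE = re.compile(r"sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"connect from (?P<host>\S+) \[(?P<ip>[^\]]+)\]")
# OpenSSL error string: pid:error:<code>:<library>:<function>:<reason>:<file>:<line>:
SSL_ERR = re.compile(
    r"STARTTLS=server: \d+:error:(?P<code>[0-9A-Fa-f]+):[^:]*:(?P<func>[^:]+):(?P<reason>[^:]+):"
)

def starttls_failures(log_text):
    """Return one record per OpenSSL error, joined to the peer seen on the same PID."""
    peers, failures = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (c := CONNECT.search(msg)):
            peers[pid] = (c["host"], c["ip"])
        elif (e := SSL_ERR.search(msg)):
            host, ip = peers.get(pid, ("unknown", "unknown"))
            failures.append({
                "host": host, "ip": ip, "code": e["code"],
                "func": e["func"], "reason": e["reason"],
                # True when the handshake died while the server awaited a client cert
                "client_cert_stage": "CLIENT_CERTIFICATE" in e["func"],
            })
    return failures

def candidate_access_entries(failures):
    """Per-client access-map lines using 'V' (do not request a client certificate).
    Unlike the thread's 'S' workaround, this keeps the session encrypted.
    Other failure types get no entry and are left for manual review."""
    hosts = {f["host"] for f in failures if f["client_cert_stage"]}
    return [f"Srv_Features:{h}\tV" for h in sorted(hosts)]

if __name__ == "__main__":
    for entry in candidate_access_entries(starttls_failures(SAMPLE_LOG)):
        print(entry)
```
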
olecoot
Posted September 3, 2008

> Okay, we analyzed the problem. The SMTP server requests a client certificate from the PBX and what the PBX sends does not make the server happy.
>
> Is it an option to put a certificate on the PBX that the server trusts? You don't have to buy a certificate; if you can generate your own organization certificate and make the SMTP server trust your organization's CA, then the problem should disappear.
>
> But I think it makes sense to add an option to turn the SSL support off in email. Seems to be a major pain in the neck.

Generating a certificate was the next step if the "work around" did not function as planned. I will agree, however, that the ability to disable SSL support would be a good idea.

Out of curiosity, how is it that my Windows server that is at an earlier version of 3.x (3.0.0.2990) is able to send through the same email server? Could it be that SSL support in that version is off by default?

Thank you for your help!

Vodia PBX
Posted September 3, 2008

> Generating a certificate was the next step if the "work around" did not function as planned. I will agree, however, that the ability to disable SSL support would be a good idea.
>
> Out of curiosity, how is it that my Windows server that is at an earlier version of 3.x (3.0.0.2990) is able to send through the same email server? Could it be that SSL support in that version is off by default?

Yes, SSL was introduced after this. Before, all emails were sent in plain text.

The next version will have a hidden global setting where we can turn the SSL support off for SMTP. In trusted datacenter environments it should be okay, and even more efficient.