
SSL Error version 3.x


olecoot


Since upgrading to version 3.x (one is Linux and one is Windows), I have not been receiving the CPU load emails that are sent out daily. Checking the logs on the email server, I find there is an SSL error message. What has changed in the new version of PBXnSIP that deals with SSL/TLS? All of our version 2.x servers use the same email server and the CPU load emails have been coming through just fine.

 

Error:

 

Aug 28 07:26:06 server2 sendmail[3543]: NOQUEUE: connect from client.domain.com [111.111.111.111]

Aug 28 07:26:06 server2 sendmail[3543]: AUTH: available mech=ANONYMOUS LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: Milter: no active filter

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 220 server2.host-domain.net ESMTP Sendmail 8.13.8/8.13.8; Thu, 28 Aug 2008 07:26:06 -0500

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: <-- EHLO localhost

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-server2.host-domain.net Hello client.domain.com [111.111.111.111], pleased to meet you

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-ENHANCEDSTATUSCODES

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-PIPELINING

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-8BITMIME

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-SIZE

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-DSN

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-ETRN

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-STARTTLS

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250-DELIVERBY

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 250 HELP

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: <-- STARTTLS

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 220 2.0.0 Ready to start TLS

Aug 28 07:26:06 server2 sendmail[3543]: STARTTLS=server, info: fds=7/4, err=1

Aug 28 07:26:06 server2 sendmail[3543]: STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1

Aug 28 07:26:06 server2 sendmail[3543]: STARTTLS=server: 3543:error:14089106:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:wrong message type:s3_srvr.c:2395:

Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: client.domain.com [111.111.111.111] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Link to comment
Share on other sites

We are looking into this. There is a problem somewhere.

 

Could it have anything to do with <http_cert_file/> <http_tls_web/> in the pbx.xml file? These are not set, obviously.

 

Voice mail messages are being sent through the server to customer email servers without issue. I am receiving system messages such as CPU Limit, for example.

Link to comment
Share on other sites

I think most SMTP servers do not require a client certificate, so I don't think that is the problem. We just need a test account then we can give it a try.

Link to comment
Share on other sites

New development!

 

Discovered that the Windows version that is working is 3.0.0.2990 (Win32) ---- able to send messages

 

Linux version that is 3.0.0.2998 (Linux) ---- getting the error messages

 

Hope this helps

Link to comment
Share on other sites

I think the error was found (another thread), check out version http://pbxnsip.com/protect/pbxctrl-3.0.1.3012.exe.

Link to comment
Share on other sites

??? Still the 503 message ???

 

Are you sure the upgrade worked? Do you see the build number in the status screen?

 

 

Build number from the status screen 3.0.1.3012 (Linux).

 

 

When I try to use the "try me" link from the domain settings page or an attempt to send message as email:

 

Sep 2 06:52:45 appsvr-2 sendmail[32655]: NOQUEUE: connect from host.testdomain.net [xx.xx.xxx.xx]

Sep 2 06:52:45 appsvr-2 sendmail[32655]: AUTH: available mech=ANONYMOUS LOGIN PLAIN, allowed mech=EXTERNAL GSSAPI KERBEROS_V4 DIGEST-MD5 CRAM-MD5

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: Milter: no active filter

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 220 appsvr-2.domain.com ESMTP Sendmail 8.13.8/8.13.8; Tue, 2 Sep 2008 06:52:45 -0500

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: <-- EHLO localhost

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-appsvr-2.domain.com Hello host.testdomain.net [xx.xx.xx.xx], pleased to meet you

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-ENHANCEDSTATUSCODES

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-PIPELINING

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-8BITMIME

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-SIZE

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-DSN

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-ETRN

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-STARTTLS

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250-DELIVERBY

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 250 HELP

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: <-- STARTTLS

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: --- 220 2.0.0 Ready to start TLS

Sep 2 06:52:45 appsvr-2 sendmail[32655]: STARTTLS=server, info: fds=7/4, err=1

Sep 2 06:52:45 appsvr-2 sendmail[32655]: STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1

Sep 2 06:52:45 appsvr-2 sendmail[32655]: STARTTLS=server: 32655:error:14089106:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:wrong message type:s3_srvr.c:2395:

Sep 2 06:52:45 appsvr-2 sendmail[32655]: m82Bqjcx032655: host.testdomain.net [xx.xx.xx.xx] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

 

The server continues to attempt until I delete the message from the spool directory.

 

I only have one other server that is on version 3.0 (win32) that was upgraded accidentally due to the packaging error. It is rev. 3.0.0.2990 and seems to be playing nicely with the same email server.

 

Edited to add: all of the Windows servers will be migrated to Linux eventually so it is of most importance that 3.0 works properly.

Link to comment
Share on other sites

OK. So for now, the work around is to disable TLS for the version 3.x problem server. This was done by putting the following line in the sendmail access file:

 

Srv_Features:Sever.sending-mail.com S

 

I can now receive CDRs and messages attached to emails from the server. As stated above, this is a work around while waiting for the fix.

Link to comment
Share on other sites

Okay, we analyzed the problem. The SMTP server requests a client certificate from the PBX and what the PBX sends does not make the server happy. Is it an option to put a certificate on the PBX that the server trusts? You don't have to buy a certificate; if you can generate your own organization certificate and make the SMTP server trust your organization's CA, then the problem should disappear.

 

But I think it makes sense to add an option to turn the SSL support off in email. Seems to be a major pain in the neck.

Link to comment
Share on other sites
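Added example, not part of the thread and not PBXnSIP or sendmail code: a small triage script for sendmail traces like the ones posted above. It groups lines by sendmail process ID, reports clients whose STARTTLS handshake failed before any MAIL command, and splits the OpenSSL error code using the pre-3.0 packing (8 bits library, 12 bits function, 12 bits reason). The second session in the sample and all function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict
# Constructed sample: session 3543 is abridged from the thread; 3601 is made up.
SAMPLE_LOG = """\
Aug 28 07:26:06 server2 sendmail[3543]: NOQUEUE: connect from client.domain.com [111.111.111.111]
Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: <-- STARTTLS
Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: --- 220 2.0.0 Ready to start TLS
Aug 28 07:26:06 server2 sendmail[3543]: STARTTLS=server, error: accept failed=-1, SSL_error=1, errno=0, retry=-1
Aug 28 07:26:06 server2 sendmail[3543]: STARTTLS=server: 3543:error:14089106:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:wrong message type:s3_srvr.c:2395:
Aug 28 07:26:06 server2 sendmail[3543]: m7SCQ6Zn003543: client.domain.com [111.111.111.111] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Aug 28 07:30:10 server2 sendmail[3601]: NOQUEUE: connect from other.domain.com [111.111.111.112]
Aug 28 07:30:10 server2 sendmail[3601]: m7SCU0Zn003601: <-- STARTTLS
Aug 28 07:30:10 server2 sendmail[3601]: m7SCU0Zn003601: --- 220 2.0.0 Ready to start TLS
Aug 28 07:30:11 server2 sendmail[3601]: m7SCU0Zn003601: <-- MAIL FROM:<pbx@other.domain.com>
"""

LINE = re.compile(r"sendmail\[(\d+)\]: (.*)$")
CONNECT = re.compile(r"connect from (\S+) \[")
SSLERR = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):([^:]*):")

def unpack_err(code_hex):
    """Split a pre-3.0 OpenSSL error code into (lib, func, reason) numbers."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def triage(log_text):
    """Build one record per sendmail PID (assumes no PID reuse in the window)."""
    sessions = defaultdict(lambda: {"client": None, "starttls": False,
                                    "tls_error": None, "mail": False, "abandoned": False})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s, msg = sessions[m.group(1)], m.group(2)
        if (c := CONNECT.search(msg)):
            s["client"] = c.group(1)
        elif msg.endswith("<-- STARTTLS"):      # client command, not the 250 banner
            s["starttls"] = True
        elif (e := SSLERR.search(msg)):
            s["tls_error"] = {"func": e.group(2), "reason": e.group(3),
                              "numeric": unpack_err(e.group(1))}
        elif "<-- MAIL " in msg:
            s["mail"] = True
        elif "did not issue MAIL" in msg:
            s["abandoned"] = True
    return dict(sessions)

def failed_handshakes(sessions):
    """Clients that issued STARTTLS, hit a TLS error and never sent MAIL."""
    return {s["client"]: s["tls_error"] for s in sessions.values()
            if s["starttls"] and s["tls_error"] and not s["mail"]}
```

A failure in `SSL3_GET_CLIENT_CERTIFICATE` places the error at the point where the server is reading the client's answer to its certificate request, which matches the analysis in the post above.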

Generating a certificate was the next step if the "work around" did not function as planned. I will agree however, that the ability to disable SSL support would be a good idea.

 

Out of curiosity, how is it that my Windows server that is at an earlier version of 3.x (3.0.0.2990) is able to send through the same email server? Could it be that SSL support in that version is off by default?

 

Thank you for your help!

Link to comment
Share on other sites

Yes, SSL was introduced after this. Before, all emails were sent in plain text.

 

The next version will have a hidden global setting where we can turn the SSL support off for SMTP. In trusted datacenter environments it should be okay, and even more efficient.

Link to comment
Share on other sites
