Home / server / Questions / 559536
Accepted
Spacedust
Asked: 2013-12-06 11:10:54 +0800 CST

TLS connect failed: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac while sending mail via Qmail

  • 772

I'm trying to send e-mail to one of the biggest polish hosting companies and their servers are refusing to receive it with message:

TLS connect failed: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac; connected to 89.161.199.168.
I'm not going to try again; this message has been in the queue too long.

I've contacted this company and got reply:

"Our verification showed that server mail.domainhere.pl is trying to connect to our server via SSL/TLS protocol. Such form of connection is not supported by our server, but I would like to note that our servers are configured properly and match current RFC standards. The following method of establishing connection is non-standard for communication between the servers."

I'm using Qmailtoaster on CentOS 6.5 64-bit. It happens even if I don't use SSL in my mail client !

Example of my SMTP config:

    #!/bin/sh

QMAILDUID=`id -u qmaild`
NOFILESGID=`id -g qmaild`
MAXSMTPD=`cat /var/qmail/control/concurrencyincoming`
BLACKLIST=`cat /var/qmail/control/blacklists`
SMTPD="/var/qmail/bin/qmail-smtpd"
TCP_CDB="/etc/tcprules.d/tcp.smtp.cdb"
RBLSMTPD="/usr/bin/rblsmtpd"
HOSTNAME=`hostname`
VCHKPW="/home/vpopmail/bin/vchkpw"
RECORDIO="/usr/bin/recordio"

### MR -- incresing SOFTLIMITVAR if not enough (example: because 'login fail')
if [ `uname -m` = 'x86_64' ] ; then
        SOFTLIMITVAR="72000000"
else
        SOFTLIMITVAR="18000000"
fi

IP=0
PORT=25

### MR -- SSL must using SMTPS=1 and SSL=1 but non-SSL only SSL=0 (without SMTPS=0)
export SMTPAUTH="!" \
        SSL=0 \
        REQUIRE_AUTH=0 \
        FORCE_TLS=0 \
        DENY_TLS=0 \
        AUTH=1 \
        REQUIRE_AUTH=0 \
        ALLOW_INSECURE_AUTH=1

### MR -- spamhaus.org recommended for not using $RBLSMTPD $BLACKLIST entry before $SMTPD
exec /usr/bin/softlimit -m $SOFTLIMITVAR \
        /usr/bin/tcpserver -v -R -H -l $HOSTNAME -x $TCP_CDB -c "$MAXSMTPD" \
        -u "$QMAILDUID" -g "$NOFILESGID" $IP $PORT $RECORDIO \
        $SMTPD $VCHKPW /bin/true 2>&1

How to correct this ?

smtp

2 Answers

  1. If /var/qmail/control/notlshosts/host.dom.ain is present, no TLS is tried on this host.

    add a file with the name of the mx domain you're sending to to /var/qmail/control/notlshosts/ to disable TLS only for that domain.

    (if notlshosts does not exists):

    mkdir /var/qmail/control/notlshosts

    then, create file:

    touch /var/qmail/control/notlshosts/example.com

    edit: Superbiji is correct, file name should be the mx hostname of the domain, not just the domain.

    so

    touch /var/qmail/control/notlshosts/mx.example.com

    is a more fitting example, or whatever 

    dig example.com MX

    returns

    • 2
  2. Best Answer

    Solution is very simple:

    mkdir /var/qmail/control/tlshosts/exhaustivelist

    This will turn off TLS for all domains:

       tlshosts/exhaustivelist
        if this file exists no TLS will  be  tried  on  hosts
        other than those for which a file tlshosts/<FQDN>.pem
        exists.

    There is no even need to restart qmail ;)

    • 1