OpenSSL errors?

From The Network People, Inc. - Wiki

OpenSSL errors

Q. Hi,

I have a user that received a failure notice while trying to send mail. Here is the interesting part:

   TLS connection to 70.84.121.108 died: error:00000000:lib(0):func(0):reason(0)
   I'm not going to try again; this message has been in the queue too long.

Some fail, some mail would get delivered many days later. Mail tests that I have sent the last few days and today are right on. I only seem to see this issue with the above host.

Any idea on what this might be and how do I tell if it's my end or their end that's the issue?

It's a pretty old toaster on my end (3.4) yeah I know... it's in the works ;)


A. There were some issues with TLS and old Mail Toasters, but typically the problem was that OpenSSL was upgraded and qmail was not (and thus the issues). Upgrading OpenSSL and the latest toasterized qmail will likely fix it.

Unless it is the remote server that has the problem. In that case, you can turn off TLS for that host. See this man page: http://inoa.net/qmail-tls/qmail-remote.txt

Matt


TLS Error

I sat here baffled by this one and figured it out only by process of elimination.

I installed a new toaster, everything seemed fairly OK, until I tried sending mail to it from another toaster. In the logs of the originating toaster I was getting:

   deferral: TLS_connect_failed:_error:0D07209B:asn1_encoding_routines:ASN1_get_object:too_longZConnected_to_61.71.61.81_but_connection_died (etc..)

I basically found nothing on the internet about this, hence my posting it here for the greater good.

I was getting similarly odd (though very different) errors trying to send mail from Thunderbird, something about not being able to find any encryption protocol in common.

Thinking it was a certificate problem, I tried the same cert with Courier and it went swimmingly. It was only when I discovered that submit works and smtp didn't that I compared the two run files and started disabling things.

It turns out that having fixcrio enabled was the problem.

fixcrio sounded like a good idea, but it seems that its functionality just destroys TLS. I didn't see this documented anywhere, so here it is.

-jerm
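
Both log messages quoted on this page carry an OpenSSL error code. As an added example (not part of the original posts or of the Mail Toaster project), the script below pulls the remote IP and error code out of qmail TLS failure lines, unpacks the code into its lib/func/reason fields, and counts failures per remote host, which can help separate one misbehaving remote server from a local problem. It assumes the pre-3.0 OpenSSL error-code layout; the sample log, regexes and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the two log messages quoted on this page, one of them repeated.
SAMPLE_LOG = """\
TLS connection to 70.84.121.108 died: error:00000000:lib(0):func(0):reason(0)
deferral: TLS_connect_failed:_error:0D07209B:asn1_encoding_routines:ASN1_get_object:too_longZConnected_to_61.71.61.81_but_connection_died
deferral: TLS_connect_failed:_error:0D07209B:asn1_encoding_routines:ASN1_get_object:too_longZConnected_to_61.71.61.81_but_connection_died
"""

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
IP_RE = re.compile(r"(?:connection to |Connected_to_)(\d{1,3}(?:\.\d{1,3}){3})")


def unpack_error(code_hex):
    """Split an OpenSSL error code into (lib, func, reason).

    Assumption: the pre-3.0 layout of 8 bits lib, 12 bits func, 12 bits reason.
    """
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_line(line):
    """Return a dict describing one TLS failure line, or None if it is not one."""
    err, ip = ERR_RE.search(line), IP_RE.search(line)
    if not (err and ip and "TLS" in line):
        return None
    lib, func, reason = unpack_error(err.group(1))
    return {"ip": ip.group(1), "code": err.group(1).upper(),
            "lib": lib, "func": func, "reason": reason,
            # Code 0 means OpenSSL's error queue was empty: the library
            # itself recorded no reason for the failure.
            "empty_queue": (lib, func, reason) == (0, 0, 0)}


def failures_by_host(log_text):
    """Count TLS failures per (remote IP, error code)."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["ip"], rec["code"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (ip, code), n in sorted(failures_by_host(SAMPLE_LOG).items()):
        print(f"{ip}  error:{code}  lib/func/reason={unpack_error(code)}  x{n}")
```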