Sendmail messages rejected from Microsoft when using TLS

opensslsendmail

I'm going to preface this with a statement that I am no expert in sendmail. I rarely use it, but in this situation I have to for my client.

Background:

A client of mine has a mail server running Debian 7.7, Sendmail 8.14.4, and OpenSSL 1.0.1e. It generates emails (stuff like account reset) and sends them to customers. I'll call it "Server A".

Messages sent from Server A to any mail server at the domain *.outlook.com (which strangely doesn't include @outlook.com messages, those are handled by hotmail) were being deferred due to a failed TLS handshake. This is only a problem for servers owned by Microsoft; everything else is working. The error in the log looked something like:

sendmail[22213]: ruleset=tls_server, arg1=SOFTWARE, relay=mail.protection.outlook.com, reject=403 4.7.0 TLS handshake

sendmail[22213]: s2L9EakQ022098: to=<blah@microsoft.com>, delay=00:00:55, xdelay=00:00:31, mailer=esmtp, pri=181653, relay=mail.protection.outlook.com. [145.123.225.25], dsn=4.0.0, stat=Deferred

Note: These logs are made up because my client doesn't want things copied and pasted less they accidentally leak sensitive data. The information is there, I just typed it by hand so ignore typos, etc.

That was all I could get from the logs, even with the logs on 15 (Beyond that, the system started to become disk bound).

Problem:

A tcpdump of the handshake showed that Server A was connecting to the outlook.com, EHLO went sucessfully, Server A initiated STARTTLS, outlook.com then responded with its certificate chain. All of this went normally.

Then after Server A received the microsoft certificate chain, Server A sent its own client certificate. Outlook.com then dropped the connection.

Our client certificates are self-signed certificates that we use for intraorganizational verification and shouldn't go out to outlook.com.

From my limited knowledge, my best guess is that outlook.com is requesting the client certificate for verification (or at least sendmail thinks its requesting the certificate), which sendmail on Server A is obliging. Outlook.com is then dropping the connection, either because the certificate is invalid or it is not what it was expecting.

Two questions:

Why is sendmail sending the client certificate to outlook.com as part of STARTTLS?
Is there a way that I can prevent sendmail from sending client certificates to servers outside our domain, even if the server requests it? From the experiments I've done, outlook.com will accept the message if I simply ignore the certificate request and send the message.

Before anyone suggests it, I have already created a access map that prevents TLS from connections with some IP addresses associated with Microsoft. This isn't a good permanent solution because I would prefer using TLS, and the list of IP address has to be manually maintained, which is a bother.

Best Answer

Welcome to Serverfault! :-)

Have you explicitly configured SendMail to use TLS? If not, out of the box, SendMail will still try to perform opportunistic TLS operations with a zero-byte client certificate. I assume this is what you're seeing? For more information on this (oddity?) check out @MadHatter's excellent response here: https://serverfault.com/a/514180/21875

So, with that said, I'll respond to your questions in the order they were asked:

Why is sendmail sending the client certificate to outlook.com as part of STARTTLS?

When two MTAs are attempting to establish a secure tunnel for STARTTLS, it's normal for them to negotiate security information and exchange public certificates so they can securely encrypt information to one another. If sendmail didn't provide a client certificate to outlook.com, the outlook.com mail servers wouldn't have a way to encrypt responses/acknowledgements back to sendmail.

Is there a way that I can prevent sendmail from sending client certificates to servers outside our domain, even if the server requests it? From the experiments I've done, outlook.com will accept the message if I simply ignore the certificate request and send the message.

You have a few options:

Option #1: Implement a per-server / per-domain exception rule. This can be done by adding Try_TLS:<broken.server> NO to your access table. It sounds like you're already doing this but it's important to note that the "broken.server" part can be an IP, MX record (microsoft-com.mail.protection.outlook.com), or partial MX record (outlook.com).

Option #2: Implement a bypass rule for all domains. This can be done by adding Try_TLS: NO to your access table (no need to specify IPs).

Technically, you could also hack the sendmail.mc file to prevent sendmail from checking for TLS capability at all. I wouldn't recommend doing this though since it requires delicate changes.

Related Solutions

Sendmail: SMTP host name lookup failure

I'm going out on a bit of a limb here, but I think the problem is your remote host ...

getmxrr(smtp-server.nycap.rr.com, droplocalhost=1)
getmxrr: res_search(smtp-server.nycap.rr.com) failed (errno=110, h_errno=2)
<zeno@biyg.net>... Deferred: Name server: smtp-server.nycap.rr.com: host name lookup failure

It looks like res_search is the culprit here and what it's searching for (smtp-server.nycap.rr.com) is producing the error. According to netdb.h (I think) that error is either non-authoritative host or SRVFAIL.

Checking dns, it does look like something's wrong with that host (please forgive the use of nslookup) :

Non-authoritative answer:
Name:   smtp-server.nycap.rr.com
Address: 75.180.132.33

nslookup
> set q=ptr
> 75.180.132.33

Non-authoritative answer:
33.132.180.75.in-addr.arpa      name = cdptpa-omtalb.mail.rr.com.

I want to say it looks like a forward/reverse mismatch, but I could be wrong. It could just be one bad entry in their mailcluster. I'm thinking the reason that it works in the debug mode is that ruleset 3 is skipped and part of that ruleset is doing reverse lookups on the destination mailserver.

You might be able to solve this with a mailertable, that would go a ways towards fingering DNS info as the culprit. Take a look at this -- Solving hostname lookup failures in sendmail

Centos – How to change sendmail fallback behavior if TLS handshake fails

According to this thread, the fallback feature tls_failures was implemented in this patch. Apparently this will use plain text automatically after a certain number of TLS handshake failures.

Note: this patch is integrated in 8.16 (at least available as snapshot)

As of this post, 8.16 is not yet released, so for now you will have to use /etc/mail/access or /etc/mail/access_db as Seth suggested, and be sure to rebuild the .db using makemap hash /etc/mail/access < /etc/mail/access

As for security risks of using tls_failures globally; considering that this is opportunistic TLS to begin with, I think that refraining from using this new option would only help in some really fringe cases where the recipient mailserver is temporarily reconfigured and later corrected.

Best Answer

Related Solutions

Sendmail: SMTP host name lookup failure

Centos – How to change sendmail fallback behavior if TLS handshake fails

Related Topic