TLS / Sender refused due lack of security

I have had an open case for one week, but no answer yet.

Perhaps anyone can help me here?

We have 6.7.2 HF4

Some senders are "only sporadically" getting an error from our IronMail: "Sender Refused due to lack of security".

Mostly, the TLS connection is working fine with the sender.

RFC 3207 says:

"If the SMTP server decides that the level of authentication or privacy is not high enough for it to continue, it SHOULD reply to every SMTP command from the client (other than a QUIT command) with the 554 reply code (with a possible text string such as "Command refused due to lack of security")."

Does anyone know this problem and have hints for debugging this issue?

1 Reply

TLS / Sender refused due lack of security

Hi,

I found 2 reasons for this error.

Debugging this can only be done by support as root.

Or you could execute openssl from another server:

1. If the sender's domain is configured for required TLS, but the sender has no TLS

openssl s_client -starttls smtp -verify -crlf -showcerts -connect <IP>:25

verify depth is 0

CONNECTED(00000003)

didn't found starttls in server response, try anyway...

2. If the sender's Root CA or Intermediate Cert is expired/not correct

openssl s_client -starttls smtp -verify -crlf -showcerts -connect <IP>:25

verify depth is 0

CONNECTED(00000003)

depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign

verify error:num=20:unable to get local issuer certificate

verify return:0

91422:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:894:
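
The two checks from the reply above can be scripted; the following is an added example, not part of the original thread or the vendor's tooling. The function names and sample transcripts are constructed, and the classifier goes slightly beyond the two cases shown by also reporting expired and self-signed chains.

```shell
#!/bin/sh
# Added example (not from the thread): classify `openssl s_client -starttls smtp`
# output into the causes named in the reply. Function names are hypothetical.

# classify_starttls: read s_client output on stdin, print one verdict word.
classify_starttls() {
    out=$(cat)
    # No "CONNECTED(" line means the TCP connection itself failed.
    if ! printf '%s\n' "$out" | grep -Fq 'CONNECTED('; then
        echo "NO_CONNECTION"; return 0
    fi
    # Cause 1: peer did not advertise STARTTLS (wording varies by OpenSSL version).
    if printf '%s\n' "$out" | grep -Eiq "didn't (found|find) starttls"; then
        echo "NO_STARTTLS"; return 0
    fi
    # Cause 2: chain validation failed; take the first X.509 verify error number.
    num=$(printf '%s\n' "$out" |
        sed -n 's/.*verify error:num=\([0-9][0-9]*\):.*/\1/p' | head -n 1)
    case "$num" in
        "")      echo "OK" ;;
        10)      echo "CERT_EXPIRED" ;;
        2|20|21) echo "ISSUER_MISSING" ;;
        18|19)   echo "SELF_SIGNED" ;;
        *)       echo "VERIFY_ERROR_$num" ;;
    esac
}

# probe_sender HOST: run the reply's handshake test against the sender's MTA.
probe_sender() {
    # -verify takes a depth value; </dev/null closes the session after the handshake.
    openssl s_client -starttls smtp -verify 5 -crlf -connect "$1:25" \
        </dev/null 2>&1 | classify_starttls
}

# Constructed sample transcripts, modelled on the two outputs in the reply.
SAMPLE_NO_TLS="CONNECTED(00000003)
didn't found starttls in server response, try anyway..."
SAMPLE_BAD_CHAIN="CONNECTED(00000003)
depth=1 /O=Example CA (constructed)
verify error:num=20:unable to get local issuer certificate
verify return:0"

printf '%s\n' "$SAMPLE_NO_TLS" | classify_starttls      # NO_STARTTLS
printf '%s\n' "$SAMPLE_BAD_CHAIN" | classify_starttls   # ISSUER_MISSING
```

Running `probe_sender <IP>` repeatedly against each of a sender's MX hosts helps with the sporadic case, since only some of the hosts may lack STARTTLS or present an incomplete chain.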