1 Reply Latest reply on Feb 25, 2011 8:30 AM by schnuppa3

    TLS / Sender refused due lack of security

    schnuppa3

      I have had an open case for one week, but no answer yet.

      Perhaps someone can help me here?

       

      We have 6.7.2 HF4

      Some senders are getting, "only sporadically", an error from our ironmail: "Sender Refused due to lack of security".

      Mostly, the TLS connection is working fine with the sender.

       

       

      RFC 3207 says:

      "If the SMTP server decides that the level of authentication or privacy is not high enough for it to continue, it SHOULD reply to every SMTP command from the client (other than a QUIT command) with the 554 reply code (with a possible text string such as "Command refused due to lack of security")."

       

      Does anyone know this problem and have hints for debugging this issue?

        • 1. TLS / Sender refused due lack of security
          schnuppa3

          Hi,

           

          I found out 2 reasons for this error

           

          Debugging for this can only be done by support as root,

          or you could execute openssl from another server:

           

           

          1. If the sender's domain is configured for required TLS, but the sender has no TLS

           

          openssl s_client -starttls smtp -verify -crlf -showcerts -connect  <IP>:25

          verify depth is 0

          CONNECTED(00000003)

          didn't found starttls in server response, try anyway...

           

           

           

           

          2. If the sender's Root CA or Intermediate Cert is expired/not correct

           

          openssl s_client -starttls smtp -verify -crlf -showcerts -connect <IP>:25

          verify depth is 0

          CONNECTED(00000003)

          depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD. 97 VeriSign

          verify error:num=20:unable to get local issuer certificate

          verify return:0

          91422:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_clnt.c:894:

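An added example, not part of the original thread: a shell filter that sorts `openssl s_client -starttls smtp` output into the two causes described in the reply above. The function names and the `probe_smtp_tls` helper are hypothetical, and the sample transcripts are constructed, abridged from the output quoted in the thread.

```shell
#!/bin/sh
# Added example: classify `openssl s_client -starttls smtp` output into the
# two causes named in the reply. Sample transcripts are constructed/abridged
# from the output quoted in the thread.

classify_starttls() {   # reads s_client output on stdin, prints one verdict
    awk '
        { line = tolower($0) }
        # Cause 1: peer did not advertise STARTTLS in its EHLO response.
        line ~ /didn.t (found|find) starttls/ { nostarttls = 1 }
        # Cause 2: chain validation failed; keep the first error reported.
        line ~ /verify error:num=[0-9]+:/ && verr == "" {
            verr = line
            sub(/.*verify error:num=/, "", verr)
        }
        line ~ /verify return code: 0 \(ok\)/ { ok = 1 }
        END {
            if (nostarttls) print "no-starttls"
            else if (verr != "") {
                split(verr, f, ":")
                print "cert-verify-failed num=" f[1] " (" f[2] ")"
            }
            else if (ok) print "verified"
            else print "inconclusive"
        }'
}

probe_smtp_tls() {      # hypothetical helper; $1 = mail host to test
    # -verify takes a depth argument; </dev/null ends the session after the handshake
    openssl s_client -starttls smtp -verify 5 -crlf -connect "$1:25" \
        </dev/null 2>&1 | classify_starttls
}

SAMPLE_NO_STARTTLS="verify depth is 0
CONNECTED(00000003)
didn't found starttls in server response, try anyway..."

SAMPLE_BAD_CHAIN="verify depth is 0
CONNECTED(00000003)
depth=1 /O=VeriSign Trust Network/OU=VeriSign, Inc.
verify error:num=20:unable to get local issuer certificate
verify return:0"

printf '%s\n' "$SAMPLE_NO_STARTTLS" | classify_starttls
printf '%s\n' "$SAMPLE_BAD_CHAIN"   | classify_starttls
```

Running the classifier over saved transcripts from several sporadic failures shows which of the two causes each refused sender falls under.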