# SSL SMTP fail after certificate update



## micski (Nov 4, 2014)

FreeBSD with Sendmail. Certificates were updated using the same procedure as last time and Sendmail was restarted. However, after this action, SSL SMTP at port 465 is now instantly rejected - and the following error is written to the mail log.


```
Nov  4 15:25:18 xxx sm-mta[1854]: STARTTLS=server: 1854:error:xxx:SSL routines:SSL_new:null ssl ctx:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/ssl_lib.c:249:
Nov  4 15:25:18 xxx sm-mta[1854]: xxx: xxx [xxx] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
```

I verified that all certificates are the updated ones, that they do in fact exist at the right path, and that they are readable by Sendmail.


----------



## micski (Nov 5, 2014)

Are there no security or mail experienced users, who can help on this? Maybe just clarify, whether the fault is within OpenSSL?


----------



## micski (Nov 6, 2014)

Thanks for the help, guys. As it often does with FreeBSD, the solution comes down to a complete system reinstall.


----------



## wblock@ (Nov 7, 2014)

Two days, and you're ready to go with the "Windows solution"?  Why not ask on the freebsd-questions mailing lists?  I use Sendmail, but not the certificates, so I did not comment.  Probably the situation with others, too.


----------



## micski (Nov 18, 2014)

Thanks. However, it was a running system with users, so I had limited time. I had a more experienced person than myself look into it. The conclusion was that some bad thing had been compiled into Sendmail during this certificate update. Probably something related to Heartbleed. This caused SSL to fail. However, updating the same SSL stopped with errors that related to the system only being 9.3 and not 10.

I will keep the mailing list in mind when in search of a fast reply. Thanks.


----------



## drhowarddrfine (Nov 19, 2014)

micski said:


> The conclusion was that some bad thing had been compiled into Sendmail during this certificate update. Probably something related to Heartbleed.


That's a significant leap to reach that conclusion.


micski said:


> As it often does with FreeBSD, the solution comes down to a complete system reinstall.


I have not done that since I first started using FreeBSD 10 years ago when I didn't know anything. Not that I know anything now but I know more than I did back then.


----------



## DutchDaemon (Nov 19, 2014)

micski said:


> Thanks for the help, guys. As it often does with FreeBSD, the solution comes down to a complete system reinstall.



Really? I haven't done that since a FreeBSD 5 -> FreeBSD 6 migration, and once for a 32-bit -> 64-bit migration. As it often does with FreeBSD, the solution comes down to understanding what you're doing. It really does.


----------



## rmoe (Nov 20, 2014)

Unfortunately you provide next to no information (OpenSSL version? ciphers/algorithms allowed?, ...) and additionally black out information in the error message.
When asking for help it's usually wise to provide all needed info. Wiser anyway than nuking one's running server.

Wild guess: Your (Open)SSL configuration is standard, but quite some of the algorithms are subpar or even dangerously lousy (and meanwhile no longer accepted). Depending on the OpenSSL version used there's obviously different code at line 249. But that's roughly the direction I'd look.

The second (line of the) error message is probably sendmail idiocy with sendmail stupidly talking about SMTP errors no matter why the connection establishment failed.


----------



## micski (Nov 20, 2014)

I did take a look at line 249 and went from there. However, as my knowledge of cryptography ciphers, algorithms and libraries is limited, and the human-readable hints within the short error message were limited, my quest for a solution was not successful - and I turned for help with the information I had. The system was standard. That is why I assumed that the source of the problems had to come from the regular updates. This was later confirmed to me - and the Heartbleed updates were mentioned to give this exact problem. I know that there are alternatives to Sendmail "stupidity". However, as Sendmail is the standard MTA in FreeBSD, and I prefer keeping FreeBSD standard in the hope that it stays fast, stable and solid, I use it.

I am surprised to learn that I am the only one in this thread who has seen some FreeBSD systems break down, though rarely, from simple updates like this. It was not long ago that I saw another FreeBSD system break down. It happened as a result of the official procedure to change from ports to "the new" pkg system on a version 9 system. The system was rendered useless. You can always argue "if the problem comes down to" a lack of knowledge at the user side of the terminal. However, if 15 years of FreeBSD practice and technical reading is not enough, plus friends with even more experience than myself, I am not sure that many people will ever live long enough to obtain a level of knowledge that can keep Sendmail and SSL running on FreeBSD through 2+ major versions. If you are able to do this, I admire your skills and should probably read your books and personal FreeBSD blogs. Meanwhile, I will just have to seek help like any other humble student - and reinstall over and over until it gets right.


----------



## rmoe (Nov 20, 2014)

Calm down, micski, I did not intend to provoke you.

sendmail is indeed (for whatever doubtful reasons ...) the standard SMTP server on FreeBSD. If updating to 9.3 or 10.0 led to a serious problem with sendmail more than very rarely then, I guess, that problem would be well known.

And no, it's not your fault to not be a crypto expert.

But you see, lacking information there isn't much we can do to help, no matter how good our intentions are.

I suggest you provide as a starting point some basic system info (like FreeBSD version, CPU/architecture), OpenSSL version and a full error message (blacking out only really private items).


----------



## kpa (Nov 20, 2014)

Instead of a full reinstall of the whole OS you can start from scratch by removing all installed packages with `pkg delete -a`, followed by `rm -rf /usr/local/*`, and then remove all port/package-related settings in /etc/rc.conf. Do save any configuration files from /usr/local/etc in case you did some non-trivial configuration changes that take time to redo; same with the settings in /etc/rc.conf: you can comment them out so you can re-enable them when needed.


----------



## Pavel Merdin (May 28, 2016)

It seems like one of the top results in Google points here.
Just wanted to share my experience with this error in case somebody else catches that. I had the same error when I just changed cert files without changing anything else.
By following a link to a similar problem I found a suggestion to check file permissions.
It seems like I had 644 on the key file. When I changed it to 400, sendmail started accepting messages again.
After that I looked thoroughly into the logs and found that sendmail indeed warns about that after it (re-)starts. But the message is lost within hundreds of other messages it produces.

```
May 28 01:01:30 mailserver sm-mta[81500]: STARTTLS=server: file /etc/mail/certs/cert.key unsafe: Group readable file
```
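The post above shows that a group-readable private key makes Sendmail refuse to build its TLS context, with the only hint buried in the startup log. The script below is an added example (not from the thread and not sendmail's own code) that approximates that mode-bit check so a key can be verified before Sendmail is restarted; the file paths and the empty key file it creates are constructed for the demo, and sendmail's real ownership and directory checks are not reproduced.

```sh
#!/bin/sh
# Added example, not code from the thread or from sendmail: a pre-restart
# check that approximates the private-key permission test behind the
# "STARTTLS=server: file ... unsafe: Group readable file" warning above.
# It reports the first problem found in sendmail-like wording; sendmail's
# real check (ownership, directory modes, exact text) is not reproduced.

# check_key_perms FILE: prints "ok" or a reason; exit status 0 only when safe.
check_key_perms() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    # The first 10 characters of ls -l output are the mode string, e.g. -rw-r--r--
    mode=$(ls -ld "$f" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c5) in      # group read bit
        r) echo "unsafe: Group readable file"; return 1 ;;
    esac
    case $(printf '%s' "$mode" | cut -c8) in      # other read bit
        r) echo "unsafe: World readable file"; return 1 ;;
    esac
    case $(printf '%s' "$mode" | cut -c6,9) in    # group/other write bits
        *w*) echo "unsafe: Group or world writable file"; return 1 ;;
    esac
    echo ok
}

# fix_key_perms FILE: apply the 0400 mode the post above settled on.
fix_key_perms() {
    chmod 400 "$1"
}

# Demo on a constructed, empty key file (not a real key) in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    k=$d/cert.key
    : > "$k"
    chmod 644 "$k"          # the mode that broke STARTTLS in the post
    printf '%s before: %s\n' "$k" "$(check_key_perms "$k")"
    fix_key_perms "$k"
    printf '%s after:  %s\n' "$k" "$(check_key_perms "$k")"
    rm -rf "$d"
}
demo
```

Run it against the real key path (for example the /etc/mail/certs/cert.key from the log line above) after every certificate rotation, since the mode is reset whenever the file is copied into place.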


----------

