[Mimedefang] OFF-TOPIC: Heartbleed Information / OpenSSL 1.0.1 TLS Incompatibility w/Sendmail and Exchange 2003

Kevin A. McGrail KMcGrail at PCCC.com
Thu Apr 10 15:52:06 EDT 2014


I thought this might be a good list where some people might care/comment 
on a TLS/Sendmail issue we uncovered while dealing with Heartbleed.

We're using Sendmail 8.14.5 on a machine that had OpenSSL 1.0.0j. As a 
safety measure due to heartbleed, we upgraded to open OpenSSL 1.0.1g.

We then found that we had a server running Microsoft Exchange 2003 that 
we could not email.  After turning on full logs we found it appeared to 
be a TLS error.

STARTTLS=read: 1800:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong 
version number:s3_pkt.c:337:
STARTTLS: read error=generic SSL error (-1), errno=0, 
get_error=error:00000000:lib(0):func(0):reason(0), retry=99, ssl_err=1
STARTTLS=client, SSL_shutdown failed: -1

We then use try_tls <server> no in access and that worked.

We also then switched back to OpenSSL 1.0.0j and TLS worked again.

We then upgraded to 1.0.0l and TLS continued to work.

For those in a similar boat, this appears to be what Claus Assman refers 
to as a "cipher list too long" bug where: "... this server has the 
Exchange 2003 cipher-count limit problem. When RC4-SHA and RC4-MD5 are 
too low on the cipher-list, TLS breaks."

He then recommends that "you need to set a different cipher list for 
those servers. " from 

To do this, re-compile sendmail with -D_FFR_TLS_1 and change your cipher 

echo "APPENDDEF(\`conf_sendmail_ENVDEF', \`-D_FFR_TLS_1')"  >> 

You can also check if you have this feature with sendmail -d0.14 -bt < 
/dev/null | grep FFR

Then add this to your mc and compile:

dnl# Do not allow SSLv2 and weak ciphers:dnl


This change at least got us from 4.0.0, stat=Deferred: Input/output 
error to 403 4.7.0 TLS handshake failed which at least was accurate 
because before that we thought maybe the ISP was the issue.

Then after lots of playing around, we determined if we added RC4-MD5 
right to the front of the ciphers that Microsoft appeared to connect and 
other servers negotiated appropriate strong ciphers.  So we ended up 
using this:


This worked and thanks to Claus for his original post.  I thought more 
people might need this help because of the prevalence of Exchange 2003 
servers in the real-world and the sudden explosion of upgraded OpenSSL 


More information about the MIMEDefang mailing list