Problem with the smtps test (unspecified SSL error)
list Ryan Novosielski
Hi all,

Xymon 4.2.3 here still. For some reason, smtps doesn't test properly. I see the notes that smtps doesn't have a defined port. So, I started off trying smtps:587:s in bb-hosts. That didn't work. Then I tried adding the port to bb-services (normally that service has no port listed). Nothing seems to change the response I get -- a yellow test result with this phrase:

Service smtps on mail.umdnj.edu is not OK : Unexpected service response

...and this in bb-network.log:

2012-09-27 16:22:39 Unspecified SSL error in SSL_connect to submission (19202/tcp) on host 10.32.15.162: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

I don't know why there should be any problem here. Any idea what I might do to dig deeper? The OpenSSL version I'm using is 0.9.8p and works for everything else just fine.

--
Ryan Novosielski - Sr. Systems Programmer
user-ae4522577e16@xymon.invalid - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
list Jeremy Laidman
On 28 September 2012 06:29, Ryan Novosielski <user-ae4522577e16@xymon.invalid> wrote:
Xymon 4.2.3 here still. For some reason, smtps doesn't test properly.
From my tests, that server is not listening on port 587, or is being blocked by a firewall/router. But perhaps access is restricted.

Assuming port 587 is open to you, you can test the SSL negotiation using openssl:

$ openssl s_client -connect mail.umdnj.edu:587 </dev/null

This should show you certificate details. If it doesn't then there was no (valid) SSL handshake.

At the very least, you should be able to connect with telnet:

$ telnet mail.umdnj.edu 587 </dev/null

This should show "Connected" and then immediately "Connection closed". If not, then you have a more elementary problem. If you get "Connection refused" then the service is probably not running. If you get a timeout, then there is probably a firewall/router blocking your packets.

Cheers
Jeremy
list Ryan Novosielski
On 10/01/2012 10:58 PM, Jeremy Laidman wrote:

On 28 September 2012 06:29, Ryan Novosielski <user-ae4522577e16@xymon.invalid> wrote:
Xymon 4.2.3 here still. For some reason, smtps doesn't test properly.

From my tests, that server is not listening on port 587, or is being blocked by a firewall/router. But perhaps access is restricted.

Assuming port 587 is open to you, you can test the SSL negotiation using openssl:

$ openssl s_client -connect mail.umdnj.edu:587 </dev/null

This should show you certificate details. If it doesn't then there was no (valid) SSL handshake.

At the very least, you should be able to connect with telnet:

$ telnet mail.umdnj.edu 587 </dev/null

This should show "Connected" and then immediately "Connection closed". If not, then you have a more elementary problem. If you get "Connection refused" then the service is probably not running. If you get a timeout, then there is probably a firewall/router blocking your packets.

Thanks Jeremy. I knew the port was definitely open so that was not at issue. But the openssl response is abnormal and seems to match what Xymon is getting:

# /opt/csw/bin/openssl s_client -connect mail.umdnj.edu:587 < /dev/null
CONNECTED(00000004)
8388:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:583:

Telnet seems to work as well but seems to work without SSL.

Trying 10.32.15.100...
Connected to mail.umdnj.edu.
Escape character is '^]'.
220 scpmmp1.umdnj.edu -- Server ESMTP (Oracle Communications Messaging Exchange Server 7u4-22.01 64bit (built Apr 21 2011))

My current partially educated guess is this works via STARTTLS and not straight SSL. Would you agree? That would seem to jive with this:

HELO umdnj.edu
250 scpmmp1.umdnj.edu OK, unknown [10.32.15.102].
STARTTLS
220 2.5.0 Go ahead with TLS negotiation.

I could have sworn my e-mail client was set for SSL, not STARTTLS, but maybe it was set for "either" and I didn't notice. If that is the case, it looks like I'm out of luck on testing that aspect of it: http://lists.xymon.com/oldarchive/2005/08/msg00079.html
list Ryan Novosielski
On 10/02/2012 02:22 AM, Jeremy Laidman wrote:

On 2 October 2012 13:18, Novosielski, Ryan <user-ae4522577e16@xymon.invalid

Agreed. Although that post was from 7 years ago, and a lot has happened since then. For instance, STARTTLS is supported for LDAPv3, so perhaps support for SMTP/STARTTLS is nigh. At some point, Henrik has to draw a line at the depth of multi-layer protocols he supports. Perhaps it's time for an external test script instead. You can then add a bunch of other email tests such as anti-relay, anti-virus, bogus sender domain, etc.

While that is true (that one must draw the line somewhere), I think STARTTLS is a common enough one-layer-deep protocol that it is pretty reasonable to support, as it's used by a variety of things. Not worth the amount of effort it sounded like was described in the earlier post, but something to look toward when parts get rewritten, I think. Anyways, thanks so much for your pointers. Those couple of tests were sitting broken for quite a while, and I even had the OpenSSL output (it appeared in the bbd test for my network machine), but for some reason the fact that telnetting to the port and getting readable stuff back very much implied no SSL escaped me earlier.
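The external STARTTLS test script that Jeremy suggests, written here as an added example (not code from the thread or from Xymon): it does what Ryan's telnet session did by hand, reads the plaintext 220 banner, checks that EHLO advertises STARTTLS, then completes the TLS handshake with certificate verification, and returns a colour and text for a Xymon status report. The probe name xymon-probe.invalid, the column name "starttls" and the status command in the trailing comment are assumptions.

```python
import socket
import ssl

def smtp_reply(sock):
    """Read one complete SMTP reply (single or multi-line) and return its lines."""
    data = b""
    # The final line of a reply has a space after the code ("250 "); continuation
    # lines use a dash ("250-"), so keep reading until we see the former.
    while not data.endswith(b"\n") or data.splitlines()[-1][3:4] != b" ":
        chunk = sock.recv(4096)
        if not chunk:  # peer closed the connection; return whatever arrived
            break
        data += chunk
    return data.decode("ascii", "replace").splitlines()

def ehlo_extensions(lines):
    """Map EHLO reply lines ("250-STARTTLS", "250 SIZE 20971520") to a keyword set."""
    return {line[4:].split()[0].upper() for line in lines[1:] if line[4:].split()}

def check_starttls(host, port=587, timeout=10):
    """Probe an SMTP submission port for STARTTLS; return (colour, text) for Xymon."""
    try:
        with socket.create_connection((host, port), timeout) as sock:
            banner = smtp_reply(sock)
            # An implicit-TLS (smtps) port sends nothing until it sees a ClientHello
            # (recv times out, caught below); anything other than a 220 greeting
            # means this is not a STARTTLS endpoint either.
            if not banner or not banner[0].startswith("220"):
                return "red", "no 220 banner, not a STARTTLS endpoint: %r" % banner[:1]
            sock.sendall(b"EHLO xymon-probe.invalid\r\n")  # assumed probe name
            if "STARTTLS" not in ehlo_extensions(smtp_reply(sock)):
                return "red", "server does not advertise STARTTLS"
            sock.sendall(b"STARTTLS\r\n")
            go = smtp_reply(sock)
            if not go or not go[0].startswith("220"):
                return "red", "STARTTLS refused: %r" % go[:1]
            ctx = ssl.create_default_context()  # verifies the chain and the hostname
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                summary = "%s %s" % (tls.version(), tls.cipher()[0])
                tls.sendall(b"QUIT\r\n")
            return "green", "STARTTLS OK: " + summary
    except OSError as exc:  # ssl.SSLError and socket.timeout are both OSError
        return "red", "STARTTLS failed: %s" % exc

if __name__ == "__main__":
    import sys
    colour, text = check_starttls(sys.argv[1])
    # Hand the result to Xymon, e.g. $BB $BBDISP "status $HOST.starttls $colour $text"
    print(colour, text)
```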