[lug] help with mail logs
Nate Duehr
nate at natetech.com
Fri Jan 16 11:17:49 MST 2004
On Friday 16 January 2004 06:56 am, Ryan Wheaton wrote:
Guesses, below. :-)
> I was perusing the logs on one of my list servers, and I came across
> the following entries:
>
> STARTTLS=client, relay=mx1c1.megamailservers.com., version=TLSv1/SSLv3,
> verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256: 1 Time(s)
> STARTTLS=client, relay=webmail.vanion.com., version=TLSv1/SSLv3,
> verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168: 1 Time(s)
> STARTTLS=client, relay=mail.randomwalk.com., version=TLSv1/SSLv3,
> verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256: 1 Time(s)
> STARTTLS=client, relay=davegrover.com., version=TLSv1/SSLv3,
> verify=FAIL, cipher=AES256-SHA, bits=256/256: 1 Time(s)
Can't tell if this is outgoing or incoming from this log file snippet.
> there are people from the randomwalk.com and davegrover.com that are
> members of lists on the box. Does this mean that the messages did not
> reach them? Or is it their mail servers responding, probing me to see
> if I'm an open relay?
Assuming this is outbound, it looks like your mail server has TLS (SSL)
support and is trying to make SSL-enabled connections to webservers that
are reporting they have the capability during the outbound attempt. You
probably have a self-signed SSL key that's failing the SSL check attempt.
Or they do.
To see if the mail is actually going out you'd have to see if your server
is falling back to standard SMTP later or just continually trying with
TLS and then bouncing the messages.
If you're not using TLS for people to relay through your machine (with
some SMTP AUTH type setup) or so you can have an encrypted session with
your mailserver from "on the road" or something, you may just want to
disable TLS altogether. Depending on your needs.
I'm just taking a guess at this here, as that snippet's not much to go
on...
--
Nate Duehr, nate at natetech.com
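
The check suggested in the reply above (did mail to the relays logged with verify=FAIL actually go out?) can be scripted; this is an added example, not part of the original message. It assumes sendmail-style syslog lines in which the STARTTLS=client line and the delivery (stat=) line share a process id, and the sample log lines, hosts and queue ids are constructed.

```python
import re

# Constructed sample lines in sendmail syslog style (assumed format; hosts and
# queue ids are made up, not taken from the post).
SAMPLE_LOG = """\
Jan 16 06:12:01 lists sendmail[2101]: STARTTLS=client, relay=mx.example.org., version=TLSv1/SSLv3, verify=FAIL, cipher=DHE-RSA-AES256-SHA, bits=256/256
Jan 16 06:12:02 lists sendmail[2101]: i0GDC1x1002099: to=<a@example.org>, delay=00:00:02, mailer=esmtp, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent (OK)
Jan 16 06:13:10 lists sendmail[2140]: STARTTLS=client, relay=mail.example.net., version=TLSv1/SSLv3, verify=FAIL, cipher=AES256-SHA, bits=256/256
Jan 16 06:13:11 lists sendmail[2140]: i0GDD9x1002138: to=<b@example.net>, delay=00:00:01, mailer=esmtp, relay=mail.example.net. [192.0.2.20], dsn=4.0.0, stat=Deferred: 451 4.7.1 Please try again later
Jan 16 06:14:00 lists sendmail[2150]: STARTTLS=client, relay=smtp.example.com., version=TLSv1/SSLv3, verify=FAIL, cipher=DES-CBC3-SHA, bits=168/168
"""

LINE = re.compile(r"sendmail\[(?P<pid>\d+)\]: (?P<body>.*)$")
FIELD = re.compile(r"(\w+)=([^,]+)")


def relay_name(value):
    # "mx.example.org. [192.0.2.10]" and "mx.example.org." both -> "mx.example.org"
    return value.split()[0].rstrip(".").lower()


def correlate(log_text):
    """Return {relay: [delivery statuses]} for relays logged with verify=FAIL.

    Assumption: the STARTTLS=client line and the delivery (stat=) line for a
    connection are written by the same sendmail process id.
    """
    failed = set()
    outcome = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        fields = {k: v.strip() for k, v in FIELD.findall(m["body"])}
        if "relay" not in fields:
            continue
        key = (m["pid"], relay_name(fields["relay"]))
        if fields.get("STARTTLS") == "client" and fields.get("verify") == "FAIL":
            failed.add(key)
            outcome.setdefault(key[1], [])
        elif "stat" in fields and key in failed:
            # Keep only the leading word: "Sent (OK)" -> "Sent"
            outcome[key[1]].append(re.match(r"\w+", fields["stat"]).group())
    return outcome


if __name__ == "__main__":
    for relay, statuses in correlate(SAMPLE_LOG).items():
        print(relay, statuses or "no delivery line seen")
```

An empty status list means the log window holds no delivery line for that relay, so a longer span of the mail log is needed before drawing a conclusion.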