critical qmail bug on centos after microupdate #57

[gatwtal]

Hello,

after the last automatic update of plesk panel (10.4.4, microupdate #57) qmail is no longer able to deliver emails to web.de/gmx.de mailboxes. Before the update this worked fine.
The error log shows messages like:

Dec 10 16:25:44 web01 qmail-remote-handlers[19876]: Handlers Filter before-remote for qmail started ...
Dec 10 16:25:44 web01 qmail-remote-handlers[19876]: from=***@***.de
Dec 10 16:25:44 web01 qmail-remote-handlers[19876]: to=***@web.de
Dec 10 16:25:44 web01 qmail: 1386689144.224948 delivery 2525: deferral:
TLS_connect_failed:_error:100AE081:elliptic_curve_routines:EC_GROUP_new_by_curve_name:unknown_groupZConnected_to_213.165.67.120_but_connection_died._er
ror:100AE081:elliptic_curve_routines:EC_GROUP_new_by_curve_name:unknown_group_(#4.4.2)/

No other changes were performed on the server (centos 6.2).

I already tried to disable the TLS connection by placing files in /var/qmail/control/notlshosts like gmx.de or mx00.gmx.net but nothing works but qmail still uses TLS for those domains

I really need help here. We have about 45000 emails in queue (after sending a newsletter).

Best regards
Martin

 

[atomicturtle]

Its probably because your openssl library) is out of date. A really important update for that came out in CentOS 6.5 recently.

 

[gatwtal]

No, the Centos 6.5 update doesn't help. This is a problem in all centos/redhat release when using tls - a bug report can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=1019390#c2
I also have confirmation from another German user that 6.5 makes no difference here.
Something changed with the last plesk update at december 3rd. Before this update it did work (probably because tls wasn't used when communicating with web.de/gmx.de).

 

[gatwtal]

It seems the plesk update installed openssl 1.0.1-e15 which introduced the problem. openssl 1.0.1-e16 fixes this problem (update with yum update openssl).

 

[JTRipper]

thanks for sharing gatwtal!

 

[SaschaCap]

Thank you gatwtal. It works

 

[poppsworld.com]

Is is possible that this bug is alive... again with the latest openssl-updates? When sending e-mails via TLS (qmail + openssl 16.el6_5.14) we receive errors like this

Jul 29 05:16:31 XXX qmail: 1406603791.854933 delivery 1559: deferral: TLS_connect_failed;_connected_to_XXX.XXX.XXX.XXX./
Jul 29 05:16:31 XXX qmail: 1406603791.854953 status: local 0/10 remote 0/20