25 January 2010

403 4.7.0 TLS handshake failed

The subject above is an error I found in my maillogs (/var/log/maillog) when trying to figure out why periodic emails from a server had stopped. I was running the default sendmail on FreeBSD 7.2, though what I've found should be broadly applicable to many versions of sendmail on many OSes.

Let there be no doubt, I'm not a mail expert. I nearly cried this weekend when I discovered I'd be troubleshooting sendmail first thing Monday morning. What follows are the essentials of the shortest path I found to solution.

In the logs, find the host(s) (the remote MTA's rejecting your mail) or domains that are causing the error. I'm not even going to try to clean-up and paste log file excerpts here. But, on the line that contains the error "403 4.7.0 TLS handshake failed" there should also be a variable called "relay" and the corresponding value will be the culprit. For example, "relay=problemhost.example.com".

For each problem host, place a line like this into the "/etc/mail/access" configuration file (which you may need to create):
Try_TLS:problemhost.example.com NO
Try_TLS:problem2.example.com NO
Now, you've got to [re-]create the "access.db" file. On FreeBSD, this is done by entering the "/etc/mail" directory and running "make maps". Now, to make it effective you just need to restart the MTA. This could be done via the start-up scripts, but is done equally well from "/etc/mail" with the command "make restart-mta". ... Here comes the mail. :)

P.s. This link was my biggest clue. Also, try reading "/etc/mail/Makefile".
P.p.s. I'd say that the admin of the problem relay had changed his config.s or software and this solution was really just working around their arbitrary [dumb] changes. C'est la vie.