<p>I've just seen a similar problem and posted details (including a session log) in a separate topic here:</p><p> http://community.pmail.com/forums/thread/45424.aspx</p><p><span style="font-size: 10pt;">Googling the error I saw had some interesting results, as discussed here:</span><span style="font-size: 10pt;"> </span></p><p>http://openssl.6102.n7.nabble.com/openssl-update-1-0-1f-to-1-0-1g-broke-sendmail-SSL23-GET-SERVER-HELLO-tlsv1-alert-decode-error-td49242.html</p><p><span style="font-size: 10pt;">In this case it looks like a fix implemented in 1.0.1g of OpenSSL caused some compatibility issues in certain mail servers, resulting in the same error I saw with Mercury 4.8.  Mercury 4.8 shipped for me with OpenSSL 1.0.1h.  Not sure if the same issue is still in the 'h' release, but it seems related.</span></p><p>Mark </p><p> </p>

<p>Running Mercury 4.8 latest and greatest, since enabling SSL on MercuryE, we have noticed a fairly large number of domains that TLS fails on.  I am able to send to these domains by setting an exception in the SSL and access control tab of the MercuryE config dialog.  These domains, or at least those that I have tested so far all pass tests on http://www.checktls.com/perl/TestReceiver.pl a very nice on line SSL/TLS tester for email.  We are able to send to these domains with Gmail accounts.  I have tried a few different versions of OpenSSL, and have finally reverted back to the one used by the 4.8 installer, all behave the same.  Probably the most notable domain that is easy to test against is avaya.com, the maker of VOIP phone stuff, big company with multiple mail hosts, easy to test against.</p><p>Is there an issue with SSL here or do we have something else going on?</p><p>Gus </p>

Can you give more details on how MercuryE fails?  A session log may help.

<p>After sending to any user at the affected domains, the MercuryE logs show</p><p><b>550 #5.1.0 Address rejected.</b> </p><p>The MercuryE window on the server machine shows</p><p><b>[!] STARTTLS negotiation failed on server</b> (ip address of server)</p><p> The sender eventually gets a message from the postmaster that shows</p><p><b>*** someuser@somedomain.com</b></p><p>after the standard "The attached message has failed" message with no error message included.</p><p>I did try to enable sessions logging on a test one this morning, however no log was generated.  Its been a long time since I have tried sessions logging, but for whatever reason is not working this am.</p><p>If you want to try on another copy of Mercury try</p><p>test@avaya.com</p><p>or</p><p>test@nordicsemi.no</p><p>the user test does not exist, however with SSL failing we never get that message back.  It would sure be nice of the SSL errors were to get logged with the rest of the info in the logs for that module. </p><p> </p>

<a href="https://www.ssllabs.com/index.html" rel="noreferrer"><img src="https://ssllabs.com/images/qualys-ssl-labs-logo.png" alt="SSL Labs logo" title="SSL Labs logo" height="55" width="341"></a> <a href="https://www.ssllabs.com/index.html" rel="noreferrer">Home</a> <a href="https://www.ssllabs.com/projects/index.html" rel="noreferrer">Projects</a> <a href="https://www.qualys.com/" rel="noreferrer">Qualys.com</a> <a href="https://www.ssllabs.com/about/contact.html" rel="noreferrer">Contact</a> <br clear="all"> <b>You are here: </b> <a href="https://www.ssllabs.com/index.html" rel="noreferrer">Home</a> > <a href="https://www.ssllabs.com/projects/index.html" rel="noreferrer">Projects</a> > <a href="https://www.ssllabs.com/ssltest/index.html" rel="noreferrer">SSL Server Test</a> > avaya.com SSL Report: avaya.com <b>Assessed on:</b>  Wed, 09 Dec 2015 15:59:37 UTC <b> | HIDDEN</b> | <a href="https://www.ssllabs.com/ssltest/analyze.html?d=avaya.com&hideResults=on&clearCache=on">Clear cache</a> <a href="https://www.ssllabs.com/ssltest/index.html" rel="noreferrer">Scan Another >></a> <table id="multiTable" border="0" cellpadding="10"> <tbody><tr> <th> </th> <th>Server</th> <th>Domain(s)</th> <th>Test time</th> <th>Grade</th> </tr> <tr> </tr><tr> <td align="center">1</td> <td> <b><a href="https://www.ssllabs.com/ssltest/analyze.html?d=avaya.com&s=184.24.230.237&hideResults=on">184.24.230.237</a></b> a184-24-230-237.deploy.static.akamaitechnologies.com Ready </td> <td> <p> www.avaya.com </p> </td> <td width="180"> Wed, 09 Dec 2015 15:57:39 UTC <b>Duration:</b> 65.490 sec </td> <td align="center"> B </td> </tr> <tr> </tr><tr> <td align="center">2</td> <td> <b><a href="https://www.ssllabs.com/ssltest/analyze.html?d=avaya.com&s=135.11.53.87&hideResults=on">135.11.53.87</a></b> avaya.co.cr <b>No secure protocols supported</b> </td> <td> <p> avaya.com </p> </td> <td width="180"> Wed, 09 Dec 2015 15:58:45 UTC <b>Duration:</b> 52.555 sec </td> <td align="center"> - </td> </tr> </tbody></table> <b>Warning:</b> <u>Inconsistent server configuration</u> <p>SSL Report v1.20.28</p> <table border="0" cellpadding="5" cellspacing="0" width="910"><tbody><tr><td> Copyright © 2009-2015 <a href="https://www.qualys.com/">Qualys, Inc</a>. All Rights Reserved. </td><td align="right"> <a href="https://www.ssllabs.com/about/terms.html" rel="noreferrer">Terms and Conditions</a></td></tr></tbody></table>

<a href="https://www.ssllabs.com/index.html" rel="noreferrer"><img src="https://ssllabs.com/images/qualys-ssl-labs-logo.png" alt="SSL Labs logo" title="SSL Labs logo" height="55" width="341"></a> <a href="https://www.ssllabs.com/index.html" rel="noreferrer">Home</a> <a href="https://www.ssllabs.com/projects/index.html" rel="noreferrer">Projects</a> <a href="https://www.qualys.com/" rel="noreferrer">Qualys.com</a> <a href="https://www.ssllabs.com/about/contact.html" rel="noreferrer">Contact</a> <br clear="all"> <b>You are here: </b> <a href="https://www.ssllabs.com/index.html" rel="noreferrer">Home</a> > <a href="https://www.ssllabs.com/projects/index.html" rel="noreferrer">Projects</a> > <a href="https://www.ssllabs.com/ssltest/index.html" rel="noreferrer">SSL Server Test</a> > nordicsemi.no SSL Report: nordicsemi.no (194.19.86.155) <b>Assessed on:</b>  Wed, 09 Dec 2015 17:04:11 UTC <b> | HIDDEN</b> | <a href="https://www.ssllabs.com/ssltest/analyze.html?d=nordicsemi.no&hideResults=on&clearCache=on">Clear cache</a> <a href="https://www.ssllabs.com/ssltest/index.html" rel="noreferrer">Scan Another »</a> <br clear="all"> <u><b>Certificate name mismatch </b></u> <a href="https://www.ssllabs.com/ssltest/analyze.html?d=nordicsemi.no&hideResults=on&ignoreMismatch=on&clearCache=on">Click here to ignore the mismatch and proceed with the tests</a> <p>Try these other domain names (extracted from the certificates):</p> <ul><li><a href="https://www.ssllabs.com/ssltest/analyze.html?d=www.nordicsemi.com&hideResults=on">www.nordicsemi.com</a></li></ul> <p><b>What does this mean?</b></p> <p>We were able to retrieve a certificate for this site, but the domain names listed in it do not match the domain name you requested us to inspect. It's possible that:</p> <ul><li>The web site does not use SSL, but shares an IP address with some other site that does. </li><li>The web site no longer exists, yet the domain name still points to the old IP address, where some other site is now hosted. </li><li>The web site uses a content delivery network (CDN) that does not support SSL. </li><li>The domain name is an alias for a web site whose main name is different, but the alias was not included in the certificate by mistake. </li></ul> <p>SSL Report v1.20.28</p> <table border="0" cellpadding="5" cellspacing="0" width="910"><tbody><tr><td> Copyright © 2009-2015 <a href="https://www.qualys.com/">Qualys, Inc</a>. All Rights Reserved. </td><td align="right"> <a href="https://www.ssllabs.com/about/terms.html" rel="noreferrer">Terms and Conditions</a></td></tr></tbody></table>

<p>SSL labs is testing the cert on the web server for the domain, not the mail server.  There is no reason anyone needs to use the same cert for email as they do for other services.  Try the tests at http://www.checktls.com/perl/TestReceiver.pl which test the mail server.  And yes I know some of these have self signed certs, there are plenty of others out there with self signed certs that work just fine.</p><p>Try sending an email to test@nordicsemi.no and watch the MercuryE screen on the server see what is happening.  Sent from another mail system it works. </p>

Certificate 1 of 4 in chain:
subject= /OU=Domain Control Validated/CN=*.nordicsemi.no
issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2                                              

Certificate 2 of 4 in chain:
subject= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2                                                

Certificate 3 of 4 in chain:
subject= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
issuer= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority                                                  

Certificate 4 of 4 in chain:
subject= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
issuer= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority                                                    

Certificate 1 of 4 in chain:
subject= /OU=Domain Control Validated/CN=*.nordicsemi.no
issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2                                                                                                          

Certificate 2 of 4 in chain:
subject= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2                                                                                                            

Certificate 3 of 4 in chain:
subject= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
issuer= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority                                                                                                              

Certificate 4 of 4 in chain:
subject= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
issuer= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority                                                                                                                

<p>[quote]</p><p>There is no reason anyone needs to use the same cert for email as they do for other services.  Try the tests at http://www.checktls.com/perl/TestReceiver.pl which test the mail server.  And yes I know some of these have self signed certs, there are plenty of others out there with self signed certs that work just fine.</p><p>[/quote] </p><p>Hmm. Would you pay for different certs for different services for the same domain? Not me. Self signed certs produce warning messages if you forgot to import them. I do not know how Mercury32 responds... </p><p> </p><p>nordicsemi.no seems to be okay now but avaya.com produces a validation problem. </p><p>[quote]</p><h2> TestReceiver </h2> <p class="cf_line">CheckTLS Confidence Factor for<b> "test@nordicsemi.no"</b>: 100</p> <div id="Matrix"> <table class="matrix"> <tbody><tr class="toprow"> <td>MX Server</td> <td>Pref</td> <td>Con- nect</td> <td>All- owed</td> <td>Can Use</td> <td>TLS Adv</td> <td>Cert OK</td> <td>TLS Neg</td> <td>Sndr OK</td> <td>Rcvr OK</td> </tr> <tr> <td class="mx"> mx01.nordicsemi.no [194.19.86.146] </td> <td class="pref">10</td> <td class="success"> <span class="text">OK</span> <span class="time">(127ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(363ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(130ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(127ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(741ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(131ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(129ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(131ms)</span> </td> </tr> <tr> <td class="mx"> mx02.nordicsemi.no [194.19.86.151] </td> <td class="pref">20</td> <td class="success"> <span class="text">OK</span> <span class="time">(128ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(131ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(130ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(128ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(675ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(147ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(131ms)</span> </td> <td class="success"> <span class="text">OK</span> <span class="time">(131ms)</span> </td> </tr> <tr class="totalrow"> <td class="totalleftrow">Average</td> <td> </td><td>100%</td> <td>100%</td> <td>100%</td> <td>100%</td> <td>100%</td> <td>100%</td> <td>100%</td> <td>100%</td> </tr> </tbody></table> </div> <p class="note">(double click matrix to select all for copy and paste)</p> <table id="rerun"> <caption>Run same test with:</caption> <tbody><tr> <td> <form action="http://www.checktls.com/perl/TestReceiver.pl" method="post"> </form> </td></tr></tbody></table><table id="rerun"><tbody><tr><td><form action="http://www.checktls.com/perl/TestReceiver.pl" method="post"> </form> </td> <td> <form action="http://www.checktls.com/perl/TestReceiver.pl" method="post"> </form> </td></tr></tbody></table><table id="rerun"><tbody><tr><td><form action="http://www.checktls.com/perl/TestReceiver.pl" method="post"> </form> </td> <td> <form action="http://www.checktls.com/perl/TestReceiver.pl" method="post"> </form> </td></tr></tbody></table><table id="rerun"><tbody><tr><td><form action="http://www.checktls.com/perl/TestReceiver.pl" method="post"> <input id="email" name="EMAIL" class="text" value="test@nordicsemi.no" type="text"> <a href="http://www.checktls.com/testreceiver.html" class="button">Instructions</a> <a href="http://www.checktls.com/tests.html" class="button">About Tests</a> </form> </td> </tr> </tbody></table> <p> </p><p class="note"> Note: you can run many tests at once and/or schedule tests with <a href="http://www.checktls.com/batchtest.html">BatchTest</a>. </p> <p class="note"> Note: use the <a href="http://www.checktls.com/perl/TestReceiver.pl?FULL">FULL version</a> to test servers with custom IP addresses, ports, authentications, and/or timeouts. </p> <p class="note"> See <a href="http://www.checktls.com/policy_email.html">email policy</a>. We <em>will not</em> use addresses. Use of any test is explicit agreement to <a href="http://www.checktls.com/policy_aup.html">Acceptable Use Policy</a>. </p> <hr class="separator"> <p class="note">(double click in detail below to select all for copy and paste)</p> <p class="negline"> </p> <p>Checking test@nordicsemi.no</p> <p>looking up MX hosts on domain "nordicsemi.no" </p><ol id="mxlist"><li>mx01.nordicsemi.no (preference:10)</li><li>mx02.nordicsemi.no (preference:20)</li></ol> <p class="trying">Trying TLS on mx01.nordicsemi.no[194.19.86.146] (10):</p> <table class="detail"> <tbody><tr class="toprow"> <th class="time">seconds</th> <th class="tofrom"> </th> <th class="text">test stage and result</th> </tr> <tr class="text"> <td class="time">[000.127]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">Connected to server</span> </td> </tr> <tr class="tome"> <td class="time">[000.490]</td> <td class="tofrom"><--</td> <td class="text"> <span class="normal">220 ironport01.nordicsemi.no ESMTP</span> </td> </tr> <tr class="text"> <td class="time">[000.490]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">We are allowed to connect</span> </td> </tr> <tr class="fromme"> <td class="time">[000.490]</td> <td class="tofrom">--></td> <td class="text"> <span class="normal">EHLO checktls.com</span> </td> </tr> <tr class="tome"> <td class="time">[000.619]</td> <td class="tofrom"><--</td> <td class="text"> <span class="normal">250-ironport01.nordicsemi.no 250-8BITMIME 250-SIZE 54525952 250 STARTTLS</span> </td> </tr> <tr class="text"> <td class="time">[000.620]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">We can use this server</span> </td> </tr> <tr class="text"> <td class="time">[000.620]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">TLS is an option on this server</span> </td> </tr> <tr class="fromme"> <td class="time">[000.620]</td> <td class="tofrom">--></td> <td class="text"> <span class="normal">STARTTLS</span> </td> </tr> <tr class="tome"> <td class="time">[000.747]</td> <td class="tofrom"><--</td> <td class="text"> <span class="normal">220 Go ahead with TLS</span> </td> </tr> <tr class="text"> <td class="time">[000.747]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">STARTTLS command works on this server</span> </td> </tr> <tr class="text"> <td class="time">[001.324]</td> <td class="tofrom"> </td> <td class="text"> <span class="normal">SSLVersion in use: TLSv1</span> </td> </tr> <tr class="text"> <td class="time">[001.324]</td> <td class="tofrom"> </td> <td class="text"> <span class="normal">Cipher in use: AES128-SHA</span> </td> </tr> <tr class="text"> <td class="time">[001.324]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">Connection converted to SSL</span> </td> </tr> <tr class="text"> <td class="time">[001.413]</td> <td class="tofrom"> </td> <td class="text"> <span class="normal"> <pre class="cert">Certificate 1 of 4 in chain: subject= /OU=Domain Control Validated/CN=*.nordicsemi.no issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 </pre> </span> </td> </tr> <tr class="text"> <td class="time">[001.438]</td> <td class="tofrom"> </td> <td class="text"> <span class="normal"> <pre class="cert">Certificate 2 of 4 in chain: subject= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 issuer= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 </pre> </span> </td> </tr> <tr class="text"> <td class="time">[001.463]</td> <td class="tofrom"> </td> <td class="text"> <span class="normal"> <pre class="cert">Certificate 3 of 4 in chain: subject= /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2 issuer= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority </pre> </span> </td> </tr> <tr class="text"> <td class="time">[001.488]</td> <td class="tofrom"> </td> <td class="text"> <span class="normal"> <pre class="cert">Certificate 4 of 4 in chain: subject= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority issuer= /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority </pre> </span> </td> </tr> <tr class="text"> <td class="time">[001.488]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">Cert VALIDATED: ok</span> </td> </tr> <tr class="text"> <td class="time">[001.488]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">Cert Hostname VERIFIED (mx01.nordicsemi.no = *.nordicsemi.no)</span> </td> </tr> <tr class="fromme"> <td class="time">[001.489]</td> <td class="tofrom">~~></td> <td class="text"> <span class="normal">EHLO checktls.com</span> </td> </tr> <tr class="tome"> <td class="time">[001.619]</td> <td class="tofrom"><~~</td> <td class="text"> <span class="normal">250-ironport01.nordicsemi.no 250-8BITMIME 250 SIZE 54525952</span> </td> </tr> <tr class="text"> <td class="time">[001.620]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">TLS successfully started on this server</span> </td> </tr> <tr class="fromme"> <td class="time">[001.620]</td> <td class="tofrom">~~></td> <td class="text"> <span class="normal">MAIL FROM:<test@checktls.com></span> </td> </tr> <tr class="tome"> <td class="time">[001.748]</td> <td class="tofrom"><~~</td> <td class="text"> <span class="normal">250 sender <test@checktls.com> ok</span> </td> </tr> <tr class="text"> <td class="time">[001.748]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">Sender is OK</span> </td> </tr> <tr class="fromme"> <td class="time">[001.749]</td> <td class="tofrom">~~></td> <td class="text"> <span class="normal">RCPT TO:<test@nordicsemi.no></span> </td> </tr> <tr class="tome"> <td class="time">[001.878]</td> <td class="tofrom"><~~</td> <td class="text"> <span class="normal">250 recipient <test@nordicsemi.no> ok</span> </td> </tr> <tr class="text"> <td class="time">[001.879]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">Recipient OK, E-mail address proofed</span> </td> </tr> <tr class="fromme"> <td class="time">[001.879]</td> <td class="tofrom">~~></td> <td class="text"> <span class="normal">QUIT</span> </td> </tr> <tr class="tome"> <td class="time">[002.041]</td> <td class="tofrom"><~~</td> <td class="text"> <span class="normal">221 ironport01.nordicsemi.no</span> </td> </tr> </tbody></table> <p class="trying">Trying TLS on mx02.nordicsemi.no[194.19.86.151] (20):</p> <table class="detail"><tbody><tr class="toprow"> <th class="time">seconds</th> <th class="tofrom"> </th> <th class="text">test stage and result</th> </tr> <tr class="text"> <td class="time">[000.128]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">Connected to server</span> </td> </tr> <tr class="tome"> <td class="time">[000.258]</td> <td class="tofrom"><--</td> <td class="text"> <span class="normal">220 ironport02.nordicsemi.no ESMTP</span> </td> </tr> <tr class="text"> <td class="time">[000.259]</td> <td class="tofrom"> </td> <td class="text"> <span class="success">We are allowed to connect</span> </td> </tr> <tr class="fromme"> <td class="time">[000.259]</td> <td class="tofrom">--></td> <td class="text"> <span class="normal">EHLO checktls.com</span> </td> </tr> <tr class="tome"> <td class="time">[000.388]</td> <td class="tofrom"><--</td> <td class="text"> <span class="normal">250-ironport02.nordicsemi.no 250-8BITMIME 250-SIZE 54525952 250 STARTTLS</span> </td> </tr> <tr class="text"> <td class="time">[000.389]</td> <td class="tofrom"> </td> <td class="text">