Failed to connect to SMTP host serverdomain.ext. 220 2.0.0 SMTP server ready. SMTPClient: SSL handshake error: 1C7Ah

Mindwatering Incorporated

Author: Tripp W Black

Created: 03/09/2016 at 10:16 PM

 

Category:
Domino Server Issues Troubleshooting
Mail Routing

Issue:
Servers are failing the TLS handshake for outgoing SMTP. The following debug settings were added to notes.ini to trace the negotiation:
DEBUG_SSL_ALL=3
SSL_TRACE_KEYFILEREAD=1
DEBUG_SSL_HANDSHAKE=2

The following is observed when the negotiation begins:
03/09/2016 10:00:50.79 PM ReadKeyfile> Reading keyfile /local/notesdata/keyfile.kyr

The problem is that the keyfile is not keyfile.kyr; this server uses a custom file name. It appears that outgoing SMTP uses the server document's keyfile field even when the server is configured to load Internet Site documents, and there is no outgoing SMTP Internet Site document that could override it. We had actually found this back in 2004 but had forgotten, because the error message and situation were different: Database 'Support Reference', View 'Support Library\By Category', Document 'SMTP SSL "Keyring File Access Error" Receiving and Sending Mail'. So open a PMR with IBM. There has been an SPR for this issue for quite some time (more than 12 years), but it is set to low priority.

Fixed - Update:
Starting around Domino R10 (and continuing in HCL Domino), the server document has a separate outgoing keyring field on the Internet Ports tab. The field help says to include the .kyr extension. In 12.0.x and later, where the Certificate Store (certstore.nsf) replaces keyring .kyr files and TLS credentials are referenced by name, the same domain entry in certstore.nsf can be used in this field as well.
Server document --> Ports --> Internet Ports --> Outgoing TLS Key file name


__________________

Confirmed: the issue exists in Domino 8.5.3 and Domino 9.0.1.

Handling the Keyring File Issue in Earlier Domino Releases:
I changed the server document's Basics tab field "Load Internet configurations from Server\Internet Sites documents" (Load Internet Sites) from Enabled to Disabled, so that the SSL key file field on the Internet Ports tab becomes visible.
Admin client --> Configuration (tab) --> Server Documents view (left) --> Edit server doc --> Basics (tab on doc)

Switch to the Ports tab, and in the Internet Ports section update the SSL key file name from keyfile.kyr to the actual file name. Save the server document, re-open it, change the Load Internet Sites field back to Enabled, save again, and retest. In our case the retest succeeded.
Server doc --> Ports tab --> Internet Ports tab.

The trace now shows the correct keyring file being read:
03/09/2016 10:15:40.45 PM ReadKeyfile> Reading keyfile /local/notesdata/mydomain.ext.kyr
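Two checks a practitioner will want after applying this fix, as an added example (this is not code from the article or from Domino): first, scan a console.log excerpt captured with the SSL_TRACE_KEYFILEREAD / DEBUG_SSL_ALL settings above and flag any ReadKeyfile line whose file name is not the expected custom keyring, together with any SMTPClient handshake error; second, connect to the server's SMTP listener, issue STARTTLS and validate the certificate it presents. The host name, the expected keyring name mydomain.ext.kyr, and the sample log lines are assumptions modelled on the lines quoted in the article.

```python
"""Added example, not from the original article or from Domino.
Host names, file names and the sample log lines are assumptions."""
import re
import smtplib
import ssl

# Matches the SSL_TRACE_KEYFILEREAD line quoted in the article.
KEYFILE_RE = re.compile(r"ReadKeyfile> Reading keyfile (?P<path>\S+)")
# Matches the SMTPClient handshake failure from the article title.
HANDSHAKE_ERR_RE = re.compile(r"SMTPClient: SSL handshake error: (?P<code>\w+)")


def parse_ssl_trace(lines, expected_keyfile):
    """Report which keyring files the server read and any handshake errors.

    lines: console.log lines captured with DEBUG_SSL_ALL / SSL_TRACE_KEYFILEREAD
    expected_keyfile: the custom keyring file name (basename) that should be read

    Returns a dict with every keyfile path read (in order), the subset whose
    basename differs from expected_keyfile, and the handshake error codes seen.
    """
    keyfiles, errors = [], []
    for line in lines:
        m = KEYFILE_RE.search(line)
        if m:
            keyfiles.append(m.group("path"))
            continue
        m = HANDSHAKE_ERR_RE.search(line)
        if m:
            errors.append(m.group("code"))
    wrong = [p for p in keyfiles if p.rsplit("/", 1)[-1] != expected_keyfile]
    return {"keyfiles": keyfiles, "wrong_keyfile": wrong, "handshake_errors": errors}


def verify_starttls(host, port=25, cafile=None, timeout=10):
    """Connect to an SMTP listener, issue STARTTLS and validate the certificate.

    Chain and host name are checked against the system trust store (or the
    PEM bundle in cafile for an internal CA). Returns the subject CN on success.
    A server still serving the certificate from the default keyfile.kyr fails
    here with an ssl.SSLError (host-name mismatch or untrusted issuer), which is
    the condition the keyfile fix above addresses. Not exercised offline.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + host name
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)  # raises ssl.SSLError on a bad certificate
        cert = smtp.sock.getpeercert()  # dict, because verification succeeded
    subject = dict(rdn[0] for rdn in cert["subject"])
    return subject.get("commonName")


# Constructed console.log excerpts modelled on the lines quoted in the article.
SAMPLE_BEFORE = [
    "03/09/2016 10:00:50.79 PM ReadKeyfile> Reading keyfile /local/notesdata/keyfile.kyr",
    "03/09/2016 10:00:51.12 PM SMTPClient: SSL handshake error: 1C7Ah",
]
SAMPLE_AFTER = [
    "03/09/2016 10:15:40.45 PM ReadKeyfile> Reading keyfile /local/notesdata/mydomain.ext.kyr",
]

if __name__ == "__main__":
    for label, sample in (("before fix", SAMPLE_BEFORE), ("after fix", SAMPLE_AFTER)):
        print(label, parse_ssl_trace(sample, "mydomain.ext.kyr"))
    # Live check against a real server, e.g.:
    # print(verify_starttls("mail.mydomain.ext", cafile="internal-ca.pem"))
```

The log parser is the offline half: run it over a console.log excerpt and it tells you whether the server is still reading keyfile.kyr, which is what the article's trace shows before the fix. The STARTTLS check is the live half and needs the server's issuing CA in the trust store (pass cafile for an internal CA); a host-name mismatch from ssl.create_default_context() is the expected symptom while the default keyring is still in use.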


__________________

Additional Troubleshooting for Incoming SMTP Mail:
If you see 123.123.123.123 connected, followed by 0 messages received and no other error, enable SMTPDebug=n.
Example, at the Domino console: set config SMTPDebug=3

This notes.ini variable is very useful for generic SMTP and SMTP STARTTLS errors. It prints each command Domino receives and Domino's answer. The levels are:
1 - Minimal logging of the SMTP listener.
2 - Information logging of data sent and received, with some additional debugging information. This level shows the commands and responses being received/sent along with the number of bytes transmitted, but not the text itself.
3 - Verbose logging of data sent and received. Along with the information recorded at level 2, this level shows the actual text received/sent via SMTP. This does not include the text body of messages.
4 - The most verbose setting.


Additional Troubleshooting for Outgoing SMTP Mail:
If you are seeing an error when sending SMTP mail, the corresponding debug notes.ini variable is SMTPClientDebug=n.

Note:
Remember to remove the debug variables from notes.ini when troubleshooting is finished; set config writes them to notes.ini, so they persist across restarts and keep adding log volume until removed.

