
problem with WP Mail SMTP plugin

Discussion in 'Blogs & CMS usage' started by reallove0810, Oct 19, 2018.

  1. reallove0810

    Hello,

    I'm using the WP Mail SMTP plugin, but there was a problem while sending the test email.
    Can anybody help me fix the problem?

    Thanks in advance!

    Log for debugging

    Versions:
    WordPress: 4.9.8
    WordPress MS: No
    PHP: 7.2.11
    WP Mail SMTP: 1.3.3

    Params:
    Mailer: smtp
    Constants: No
    ErrorInfo: SMTP connect() failed. PHPMailer/PHPMailer
    Host: smtp.yandex.com
    Port: 465
    SMTPSecure: ssl
    SMTPAutoTLS: bool(false)
    SMTPAuth: bool(true)

    Server:
    OpenSSL: Yes
    SMTP Debug:
    2018-10-19 09:47:30 Connection: opening to ssl://smtp.yandex.com:465, timeout=300, options=array (
    )
    2018-10-19 09:47:30 Connection: Failed to connect to server. Error number 2. "Error notice: stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    2018-10-19 09:47:30 Connection: Failed to connect to server. Error number 2. "Error notice: stream_socket_client(): Failed to enable crypto
    2018-10-19 09:47:30 Connection: Failed to connect to server. Error number 2. "Error notice: stream_socket_client(): unable to connect to ssl://smtp.yandex.com:465 (Unknown error)
    2018-10-19 09:47:30 SMTP ERROR: Failed to connect to server: (0)
    2018-10-19 09:47:30 SMTP connect() failed. PHPMailer/PHPMailer
     
  2. BamaStangGuy

    Is port 465 open in csf.conf?
     
  3. eva2000

    Which version of Centmin Mod? 123.09beta01 or 123.08stable? When was the last time you updated Centmin Mod and updated the system via yum update? i.e.
    Code (Text):
    yum -y update
    

    And if kernel updates exist, reboot the server afterwards? It could be your CA bundle servers are out of date too. If you haven't done yum updates in ages, the first thing I'd do is a yum update and server reboot, as CA bundle certs are updated via yum too.
    Code (Text):
    yum list installed ca-certificates -q | tr -s ' '
    Installed Packages
    ca-certificates.noarch 2018.2.22-70.0.el7_5 @updates
    

    Code (Text):
    rpm -ql ca-certificates 
    /etc/pki/ca-trust
    /etc/pki/ca-trust/README
    /etc/pki/ca-trust/ca-legacy.conf
    /etc/pki/ca-trust/extracted
    /etc/pki/ca-trust/extracted/README
    /etc/pki/ca-trust/extracted/java
    /etc/pki/ca-trust/extracted/java/README
    /etc/pki/ca-trust/extracted/java/cacerts
    /etc/pki/ca-trust/extracted/openssl
    /etc/pki/ca-trust/extracted/openssl/README
    /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    /etc/pki/ca-trust/extracted/pem
    /etc/pki/ca-trust/extracted/pem/README
    /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
    /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
    /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    /etc/pki/ca-trust/source
    /etc/pki/ca-trust/source/README
    /etc/pki/ca-trust/source/anchors
    /etc/pki/ca-trust/source/blacklist
    /etc/pki/ca-trust/source/ca-bundle.legacy.crt
    /etc/pki/java
    /etc/pki/java/cacerts
    /etc/pki/tls
    /etc/pki/tls/cert.pem
    /etc/pki/tls/certs
    /etc/pki/tls/certs/ca-bundle.crt
    /etc/pki/tls/certs/ca-bundle.trust.crt
    /etc/ssl
    /etc/ssl/certs
    /usr/bin/ca-legacy
    /usr/bin/update-ca-trust
    /usr/share/doc/ca-certificates-2018.2.22/README
    /usr/share/man/man8/ca-legacy.8.gz
    /usr/share/man/man8/update-ca-trust.8.gz
    /usr/share/pki
    /usr/share/pki/ca-trust-legacy
    /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
    /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
    /usr/share/pki/ca-trust-source
    /usr/share/pki/ca-trust-source/README
    /usr/share/pki/ca-trust-source/anchors
    /usr/share/pki/ca-trust-source/blacklist
    /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit
    


    CSF firewall should have whitelisted TCP_OUT/TCP6_OUT for ports 465 and 587 already (CSF Firewall - CentminMod.com LEMP Nginx web stack for CentOS). Check via command:
    Code (Text):
    egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf
    

    What if you switch from ssl/465 to tls/587, as per troubleshooting with PHPMailer scripts (PHPMailer/PHPMailer and PHPMailer/PHPMailer)?

    What's the output for these commands?
    Code (Text):
    echo QUIT | openssl s_client -connect smtp.yandex.com:465
    

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect smtp.gmail.com:587
    

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -connect smtp.gmail.com:587
    

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect smtp.yandex.com:587
    

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -connect smtp.yandex.com:587
    

    When posting code or output from commands, to keep the formatting you might want to use CODE tags for code: How to use forum BBCODE code tags :)

    Example:
    Code (Text):
    echo QUIT | openssl s_client -connect smtp.yandex.com:465 
    CONNECTED(00000003)
    depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
    verify return:1
    depth=1 C = RU, O = Yandex LLC, OU = Yandex Certification Authority, CN = Yandex CA
    verify return:1
    depth=0 C = RU, O = Yandex LLC, OU = ITO, L = Moscow, ST = Russian Federation, CN = smtp.yandex.ru
    verify return:1
    ---
    Certificate chain
     0 s:/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
       i:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
     1 s:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
       i:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
     2 s:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
       i:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MII... snipped...
    -----END CERTIFICATE-----
    subject=/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
    issuer=/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 4716 bytes and written 415 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 7E48BCA70444700111337D8BD0AAAEF084FCDD71770BA48C3D1969DE8ED45481
        Session-ID-ctx: 
        Master-Key: F06A42735EB5E49ED50B11E142E3EF89EA310684281BA09741E55655117285E60954F861FC10EF7062BEA510A7DE36AE
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
        Start Time: 1539984528
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    DONE
    


    Does it work with other 3rd party SMTP servers like Gmail etc.? Or is it just Yandex having issues?
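
The comparison these commands set up (run the same `openssl s_client` probe against several hosts, then read the verify result) can be scripted. The following is an added example, not part of the original posts: the function names are hypothetical and the two sample outputs are constructed in the shape of `openssl s_client` output, with certificate bodies and session fields left out.

```shell
#!/bin/sh
# Added example: summarise `openssl s_client` output for trust-chain triage.
# All function names and sample texts here are constructed for illustration.
# When capturing real output, redirect stderr too (2>&1): the depth= and
# "verify error:" lines are written to stderr, not stdout.

# Numeric "Verify return code" from the output text in $1 (empty if absent).
verify_code() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' |
        tail -n 1
}

# Depth of the certificate named just before the first "verify error:" line.
failing_depth() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*depth=/        { sub(/^[ \t]*depth=/, ""); depth = $1 }
        /^[ \t]*verify error:/ { print depth; exit }'
}

# Issuer ("i:" line) of the last certificate the server sent. For code 20 this
# is the CA that could not be found in the local trust store.
top_issuer() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*i:\(.*\)$/\1/p' | tail -n 1
}

# One-line verdict for a captured s_client run.
triage() {
    code=$(verify_code "$1")
    case "$code" in
        0)  echo "ok: chain verifies against the local trust store" ;;
        20) echo "untrusted: depth $(failing_depth "$1") has no local issuer; needs $(top_issuer "$1")" ;;
        '') echo "no-result: no verify return code in output" ;;
        *)  echo "failed: verify return code $code" ;;
    esac
}

# Constructed sample: a run where the top of the chain has no local issuer.
sample_untrusted() {
    cat <<'EOF'
CONNECTED(00000003)
depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
   i:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
 1 s:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
   i:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
 2 s:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
   i:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
---
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE
EOF
}

# Constructed sample: a run where every depth verifies.
sample_ok() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
verify return:1
depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
   i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
---
    Verify return code: 0 (ok)
---
DONE
EOF
}

echo "sample_untrusted -> $(triage "$(sample_untrusted)")"
echo "sample_ok        -> $(triage "$(sample_ok)")"
```
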
     
  4. reallove0810

    Hello,

    I installed 123.09beta01 4 days ago.
    It works well with Gmail.

    Code (Text):
    yum list installed ca-certificates -q | tr -s ' '
    Installed Packages
    ca-certificates.noarch 2018.2.22-65.1.el6 @CentOS/6.10

    Code (Text):
    rpm -ql ca-certificates
    /etc/pki/ca-trust
    /etc/pki/ca-trust/README
    /etc/pki/ca-trust/ca-legacy.conf
    /etc/pki/ca-trust/extracted
    /etc/pki/ca-trust/extracted/README
    /etc/pki/ca-trust/extracted/java
    /etc/pki/ca-trust/extracted/java/README
    /etc/pki/ca-trust/extracted/java/cacerts
    /etc/pki/ca-trust/extracted/openssl
    /etc/pki/ca-trust/extracted/openssl/README
    /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
    /etc/pki/ca-trust/extracted/pem
    /etc/pki/ca-trust/extracted/pem/README
    /etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
    /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem
    /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    /etc/pki/ca-trust/source
    /etc/pki/ca-trust/source/README
    /etc/pki/ca-trust/source/anchors
    /etc/pki/ca-trust/source/blacklist
    /etc/pki/ca-trust/source/ca-bundle.legacy.crt
    /etc/pki/java
    /etc/pki/java/cacerts
    /etc/pki/tls
    /etc/pki/tls/cert.pem
    /etc/pki/tls/certs
    /etc/pki/tls/certs/ca-bundle.crt
    /etc/pki/tls/certs/ca-bundle.trust.crt
    /etc/ssl
    /etc/ssl/certs
    /usr/bin/ca-legacy
    /usr/bin/update-ca-trust
    /usr/share/doc/ca-certificates-2018.2.22/README
    /usr/share/man/man8/ca-legacy.8.gz
    /usr/share/man/man8/update-ca-trust.8.gz
    /usr/share/pki
    /usr/share/pki/ca-trust-legacy
    /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.default.crt
    /usr/share/pki/ca-trust-legacy/ca-bundle.legacy.disable.crt
    /usr/share/pki/ca-trust-source
    /usr/share/pki/ca-trust-source/README
    /usr/share/pki/ca-trust-source/anchors
    /usr/share/pki/ca-trust-source/blacklist
    /usr/share/pki/ca-trust-source/ca-bundle.neutral-trust.crt
    /usr/share/pki/ca-trust-source/ca-bundle.supplement.p11-kit
    /usr/share/pki/ca-trust-source/ca-bundle.trust.crt

    Code (Text):
    egrep '^TCP_|^TCP6_|^UDP_|^UDP6_' /etc/csf/csf.conf
    TCP_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
    TCP_OUT = "2525,465,1110,1194,9418,20,21,22,25,53,80,110,113,443,587,993,995"
    UDP_IN = "67,68,1110,33434:33534,20,21,53"
    UDP_OUT = "67,68,1110,33434:33534,20,21,53,113,123"
    TCP6_IN = "20,21,22,25,53,80,110,143,161,443,465,587,993,995,1110,1186,1194,81,9418,30001:50011"
    TCP6_OUT = "2525,465,20,21,22,25,53,80,110,113,443,587,993,995"
    UDP6_IN = "20,21,53"
    UDP6_OUT = "20,21,53,113,123"

    TLS/587 output
    Code (Text):
    Versions:
    WordPress: 4.9.8
    WordPress MS: No
    PHP: 7.2.11
    WP Mail SMTP: 1.3.3
    
    Params:
    Mailer: smtp
    Constants: No
    ErrorInfo: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
    Host: smtp.yandex.com
    Port: 587
    SMTPSecure: tls
    SMTPAutoTLS: bool(true)
    SMTPAuth: bool(true)
    
    Server:
    OpenSSL: Yes
    SMTP Debug:
    2018-10-20 11:49:46    Connection: opening to smtp.yandex.com:587, timeout=300, options=array (
    )
    2018-10-20 11:49:46    Connection: opened
    2018-10-20 11:49:47    SERVER -> CLIENT: 220 smtp4j.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
    2018-10-20 11:49:47    CLIENT -> SERVER: EHLO sweetaudio.vn
    2018-10-20 11:49:47    SERVER -> CLIENT: 250-smtp4j.mail.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 42991616
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
    2018-10-20 11:49:47    CLIENT -> SERVER: STARTTLS
    2018-10-20 11:49:48    SERVER -> CLIENT: 220 Go ahead
    2018-10-20 11:49:48    SMTP Error: Could not connect to SMTP host.
    2018-10-20 11:49:48    CLIENT -> SERVER: QUIT
    2018-10-20 11:49:48    SERVER -> CLIENT: [non-printable binary data]
    2018-10-20 11:49:48    SMTP ERROR: QUIT command failed: [non-printable binary data]
    2018-10-20 11:49:48    Connection: closed
    2018-10-20 11:49:48    SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting

    Code (Text):
    echo QUIT | openssl s_client -connect smtp.yandex.com:465
    CONNECTED(00000003)
    depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
       i:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
     1 s:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
       i:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
     2 s:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
       i:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    ---
    Server certificate
    subject=/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
    issuer=/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 4716 bytes and written 373 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 41CBA81B57C06FB23ACE2F0B1773C912836CE0432EB936AEA943BF996EAD8778
        Session-ID-ctx:
        Master-Key: CEFB7E2F775F2FF0C0614F943F80E6035281C8B87BA9EB1D0CB582CC97C383C037290682E6A5591CDEEDD27564633ABB
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
        Start Time: 1540036324
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    DONE

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect smtp.gmail.com:587
    CONNECTED(00000003)
    depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
       i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
     1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
       i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
    issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 3243 bytes and written 408 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 7859B259F97E21E416270B225E20995E7CE2927BD7B1BC501BFE02D0BEDDD030
        Session-ID-ctx:
        Master-Key: 0F3B39CC02B35D5EC2F4C123CA353CB9B980B30F83DF77F8C5AB95F341281749F5EB7B69AA9DD3F6ADF58579964D602B
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 100800 (seconds)
        Start Time: 1540036421
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 SMTPUTF8
    DONE

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -connect smtp.gmail.com:587
    CONNECTED(00000003)
    depth=2 OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = US, O = Google Trust Services, CN = Google Internet Authority G3
    verify return:1
    depth=0 C = US, ST = California, L = Mountain View, O = Google LLC, CN = smtp.gmail.com
    verify return:1
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
       i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
     1 s:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
       i:/OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign
    ---
    Server certificate
    subject=/C=US/ST=California/L=Mountain View/O=Google LLC/CN=smtp.gmail.com
    issuer=/C=US/O=Google Trust Services/CN=Google Internet Authority G3
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 3241 bytes and written 408 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 9E12E077428F1E37DD4BCFBE7521C5253DF1BFAE4FA7F67012F818E02A5DFE39
        Session-ID-ctx:
        Master-Key: F4D9A531FC7C9657E17A3EBD0A9605E2B324659844FD492450B5389F70C48566C4A4F22B768F660B201DC0883B11DA76
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 100800 (seconds)
        Start Time: 1540036497
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 SMTPUTF8
    DONE

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect smtp.yandex.com:587
    CONNECTED(00000003)
    depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
       i:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
     1 s:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
       i:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
     2 s:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
       i:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    ---
    Server certificate
    subject=/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
    issuer=/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 4989 bytes and written 408 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 45D421DAD5328B281963EEF68FF44F3C240C7555FAEA8D60BF6C3B9C8BF18C0C
        Session-ID-ctx:
        Master-Key: D9CF9D91CE604B11BF88185405DD0F2D6FBE8D6B8883927673001C7B405BAAE181F74206652D905AD7FE1F067B40964C
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
    
        Start Time: 1540036617
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    250 ENHANCEDSTATUSCODES
    DONE

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -connect smtp.yandex.com:587
    CONNECTED(00000003)
    depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
       i:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
     1 s:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
       i:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
     2 s:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
       i:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    ---
    Server certificate
    subject=/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
    issuer=/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 4989 bytes and written 408 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: C3152038FD6915F43DCAF67B7849DB0BB5D33B93B3FAD0800947AF8EE36320D1
        Session-ID-ctx:
        Master-Key: 5E0777E6B8AA5CFBB4EC8831EFAC6FB86A7A35A619555E84812CFCCD675F5ECDBBF0F93A393D8A3CE601D5BD97499EB5
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
    
        Start Time: 1540036742
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    250 ENHANCEDSTATUSCODES
    DONE


    I have another server running 1.2.3-eva2000.08
    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/cacert.pem -connect smtp.yandex.com:587
    CONNECTED(00000003)
    depth=3 C = PL, O = Unizeto Sp. z o.o., CN = Certum CA
    verify return:1
    depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
    verify return:1
    depth=1 C = RU, O = Yandex LLC, OU = Yandex Certification Authority, CN = Yandex CA
    verify return:1
    depth=0 C = RU, O = Yandex LLC, OU = ITO, L = Moscow, ST = Russian Federation, CN = smtp.yandex.ru
    verify return:1
    ---
    Certificate chain
     0 s:/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
       i:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
     1 s:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
       i:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
     2 s:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
       i:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    ---
    Server certificate
    subject=/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
    issuer=/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 4989 bytes and written 408 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 09E360ADE6220A34084F99599620662EC6C9434959A3458573A59282DDB85D6C
        Session-ID-ctx:
        Master-Key: D0D74623B1BC2762923DF228884D83A5C18C2FC2B18D0F59BB40A0420AC4DD9AC26EACF3B96F95FC14C2F65B2FD7AD05
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
    
        Start Time: 1540037069
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 ENHANCEDSTATUSCODES
    DONE

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -connect smtp.yandex.com:587
    CONNECTED(00000003)
    depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    ---
    Certificate chain
     0 s:/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
       i:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
     1 s:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
       i:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
     2 s:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
       i:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    ---
    Server certificate
    subject=/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
    issuer=/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 4989 bytes and written 408 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 0ACBB815BCA752C49E6E4FFC9BAE5C36468945DD132797F1851FB6E3EE6B1A3E
        Session-ID-ctx:
        Master-Key: 6BA785D5EFB8B5E7BE941DD8CE01148B876202BABDB89FC0F09A6A81DB8C36F23B59872D25B2E7E51E08914EB6AEE1AE
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
    
        Start Time: 1540037123
        Timeout   : 300 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---
    250 ENHANCEDSTATUSCODES
    DONE
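
Added example, not part of the original posts: the passing and failing transcripts above differ in the `verify error` depth line and the final `Verify return code`. This script parses an OpenSSL 1.0.x-style transcript to name the CA whose certificate the local trust store could not supply, then checks a subject listing for that exact DN. The function names and the second line of the sample subject listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): explain a failed `openssl s_client`
# verification from its transcript. Assumes the OpenSSL 1.0.x output layout.

# Numeric "Verify return code" from a transcript on stdin.
verify_code() {
  awk '/Verify return code:/ { print $4; exit }'
}

# Issuer DN of the chain entry at the depth that raised error 20, i.e. the
# CA certificate the local trust store could not supply.
missing_issuer() {
  awk '
    /^[ \t]*depth=[0-9]+ /          { d = $1; sub(/^depth=/, "", d) }
    /^[ \t]*verify error:num=20:/   { fail = d }
    /^[ \t]*Certificate chain/      { in_chain = 1; next }
    in_chain && /^[ \t]*---/        { in_chain = 0 }
    in_chain && /^[ \t]*[0-9]+ s:/  { idx = $1 }
    in_chain && /^[ \t]*i:/         { dn = $0; sub(/^[ \t]*i:/, "", dn); issuer[idx] = dn }
    END { if (fail != "") print issuer[fail] }
  '
}

# True when the listing on stdin (one "subject= <DN>" line per CA, as printed
# by `openssl x509 -subject -noout` on OpenSSL 1.0.x) contains DN exactly.
# An exact match matters: a substring search for a vendor name also matches
# other CAs operated by the same vendor.
bundle_has_subject() {
  grep -Fxq -- "subject= $1"
}

# $1 = transcript text, $2 = subject listing text.
diagnose() {
  d_code=$(printf '%s\n' "$1" | verify_code)
  if [ "$d_code" = "0" ]; then
    echo "verify code 0: chain trusted"
    return 0
  fi
  d_dn=$(printf '%s\n' "$1" | missing_issuer)
  if [ -n "$d_dn" ] && ! printf '%s\n' "$2" | bundle_has_subject "$d_dn"; then
    echo "verify code $d_code: trust store lacks $d_dn"
  else
    echo "verify code $d_code: issuer is listed or was not identified"
  fi
}

# Constructed sample: the failing transcript from the thread, abridged to the
# lines the parser reads (certificate body and session details omitted).
sample_transcript() {
  cat <<'EOF'
CONNECTED(00000003)
depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
   i:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
 1 s:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
   i:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
 2 s:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
   i:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
---
    Verify return code: 20 (unable to get local issuer certificate)
---
EOF
}

# Constructed subject listing; the second entry is a made-up placeholder CA.
sample_subjects() {
  cat <<'EOF'
subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
subject= /C=US/O=Example Trust/CN=Example Root CA
EOF
}

diagnose "$(sample_transcript)" "$(sample_subjects)"
```

Error 20 is reported at the depth whose issuer could not be found, so the DN to look for is the `i:` line of that chain entry, not the certificate named on the `depth=` line.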
     
  5. eva2000

    eva2000 Administrator Staff Member

    Seems you're using CentOS 6. I checked my CentOS 6 and get the same results as you: Yandex doesn't check out but Gmail does.

    For
    Code (Text):
    echo QUIT | openssl s_client -connect smtp.yandex.com:465
    

    CentOS 6 gives me at ending line
    Code (Text):
    Verify return code: 20 (unable to get local issuer certificate)
    

    CentOS 7 gives me at ending line
    Code (Text):
    Verify return code: 0 (ok)
    


    So I inspected the CentOS 6 system /etc/ssl/certs/ca-bundle.crt and the Centmin Mod downloaded /etc/ssl/certs/cacert.pem listing of trusted CAs (Certificate Authorities) by outputting the CA names listed in the CA bundles for cacert.pem, ca-bundle.crt and ca-bundle.trust.crt.

    3 commands to save output to cacerts.txt and ca-bundle.txt and ca-bundle.trust.txt text files
    Code (Text):
    cat /etc/ssl/certs/cacert.pem | awk -v cmd="openssl x509 -subject -noout" '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }' > cacerts.txt
    
    cat /etc/ssl/certs/ca-bundle.crt | awk -v cmd="openssl x509 -subject -noout" '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }' > ca-bundle.txt
    
    cat /etc/ssl/certs/ca-bundle.trust.crt | awk -v cmd="openssl x509 -subject -noout" '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }' > ca-bundle.trust.txt
    

    Search for Yandex and Certum CA in those text files
    Code (Text):
    egrep -i 'certum|yandex' cacerts.txt ca-bundle.txt ca-bundle.trust.txt
    

    They do exist for certum on both my CentOS 6 and 7 tests
    Code (Text):
    egrep -i 'certum|yandex' cacerts.txt ca-bundle.txt ca-bundle.trust.txt
    cacerts.txt:subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
    cacerts.txt:subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
    ca-bundle.txt:subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
    ca-bundle.txt:subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
    ca-bundle.trust.txt:subject= /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    ca-bundle.trust.txt:subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
    

    But only Certum CA is in CA bundles, Yandex CA is not.

    So strange. Googling, some folks reported that for new Yandex accounts they need to log in to the web interface to accept the EULA before SMTP worked, so that could be it too?

    Edit: interesting, doing strace on the openssl s_client command to see what files are opened/inspected, to see where CentOS 6 and CentOS 7 are reading the SSL cert/CA from, and they do differ.

    ran command on both centos 6 and 7
    Code (Text):
    strace -o strace.txt openssl s_client -connect smtp.yandex.com:465 -showcerts
    

    centos 6 reads
    Code (Text):
    cat strace.txt | grep open | grep cert
    execve("/usr/bin/openssl", ["openssl", "s_client", "-connect", "smtp.yandex.com:465", "-showcerts"], [/* 31 vars */]) = 0
    open("/etc/pki/tls/cert.pem", O_RDONLY) = 3
    

    centos 6 symlinks /etc/pki/tls/cert.pem to
    Code (Text):
    ls -lah /etc/pki/tls/cert.pem
    lrwxrwxrwx 1 root root 19 Jul  4 03:40 /etc/pki/tls/cert.pem -> certs/ca-bundle.crt
    

    centos 7 reads
    Code (Text):
    cat strace.txt | grep open | grep cert
    execve("/usr/bin/openssl", ["openssl", "s_client", "-connect", "smtp.yandex.com:465", "-showcerts"], [/* 32 vars */]) = 0
    open("/etc/pki/tls/cert.pem", O_RDONLY) = 3
    

    centos 7 symlinks /etc/pki/tls/cert.pem to
    Code (Text):
    ls -lah /etc/pki/tls/cert.pem
    lrwxrwxrwx 1 root root 49 May 22 09:42 /etc/pki/tls/cert.pem -> /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
    

    so inspect centos 6 /etc/pki/tls/cert.pem
    Code (Text):
    cat /etc/pki/tls/cert.pem | awk -v cmd="openssl x509 -subject -noout" '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }' > cert.pem.txt
    

    Certum CA exists but not Yandex
    Code (Text):
    egrep -i 'certum|yandex' cert.pem.txt
    subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
    subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
    

    so inspect centos 7 /etc/pki/tls/cert.pem
    Code (Text):
    cat /etc/pki/tls/cert.pem | awk -v cmd="openssl x509 -subject -noout" '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }' > cert.pem.txt
    

    same Certum CA exists but not Yandex
    Code (Text):
    egrep -i 'certum|yandex' cert.pem.txt
    subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
    subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
    


    Try updating manually to latest CA bundle from Mozilla
    Code (Text):
    wget -O /etc/ssl/certs/cacert.pem https://curl.haxx.se/ca/cacert-2018-10-17.pem
    

    only contains Certum no Yandex CA
    Code (Text):
    egrep -i 'certum|yandex' /etc/ssl/certs/cacert.pem
    Certum Trusted Network CA
    Certum Trusted Network CA 2
    


    Problem seems to be the Certum CA cert on CentOS 6, as I tried downloading the Certum CA from their web site: on CentOS 7 I can download it, but on CentOS 6 I get an SSL CA cert verification error.

    centos 7
    Code (Text):
    wget -O certum-ca.pem https://www.certum.pl/CA.pem
    --2018-10-20 18:32:57--  https://www.certum.pl/CA.pem
    Resolving www.certum.pl... 213.222.201.147
    Connecting to www.certum.pl|213.222.201.147|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1119 (1.1K) [text/plain]
    Saving to: ‘certum-ca.pem’
    
    certum-ca.pem                                                  100%[==================================================================================================================================================>]   1.09K  --.-KB/s    in 0s
    
    2018-10-20 18:32:58 (62.0 MB/s) - ‘certum-ca.pem’ saved [1119/1119]
    
    

    centos 6
    Code (Text):
    wget -O certum-ca.pem https://www.certum.pl/CA.pem
    --2018-10-20 18:32:29--  https://www.certum.pl/CA.pem
    Resolving www.certum.pl... 213.222.201.147
    Connecting to www.certum.pl|213.222.201.147|:443... connected.
    ERROR: cannot verify www.certum.pl's certificate, issued by ‘CN=Certum Extended Validation CA SHA2,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL’:
      Unable to locally verify the issuer's authority.
    To connect to www.certum.pl insecurely, use `--no-check-certificate'.
    

    Now if I do a wget download with no SSL check and use the downloaded Certum CA to do the openssl s_client check, it passes on CentOS 6.
    Code (Text):
    wget -O certum-ca.pem https://www.certum.pl/CA.pem --no-check-certificate
    
    echo QUIT | openssl s_client -CAfile /etc/ssl/certs/certum-ca.pem -connect smtp.yandex.com:465
    
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/certum-ca.pem -connect smtp.yandex.com:587
    

    Code (Text):
    echo QUIT | openssl s_client -CAfile /etc/ssl/certs/certum-ca.pem -connect smtp.yandex.com:465
    CONNECTED(00000003)
    depth=3 C = PL, O = Unizeto Sp. z o.o., CN = Certum CA
    verify return:1
    depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
    verify return:1
    depth=1 C = RU, O = Yandex LLC, OU = Yandex Certification Authority, CN = Yandex CA
    verify return:1
    depth=0 C = RU, O = Yandex LLC, OU = ITO, L = Moscow, ST = Russian Federation, CN = smtp.yandex.ru
    verify return:1
    ---
    Certificate chain
     0 s:/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
       i:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
     1 s:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
       i:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
     2 s:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
       i:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    ---
    Server certificate
    subject=/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
    issuer=/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 4716 bytes and written 373 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: 8EFB6B28E3A31562C93CDC6E569DFCE3D31017BAA8D0695FB4EBEC4439C98FA3
        Session-ID-ctx:
        Master-Key: FD0251E10D05FF05AD42E92C92CAED538D1F1833388D970AC463A4975C46647276FB7CB0D715B59FD82C2592854E116E
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
    
        Start Time: 1540061441
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    DONE
    

    Code (Text):
    echo QUIT | openssl s_client -crlf -starttls smtp -CAfile /etc/ssl/certs/certum-ca.pem -connect smtp.yandex.com:587   
    CONNECTED(00000003)
    depth=3 C = PL, O = Unizeto Sp. z o.o., CN = Certum CA
    verify return:1
    depth=2 C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA
    verify return:1
    depth=1 C = RU, O = Yandex LLC, OU = Yandex Certification Authority, CN = Yandex CA
    verify return:1
    depth=0 C = RU, O = Yandex LLC, OU = ITO, L = Moscow, ST = Russian Federation, CN = smtp.yandex.ru
    verify return:1
    ---
    Certificate chain
     0 s:/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
       i:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
     1 s:/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
       i:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
     2 s:/C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
       i:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIGazCCBVOgAwIBAgIQcUU9mJXW4OUs5Gf0JfLtsjANBgkqhkiG9w0BAQsFADBf
    MQswCQYDVQQGEwJSVTETMBEGA1UEChMKWWFuZGV4IExMQzEnMCUGA1UECxMeWWFu
    ZGV4IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MRIwEAYDVQQDEwlZYW5kZXggQ0Ew
    HhcNMTcxMDExMTMyNzI2WhcNMTkxMDExMTMyNzI2WjB3MQswCQYDVQQGEwJSVTET
    MBEGA1UECgwKWWFuZGV4IExMQzEMMAoGA1UECwwDSVRPMQ8wDQYDVQQHDAZNb3Nj
    b3cxGzAZBgNVBAgMElJ1c3NpYW4gRmVkZXJhdGlvbjEXMBUGA1UEAwwOc210cC55
    YW5kZXgucnUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTI5WsplxQ
    g7gZDCEmnbxHI0a0/cXtx0+Zwz7Y9TSFy0NI/SzYC+bgukWvsnvuIheM3yKpJ+cU
    Ss2G+K3nKOYDNJUezzziirhu3UVC/tZLD39orKKGAa6qmx5Dv2Z7/ynkOfKZjmXB
    t9HemoCItyM62YTD8AQQmkMCB4Kue+j2wm8fHxPtgIYuQzEtD9xCU9vANj6imgaM
    IlrM0cegknd6sWBDR074pDsBEUjg2GsNSqAo2nD0tvOGCFZ2qkIMLIjZgsCmtain
    nM7Xt+THw8ApMu9BVsgTyXMTfVC0CzfB1HbId1UzqIbILprB3iLrxCHn3K1F68ok
    WfBXBDY4gphTAgMBAAGjggMJMIIDBTAMBgNVHRMBAf8EAjAAMGkGA1UdHwRiMGAw
    L6AtoCuGKWh0dHA6Ly9jcmxzLnlhbmRleC5uZXQvY2VydHVtL3ljYXNoYTIuY3Js
    MC2gK6AphidodHRwOi8veWFuZGV4LmNybC5jZXJ0dW0ucGwveWNhc2hhMi5jcmww
    cQYIKwYBBQUHAQEEZTBjMCwGCCsGAQUFBzABhiBodHRwOi8veWFuZGV4Lm9jc3At
    cmVzcG9uZGVyLmNvbTAzBggrBgEFBQcwAoYnaHR0cDovL3JlcG9zaXRvcnkuY2Vy
    dHVtLnBsL3ljYXNoYTIuY2VyMB8GA1UdIwQYMBaAFDdc4xngso6hqE7Sz6vQ3OML
    XDVNMB0GA1UdDgQWBBTC1Kbatmr8y04cui/VCaPVq1mgKzAOBgNVHQ8BAf8EBAMC
    BaAwggEXBgNVHSAEggEOMIIBCjCCAQYGDCqEaAGG9ncCBQEKAjCB9TCB8gYIKwYB
    BQUHAgIwgeUwIBYZVW5pemV0byBUZWNobm9sb2dpZXMgUy5BLjADAgECGoHAVXNh
    Z2Ugb2YgdGhpcyBjZXJ0aWZpY2F0ZSBpcyBzdHJpY3RseSBzdWJqZWN0ZWQgdG8g
    dGhlIENFUlRVTSBDZXJ0aWZpY2F0aW9uIFByYWN0aWNlIFN0YXRlbWVudCAoQ1BT
    KSBpbmNvcnBvcmF0ZWQgYnkgcmVmZXJlbmNlIGhlcmVpbiBhbmQgaW4gdGhlIHJl
    cG9zaXRvcnkgYXQgaHR0cHM6Ly93d3cuY2VydHVtLnBsL3JlcG9zaXRvcnkuMB0G
    A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjARBglghkgBhvhCAQEEBAMCBsAw
    egYDVR0RBHMwcYIOc210cC55YW5kZXgucnWCDnNtdHAueWFuZGV4LmJ5gg5zbXRw
    LnlhbmRleC5reoIPc210cC55YW5kZXguY29tgg5zbXRwLnlhbmRleC51YYISc210
    cC55YW5kZXguY29tLnRyggpzbXRwLnlhLnJ1MA0GCSqGSIb3DQEBCwUAA4IBAQA1
    GjyKSYMgaRVLGd4EWtB3oTkybDu5QrUXt/eoZiquzUqZwk7x9FRsEEirawKsrSS6
    FXcliRD7xcXneROVDZK1a4ur6974vn742B/lOx9T/7+6a8XQo4jz191zZWS3J47G
    dSvkMZPSdsZPxn7cDbAymFP4yw3b/aJJBFarpYTUixvRXZardO93VAFx157pCt/8
    3dN7jLWyYVWBvZh93JioukAu9uDt7Nzuq9XhTBLUzLnFFi4vXVsssKk7h3X2sMNU
    kZ3EPMAOSsvl9XY5RHZJs7BZubvGgnDxxGFfziP1XnTbL4MRCAXbdhwx3nmnQ3yZ
    nRG0DfdqYIuPGApFORYe
    -----END CERTIFICATE-----
    subject=/C=RU/O=Yandex LLC/OU=ITO/L=Moscow/ST=Russian Federation/CN=smtp.yandex.ru
    issuer=/C=RU/O=Yandex LLC/OU=Yandex Certification Authority/CN=Yandex CA
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 4989 bytes and written 408 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES128-GCM-SHA256
        Session-ID: F7D11573F16B6F32464E1936AA3AAF09F3459D11D7B8E484ACB6FFEA7E5C6F7B
        Session-ID-ctx:
        Master-Key: 1386C16EB805596031C75647C8A6CC0262A106E789F336972AE18DCDB3309EAFD11D7A5F2F85860FDED6D539957BD00F
        Key-Arg   : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket:
        0000 - a0 5e 7b 46 0e 19 d9 bf-27 c8 38 0c a0 1d f5 a3   .^{F....'.8.....
        0010 - 0b da b7 cc dd 57 af 13-2f 50 7c 3c 38 49 01 16   .....W../P|<8I..
        0020 - 22 f8 a3 66 26 ca c4 6b-b7 c7 20 fa 7c 3e f5 49   "..f&..k.. .|>.I
        0030 - a5 8d 54 27 67 7a 3a e4-7f f1 57 dc 43 c7 39 ff   ..T'gz:...W.C.9.
        0040 - 2f 88 90 a5 73 37 86 dc-6a d8 96 a9 0e b6 6f 15   /...s7..j.....o.
        0050 - 93 a9 d2 df 4a 90 04 f3-af 96 b8 7c 31 55 57 5a   ....J......|1UWZ
        0060 - ea 6d 16 e0 17 18 b4 4f-ea 05 b0 d7 7d 92 95 c8   .m.....O....}...
        0070 - 54 42 9d 9f b3 07 e8 e0-74 79 20 05 4d e1 d1 b6   TB......ty .M...
        0080 - a4 5b ac 2d 2c f1 3c 33-42 a0 ee c6 49 26 c5 bf   .[.-,.<3B...I&..
        0090 - 69 8d 37 c4 54 8d 44 3d-35 2f 53 e3 e2 0a 94 d4   i.7.T.D=5/S.....
    
        Start Time: 1540061267
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    250 ENHANCEDSTATUSCODES
    DONE
    

    Inspect /etc/ssl/certs/cacert-yandex.pem
    Code (Text):
    cat /etc/ssl/certs/cacert-yandex.pem | awk -v cmd="openssl x509 -subject -noout" '/-----BEGIN/ { c = $0; next } c { c = c "\n" $0 } /-----END/ { print c|cmd; close(cmd); c = 0 }' > cacert-yandex.txt
    

    See the additional Certum CA entry, which allows the Yandex SMTP SSL cert to verify properly
    Code (Text):
    egrep -i 'certum|yandex' cacert-yandex.txt
    subject= /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
    subject= /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA 2
    

    So the problem is with CentOS 6's system CA bundle not having the latest Certum CA cert in the trusted bundle.

    Modifying the system CA bundle might not be the way to fix it on CentOS 6, as yum updates will overwrite it, so we can try this.

    Take the Centmin Mod downloaded cacert.pem and make a copy at cacert-yandex.pem
    Code (Text):
    cp -a /etc/ssl/certs/cacert.pem /etc/ssl/certs/cacert-yandex.pem
    

    Download the Certum CA from the official site as /etc/ssl/certs/certum-ca.pem
    Code (Text):
    wget -O /etc/ssl/certs/certum-ca.pem https://www.certum.pl/CA.pem --no-check-certificate
    

    /etc/ssl/certs/certum-ca.pem would have the working Certum CA cert, which you need to add to /etc/ssl/certs/cacert-yandex.pem in the format below using a Linux text editor like nano/vim
    Code (Text):
    Certum CA
    =========
    -----BEGIN CERTIFICATE-----
    MIIDDDCCAfSgAwIBAgIDAQAgMA0GCSqGSIb3DQEBBQUAMD4xCzAJBgNVBAYTAlBM
    MRswGQYDVQQKExJVbml6ZXRvIFNwLiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1bSBD
    QTAeFw0wMjA2MTExMDQ2MzlaFw0yNzA2MTExMDQ2MzlaMD4xCzAJBgNVBAYTAlBM
    MRswGQYDVQQKExJVbml6ZXRvIFNwLiB6IG8uby4xEjAQBgNVBAMTCUNlcnR1bSBD
    QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6xwS7TT3zNJc4YPk/E
    jG+AanPIW1H4m9LcuwBcsaD8dQPugfCI7iNS6eYVM42sLQnFdvkrOYCJ5JdLkKWo
    ePhzQ3ukYbDYWMzhbGZ+nPMJXlVjhNWo7/OxLjBos8Q82KxujZlakE403Daaj4GI
    ULdtlkIJ89eVgw1BS7Bqa/j8D35in2fE7SZfECYPCE/wpFcozo+47UX2bu4lXapu
    Ob7kky/ZR6By6/qmW6/KUz/iDsaWVhFu9+lmqSbYf5VT7QqFiLpPKaVCjF62/IUg
    AKpoC6EahQGcxEZjgoi2IrHu/qpGWX7PNSzVttpd90gzFFS269lvzs2I1qsb2pY7
    HVkCAwEAAaMTMBEwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEA
    uI3O7+cUus/usESSbLQ5PqKEbq24IXfS1HeCh+YgQYHu4vgRt2PRFze+GXYkHAQa
    TOs9qmdvLdTN/mUxcMUbpgIKumB7bVjCmkn+YzILa+M6wKyrO7Do0wlRjBCDxjTg
    xSvgGrZgFCdsMneMvLJymM/NzD+5yCRCFNZX/OYmQ6kd5YCQzgNUKD73P9P4Te1q
    CjqTE5s7FCMTY5w/0YcneeVMUeMBrYVdGjux1XMQpNPyvG5k9VpWkKjHDkx0Dy5x
    O/fIR/RpbxXyEV6DHpx8Uq79AtoSqFlnGNu8cN2bsWntgM6JQEhqDjXKKWYVIZQs
    6GAqm4VKQPNriiTsBhYscw==
    -----END CERTIFICATE-----
    

    Then edit /etc/centminmod/php.d/curlcainfo.ini and change the line from
    Code (Text):
    curl.cainfo = '/etc/ssl/certs/cacert.pem'
    

    to
    Code (Text):
    curl.cainfo = '/etc/ssl/certs/cacert-yandex.pem'
    openssl.cafile = '/etc/ssl/certs/cacert-yandex.pem'
    

    Then restart php-fpm
    Code (Text):
    fpmrestart
    


    Now see if it works in WordPress/SMTP.

    The only issue will be that /etc/ssl/certs/cacert-yandex.pem will eventually run out of sync with the latest updated /etc/ssl/certs/cacert.pem that Centmin Mod auto-downloads when the cacert.pem on disk is older than 6 months.

    The long-term fix is that CentOS 6's system ca-certificates needs an update to include a Certum CA certificate that is up to date, like CentOS 7.
     
    Last edited: Oct 21, 2018
  6. reallove0810

    reallove0810 New Member

    Thanks so much for your help.
    Now it works fine ^^
     
  7. eva2000

    eva2000 Administrator Staff Member

    You're welcome and thanks for the confirmation that the workaround fixes it :)
     