Ralf Hildebrandt:
> @charite were suddenly encountering several domains that don't seem to
> implement STARTTLS properly.
>
> mailq exhibits the following behaviour:
>
> 3VRgn515L4zKg2v   443924 Tue Apr 10 10:01:13  sen...@charite.de
> (lost connection with mail2.trioncology.org[81.252.237.162] while sending
> RCPT TO)
>                                          recipi...@trioncology.org
Fails with OpenSSL 1.0.1a with default setting ("smtp_tls_protocols = !SSLv2"):

Apr 24 19:25:33 spike postfix/smtp[28601]: 3Vcgd83t7Szk2RQ: to=<postmaster@[81.252.237.162]>, relay=81.252.237.162[81.252.237.162]:25, delay=1.4, delays=0.2/0.01/1.2/0, dsn=4.4.2, status=undeliverable (lost connection with 81.252.237.162[81.252.237.162] while sending MAIL FROM)

Works with OpenSSL 1.0.1a with "smtp_tls_protocols = !TLSv1.2":

Apr 24 19:27:13 spike postfix/smtp[28813]: 3Vcgg33fZ5zk2RQ: to=<postmaster@[81.252.237.162]>, relay=81.252.237.162[81.252.237.162]:25, delay=1.9, delays=0.21/0.01/1.2/0.48, dsn=5.7.1, status=undeliverable (host 81.252.237.162[81.252.237.162] said: 550 5.7.1 Unable to relay for postmaster@[81.252.237.162] (in reply to RCPT TO command))

So, TLSv1.2 is giving trouble.

> 3VRkVt1QCQz1tpC   713456 Tue Apr 10 12:04:06  sen...@charite.de
> (lost connection with mail.seronosymposia.org[77.43.17.211] while sending
> MAIL FROM)
>                                          recipi...@seronosymposia.org

Same result as above.

Fails with OpenSSL 1.0.1a with default setting ("smtp_tls_protocols = !SSLv2"):

Apr 24 19:31:25 spike postfix/smtp[29208]: 3Vcglv1jQVzk2RQ: to=<postmaster@[77.43.17.211]>, relay=77.43.17.211[77.43.17.211]:25, delay=2, delays=0.21/0.01/1.7/0, dsn=4.4.2, status=undeliverable (lost connection with 77.43.17.211[77.43.17.211] while sending MAIL FROM)

Works with OpenSSL 1.0.1a with "smtp_tls_protocols = !TLSv1.2":

Apr 24 19:32:02 spike postfix/smtp[29314]: 3VcgmV6bhxzk2RQ: to=<postmaster@[77.43.17.211]>, relay=77.43.17.211[77.43.17.211]:25, delay=7.2, delays=0.2/0.01/1.7/5.2, dsn=5.7.1, status=undeliverable (host 77.43.17.211[77.43.17.211] said: 550 5.7.1 Unable to relay for postmaster@[77.43.17.211] (in reply to RCPT TO command))

So it is a good thing that I put out those updates today.

Which leaves me wondering how other MTAs deal with this.

Given the way OpenSSL works, there is no way for a program to specify
what TLS protocols it wants to use. Instead, a program can only specify
what TLS protocols it does not want. This means that new code needs to
be added whenever a new protocol is added to OpenSSL, otherwise that
protocol can't be turned off.

	Wietse
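The exclusion-only arithmetic Wietse describes, as an added example that is not part of the thread and not Postfix's own code: a small Python model of how an `smtp_tls_protocols` value such as `!SSLv2` or `!SSLv2, !TLSv1.2` becomes a "disable these" bitmask (the only shape the OpenSSL `SSL_OP_NO_*` interface accepts), and how the same mask translates into `openssl s_client -starttls smtp` switches so the failing handshake can be reproduced by hand against a server like the ones in the log. The protocol table is constructed for this example and deliberately fixed to what a 1.0.1-era client knew; case-insensitive name matching is assumed to mirror Postfix's lookup. A name missing from the table cannot be excluded at all, which is the maintenance burden the message points out.

```python
import re

# Constructed table of the protocols this model knows about (the set an
# OpenSSL 1.0.1-era client could negotiate). Like the fixed name table in
# Postfix, anything absent from it cannot be named in a "!"-exclusion.
PROTOCOL_BITS = {
    "SSLv2": 1 << 0,
    "SSLv3": 1 << 1,
    "TLSv1": 1 << 2,
    "TLSv1.1": 1 << 3,
    "TLSv1.2": 1 << 4,
}
ALL_PROTOCOLS = sum(PROTOCOL_BITS.values())

# openssl s_client switches that set the corresponding SSL_OP_NO_* option.
S_CLIENT_NO_FLAG = {
    "SSLv2": "-no_ssl2",
    "SSLv3": "-no_ssl3",
    "TLSv1": "-no_tls1",
    "TLSv1.1": "-no_tls1_1",
    "TLSv1.2": "-no_tls1_2",
}

# Case-insensitive name lookup (assumed to match Postfix's table lookup).
_BY_LOWER = {name.lower(): bit for name, bit in PROTOCOL_BITS.items()}


class ProtocolListError(ValueError):
    """A protocol name that is not in the table can be neither included nor excluded."""


def exclusion_mask(plist: str) -> int:
    """Turn an smtp_tls_protocols-style list into a bitmask of protocols to disable.

    Names prefixed with "!" are excluded. If the list also names protocols
    without "!", everything not named that way is excluded as well, so the
    result is always an exclusion mask: the only thing SSL_OP_NO_* can express.
    """
    exclude = include = 0
    for tok in re.split(r"[\s,:]+", plist.strip()):
        if not tok:
            continue
        negated = tok.startswith("!")
        name = tok[1:] if negated else tok
        bit = _BY_LOWER.get(name.lower())
        if bit is None:
            raise ProtocolListError(f"unknown TLS protocol name: {name!r}")
        if negated:
            exclude |= bit
        else:
            include |= bit
    if include == 0:
        return exclude
    return exclude | (ALL_PROTOCOLS & ~include)


def enabled_protocols(plist: str) -> list:
    """Protocols the client would still offer after applying the exclusion mask."""
    mask = exclusion_mask(plist)
    return [name for name, bit in PROTOCOL_BITS.items() if not mask & bit]


def s_client_command(plist: str, host: str, port: int = 25) -> list:
    """Build an openssl s_client invocation that negotiates like a Postfix
    client configured with `plist`, for reproducing a STARTTLS failure by hand."""
    mask = exclusion_mask(plist)
    cmd = ["openssl", "s_client", "-starttls", "smtp", "-connect", f"{host}:{port}"]
    cmd += [S_CLIENT_NO_FLAG[n] for n, bit in PROTOCOL_BITS.items() if mask & bit]
    return cmd


if __name__ == "__main__":
    for plist in ("!SSLv2", "!SSLv2, !TLSv1.2", "TLSv1 TLSv1.2"):
        print(f"{plist!r:22} -> {enabled_protocols(plist)}")
    print(" ".join(s_client_command("!SSLv2, !TLSv1.2", "81.252.237.162")))
    try:
        # A protocol the table predates cannot be switched off by name.
        exclusion_mask("!TLSv1.3")
    except ProtocolListError as e:
        print("cannot exclude what the table does not know:", e)
```

Running the generated `openssl s_client` line with and without `-no_tls1_2` against a suspect host is the quickest way to confirm that the server drops the connection on a TLSv1.2 ClientHello rather than on something else in the SMTP dialogue.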