Hello,

I hit an MX-Server with weak DH:

# SLES-Host
# posttls-finger iutax.de
posttls-finger: Connected to iutax.de.pri-mx.eu0105.smtproutes.com[94.186.192.102]:25
posttls-finger: < 220 gmy2-mh901.smtproutes.com kath-5.0.3 ESMTP Ready
posttls-finger: > EHLO idvmailout03.datev.de
posttls-finger: < 250-gmy2-mh901.smtproutes.com says Hello [193.27.49.129]
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 OK
posttls-finger: > STARTTLS
posttls-finger: < 220 Ready to start TLS
posttls-finger: SSL_connect error to iutax.de.pri-mx.eu0105.smtproutes.com[94.186.192.102]:25: -1
posttls-finger: warning: TLS library problem: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3338:

Messages to that destination are delivered without STARTTLS later.
But: the destination hosts multiple domains.
So a significant portion of our outbound volume goes unencrypted over the wire.

The TLS connect doesn't fail on all of my systems. Some hosts (other OS) do succeed:

# Debian Jessie Host
# posttls-finger -c iutax.de
posttls-finger: iutax.de.pri-mx.eu0105.smtproutes.com[94.186.192.102]:25: Matched subjectAltName: *.smtproutes.com
posttls-finger: iutax.de.pri-mx.eu0105.smtproutes.com[94.186.192.102]:25: subjectAltName: smtproutes.com
posttls-finger: iutax.de.pri-mx.eu0105.smtproutes.com[94.186.192.102]:25 CommonName *.smtproutes.com
posttls-finger: certificate verification failed for iutax.de.pri-mx.eu0105.smtproutes.com[94.186.192.102]:25: untrusted issuer /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
posttls-finger: iutax.de.pri-mx.eu0105.smtproutes.com[94.186.192.102]:25: subject_CN=*.smtproutes.com, issuer_CN=RapidSSL CA, fingerprint=C5:0D:BC:A1:89:83:5D:95:CE:65:BA:F2:31:3C:7F:52:CA:1A:C3:DB, pkey_fingerprint=E9:BF:E7:6F:79:E0:42:59:59:BB:A0:DC:69:F9:AC:73:96:D0:29:5F
posttls-finger: Untrusted TLS connection established to iutax.de.pri-mx.eu0105.smtproutes.com[94.186.192.102]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)


I guess first I should know why the same Postfix version behaves differently on SLES and Debian
-> which settings should I check to find potentially different configurations?

Andreas
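As an added example (not part of Andreas' post), a small Python parser that reduces a posttls-finger run to the facts worth comparing across sending hosts: negotiated protocol, cipher and key bits, the trust level, and whether the handshake died with "dh key too small". The regex wording follows the output quoted above, and the trimmed sample outputs with placeholder host/IP are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Patterns written against the posttls-finger output quoted in the post;
# other Postfix versions may word these lines differently (assumption).
HOST_RE = re.compile(r"posttls-finger: (?:SSL_connect error to |Connected to )?"
                     r"[^\s:\[]+\[([0-9a-fA-F.:]+)\]:\d+")
ESTABLISHED_RE = re.compile(r"posttls-finger: (\w+) TLS connection established to \S+: "
                            r"(TLSv[\d.]+) with cipher ([\w-]+) \((\d+)/\d+ bits\)")
ERROR_RE = re.compile(r"posttls-finger: warning: TLS library problem: (.*)")

@dataclass
class TlsResult:
    ip: Optional[str] = None
    trust: Optional[str] = None      # Anonymous / Untrusted / Trusted / Verified
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    bits: Optional[int] = None       # key bits of the negotiated cipher
    error: Optional[str] = None      # TLS library error, if the handshake failed

    @property
    def encrypted(self) -> bool:
        return self.cipher is not None and self.error is None

    @property
    def dh_too_small(self) -> bool:
        return self.error is not None and "dh key too small" in self.error

def parse_posttls_finger(output: str) -> TlsResult:
    """Reduce one posttls-finger run to a TlsResult. Splits on the prefix,
    not on newlines, because mail archives often join output lines as above."""
    result = TlsResult()
    for chunk in re.split(r"(?=posttls-finger: )", output):
        chunk = chunk.strip()
        if (m := HOST_RE.match(chunk)) and result.ip is None:
            result.ip = m.group(1)
        if m := ESTABLISHED_RE.match(chunk):
            result.trust, result.protocol, result.cipher = m.group(1, 2, 3)
            result.bits = int(m.group(4))
        if m := ERROR_RE.match(chunk):
            result.error = m.group(1).strip()
    return result

# Constructed samples, trimmed from the two outputs in the post (placeholder host/IP).
SLES_OUTPUT = """posttls-finger: Connected to mx.example[192.0.2.10]:25.
posttls-finger: SSL_connect error to mx.example[192.0.2.10]:25: -1 posttls-finger: warning: TLS library problem: error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3338:"""
DEBIAN_OUTPUT = """posttls-finger: mx.example[192.0.2.10]:25: subject_CN=*.example, issuer_CN=Example CA
posttls-finger: Untrusted TLS connection established to mx.example[192.0.2.10]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)"""
```

Running the same parser over posttls-finger output from each sending host turns the SLES/Debian difference above into a table that can be diffed against each host's Postfix and OpenSSL settings.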
