On Sat, Oct 01, 2022 at 08:19:41PM -0600, Shawn Heisey wrote:

> These numbers suggest that most full connections are in fact using TLS.

More precisely, most attempts at STARTTLS succeed. Neither set of numbers counts connections where STARTTLS was not even attempted.

> Here is the log from two connections that were made using TLS where it
> was aborted without trying to transfer mail, and the disconnect log
> doesn't have starttls in it:
>
> ----------------
> Sep 25 00:05:26 bilbo postfix/smtps/smtpd[492903]: connect from
> unknown[170.205.161.87]
> Sep 25 00:05:27 bilbo postfix/smtps/smtpd[492903]: Anonymous TLS
> connection established from unknown[170.205.161.87]: TLSv1.2
> with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Not surprising, since this is the "smtps" *wrapper mode*, TLS-on-connect service, which does not use STARTTLS, because it is SMTP inside TLS, rather than SMTP inside STARTTLS inside SMTP.

> Sep 25 00:05:31 bilbo postfix/smtps/smtpd[492903]: warning:
> unknown[170.205.161.87]: SASL PLAIN authentication failed:

The client is probably trying to brute force passwords.

> I leave it to you to decide whether the omission of any info about TLS
> in the disconnect log for this type of connection constitutes a bug.

The use of TLS is implicit here, "smtps" always performs TLS before any SMTP commands can happen.

> The config I was aiming for should not allow authentication on anything
> other than port 587,

Actually, it is also clearly allowed on port 465, which is the port used for "smtps". The client tries to guess a password, and the guess fails.

> so even if somehow they have the right password, it shouldn't allow
> the connection.

Actually, they'd likely succeed.

> I do have it listening on port 465, hopefully I got the config right
> so that does not allow authentication. I think I also disabled TLS
> below 1.2 on port 587.

What would be the use of "465" if SASL authentication is not allowed? It should be configured essentially the same way (modulo wrapper mode, and the service name) as port 587.

> I may be in the minority using a "real" cert (from LE).

Minority or not, these are fairly common, though of course not universal.

> Mostly offtopic but interesting to me: Right after those logs, mail.log
> contains a message about a failed TLS connection to dovecot on one of
> the imap ports. For dovecot, I am refusing connections with TLS below 1.2:
>
> Sep 25 00:07:45 bilbo dovecot: imap-login: Disconnected: Connection
> closed: SSL_accept() failed: error:14209102:SSL
> routines:tls_early_post_process_client_hello:unsupported protocol (no
> auth attempts in 3 secs): user=<>, rip=205.210.31.140, lip=172.31.8.104,
> TLS handshaking: SSL_accept() failed: error:14209102:SSL
> routines:tls_early_post_process_client_hello:unsupported protocol,
> session=<x8XLOnrp39PN0h+M>

The connection was from:

    NetRange:     205.210.31.0 - 205.210.31.255
    CIDR:         205.210.31.0/24
    NetName:      PAN-22
    Organization: Palo Alto Networks, Inc (PAN-22)

I would not expect TLS version scans from them, but perhaps they too carry out TLS feature studies where they look for support for legacy TLS versions.

--
Viktor.
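The point Viktor makes above is that the disconnect summary of an "smtps" (wrapper-mode) session never carries a starttls counter, so a log reader that keys "used TLS" on that counter undercounts, and that the failed SASL attempts on 465 are the thing worth watching. The following is an added example, not code from the thread or from the Postfix project: a small Python parser that reconstructs smtpd sessions from the log, records whether TLS was implicit (wrapper mode) or negotiated via STARTTLS, and totals failed SASL attempts per client IP. The sample log lines are constructed for the example (modelled on the lines quoted above, with RFC 5737 documentation addresses for the extra clients); the host, PIDs and thresholds are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log, modelled on the lines quoted in the thread.
# The submission and port-25 sessions are invented for contrast.
SAMPLE_LOG = """\
Sep 25 00:05:26 bilbo postfix/smtps/smtpd[492903]: connect from unknown[170.205.161.87]
Sep 25 00:05:27 bilbo postfix/smtps/smtpd[492903]: Anonymous TLS connection established from unknown[170.205.161.87]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 25 00:05:31 bilbo postfix/smtps/smtpd[492903]: warning: unknown[170.205.161.87]: SASL PLAIN authentication failed:
Sep 25 00:05:32 bilbo postfix/smtps/smtpd[492903]: warning: unknown[170.205.161.87]: SASL LOGIN authentication failed:
Sep 25 00:05:33 bilbo postfix/smtps/smtpd[492903]: disconnect from unknown[170.205.161.87] ehlo=1 auth=0/2 quit=1 commands=2/4
Sep 25 00:06:01 bilbo postfix/submission/smtpd[492910]: connect from unknown[192.0.2.10]
Sep 25 00:06:02 bilbo postfix/submission/smtpd[492910]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 25 00:06:03 bilbo postfix/submission/smtpd[492910]: disconnect from unknown[192.0.2.10] ehlo=2 starttls=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=8
Sep 25 00:06:20 bilbo postfix/smtpd[492920]: connect from mx.example.net[198.51.100.5]
Sep 25 00:06:21 bilbo postfix/smtpd[492920]: disconnect from mx.example.net[198.51.100.5] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# "postfix/<service>/smtpd[pid]" for named master.cf services, "postfix/smtpd[pid]" for the default one.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"postfix/(?:(?P<service>[\w-]+)/)?smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from \S+\[(?P<ip>[^\]]+)\]")
TLS_RE = re.compile(r"^(?:Anonymous|Trusted|Untrusted|Verified) TLS connection established from "
                    r"\S+\[(?P<ip>[^\]]+)\]: (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)")
SASL_FAIL_RE = re.compile(r"^warning: \S+\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed")
DISCONNECT_RE = re.compile(r"^disconnect from \S+\[(?P<ip>[^\]]+)\](?P<counters>.*)$")


@dataclass
class Session:
    service: str                      # "smtps", "submission", or "smtp" for the unnamed default service
    ip: str
    tls_proto: Optional[str] = None   # e.g. "TLSv1.2"; None if the session stayed in plaintext
    tls_mode: Optional[str] = None    # "wrapper" (TLS on connect) or "starttls"
    sasl_failures: int = 0
    counters: Dict[str, str] = field(default_factory=dict)  # the disconnect summary, e.g. {"auth": "0/2"}


def parse_sessions(log_text: str) -> List[Session]:
    """Group smtpd log lines into sessions keyed by process id; a session ends at its disconnect line."""
    open_sessions: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an smtpd line (dovecot, postfix/qmgr, ...)
        service = m["service"] or "smtp"
        pid, msg = m["pid"], m["msg"]
        c = CONNECT_RE.match(msg)
        if c:
            open_sessions[pid] = Session(service=service, ip=c["ip"])
            continue
        sess = open_sessions.get(pid)
        if sess is None:
            continue                      # mid-session line whose connect we never saw
        t = TLS_RE.match(msg)
        if t:
            sess.tls_proto = t["proto"]
            # The wrapper-mode "smtps" service performs TLS before any SMTP command, so its
            # disconnect summary never has a starttls counter; other services got here via STARTTLS.
            sess.tls_mode = "wrapper" if service == "smtps" else "starttls"
            continue
        if SASL_FAIL_RE.match(msg):
            sess.sasl_failures += 1
            continue
        d = DISCONNECT_RE.match(msg)
        if d:
            for kv in d["counters"].split():
                key, _, value = kv.partition("=")
                sess.counters[key] = value
            finished.append(open_sessions.pop(pid))
    return finished


def tls_summary(sessions: List[Session]) -> Dict[tuple, int]:
    """Sessions per (service, tls mode), so wrapper-mode TLS is counted rather than mistaken for plaintext."""
    out: Dict[tuple, int] = defaultdict(int)
    for s in sessions:
        out[(s.service, s.tls_mode or "plaintext")] += 1
    return dict(out)


def auth_failures_by_ip(sessions: List[Session], threshold: int = 2) -> Dict[str, int]:
    """Client IPs whose failed SASL attempts reach the threshold (assumed value), candidates for rate limiting."""
    totals: Dict[str, int] = defaultdict(int)
    for s in sessions:
        totals[s.ip] += s.sasl_failures
    return {ip: n for ip, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    print(tls_summary(sessions))
    print(auth_failures_by_ip(sessions))
```

On the constructed log this reports one wrapper-mode TLS session on "smtps", one STARTTLS session on "submission" and one plaintext session on the default port-25 service, and flags 170.205.161.87 with two failed SASL attempts. The same counters can be fed to whatever blocking mechanism is in use; the design point is that TLS use is taken from the "TLS connection established" line, which both service types log, rather than from the starttls counter that only STARTTLS sessions produce.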