On Wed, Apr 25, 2012 at 06:25:06AM -0500, Noel Jones wrote:
> On 4/25/2012 4:07 AM, Mark Alan wrote:
>
> > > While the postfix updates do not get into each distribution
> > repositories, should we use the following?
> >
> > postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
> > postconf -e
On 4/25/2012 4:07 AM, Mark Alan wrote:
> While the postfix updates do not get into each distribution
> repositories, should we use the following?
>
> postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
> postconf -e 'smtp_tls_protocols = !SSLv2, !TLSv1.2'
It seems this is a reasonable sett
Mark Alan:
> On Tue, 24 Apr 2012 19:42:20 -0400 (EDT), Wietse Venema
> wrote:
>
> > So, TLSv1.2 is giving trouble.
> > ...
> > Works with OpenSSL 1.0.1a with "smtp_tls_protocols = !TLSv1.2":
> > ...
> > So it is a good thing that I put out those updates today.
> > ...
> > Which leaves me wonderin
On Wed, 25 Apr 2012 10:07:19 +0100, Mark Alan
wrote:
> While the postfix updates do not get into each distribution
> repositories, should we use the following?
>
> postconf -e 'smtpd_tls_protocols = !SSLv2, !TLSv1.2'
> postconf -e 'smtp_tls_protocols = !SSLv2, !TLSv1.2'
Never mind. I have
On Tue, 24 Apr 2012 19:42:20 -0400 (EDT), Wietse Venema
wrote:
> So, TLSv1.2 is giving trouble.
> ...
> Works with OpenSSL 1.0.1a with "smtp_tls_protocols = !TLSv1.2":
> ...
> So it is a good thing that I put out those updates today.
> ...
> Which leaves me wondering how other MTAs deal with this
Ralf Hildebrandt:
> @charite were suddenly encountering several domains that don't seem to
> implement STARTTLS properly.
>
> mailq exhibits the following behaviour:
>
> 3VRgn515L4zKg2v 443924 Tue Apr 10 10:01:13 sen...@charite.de
> (lost connection with mail2.trioncology.org[81.252.237.162]
Viktor Dukhovni:
> Which is not a hang after EHLO. These systems may not support consecutive
> EHLO commands, or may treat them as evidence of unwanted client behaviour.
> You may need to proceed to "MAIL" after EHLO to see whether they are really
> stuck.
It also hangs with MAIL and QUIT.
On Thu, Apr 12, 2012 at 10:13:16AM -0400, Wietse Venema wrote:
> > My results are different, perhaps they've already fixed something ...
> >
> > $ /usr/sbin/sendmail -f post...@dukhovni.org -bv postmaster@[82.135.27.153]
> ...
> > Note that the cipher is RC4-MD5 (more typical of Windows), not 3DE
Viktor Dukhovni:
> On Thu, Apr 12, 2012 at 02:59:05PM +0200, Ralf Hildebrandt wrote:
>
> > * Wietse Venema :
> > > "openssl s_client" sessions fail identically with 77.43.17.211
> > > and 81.252.237.162.
> > >
> > > % openssl s_client -starttls smtp -connect 77.43.17.211:25
> > > ...
> >
On Thu, Apr 12, 2012 at 09:04:01AM -0500, Noel Jones wrote:
> My main.cf has a note-to-self about this same cipher being broken on
> some old Windows versions in the distant past. Maybe an old bug has
> resurfaced.
>
> Possible workaround:
> smtpd_tls_exclude_ciphers = DES-CBC3-SHA
> smtp_tls_ex
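The two interim settings proposed in this thread, the protocol exclusion `smtp(d)_tls_protocols = !SSLv2, !TLSv1.2` (Mark Alan, quoted at the top of the page) and the cipher exclusion `smtp(d)_tls_exclude_ciphers = DES-CBC3-SHA` (Noel Jones, just above), can be checked against a main.cf with the script below. This is an added example, not code from the thread or from Postfix. It assumes the exclusion/inclusion semantics of Postfix's protocol list as stated in the `effective_protocols` docstring, treats an unset parameter as "no exclusions" (so on a real host feed it the output of plain `postconf`, which includes defaults, rather than `postconf -n`), and the main.cf fragment it reads is constructed.

```python
import re

# Protocol names a Postfix of that era (2.x on OpenSSL 1.0.1) understands.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed main.cf fragment carrying the interim settings from the thread;
# not taken from any real host. The second value uses a continuation line.
SAMPLE_MAIN_CF = """\
# TLS interop workaround until fixed postfix packages arrive
smtpd_tls_protocols = !SSLv2, !TLSv1.2
smtp_tls_protocols = !SSLv2,
    !TLSv1.2
smtpd_tls_exclude_ciphers = DES-CBC3-SHA
smtp_tls_exclude_ciphers = DES-CBC3-SHA
"""


def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value' lines, '#' comment lines, and
    continuation lines that start with whitespace (as postconf prints them)."""
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, _, value = raw.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params


def effective_protocols(spec):
    """Resolve an smtp(d)_tls_protocols value to the protocols left enabled.

    Assumed semantics (mirroring Postfix's tls_protocol_mask() as I read it):
    names are separated by commas, spaces or colons; '!name' excludes that
    protocol; if any name appears without '!', every protocol not listed is
    excluded as well, and an exclusion always wins over an inclusion.
    An unknown name is an error, as it is for Postfix.
    """
    lookup = {p.lower(): p for p in KNOWN_PROTOCOLS}
    exclude, include = set(), set()
    for tok in re.split(r"[\s,:]+", spec.strip()):
        if not tok:
            continue
        negated = tok.startswith("!")
        name = lookup.get(tok.lstrip("!").lower())
        if name is None:
            raise ValueError("unknown protocol name: %s" % tok)
        (exclude if negated else include).add(name)
    if include:
        exclude |= set(KNOWN_PROTOCOLS) - include
    return tuple(p for p in KNOWN_PROTOCOLS if p not in exclude)


def check_workaround(params):
    """For the client (smtp) and server (smtpd) side, report the enabled
    protocols and whether the thread's interim settings are in effect:
    SSLv2 and TLSv1.2 excluded, DES-CBC3-SHA on the cipher exclusion list."""
    report = {}
    for side in ("smtp", "smtpd"):
        allowed = effective_protocols(params.get(side + "_tls_protocols", ""))
        excluded_ciphers = re.split(
            r"[\s,:]+", params.get(side + "_tls_exclude_ciphers", "").strip())
        report[side] = {
            "allowed": allowed,
            "tls12_disabled": "TLSv1.2" not in allowed,
            "sslv2_disabled": "SSLv2" not in allowed,
            "des_cbc3_sha_excluded": "DES-CBC3-SHA" in excluded_ciphers,
        }
    return report


if __name__ == "__main__":
    for side, result in check_workaround(parse_main_cf(SAMPLE_MAIN_CF)).items():
        print(side, result)
```

Against the sample fragment both sides come out with SSLv3, TLSv1 and TLSv1.1 enabled and all three flags true, which is what the interim setting intends; an empty or missing parameter leaves every protocol enabled and the flags false, so a host where `postconf -n` shows nothing has not applied the workaround.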
On 4/12/2012 7:59 AM, Ralf Hildebrandt wrote:
> * Wietse Venema :
>> "openssl s_client" sessions fail identically with 77.43.17.211
>> and 81.252.237.162.
>>
>> % openssl s_client -starttls smtp -connect 77.43.17.211:25
>> ...
>> 250 OK
>> ehlo spike.porcupine.org
>>
>> Nothing happ
On Thu, Apr 12, 2012 at 02:59:05PM +0200, Ralf Hildebrandt wrote:
> * Wietse Venema :
> > "openssl s_client" sessions fail identically with 77.43.17.211
> > and 81.252.237.162.
> >
> > % openssl s_client -starttls smtp -connect 77.43.17.211:25
> > ...
> > 250 OK
> > ehlo spike.por
* Wietse Venema :
> "openssl s_client" sessions fail identically with 77.43.17.211
> and 81.252.237.162.
>
> % openssl s_client -starttls smtp -connect 77.43.17.211:25
> ...
> 250 OK
> ehlo spike.porcupine.org
>
> Nothing happens.
>
> % openssl s_client -starttls smtp -connec
"openssl s_client" sessions fail identically with 77.43.17.211
and 81.252.237.162.
% openssl s_client -starttls smtp -connect 77.43.17.211:25
...
250 OK
ehlo spike.porcupine.org
Nothing happens.
% openssl s_client -starttls smtp -connect 77.43.17.211:25
...
250 OK
> Some bits from the log:
I was able to isolate the failure-inducing change:
The change from libssl1.0.0 1.0.0h-1 to libssl1.0.0 1.0.1-4
(Debian version numbers) broke things.
http://packages.debian.org/changelogs/pool/main/o/openssl/openssl_1.0.1-4/changelog
That's quite a few changes.
--
* Ralf Hildebrandt :
> @charite were suddenly encountering several domains that don't seem to
> implement STARTTLS properly.
Some bits from the log:
Apr 12 12:51:08 mail2 postfix/smtp[9289]: Untrusted TLS connection established to mail-tls.bavarian-nordic.de[82.135.27.153]:25: TLSv1 with cipher
@charite were suddenly encountering several domains that don't seem to
implement STARTTLS properly.
mailq exhibits the following behaviour:
3VRgn515L4zKg2v 443924 Tue Apr 10 10:01:13 sen...@charite.de
(lost connection with mail2.trioncology.org[81.252.237.162] while sending RCPT TO)
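To see which destinations the "lost connection ... while sending RCPT TO" deferrals cluster on, and which TLS protocol and cipher the delivering smtp(8) process had just negotiated with them, the following added example (not code from the thread or from Postfix) correlates the two kinds of log line by process id. The log excerpt is constructed in the wording quoted above, using documentation hostnames and RFC 5737 addresses rather than the MTAs discussed; the regexes assume the standard Postfix 2.x log format.

```python
import re
from collections import Counter

# Constructed log excerpt in the format quoted in the thread. Hosts, addresses
# and queue ids are made up; the last process logs no TLS line at all.
SAMPLE_LOG = """\
Apr 12 12:51:08 mail2 postfix/smtp[9289]: Untrusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Apr 12 12:51:10 mail2 postfix/smtp[9289]: 0A1B2C3D4E: to=<alice@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=102, delays=100/0.01/1.2/0, dsn=4.4.2, status=deferred (lost connection with mx.example.net[192.0.2.10] while sending RCPT TO)
Apr 12 12:51:12 mail2 postfix/smtp[9301]: Trusted TLS connection established to mail.example.org[198.51.100.7]:25: TLSv1.2 with cipher AES128-SHA256 (128/128 bits)
Apr 12 12:51:13 mail2 postfix/smtp[9301]: 0B1C2D3E4F: to=<bob@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=1.1, delays=0.02/0.01/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234)
Apr 12 12:52:40 mail2 postfix/smtp[9322]: Untrusted TLS connection established to smtp.example.com[203.0.113.5]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Apr 12 12:52:42 mail2 postfix/smtp[9322]: 0C1D2E3F40: to=<carol@example.com>, relay=smtp.example.com[203.0.113.5]:25, delay=45, delays=44/0.02/1.0/0, dsn=4.4.2, status=deferred (lost connection with smtp.example.com[203.0.113.5] while sending RCPT TO)
Apr 12 12:53:01 mail2 postfix/smtp[9330]: 0D1E2F4041: to=<dave@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=3, delays=0.1/0.01/2.5/0, dsn=4.4.2, status=deferred (lost connection with mx.example.net[192.0.2.10] while sending RCPT TO)
"""

# "postfix/smtp[PID]: message" -- the process id is what ties the two lines.
SMTP_RE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)$")
# Session line: "<Trust level> TLS connection established to host[ip]:port: PROTO with cipher NAME ..."
TLS_RE = re.compile(
    r"^(?:Untrusted|Trusted|Verified|Anonymous) TLS connection established to "
    r"(\S+?)\[([0-9a-fA-F.:]+)\]:\d+: (\S+) with cipher (\S+)")
# Deferral line: "QUEUEID: ... status=deferred (lost connection with host[ip] while sending CMD)"
LOST_RE = re.compile(
    r"^(\w+): .*status=deferred \(lost connection with "
    r"(\S+?)\[([0-9a-fA-F.:]+)\] while sending (.+?)\)")


def correlate_tls_failures(log_text):
    """Join every 'lost connection' deferral with the TLS session the same
    smtp(8) process last negotiated to that host. Returns a list of dicts;
    protocol and cipher are None when that process logged no matching session
    (plaintext delivery, or the handshake itself never completed)."""
    last_tls = {}   # pid -> (host, ip, protocol, cipher)
    failures = []
    for line in log_text.splitlines():
        m = SMTP_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        t = TLS_RE.match(msg)
        if t:
            last_tls[pid] = t.groups()
            continue
        l = LOST_RE.match(msg)
        if not l:
            continue
        queue_id, host, ip, command = l.groups()
        protocol = cipher = None
        session = last_tls.get(pid)
        if session and session[:2] == (host, ip):
            protocol, cipher = session[2:]
        failures.append({"queue_id": queue_id, "host": host, "ip": ip,
                         "command": command, "protocol": protocol,
                         "cipher": cipher})
    return failures


def summarize(failures):
    """Count deferrals per (protocol, cipher) so a cluster such as
    ('TLSv1', 'DES-CBC3-SHA') stands out; (None, None) means no TLS logged."""
    return Counter((f["protocol"], f["cipher"]) for f in failures)


if __name__ == "__main__":
    for key, n in summarize(correlate_tls_failures(SAMPLE_LOG)).most_common():
        print("%3d  %s" % (n, key))
```

When one (protocol, cipher) pair dominates the failing deliveries, confirm by hand with `openssl s_client -starttls smtp -connect host:25` as Wietse did, then repeat with `-no_tls1_2` and, separately, with a `-cipher` list that leaves out the suspect suite: whichever change lets the session get past EHLO tells you whether the protocol exclusion or the cipher exclusion is the right interim fix for that peer.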