[Noisebridge-discuss] Hmm, my emails are not going through

John Adams jna at retina.net
Thu Jan 27 13:25:28 PST 2011


Calling DES-CBC3-SHA "broken" is highly inaccurate.  DES might be
weaker than AES256, but if you're only accepting AES256, no one is
going to communicate with you.

Generally in SMTPTLS you want to approach things from a point of
accepting more ciphers, not less. You have no idea what the client
coming to you is going to support.

At a minimum, you should be accepting these ciphers:

    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5

-j

On Wed, Jan 26, 2011 at 9:04 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> On Wed, Jan 26, 2011 at 07:53:56PM -0800, Andy Isaacson wrote:
>> On Wed, Jan 26, 2011 at 08:36:11PM -0700, Erik Nelson wrote:
>> > Pinging..
>>
>> Interesting, thanks for the example.  I've gotten the message from gmail
>> to hexapodia directly (with a total delay of 3 seconds if everybody's
>> NTPed correctly), but it hasn't been delivered to noisebridge yet.
>>
>> Received: from mail-qw0-f41.google.com (mail-qw0-f41.google.com
>>         [209.85.216.41]) by straum.hexapodia.org (Postfix) with ESMTPS id
>>         93B49411B for <adi at hexapodia.org>; Wed, 26 Jan 2011 19:36:13 -0800 (PST)
>>
>> GMail:  can you look into this?  Full headers (of the directly delivered
>> message) attached.
>>
>> -andy
>
>
> GMail: your STARTTLS implementation refuses to use any unbroken TLS
> ciphers such as AES256-SHA256.  I had to re-enable DES-CBC3-SHA and/or
> RC4-SHA to satisfy your STARTTLS clients, and using broken ciphers and
> hashes makes the panda sad.
>
> Before:
>
> Jan 26 20:50:53 m1 postfix/smtpd[27175]: connect from mail-ey0-f175.google.com[209.85.215.175]
> Jan 26 20:50:54 m1 postfix/smtpd[27175]: setting up TLS connection from mail-ey0-f175.google.com[209.85.215.175]
> Jan 26 20:50:54 m1 postfix/smtpd[27175]: mail-ey0-f175.google.com[209.85.215.175]: TLS cipher list "ALL:+RC4:@STRENGTH:!aNULL:!MD5:!DES:!3DES:!RC4-SHA:!AES256-SHA:!AES128-SHA"
> Jan 26 20:50:54 m1 postfix/smtpd[27175]: SSL_accept:before/accept initialization
> Jan 26 20:50:54 m1 postfix/smtpd[27175]: SSL3 alert write:fatal:handshake failure
> Jan 26 20:50:54 m1 postfix/smtpd[27175]: SSL_accept:error in SSLv3 read client hello B
> Jan 26 20:50:54 m1 postfix/smtpd[27175]: SSL_accept:error in SSLv3 read client hello B
> Jan 26 20:50:54 m1 postfix/smtpd[27175]: SSL_accept error from mail-ey0-f175.google.com[209.85.215.175]: -1
> Jan 26 20:50:54 m1 postfix/smtpd[27175]: warning: TLS library problem: 27175:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1023:
> Jan 26 20:50:54 m1 postfix/smtpd[27175]: lost connection after STARTTLS from mail-ey0-f175.google.com[209.85.215.175]
> Jan 26 20:50:54 m1 postfix/smtpd[27175]: disconnect from mail-ey0-f175.google.com[209.85.215.175]
>
> After:
>
> Jan 26 20:51:25 m1 postfix/smtpd[27251]: connect from mail-ew0-f47.google.com[209.85.215.47]
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: setting up TLS connection from mail-ew0-f47.google.com[209.85.215.47]
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: mail-ew0-f47.google.com[209.85.215.47]: TLS cipher list "ALL:+RC4:@STRENGTH:!aNULL:!MD5:!DES:!RC4-SHA:!AES256-SHA:!AES128-SHA"
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:before/accept initialization
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 read client hello A
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 write server hello A
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 write certificate A
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 write server done A
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 flush data
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 read client key exchange A
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 read finished A
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 write change cipher spec A
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 write finished A
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 flush data
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: mail-ew0-f47.google.com[209.85.215.47]: save session 1FAE837C0B26B0302D676088BAF8B05BE6E78409B0937132359E844A62314583&s=smtp to smtpd cache
> Jan 26 20:51:26 m1 postfix/smtpd[27251]: Anonymous TLS connection established from mail-ew0-f47.google.com[209.85.215.47]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
> Jan 26 20:51:27 m1 postfix/smtpd[27251]: 55F64DA8C9: client=mail-ew0-f47.google.com[209.85.215.47]
>
> Think of the panda, please upgrade your outbound SMTP STARTTLS clients
> to support modern ciper suites.
>
> Thanks,
> -andy
> _______________________________________________
> Noisebridge-discuss mailing list
> Noisebridge-discuss at lists.noisebridge.net
> https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
>


More information about the Noisebridge-discuss mailing list