Re: [exim] POODLE advisory from exim-announce

Author: Todd Lyons
Date:  
To: elrippo
CC: exim-users
Subject: Re: [exim] POODLE advisory from exim-announce
On Wed, Oct 29, 2014 at 9:32 PM, elrippo <elrippo@???> wrote:
>
> When I use the same desktop with a client software like kmail or thunderbird, I get an x=TLSv1.0 connection to exim4
> On the other hand some other mail servers fall back to esmtp due to a lacking cipher suite, almost only Google's mail server connects with TLSv1.2
> I went through almost all possible priority_strings from gnutls, and NORMAL isn't working at all, only SECURE128:!VERS-SSL3.0 and SECURE256:!VERS-SSL3.0 are producing successful connections.
> This is all rather confusing to me...
>
> I filed a report on K9-mail's site, I am not the only one :)
>
> Thank you for your assistance guys!!!
>
> Kind regards,
> elrippo.


Tangent: I have not disabled SSLv3 on my mail systems, all of which
are based on OpenSSL (which is why it's only a tangent of your GnuTLS
issue). Recall that in general, the prevailing theory is that when
you disable SSLv3, you prevent a certain number of hosts who are old
and unupdated (think wireless carriers who don't release firmware
upgrades for their Android phones) from being able to use encryption
at all.

When I looked at SMTP Auth submissions for my systems, these are the counts:

2 weeks ago:
TLSv1 => 10409
SSLv3 => 1

Last week:
TLSv1 => 13114
SSLv3 => 0

So far this week:
TLSv1 => 6628
SSLv3 => 1

I'm fortunate to have a customer base that generally seems to have new
enough phones and not to be using Windows XP. Not everybody may be so
lucky.

As far as outbound mail, I'm seeing:

Last week:
Top 10 TLSv1 traffic domains:
   1. google.com                     74838
   2. yahoodns.net                   41362
   3. hotmail.com                    25461
   4. aol.com                        13948
   5. outlook.com                    8787
   6. comcast.net                    7544
   7. att.net                        3423
   8. verizon.net                    3059
   9. icloud.com                     2376
  10. psmtp.com                      2064
Top 10 SSLv3 traffic domains:
   1. websitesource.net              7
   2. spamsentinel.org               6
   3. oandc.com                      2
   4. crescentprocessing.com         2
   5. zte.com.cn                     2
   6. landrumstaffing.com            1
   7. bradfordhealth.net             1
   8. twofalls.com                   1


So far this week:
Top 10 TLSv1 traffic domains:
   1. google.com                     43635
   2. yahoodns.net                   21061
   3. hotmail.com                    12218
   4. aol.com                        6574
   5. outlook.com                    5043
   6. comcast.net                    3716
   7. verizon.net                    2913
   8. att.net                        1271
   9. icloud.com                     1256
  10. psmtp.com                      1203
Top 10 SSLv3 traffic domains:
   1. spamsentinel.org               2
   2. areasmail.com                  1
   3. bradfordhealth.net             1


For what it's worth, you can also infer that there are some
organizations who are unable to enable encryption on their systems:

Top 10 none traffic domains:
   1. secureserver.net               2595
   2. rr.com                         2394
   3. verizon.net                    2102
   4. hinet.net                      1648
   5. earthlink.net                  1580
   6. cox.net                        1218
   7. optonline.net                  579
   8. untd.com                       559
   9. charter.net                    472
  10. synacor.com                    426


...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine
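The counts Todd reports above come from tallying the `X=` (TLS version and cipher) field that Exim writes to its main log on inbound submissions (`<=` lines with `P=esmtpsa`) and outbound deliveries (`=>` lines, grouped by the remote host's domain). The script below is an added example written for this page, not Todd's own reporting script or anything shipped with Exim. It assumes the mainlog line layout of an OpenSSL-built Exim 4.8x (`X=TLSv1:AES128-SHA:128`, and no `X=` field when no TLS was negotiated); the sample log lines are constructed for the example, with RFC 5737 documentation addresses, and the GnuTLS version aliases are my assumption about that build's spelling rather than anything documented on this page. Running it before disabling SSLv3 gives the same kind of "who would break" view Todd used to decide whether the change was safe for his users.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on Exim's mainlog format (assumption: field
# layout as written by an OpenSSL-built Exim 4.8x; real logs vary with log_selector).
SAMPLE_LOG = """\
2014-10-29 21:32:10 1XjQvF-0001Wd-3F <= alice@example.org H=(phone) [192.0.2.10] P=esmtpsa X=TLSv1:AES128-SHA:128 A=plain:alice S=1834
2014-10-29 21:32:40 1XjQvG-0001We-7K <= bob@example.org H=(laptop) [192.0.2.11] P=esmtpsa X=SSLv3:RC4-SHA:128 A=login:bob S=2201
2014-10-29 21:33:01 1XjQvF-0001Wd-3F => carol@gmail.com R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [198.51.100.5] X=TLSv1:ECDHE-RSA-AES128-SHA:128 C="250 2.0.0 OK"
2014-10-29 21:33:05 1XjQvG-0001We-7K => dave@yahoo.com R=dnslookup T=remote_smtp H=mta5.am0.yahoodns.net [198.51.100.9] X=TLSv1:ECDHE-RSA-AES128-SHA:128 C="250 ok"
2014-10-29 21:34:12 1XjQvH-0001Wf-2Q => erin@legacy.example.net R=dnslookup T=remote_smtp H=mail.legacy.example.net [203.0.113.7] X=SSLv3:DES-CBC3-SHA:168 C="250 OK"
2014-10-29 21:35:00 1XjQvI-0001Wg-9P => frank@old.example.com R=dnslookup T=remote_smtp H=mx.old.example.com [203.0.113.20] C="250 OK"
"""

# "<date> <time> <msgid> <= or => <address> <key=value tokens...>"
DIR_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ \S+ (?P<dir><=|=>) \S+ (?P<rest>.*)$")
# Space-separated KEY=value tokens Exim appends after the address (H=, P=, X=, ...).
FIELD_RE = re.compile(r"(?<!\S)(?P<key>[A-Z]{1,2})=(?P<val>\S+)")

# Assumption: a GnuTLS-built Exim spells the version token differently; fold it onto
# the OpenSSL spelling so counts from both builds merge into one report.
VERSION_ALIASES = {"TLS1.0": "TLSv1", "TLS1.1": "TLSv1.1", "TLS1.2": "TLSv1.2", "SSL3.0": "SSLv3"}


def fields(rest):
    """Parse the KEY=value tokens of one log line into a dict."""
    return {m.group("key"): m.group("val") for m in FIELD_RE.finditer(rest)}


def tls_version(f):
    """Protocol version from the X= token, or 'none' when no TLS was negotiated."""
    raw = f.get("X", "")
    if not raw:
        return "none"
    version = raw.split(":", 1)[0]
    return VERSION_ALIASES.get(version, version)


def domain_of(host):
    """Naive registrable-domain guess: the last two labels of the remote hostname,
    e.g. mta5.am0.yahoodns.net -> yahoodns.net. Caveat: ccTLD second-level names
    (zte.com.cn -> com.cn) are grouped wrongly; use a public-suffix list for real reports."""
    labels = host.strip("()").split(".")
    return ".".join(labels[-2:])


def summarize(log_text):
    """Return (inbound, outbound): inbound counts TLS versions of authenticated
    submissions; outbound maps version -> Counter of remote domains."""
    inbound = Counter()
    outbound = defaultdict(Counter)
    for line in log_text.splitlines():
        m = DIR_RE.match(line)
        if not m:
            continue  # not an arrival/delivery line (completed, defer, etc.)
        f = fields(m.group("rest"))
        version = tls_version(f)
        if m.group("dir") == "<=":
            if f.get("P") == "esmtpsa":  # authenticated SMTP submissions only
                inbound[version] += 1
        else:
            host = f.get("H")
            if host:
                outbound[version][domain_of(host)] += 1
    return inbound, outbound


def top_domains(outbound, version, n=10):
    """Top-n remote domains for one protocol version, as (domain, count) pairs."""
    return outbound.get(version, Counter()).most_common(n)


if __name__ == "__main__":
    inbound, outbound = summarize(SAMPLE_LOG)
    print("SMTP Auth submissions:", dict(inbound))
    for version in ("TLSv1", "SSLv3", "none"):
        print(f"Top {version} traffic domains:")
        for rank, (dom, count) in enumerate(top_domains(outbound, version), 1):
            print(f"  {rank:2d}. {dom:<28} {count}")
```

Feed it a real mainlog (`summarize(open("/var/log/exim4/mainlog").read())`) to reproduce the three tables above for your own site; an SSLv3 count of zero on the submission side, and a short tail of small SSLv3 domains on the delivery side, is the evidence that turning off SSLv3 will cost nothing beyond a handful of sessions that would fall back to cleartext, as the "none" table shows some senders already do.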