Re: [exim] POODLE advisory from exim-announce

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: elrippo
Dátum:  
Címzett: Todd Lyons, exim-users
Tárgy: Re: [exim] POODLE advisory from exim-announce
Am Donnerstag, 30. Oktober 2014, 06:58:19 schrieben Sie:
> On Wed, Oct 29, 2014 at 9:32 PM, elrippo <elrippo@???> wrote:
> >
> > When i use the same desktop with a client software like kmail or thunderbird, i get a x=TLSv1.0 connection to exim4
> > On the other hand some other mail servers fall back to esmtp due to a lacking cipher suite, almost only googles mail server connects with TLSv1.2
> > I went through almost all possible priority_strings from gnutls, and NORMAL isn't working at all, only SECURE128:!VERS-SSL3.0 and SECURE256:!VERS-SSL3.0 are producing succesfull connections.
> > This is all rather confusing to me.....
> >
> > I filed a report on K9-mail's site, i am not the only one :)
> >
> > Thank you for your assistance guys!!!
> >
> > Kind regards,
> > elrippo.
>
> Tangent: I have not disabled SSLv3 on my mail systems, all of which
> are based on OpenSSL (which is why it's only a tangent of your GnuTLS
> issue). Recall that in general, the prevailing theory is that when
> you disable SSLv3, you prevent a certain number of hosts who are old
> and unupdated (think wireless carriers who don't release firmware
> upgrades for their Android phones) from being able to use encryption
> at all.
>
> When I looked at SMTP Auth submissions for my systems, these are the counts:
>
> 2 weeks ago:
> TLSv1 => 10409
> SSLv3 => 1
>
> Last week:
> TLSv1 => 13114
> SSLv3 => 0
>
> So far this week:
> TLSv1 => 6628
> SSLv3 => 1
>
> I'm fortunate to have a customer base that generally seems to have new
> enough phones and not using Windows XP. Not everybody may be so
> lucky.
>
> As far as outbound mail, I'm seeing:
>
> Last week:
> Top 10 TLSv1 traffic domains:
>    1. google.com                     74838
>    2. yahoodns.net                   41362
>    3. hotmail.com                    25461
>    4. aol.com                        13948
>    5. outlook.com                    8787
>    6. comcast.net                    7544
>    7. att.net                        3423
>    8. verizon.net                    3059
>    9. icloud.com                     2376
>   10. psmtp.com                      2064
> Top 10 SSLv3 traffic domains:
>    1. websitesource.net              7
>    2. spamsentinel.org               6
>    3. oandc.com                      2
>    4. crescentprocessing.com         2
>    5. zte.com.cn                     2
>    6. landrumstaffing.com            1
>    7. bradfordhealth.net             1
>    8. twofalls.com                   1

>
> So far this week:
> Top 10 TLSv1 traffic domains:
>    1. google.com                     43635
>    2. yahoodns.net                   21061
>    3. hotmail.com                    12218
>    4. aol.com                        6574
>    5. outlook.com                    5043
>    6. comcast.net                    3716
>    7. verizon.net                    2913
>    8. att.net                        1271
>    9. icloud.com                     1256
>   10. psmtp.com                      1203
> Top 10 SSLv3 traffic domains:
>    1. spamsentinel.org               2
>    2. areasmail.com                  1
>    3. bradfordhealth.net             1

>
> For what it's worth, you can also infer that there are some
> organizations who are unable to enable encryption on their systems:
>
> Top 10 none traffic domains:
>    1. secureserver.net               2595
>    2. rr.com                         2394
>    3. verizon.net                    2102
>    4. hinet.net                      1648
>    5. earthlink.net                  1580
>    6. cox.net                        1218
>    7. optonline.net                  579
>    8. untd.com                       559
>    9. charter.net                    472
>   10. synacor.com                    426

>
> ...Todd
>


Hy Todd,
i am tweaking and rocking at the moment :-)

No it's getting interesting.
I advised exim4 to use these ciphers, because nothing else is working, either writing mails nore recieving mails from other mail servers.

tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0



I sent a mail using my desktop client and my domain to google. Incomming exim4 used SSL outgoing TLS?!?!

2014-11-01 10:07:45 1XkUee-0001XI-6c <= user@??? H=([10.0.0.7]) [95.85.37.181] P=esmtpsa X=SSL3.0:DHE_RSA_AES_256_CBC_SHA1:256 A=plain_saslauthd_server:user S=9737 id=F404320C-274F-4491-8ED2-6133D5A62759@???
2014-11-01 10:07:46 1XkUee-0001XI-6c gmail-smtp-in.l.google.com [2a00:1450:4013:c01::1b] Network is unreachable
2014-11-01 10:07:47 1XkUee-0001XI-6c => user@??? R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.65.26] X=TLS1.2:RSA_ARCFOUR_SHA1:128 DN="C=US,ST=California,L=Mountain View,O=Google Inc,CN=mx.google.com" C="250 2.0.0 OK 1414832866 fd5si1297096wib.95 - gsmtp"
2014-11-01 10:07:47 1XkUee-0001XI-6c Completed


So the gnutls errors have to come in some configuration for incomming mails.....
I am searching and i will report further!

Kind regards,
elrippo.