Re: [exim] POODLE advisory from exim-announce

Author: elrippo
Date:  
To: Todd Lyons, exim-users
Subject: Re: [exim] POODLE advisory from exim-announce
On Thursday, 30 October 2014, 06:58:19 you wrote:
> On Wed, Oct 29, 2014 at 9:32 PM, elrippo <elrippo@???> wrote:
> >
> > When i use the same desktop with a client software like kmail or thunderbird, i get a x=TLSv1.0 connection to exim4
> > On the other hand some other mail servers fall back to esmtp due to a lacking cipher suite, almost only Google's mail server connects with TLSv1.2
> > I went through almost all possible priority_strings from gnutls, and NORMAL isn't working at all, only SECURE128:!VERS-SSL3.0 and SECURE256:!VERS-SSL3.0 are producing successful connections.
> > This is all rather confusing to me.....
> >
> > I filed a report on K9-mail's site, i am not the only one :)
> >
> > Thank you for your assistance guys!!!
> >
> > Kind regards,
> > elrippo.
>
> Tangent: I have not disabled SSLv3 on my mail systems, all of which
> are based on OpenSSL (which is why it's only a tangent of your GnuTLS
> issue). Recall that in general, the prevailing theory is that when
> you disable SSLv3, you prevent a certain number of hosts who are old
> and unupdated (think wireless carriers who don't release firmware
> upgrades for their Android phones) from being able to use encryption
> at all.
>
> When I looked at SMTP Auth submissions for my systems, these are the counts:
>
> 2 weeks ago:
> TLSv1 => 10409
> SSLv3 => 1
>
> Last week:
> TLSv1 => 13114
> SSLv3 => 0
>
> So far this week:
> TLSv1 => 6628
> SSLv3 => 1
>
> I'm fortunate to have a customer base that generally seems to have new
> enough phones and not using Windows XP. Not everybody may be so
> lucky.
>
> As far as outbound mail, I'm seeing:
>
> Last week:
> Top 10 TLSv1 traffic domains:
>    1. google.com                     74838
>    2. yahoodns.net                   41362
>    3. hotmail.com                    25461
>    4. aol.com                        13948
>    5. outlook.com                    8787
>    6. comcast.net                    7544
>    7. att.net                        3423
>    8. verizon.net                    3059
>    9. icloud.com                     2376
>   10. psmtp.com                      2064
> Top 10 SSLv3 traffic domains:
>    1. websitesource.net              7
>    2. spamsentinel.org               6
>    3. oandc.com                      2
>    4. crescentprocessing.com         2
>    5. zte.com.cn                     2
>    6. landrumstaffing.com            1
>    7. bradfordhealth.net             1
>    8. twofalls.com                   1
>
> So far this week:
> Top 10 TLSv1 traffic domains:
>    1. google.com                     43635
>    2. yahoodns.net                   21061
>    3. hotmail.com                    12218
>    4. aol.com                        6574
>    5. outlook.com                    5043
>    6. comcast.net                    3716
>    7. verizon.net                    2913
>    8. att.net                        1271
>    9. icloud.com                     1256
>   10. psmtp.com                      1203
> Top 10 SSLv3 traffic domains:
>    1. spamsentinel.org               2
>    2. areasmail.com                  1
>    3. bradfordhealth.net             1
>
> For what it's worth, you can also infer that there are some
> organizations who are unable to enable encryption on their systems:
>
> Top 10 none traffic domains:
>    1. secureserver.net               2595
>    2. rr.com                         2394
>    3. verizon.net                    2102
>    4. hinet.net                      1648
>    5. earthlink.net                  1580
>    6. cox.net                        1218
>    7. optonline.net                  579
>    8. untd.com                       559
>    9. charter.net                    472
>   10. synacor.com                    426
>
> ...Todd
>


Hi Todd,
i am tweaking and rocking at the moment :-)

Now it's getting interesting.
I advised exim4 to use these ciphers, because nothing else is working, either writing mails nor receiving mails from other mail servers.

tls_require_ciphers = NORMAL:-VERS-TLS-ALL:+VERS-SSL3.0

I sent a mail using my desktop client and my domain to google. Incoming exim4 used SSL, outgoing TLS?!?!

2014-11-01 10:07:45 1XkUee-0001XI-6c <= user@??? H=([10.0.0.7]) [95.85.37.181] P=esmtpsa X=SSL3.0:DHE_RSA_AES_256_CBC_SHA1:256 A=plain_saslauthd_server:user S=9737 id=F404320C-274F-4491-8ED2-6133D5A62759@???
2014-11-01 10:07:46 1XkUee-0001XI-6c gmail-smtp-in.l.google.com [2a00:1450:4013:c01::1b] Network is unreachable
2014-11-01 10:07:47 1XkUee-0001XI-6c => user@??? R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [173.194.65.26] X=TLS1.2:RSA_ARCFOUR_SHA1:128 DN="C=US,ST=California,L=Mountain View,O=Google Inc,CN=mx.google.com" C="250 2.0.0 OK 1414832866 fd5si1297096wib.95 - gsmtp"
2014-11-01 10:07:47 1XkUee-0001XI-6c Completed

So the gnutls errors have to come in some configuration for incoming mails.....
I am searching and i will report further!

Kind regards,
elrippo.
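An added example, not from the thread or from Exim itself: a Python tally over Exim main-log lines that counts the protocol recorded in the X= field per direction, arrival (`<=`) versus delivery (`=>`), in the spirit of Todd's SMTP Auth and outbound counts, normalising GnuTLS spellings such as SSL3.0 and OpenSSL spellings such as SSLv3, and listing the peers still talking SSLv3 (the POODLE-affected protocol) or with no TLS at all. The log lines are constructed and the regexes are my own reading of the log format, not Exim's definition of it.

```python
import re
from collections import Counter

# Constructed Exim main-log lines (not from a live system). "<=" is arrival, "=>"
# delivery; X= holds the negotiated protocol in GnuTLS (SSL3.0) or OpenSSL (TLSv1)
# spelling, and an arrival/delivery line without X= was an unencrypted session.
SAMPLE_LOG = """\
2014-11-01 10:07:45 1XkUee-0001XI-6c <= user@example.org H=([10.0.0.7]) [192.0.2.7] P=esmtpsa X=SSL3.0:DHE_RSA_AES_256_CBC_SHA1:256 A=plain_saslauthd_server:user S=9737
2014-11-01 10:07:46 1XkUee-0001XI-6c gmail-smtp-in.l.google.com [2001:db8::1b] Network is unreachable
2014-11-01 10:07:47 1XkUee-0001XI-6c => user@example.com R=dnslookup T=remote_smtp H=gmail-smtp-in.l.google.com [192.0.2.26] X=TLS1.2:RSA_ARCFOUR_SHA1:128 C="250 2.0.0 OK"
2014-11-01 10:09:02 1XkUfz-0001XQ-1a <= other@example.net H=mail.example.net [198.51.100.5] P=esmtps X=TLSv1:AES256-SHA:256 S=4120
2014-11-01 10:09:03 1XkUfz-0001XQ-1a => bob@example.org R=dnslookup T=remote_smtp H=mx.example.org [198.51.100.9] C="250 OK"
"""

DIR_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ (<=|=>) ")
HOST_RE = re.compile(r" H=(\S+)")
TLS_RE = re.compile(r" X=([^: ]+)")

def normalise_proto(token):
    """Map GnuTLS (SSL3.0, TLS1.2) and OpenSSL (SSLv3, TLSv1.2) names to one form."""
    if token is None:
        return "none"
    m = re.fullmatch(r"(SSL|TLS)v?(\d)(?:\.(\d))?", token)
    if not m:
        return token
    fam, major, minor = m.groups()
    if fam == "SSL":
        return f"SSLv{major}"
    return f"TLSv{major}" if minor in (None, "0") else f"TLSv{major}.{minor}"

def tally(log_text):
    """Count protocols per direction and list peers still on SSLv3 or with no TLS."""
    by_dir = {"<=": Counter(), "=>": Counter()}
    weak = []
    for line in log_text.splitlines():
        m = DIR_RE.match(line)
        if not m:  # retry, "Completed" and similar lines carry no session record
            continue
        host = HOST_RE.search(line)
        tls = TLS_RE.search(line)
        proto = normalise_proto(tls.group(1) if tls else None)
        by_dir[m.group(1)][proto] += 1
        if proto in ("SSLv3", "none"):
            weak.append((m.group(1), host.group(1).strip("()[]") if host else "?"))
    return by_dir, weak

if __name__ == "__main__":
    counts, weak_peers = tally(SAMPLE_LOG)
    print({d: dict(c) for d, c in counts.items()}, weak_peers)
```

Run against a real log, the "weak" list is the set of clients and peers that would lose encryption (or fall back to cleartext, as in Todd's "none" table) once SSLv3 is disabled.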