On Fri, Dec 09, 2022 at 07:55:42PM +0100, Cyborg via Exim-users wrote:
> Guys, it was just a FYI without the FYI mark. I will add it next time :)
Yeah, that could have been helpful.
> There is nothing exim can do or should do. It's 100% caused by
> outdated legacy servers, ignoring the year 2009 CVE.
>
> The issue is reproducible with openssl s_client directly:
>
> openssl s_client -connect 82.218.176.66:25 -starttls smtp
Indeed, and also with Postfix (built against OpenSSL 3.0):
$ posttls-finger -c -Lsummary -lmay "[82.218.176.66]"
posttls-finger: SSL_connect error to 82.218.176.66[82.218.176.66]:25: -1
posttls-finger: warning: TLS library problem: error:0A000152:SSL routines::unsafe legacy renegotiation disabled:ssl/statem/extensions.c:879:
With OpenSSL 1.1.1:
$ posttls-finger -c -Lsummary -lmay "[82.218.176.66]"
posttls-finger: Anonymous TLS connection established to 82.218.176.66[82.218.176.66]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
posttls-finger: Server is anonymous
Interestingly, that server supports anon-DH ciphers, which is not that
common. Postfix is one of the few MTAs that enables ADH/AECDHE opportunistic
TLS, and indeed the server in question appears to be a very old Postfix
build:
220 circuit.inbus.at ESMTP Postfix
--
Viktor.
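The probe from the thread, turned into a small POSIX sh script as an added example (not from the thread, and not Exim, Postfix or OpenSSL code). It runs the same `openssl s_client -starttls smtp` probe and classifies the captured text into four buckets: the OpenSSL 3.0 "unsafe legacy renegotiation disabled" failure (reason code 0A000152, which means the server did not send the RFC 5746 renegotiation_info extension, so an OpenSSL 3.0 client refuses it unless SSL_OP_LEGACY_SERVER_CONNECT is set), an anonymous ADH/AECDH session, a session with a server certificate, or no TLS at all. The verdict tokens, the `-cipher ALL` choice (to admit the aNULL suites like Postfix does at its "may" level) and the optional `-legacy_server_connect` override are my choices; the matched error string and summary lines are the ones quoted above. The samples are constructed from the two posttls-finger outputs in the thread plus one made-up s_client line.

```shell
#!/bin/sh
# Added example, not part of the thread or of Exim/Postfix/OpenSSL.
# Classify the result of an opportunistic-STARTTLS probe from the text that
# "openssl s_client -starttls smtp" or posttls-finger prints.

# classify_tls_probe OUTPUT  -> prints one verdict token, always returns 0
classify_tls_probe() {
    out=$1
    case $out in
        *"unsafe legacy renegotiation disabled"*|*"error:0A000152"*)
            # Peer did not send the renegotiation_info extension (RFC 5746).
            # OpenSSL 3.0 no longer sets SSL_OP_LEGACY_SERVER_CONNECT by
            # default, so the handshake is aborted before any cipher is
            # chosen; an OpenSSL 1.1.1 client still connects to that server.
            echo "legacy-renegotiation-missing"
            return 0
            ;;
    esac

    # Negotiated cipher from either tool's summary line:
    #   posttls-finger: "... TLSv1 with cipher ADH-AES256-SHA (256/256 bits)"
    #   s_client:       "New, TLSv1/SSLv3, Cipher is ADH-AES256-SHA"
    cipher=$(printf '%s\n' "$out" | sed -n \
        -e 's/.* with cipher \([A-Za-z0-9_-][A-Za-z0-9_-]*\).*/\1/p' \
        -e 's/.*Cipher is \([A-Za-z0-9_-][A-Za-z0-9_-]*\).*/\1/p' | head -n 1)
    case $cipher in
        "")            echo "no-tls" ;;
        ADH-*|AECDH-*) echo "anonymous:$cipher" ;;   # no server authentication
        *)             echo "certificate:$cipher" ;; # cert presented, not verified here
    esac
    return 0
}

# probe_smtp_tls HOST [PORT] [legacy]
# Live probe with the same tool as in the thread. "-cipher ALL" admits the
# aNULL (ADH/AECDH) suites that plain s_client leaves out; a third argument
# "legacy" adds -legacy_server_connect, the OpenSSL 3.0 client-side override
# for servers without RFC 5746 support. Needs network access, so the
# self-check below does not call it.
probe_smtp_tls() {
    host=$1; port=${2:-25}; extra=
    if [ "$3" = legacy ]; then extra=-legacy_server_connect; fi
    out=$(openssl s_client -connect "$host:$port" -starttls smtp \
              -cipher ALL $extra </dev/null 2>&1) || true
    classify_tls_probe "$out"
}

# Constructed samples: the two posttls-finger results quoted in the thread,
# plus a made-up s_client summary for a server that presents a certificate.
SAMPLE_OPENSSL3='posttls-finger: SSL_connect error to 82.218.176.66[82.218.176.66]:25: -1
posttls-finger: warning: TLS library problem: error:0A000152:SSL routines::unsafe legacy renegotiation disabled:ssl/statem/extensions.c:879:'
SAMPLE_OPENSSL111='posttls-finger: Anonymous TLS connection established to 82.218.176.66[82.218.176.66]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
posttls-finger: Server is anonymous'
SAMPLE_SCLIENT_CERT='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit'

for s in "$SAMPLE_OPENSSL3" "$SAMPLE_OPENSSL111" "$SAMPLE_SCLIENT_CERT"; do
    classify_tls_probe "$s"
done

# Live probe only when a host is given: ./probe.sh mx.example.net 25 [legacy]
if [ $# -gt 0 ]; then
    probe_smtp_tls "$@"
fi
```

Run it with no arguments to see the three constructed samples classified; with a host it probes for real. The "legacy" switch only restores pre-RFC 5746 client behaviour for that one probe; setting it globally (e.g. `Options = UnsafeLegacyServerConnect` in the OpenSSL config) affects every application on the box, so keep it a diagnostic rather than a fix for the client side.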