This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL TLS on SMTP

Our MAIL Relay worked fine until the NEW SSL Bug fix was applied, any suggestions ??

We have upgraded to 9.210-20, we now are getting serious EMAIL rejection problems EXIM Log:

SMTP command timeout on connection from (iPhone) [85.255.233.181]:23650
2014:12:04-18:54:38 fw1 exim-in[15966]: 2014-12-04 18:54:38 SMTP command timeout on connection from ([10.4.96.113]) [212.183.132.60]:53489
2014:12:04-18:55:00 fw1 exim-out[16233]: 2014-12-04 18:55:00 Start queue run: pid=16233
2014:12:04-18:55:00 fw1 exim-out[16233]: 2014-12-04 18:55:00 End queue run: pid=16233
2014:12:04-18:55:33 fw1 exim-in[16038]: 2014-12-04 18:55:33 SMTP command timeout on connection from (iPhone) [85.255.233.181]:19775
2014:12:04-18:55:40 fw1 exim-in[16043]: 2014-12-04 18:55:40 TLS error on connection from [85.255.233.181]:43614 (SSL_accept): timed out
2014:12:04-18:55:40 fw1 exim-in[16043]: 2014-12-04 18:55:40 TLS client disconnected cleanly (rejected our certificate?)

This thread was automatically locked due to age.

Parents

0 tabination over 9 years ago

So I figured it out on my own. This article had the solutions.

https://community.sophos.com/products/unified-threat-management/astaroorg/f/51/t/22448

In addition to adding,

openssl_options = +no_tlsv1_2

I also had to modify line 257 and change.

tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3

to

tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

bingo
Cancel
Vote Up 0 Vote Down

Cancel
0 ApathyInTheUK over 9 years ago in reply to tabination

So I figured it out on my own. This article had the solutions.

https://www.astaro.org/gateway-products/general-discussion/54160-some-alternative-poodle-workarounds-utm.html

In addition to adding,

openssl_options = +no_tlsv1_2

I also had to modify line 257 and change.

tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3

to

tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

bingo

Thank you for this. I have been waiting all day for my escalated case to be answered by support with no reply.
Just editing line 257 has done the trick for me and should stop my UTM customers shouting at me tomorrow morning.[:)]
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 ApathyInTheUK over 9 years ago in reply to tabination

So I figured it out on my own. This article had the solutions.

https://www.astaro.org/gateway-products/general-discussion/54160-some-alternative-poodle-workarounds-utm.html

In addition to adding,

openssl_options = +no_tlsv1_2

I also had to modify line 257 and change.

tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3

to

tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

bingo

Thank you for this. I have been waiting all day for my escalated case to be answered by support with no reply.
Just editing line 257 has done the trick for me and should stop my UTM customers shouting at me tomorrow morning.[:)]
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 alexander@impuls over 9 years ago in reply to ApathyInTheUK

Just editing line 257 has done the trick for me and should stop my UTM customers shouting at me tomorrow morning.[:)]

I just did some tests with various settings and https://ssl-tools.net/mailservers

It seems that this setting (default on 9.210-20)

tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2:!SSLv3

disables SSLv3, but also TLS1.0 and TLS 1.1 - it's an obvious bug!

So we can enable all protocols (SSLv3, TLS1.0 and TLS1.1) again with:

tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

But we do not want SSLv3, so we need to disable it by adding:

openssl_options = +no_sslv3

Et voilà, we have Tls 1.0, 1.1, 1.2 in 9.210-20, we are getting eMails from googlemail, but we are secured from Poodle :-)

Seems that Sophos QA had missed something here :-\
Cancel
Vote Up 0 Vote Down

Cancel