
SSL TLS on SMTP

Our MAIL Relay worked fine until the NEW SSL Bug fix was applied. Any suggestions?

We have upgraded to 9.210-20, and we are now getting serious EMAIL rejection problems. EXIM log:

SMTP command timeout on connection from (iPhone) [85.255.233.181]:23650
2014:12:04-18:54:38 fw1 exim-in[15966]: 2014-12-04 18:54:38 SMTP command timeout on connection from ([10.4.96.113]) [212.183.132.60]:53489
2014:12:04-18:55:00 fw1 exim-out[16233]: 2014-12-04 18:55:00 Start queue run: pid=16233
2014:12:04-18:55:00 fw1 exim-out[16233]: 2014-12-04 18:55:00 End queue run: pid=16233
2014:12:04-18:55:33 fw1 exim-in[16038]: 2014-12-04 18:55:33 SMTP command timeout on connection from (iPhone) [85.255.233.181]:19775
2014:12:04-18:55:40 fw1 exim-in[16043]: 2014-12-04 18:55:40 TLS error on connection from [85.255.233.181]:43614 (SSL_accept): timed out
2014:12:04-18:55:40 fw1 exim-in[16043]: 2014-12-04 18:55:40 TLS client disconnected cleanly (rejected our certificate?)


  • I'll chime in:
    9.210-20 version, had the gmail problem.

    my line 247 WAS:
     tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2:!SSLv3

    I REMOVED the ":!SSLv3"

    then in line 297 added:
     openssl_options = +no_sslv3

    as per Balfsson's post https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/29725  (which needs some editing, as Bob forgot to fix the grep output comparison and still lists TLS, which leads to confusion).

    now mails are going in, but I have no idea if SSL v3 is indeed fixed or not; the connect line from gmail is:
    " H=mail-lb0-f178.google.com [209.85.217.178]:34846 P=esmtps X=TLSv1:AES128-SHA:128 S=1813"
  • While Google is not using SSLv3 for the transport, they are using SSLv3 ciphers for TLS.  Long story short, the way they disabled SSLv3 transport in 9.210, they also disabled the ciphers -- which disabled TLS, and thus the issues.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.
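Why the two posts above fit together: in an OpenSSL cipher string, "SSLv3" is a cipher-suite *generation* tag (the minimum protocol a suite needs), not a protocol switch, so "!SSLv3" strips suites like AES128-SHA that TLSv1 peers such as the Gmail connection in the log rely on, while Exim's openssl_options = +no_sslv3 disables the protocol itself. The model below is an added illustration, not code from this thread, from Exim or from Sophos; its cipher table is a constructed subset that mimics `openssl ciphers -v` output of the OpenSSL 1.0.x era, and its evaluator is a simplification (plain add, "-" remove, "!" permanent remove).

```python
"""Model of how tls_require_ciphers and openssl_options interact (constructed example)."""

# (name, minimum protocol, strength, encryption, MAC, authentication) -- constructed subset
CIPHERS = [
    ("AES128-GCM-SHA256", "TLSv1.2", "HIGH", "AESGCM", "AEAD", "RSA"),
    ("DHE-RSA-AES256-SHA", "SSLv3", "HIGH", "AES", "SHA1", "RSA"),
    ("AES128-SHA", "SSLv3", "HIGH", "AES", "SHA1", "RSA"),  # the suite Gmail used in the log
    ("ADH-AES128-SHA", "SSLv3", "HIGH", "AES", "SHA1", "None"),
    ("RC4-SHA", "SSLv3", "MEDIUM", "RC4", "SHA1", "RSA"),
    ("RC4-MD5", "SSLv3", "MEDIUM", "RC4", "MD5", "RSA"),
]
PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # negotiable versions, oldest first
MIN_PROTO = {c[0]: c[1] for c in CIPHERS}

def _matches(cipher, tag):
    """Does one table row match a cipher-string tag? (subset of OpenSSL's aliases)"""
    _name, proto, strength, enc, mac, auth = cipher
    return {"HIGH": strength == "HIGH", "MEDIUM": strength == "MEDIUM",
            "RC4": enc == "RC4", "MD5": mac == "MD5", "ADH": auth == "None",
            "SSLv2": proto == "SSLv2", "SSLv3": proto == "SSLv3",
            "TLSv1.2": proto == "TLSv1.2", "ALL": True}[tag]

def select_ciphers(cipher_string):
    """Evaluate a cipher string left to right; returns the suites the server offers."""
    selected, killed = [], set()
    for word in cipher_string.split(":"):
        op, tag = (word[0], word[1:]) if word[0] in "!-" else ("", word)
        hits = [c[0] for c in CIPHERS if _matches(c, tag)]
        if op == "!":                       # "!" removes and forbids re-adding
            killed.update(hits)
        if op in ("!", "-"):
            selected = [n for n in selected if n not in hits]
        else:
            selected += [n for n in hits if n not in selected and n not in killed]
    return selected

def enabled_protocols(openssl_options):
    """Protocol versions left after options such as '+no_sslv3' (Exim openssl_options)."""
    disabled = {o[len("+no_"):] for o in openssl_options.split() if o.startswith("+no_")}
    return [p for p in PROTOCOLS if p.lower().replace(".", "_") not in disabled]

def usable_for(cipher_string, openssl_options, peer_protocol):
    """Suites a peer negotiating peer_protocol can actually use against this config."""
    if peer_protocol not in enabled_protocols(openssl_options):
        return []                           # protocol itself refused: handshake fails
    limit = PROTOCOLS.index(peer_protocol)  # a suite needs min protocol <= negotiated one
    return [n for n in select_ciphers(cipher_string) if PROTOCOLS.index(MIN_PROTO[n]) <= limit]

if __name__ == "__main__":
    broken = "HIGH:!RC4:!MD5:!ADH:!SSLv2:!SSLv3"  # line 247 as shipped: no suites for TLSv1 peers
    fixed = "HIGH:!RC4:!MD5:!ADH:!SSLv2"           # ':!SSLv3' removed, protocol disabled via options
    for peer in PROTOCOLS:
        print(peer, usable_for(broken, "", peer), usable_for(fixed, "+no_sslv3", peer))
```

With the shipped string a TLSv1 peer gets an empty list (only the TLSv1.2-only GCM suite survives "!SSLv3"), which is the "disabled TLS" symptom; with the corrected pair, SSLv3 is refused as a protocol while TLSv1 still gets AES128-SHA, matching the X=TLSv1:AES128-SHA:128 log line.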
