This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL TLS on SMTP

Our MAIL Relay worked fine until the NEW SSL Bug fix was applied, any suggestions ??

We have upgraded to 9.210-20, we now are getting serious EMAIL rejection problems EXIM Log:

SMTP command timeout on connection from (iPhone) [85.255.233.181]:23650
2014:12:04-18:54:38 fw1 exim-in[15966]: 2014-12-04 18:54:38 SMTP command timeout on connection from ([10.4.96.113]) [212.183.132.60]:53489
2014:12:04-18:55:00 fw1 exim-out[16233]: 2014-12-04 18:55:00 Start queue run: pid=16233
2014:12:04-18:55:00 fw1 exim-out[16233]: 2014-12-04 18:55:00 End queue run: pid=16233
2014:12:04-18:55:33 fw1 exim-in[16038]: 2014-12-04 18:55:33 SMTP command timeout on connection from (iPhone) [85.255.233.181]:19775
2014:12:04-18:55:40 fw1 exim-in[16043]: 2014-12-04 18:55:40 TLS error on connection from [85.255.233.181]:43614 (SSL_accept): timed out
2014:12:04-18:55:40 fw1 exim-in[16043]: 2014-12-04 18:55:40 TLS client disconnected cleanly (rejected our certificate?)

This thread was automatically locked due to age.

0 luckman212 over 9 years ago
Here's what I wound up doing (worked for me on ASG220)
SSH to the UTM as root first.
vi /var/chroot-smtp/etc/exim.conf

commented out the following line
#tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2:!SSLv3

add these just above it
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2
openssl_options = +no_sslv3

restarted SMTP proxy with
/var/mdw/scripts/smtp restart

Edit: apparently this did NOT really fix the issue. I am still getting a lot of mail rejeted from both Gmail + MS Office365. I have been over the steps a few time to be sure but nothing has fixed it. I am really frustrated. Not sure what to do now.
Cancel
Vote Up 0 Vote Down

Cancel
0 tom11011 over 9 years ago

Is restarting the proxy service required?? That wasn't mentioned anywhere.
Cancel
Vote Up 0 Vote Down

Cancel
0 luckman212 over 9 years ago in reply to tom11011

Is restarting the proxy service required?? That wasn't mentioned anywhere.

It's mentioned in the Sophos KB: The SSL v3.0 CBC (Poodle) vulnerability: affected versions, recommended steps and workarounds

TL;DR Yes until you don't restart the SMTP proxy the daemon will not see the config change.
Cancel
Vote Up 0 Vote Down

Cancel
0 systeembeheerder over 9 years ago

Is there any forecast on a patch for this annoying bug? 9.211? and what would then happen to the changed config file?
Cancel
Vote Up 0 Vote Down

Cancel
0 lieven boon over 9 years ago in reply to systeembeheerder

I have the same problem.
I have put a simple workaround.
Maybe not the best and most beautifful but it works.

In the webinterface:

Email protection -> smtp -> advanced.
TLS settings:
Put any in the "skip TLS negotiation hosts/nets"

This will solve the problem. (if you don't use TLS)

Regards,
Lieven
Cancel
Vote Up 0 Vote Down

Cancel
0 djac over 9 years ago

sophos official solution here:
Article ID: 121509
Title: The SSL v3.0 CBC (Poodle) vulnerability: affected versions, recommended steps and workarounds
URL: https://sophos.com/kb/121509

I had to use 'sudo' before each instruction to get it work.
Cancel
Vote Up 0 Vote Down

Cancel
0 offn over 9 years ago in reply to Revan

Line 257 looks a bit different here:
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLV2
instead of
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

So there are 2 different versions and the only difference is in the RC4-part.

Is "RC4+RSA" needed for the solution or may it be disabled with "!RC4"?
Cancel
Vote Up 0 Vote Down

Cancel
0 offn over 9 years ago in reply to luckman212
...
add these just above it
openssl_options = +no_sslv3
...
Edit: apparently this did NOT really fix the issue. I am still getting a lot of mail rejeted from both Gmail + MS Office365. I have been over the steps a few time to be sure but nothing has fixed it. I am really frustrated. Not sure what to do now.

Maybe the position is important? Look at post 4.
Cancel
Vote Up 0 Vote Down

Cancel
0 offn over 9 years ago

In an HA-environment you should take care, that the workaround is deployed to all devices!
Cancel
Vote Up 0 Vote Down

Cancel
0 Jayson over 9 years ago in reply to BAlfson

Thank Bob, your answer worked for me.

However I get a different result when I do the [grep openssl /var/chroot-smtp/etc/exim.conf] - I get "openssl_options = +no_sslv3" as the result. Again, it is working now.

-Jayson

If you have paid support, please ask Sophos Support to do the following:
# edit /var/chroot-smtp/etc/exim.conf

Press to add line 297 (Ouch! I made a mistake when I posted this the first time. It's correct now.)
openssl_options = +no_sslv3

although that change should be sufficient, change line 257 to
tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

Press [escape]

Type in
:wq

followed by [Enter], and that should have succeeded in adding the line they goofed on. To check your work:
# grep openssl /var/chroot-smtp/etc/exim.conf

The output of that command should be
openssl_options = +no_tlsv1_2

Cheers - Bob
If your box already has the 9.300, 9.301 and 9.302 Up2Dates available on it, just change the version at the command line and Up2Date to 9.302 instead.
Cancel
Vote Up 0 Vote Down

Cancel