This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL TLS on SMTP

Our MAIL Relay worked fine until the NEW SSL Bug fix was applied, any suggestions ??

We have upgraded to 9.210-20, we now are getting serious EMAIL rejection problems EXIM Log:

SMTP command timeout on connection from (iPhone) [85.255.233.181]:23650
2014:12:04-18:54:38 fw1 exim-in[15966]: 2014-12-04 18:54:38 SMTP command timeout on connection from ([10.4.96.113]) [212.183.132.60]:53489
2014:12:04-18:55:00 fw1 exim-out[16233]: 2014-12-04 18:55:00 Start queue run: pid=16233
2014:12:04-18:55:00 fw1 exim-out[16233]: 2014-12-04 18:55:00 End queue run: pid=16233
2014:12:04-18:55:33 fw1 exim-in[16038]: 2014-12-04 18:55:33 SMTP command timeout on connection from (iPhone) [85.255.233.181]:19775
2014:12:04-18:55:40 fw1 exim-in[16043]: 2014-12-04 18:55:40 TLS error on connection from [85.255.233.181]:43614 (SSL_accept): timed out
2014:12:04-18:55:40 fw1 exim-in[16043]: 2014-12-04 18:55:40 TLS client disconnected cleanly (rejected our certificate?)

This thread was automatically locked due to age.

0 elisehamel over 9 years ago in reply to Jayson

Same for me. The grep command is openssl_options = +no_sslv3.

Thanks

Thank Bob, your answer worked for me.

However I get a different result when I do the [grep openssl /var/chroot-smtp/etc/exim.conf] - I get "openssl_options = +no_sslv3" as the result. Again, it is working now.

-Jayson
Cancel
Vote Up 0 Vote Down

Cancel
0 elisehamel over 9 years ago

After adding the fix I still get this :
Too many failed logins from 82.XX.XX.XX for facility smtp.
Further logins will be blocked for 700 seconds.

I did not get this before.
Cancel
Vote Up 0 Vote Down

Cancel
0 Mast_01 over 9 years ago
i'll chime in:
9.210-20 version, had the gmail problem.

my line 247 WAS:
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2:!SSLv3

i REMOVED the ":!SSLv3"

hen in line 297 added:
openssl_options = +no_sslv3

as per Balfsson pot https://community.sophos.com/products/unified-threat-management/astaroorg/f/52/t/29725 (which needs some edit as Bob forgot to fix the grep output comparson and still lists TLS which leads to confusion).

now mails are going in, but i have no idea if SSL v3 is indeed fixed or not, the connect line from gmail es:
" H=mail-lb0-f178.google.com [209.85.217.178]:34846 P=esmtps X=TLSv1:AES128-SHA:128 S=1813"
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 9 years ago in reply to Mast_01

While Google is not using SSLv3 for the transport, they are using SSLv3 ciphers for TLS. Long story short, the way they disabled SSLv3 transport in 9.210, they also disabled the ciphers -- which disabled TLS, and thus the issues.

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Sophos Platinum Partner

--------------------------------------

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 tomtomtom over 9 years ago

Update from 9.210-20 to 9.304-9 is available and fixes this bug.
Cancel
Vote Up 0 Vote Down

Cancel
0 DavidSchomaker over 9 years ago

My Home UTM is running 9.210-20 and emails from Google and Yahoo and perhaps others are not getting through. It appears that the issue has been resolved in 9.304-9. Up-2-Date is not offering a new version. Can I get it some other way? It appears that the down loads area isn't available without a special login. How soon will the update be available via the Up-2-Date feature?
Cancel
Vote Up 0 Vote Down

Cancel
0 luckman212 over 9 years ago

It might be too early to declare a victory for me but preliminary results look pretty good. I think I fixed my problem by manually editing the exim.conf file on my cluster's slave unit (used ha_utils ssh command to connect to the slave unit from the master, and then applied the same fixes using vi to manually edit the config files). After doing this I re-enabled TLS and so far I am not seeing the protocol errors or missing cipher errors. Still standing by for an official patch but I am hopeful.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 9 years ago
David, it is available: Index of /pub/UTM/v9/up2date/

Also, you could download it as root at the command line:
cd /var/up2date/sys
wget ftp.astaro.com/.../u2d-sys-9.210020-304009.tgz.gpg
/sbin/auisys.plx --showdesc

and, then install in WebAdmin.

Cheers - Bob
Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 DavidSchomaker over 9 years ago

Thanks Bob! Your command line code was worked fine for me. ~David
Cancel
Vote Up 0 Vote Down

Cancel
0 MrOlrich over 9 years ago

And now the million-dollar question is: After applying Bob's excellent workaround in post #4, and today updating to v9.304-9 as per his post #49, do we have to reverse the instructions in post #4, or does the update "fix everything" and set everything back to normal?

Regards,
Mr Olrich
Cancel
Vote Up 0 Vote Down

Cancel