Hi Sam,
the right way to test is:
openssl s_client -connect MXIP:25 -starttls smtp
and with my cipher list it works fine, but only apparently; in fact,
disabling SSLv3 with !SSLv3 also disables TLSv1.0 and TLSv1.1, so only
TLSv1.2 is available.
With this configuration, SMTP servers that support only TLS up to v1.0
have problems delivering email to me. This is a log from a Debian 6 server
(but CentOS 5 and other distros have the same problem):
Aug 21 09:15:16 smtp1 postfix/smtp[6995]: SSL_connect error to mx01.domain.com[192.168.1.2]:25: -1
Aug 21 09:15:16 smtp1 postfix/smtp[6995]: warning: TLS library problem: 6995:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:607:
Aug 21 09:15:16 smtp1 postfix/smtp[6995]: dJ0c42zXPl: Cannot start TLS: handshake failure
Aug 21 09:15:16 smtp1 postfix/smtp[6995]: Host offered STARTTLS: [mx01.domain.com]
Here you can find a similar problem with an old Dovecot version:
http://security.stackexchange.com/questions/71872/disable-sslv3-in-dovecot-tls-handshaking-failed-no-shared-cipher
there are no ciphers specific to TLS1.0 and TLS1.1, that is, they use
the same ciphers as SSL 3.0. Only TLS1.2 defined some new ciphers. This
means that if you disable the SSLv3 ciphers, no SSLv3 clients can connect,
but also no TLS1.0 or TLS1.1 clients. This is probably not what you
intended to do.
The real way is not to disable the SSLv3 ciphers, but to disable the
SSLv3 protocol.
There, the only way to solve the problem was to make a patch that disables
the SSLv3 protocol, because via the cipher list it is impossible to disable
SSLv3 but not TLSv1.0/1.1.
So I think spamdyke also needs a patch to disable SSLv3 (the protocol).
Thanks
On 20/08/2015 17:23, Sam Clippinger via spamdyke-users wrote:
I think you can test it by using the openssl client from the command line:
openssl s_client -ssl3 -connect SERVERNAME:PORT
If it connects and you see Protocol: SSLv3, it's not disabled. If you
see sslv3 alert handshake failure and it doesn't connect, you're done!
-- Sam Clippinger
On Aug 20, 2015, at 7:28 AM, Alessio Cecchi via spamdyke-users
<spamdyke-users@spamdyke.org> wrote:
Hi,
I'm running spamdyke 5 in front of a Qmail without the TLS patch. My Qmail
acts only as MX, so I'm not interested in SMTP authentication via
TLS, but I need TLS to send and receive encrypted email from other servers.
But my MX also accepts SSLv3 and I would like to disable it.
So I inserted in spamdyke.conf:
tls-cipher-list=ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
but I'm not sure if the cipher list is correct.
Can somebody help me?
Thanks
--
Alessio Cecchi
http://www.linkedin.com/in/alessice
___
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
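The following is an added example, not code from the thread, from spamdyke or from Qmail. It uses Python's ssl module (which hands cipher strings to the local OpenSSL, the same parser openssl ciphers(1) uses) to show what the cipher-list observation at the top of the thread and the quoted Dovecot explanation describe: !SSLv3 strips the SSL 3.0-era suites that TLS 1.0/1.1 peers depend on, while switching off the SSLv3 protocol itself leaves those suites alone. It assumes a Python built against OpenSSL 1.1.0 or newer; those versions label the ECDHE suites TLSv1 rather than SSLv3, so !SSLv3 removes fewer suites than it did on the OpenSSL 1.0.x systems in the thread, but the static-RSA suites such as AES128-SHA still disappear.

```python
import ssl

# OpenSSL labels every suite with the oldest protocol it was defined for.
# TLS 1.0 and 1.1 defined no suites of their own: they reuse the SSL 3.0
# ones, so a !SSLv3 rule strips exactly the suites those clients need.
# (Assumption: OpenSSL 1.1.0+, where ECDHE suites carry a TLSv1 label
# instead, so the loss is smaller than on the 1.0.x boxes in the thread.)
PRE_TLS12_LABELS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}

THREAD_LIST = "ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL"   # as posted in the thread
PROTO_FIX_LIST = "ALL:!LOW:!EXP:!aNULL"               # same list, no version tags


def suites_by_min_protocol(cipher_list):
    """Map each minimum-protocol label to the suite names that carry it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)            # same parser as openssl ciphers(1)
    groups = {}
    for suite in ctx.get_ciphers():
        groups.setdefault(suite["protocol"], []).append(suite["name"])
    return groups


def suites_for_tls10_11(cipher_list):
    """Suites a TLS 1.0 or 1.1 peer could still negotiate with this list."""
    return sorted(name
                  for label, names in suites_by_min_protocol(cipher_list).items()
                  if label in PRE_TLS12_LABELS
                  for name in names)


def server_context_without_sslv3(cipher_list=PROTO_FIX_LIST):
    """The fix the thread arrives at: refuse the SSLv3 *protocol* but keep
    the shared suites, so TLS 1.0-only senders (the Debian 6 log) still get TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # accept TLS 1.0 and up ...
    ctx.options |= ssl.OP_NO_SSLv3               # ... but never SSL 3.0
    return ctx


def sslv3_protocol_disabled(ctx):
    """True when the context refuses SSL 3.0 regardless of its cipher list."""
    return (bool(ctx.options & ssl.OP_NO_SSLv3)
            or ctx.minimum_version >= ssl.TLSVersion.TLSv1)


if __name__ == "__main__":
    for label, lst in (("thread's list", THREAD_LIST), ("protocol fix", PROTO_FIX_LIST)):
        left = suites_for_tls10_11(lst)
        print(f"{label:14s} {lst:38s} TLS1.0/1.1-capable suites left: {len(left)}")
    print("SSLv3 protocol refused:", sslv3_protocol_disabled(server_context_without_sslv3()))
```

Run it against the OpenSSL your MX links with; the count for the thread's list is what an old TLS 1.0-only sender has to work with.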