Hi Sam,

The right way to test is:

openssl s_client -connect MXIP:25 -starttls smtp

and with my cipher list it works fine, but only apparently: in fact, disabling SSLv3 with "!SSLv3" also disables TLSv1.0 and TLSv1.1, so only TLSv1.2 is available.

With this configuration, SMTP servers that support TLS only up to v1.0 have problems delivering email to me. This is a log from a Debian 6 server (CentOS 5 and other distros have the same problem):

Aug 21 09:15:16 smtp1 postfix/smtp[6995]: SSL_connect error to mx01.domain.com[192.168.1.2]:25: -1
Aug 21 09:15:16 smtp1 postfix/smtp[6995]: warning: TLS library problem: 6995:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:607:
Aug 21 09:15:16 smtp1 postfix/smtp[6995]: dJ0c42zXPl: Cannot start TLS: handshake failure
Aug 21 09:15:16 smtp1 postfix/smtp[6995]: Host offered STARTTLS: [mx01.domain.com]

Here you can find a similar problem with old Dovecot version:

http://security.stackexchange.com/questions/71872/disable-sslv3-in-dovecot-tls-handshaking-failed-no-shared-cipher

"there are no ciphers specific for TLS1.0 and TLS1.1, that is they use the same ciphers as SSL 3.0. Only TLS1.2 defined some new ciphers. This means, that if you disable SSLv3 ciphers no SSLv3 clients can connect, but also no TLS1.0 or TLS1.1 clients. This is probably not what you intended to do.

The real way is not to disable the SSLv3 ciphers, but to disable the SSLv3 protocol"

where the only way to solve the problem was to make a patch that disables the SSLv3 protocol, because via the cipher list it is impossible to disable SSLv3 but not TLSv1.0/1.1.

So I think spamdyke also needs a patch to disable SSLv3 (the protocol).

Thanks

On 20/08/2015 17:23, Sam Clippinger via spamdyke-users wrote:
I think you can test it by using the openssl client from the command line:
openssl s_client -ssl3 -connect SERVERNAME:PORT
If it connects and you see "Protocol: SSLv3", it's not disabled.  If you
see "sslv3 alert handshake failure" and it doesn't connect, you're done!

-- Sam Clippinger

On Aug 20, 2015, at 7:28 AM, Alessio Cecchi via spamdyke-users
<spamdyke-users@spamdyke.org> wrote:

Hi,

I'm running spamdyke 5 in front of a Qmail without the TLS patch. My Qmail
acts only as MX, so I'm not interested in SMTP authentication via
TLS, but I need TLS to send and receive encrypted email from other servers.

But my MX also accepts SSLv3 and I would like to disable it.

So I inserted in spamdyke.conf:

tls-cipher-list=ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL

but I'm not sure if the list of ciphers is correct.

Can somebody help me?
Thanks
--
Alessio Cecchi
http://www.linkedin.com/in/alessice
_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users

--
Alessio Cecchi
http://www.linkedin.com/in/alessice
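A small added check (not code from this thread or from spamdyke) that makes the point above concrete with Python's ssl module: the first function shows which protocol version OpenSSL tags each suite selected by a cipher string with, and the second builds a server context that disables the SSLv3 protocol directly (the equivalent of OpenSSL's SSL_OP_NO_SSLv3, which is what a spamdyke patch would set) instead of through the cipher list. The two cipher strings are the one from the post and the same string without "!SSLv3"; the function names are mine.

```python
import ssl

# Cipher string from the original post: relies on cipher aliases alone.
CIPHERS_ALIAS_ONLY = "ALL:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL"
# Same string without "!SSLv3"; the protocol is disabled separately below.
CIPHERS_KEEP_TLS10_SUITES = "ALL:!LOW:!EXP:!aNULL"


def ciphers_by_min_version(cipher_string):
    """Group the suites a cipher string selects by the oldest protocol
    version OpenSSL marks them for ("SSLv3", "TLSv1.0", "TLSv1.2", ...).

    The "SSLv3" alias matches every suite whose minimum version is SSL 3.0,
    and those are exactly the suites TLS 1.0/1.1 peers rely on (the classic
    RSA/DHE AES-CBC-SHA1 suites). With OpenSSL 1.0.x, the library generation
    in the thread, the TLSv1 alias was the same set, so "!SSLv3" left only
    TLS 1.2 suites; newer OpenSSL tags the ECDHE CBC suites "TLSv1.0" and
    keeps them, so the exact fallout depends on the OpenSSL version.
    TLS 1.3 suites are listed too but are not governed by set_ciphers()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    groups = {}
    for c in ctx.get_ciphers():
        groups.setdefault(c["protocol"], []).append(c["name"])
    return groups


def keeps_pre_tls12_suites(cipher_string):
    """True if any suite usable by a TLS 1.0/1.1 client survives the string.
    If none do, such peers fail with 'sslv3 alert handshake failure'."""
    groups = ciphers_by_min_version(cipher_string)
    return any(v in groups for v in ("SSLv3", "TLSv1.0"))


def hardened_mx_server_context():
    """Disable the SSLv3 protocol itself (what SSL_OP_NO_SSLv3 does in C)
    while keeping the suites TLS 1.0+ peers need. The caller still has to
    load the MX certificate with load_cert_chain()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # SSLv3 rejected, TLS 1.0+ allowed
    ctx.set_ciphers(CIPHERS_KEEP_TLS10_SUITES)
    return ctx


def hardened_minimum_version_name():
    """Name of the lowest protocol the hardened context will negotiate."""
    return hardened_mx_server_context().minimum_version.name


if __name__ == "__main__":
    for label, s in (("alias only", CIPHERS_ALIAS_ONLY),
                     ("protocol disabled", CIPHERS_KEEP_TLS10_SUITES)):
        print(label, {k: len(v) for k, v in ciphers_by_min_version(s).items()})
```

Run it against the OpenSSL your MTA links to, since the grouping is whatever that library reports.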