On 01/06/2016 at 16:00, Marcin Mirosław wrote:
On 01.06.2016 at 15:05, Renaud Allard wrote:

On 06/01/2016 12:32 PM, Samuel wrote:
Le 01/06/2016 à 11:24, Jeremy Harris a écrit :
On 31/05/16 18:44, Samuel wrote:
2016-05-31 05:55:44 TLS error on connection from
researchscan258.eecs.XXXX.edu (eecs.XXXX.edu) [1XX.212.XXX.3]
(gnutls_handshake): Could not negotiate a supported cipher suite.
2016-05-31 05:55:44 H=researchscan258.eecs.XXXX.edu (eecs.XXXX.edu)
[1XX.212.XXX.3] Warning: erreur : tls-failed
OK, cipher-suite mismatch...

/var/log/syslog :

May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps:
exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0
in libc-2.19.so[6664ddba2000+1a2000]
Oops!

So if I understand correctly, a specially crafted SSL request can cause a DoS on
Exim on a Grsecurity kernel?
Not all that crafted; just a choice of ciphers.
Is this a problem on my side? Do I have to do something?

Given the name of the host researchscanXXX, may I assume you have used a
server to test the crypto? So if it has indeed attempted some kind of
brute force, maybe grsec was right.

Some grsec features should be used with great precaution. This is not a
magical recipe.

Hi!
I don't know if it helps. I also have a connection from researchscan but
without any segfault:
# bzgrep 13810 /var/log/exim/exim_main.log-20160531*
2016-05-30 12:51:28 [13810] TLS error on connection from
researchscan258.eecs.umich.edu (eecs.umich.edu) [141.212.122.3]
I=[81.4.122.249]:25 (SSL_accept): error:140760FC:SSL
routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2016-05-30 12:51:28 [13810] TLS client disconnected cleanly (rejected
our certificate?)

# exim -d --version
Exim version 4.87 #1 built 08-Apr-2016 14:04:45
Copyright (c) University of Cambridge, 1995 - 2016
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007
- 2016
Berkeley DB: Berkeley DB 4.8.30: (2014-12-18)
Support for: crypteq iconv() IPv6 Expand_dlfunc OpenSSL Content_Scanning
Old_Demime DKIM DNSSEC Event OCSP PRDR Experimental_SRS
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmjz dbmnz dnsdb dsearch passwd pgsql
Authenticators: cram_md5 plaintext spa
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Compiler: GCC [4.9.3]
Library version: OpenSSL: Compile: OpenSSL 1.0.2g  1 Mar 2016
                           Runtime: OpenSSL 1.0.2h  3 May 2016
                                  : built on: reproducible build, date
unspecified
Library version: PCRE: Compile: 8.38
                        Runtime: 8.38 2015-11-23
WHITELIST_D_MACROS unset
TRUSTED_CONFIG_LIST unset
Exim version 4.87 uid=0 gid=0 pid=5705 D=fbb95cfd
changed uid/gid: forcing real = effective
   uid=0 gid=0 pid=5705
   auxiliary group list: <none>
changed uid/gid: calling tls_validate_require_cipher
   uid=8 gid=12 pid=5706
   auxiliary group list: <none>
tls_require_ciphers expands to "HIGH:!aNULL:!MD5!DES:!3DES"
tls_validate_require_cipher child 5706 ended: status=0x0
openssl option, adding from 1100000: 1000000 (no_sslv2 +no_sslv3)
openssl option, adding from 1100000: 2000000 (no_sslv3)
configuration file is /etc/exim/exim.conf
log selectors = 000084fe 16333321
cwd=/root 3 args: exim -d --version
trusted user
admin user
changed uid/gid: privilege not needed
   uid=8 gid=12 pid=5705
   auxiliary group list: 12
DSN: dnslookup_batv propagating DSN
DSN: batv_redirect propagating DSN
DSN: spam_fakereject_kopia propagating DSN
DSN: uservacation propagating DSN
DSN: virtual_user propagating DSN
DSN: aliasy propagating DSN
DSN: catchall propagating DSN
DSN: dnslookup propagating DSN
seeking password data for user "mail": cache not available
getpwnam() succeeded uid=8 gid=12
originator: uid=0 gid=0 login=root name=root
sender address = SNIP@CIACH
Configuration file is /etc/exim/exim.conf

# uname -a
Linux jowisz 4.5.4-hardened-r2 #1 SMP Tue May 17 16:54:00 CEST 2016
x86_64 Intel(R) Xeon(R) CPU E5-2630 v2 @ 2.60GHz GenuineIntel GNU/Linux


And I'm sure that the grsec options in my kernel are different from Samuel's.

Thanks a lot for your advice.
But as I told Renaud, port 465 was closed on my test server.

And now that it is open, I've seen the researchscan coming again on port 465 with no alert from grsecurity.

What could have happened on port 25 with STARTTLS... I don't know.

Thanks.

Samuel.
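As an added defender-side example, not written by any participant in this thread, the following Python check pairs kernel "general protection" traps for exim4 with Exim "TLS error on connection" entries logged within a few seconds, so that a crash like the one Samuel reports can be tied to the peer whose handshake preceded it. The sample log lines are constructed from the ones quoted above; the mx.example.net entry and the second trap (pid 23099) are invented to show the no-match case.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the lines quoted in the thread
# (hosts/IPs masked as in the original; the last line of each is invented).
EXIM_MAINLOG = """\
2016-05-31 05:55:44 TLS error on connection from researchscan258.eecs.XXXX.edu (eecs.XXXX.edu) [1XX.212.XXX.3] (gnutls_handshake): Could not negotiate a supported cipher suite.
2016-05-31 05:55:44 H=researchscan258.eecs.XXXX.edu (eecs.XXXX.edu) [1XX.212.XXX.3] Warning: erreur : tls-failed
2016-05-31 06:10:02 TLS error on connection from mx.example.net [192.0.2.10] (gnutls_handshake): Could not negotiate a supported cipher suite.
"""
KERNEL_LOG = """\
May 31 05:55:44 anemone-mailin-01 kernel: [4547900.677897] traps: exim4[23055] general protection ip:6664ddc0bad6 sp:7483826d3710 error:0 in libc-2.19.so[6664ddba2000+1a2000]
May 31 06:30:00 anemone-mailin-01 kernel: [4549000.000000] traps: exim4[23099] general protection ip:0 sp:0 error:0 in libc-2.19.so[6664ddba2000+1a2000]
"""

# Optional "[pid]" after the timestamp covers logs written with log_selector +pid,
# optional "(rdns)" covers the reverse-lookup name Exim prints before the address.
TLS_ERR = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:\[\d+\] )?TLS error on connection from (\S+) (?:\(\S+\) )?\[([^\]]+)\]")
TRAP = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[[\d.]+\] traps: (exim4?)\[(\d+)\] general protection")

def parse_tls_errors(text):
    """Yield (time, peer host, peer ip) for each Exim TLS handshake failure."""
    for line in text.splitlines():
        m = TLS_ERR.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def parse_traps(text, year):
    """Yield (time, process, pid) for kernel GPF traps; syslog stamps carry no year."""
    for line in text.splitlines():
        m = TRAP.match(line)
        if m:
            stamp = f"{year} {re.sub(r' +', ' ', m.group(1))}"
            yield datetime.strptime(stamp, "%Y %b %d %H:%M:%S"), m.group(2), m.group(3)

def correlate(exim_text, kernel_text, year, window_s=2):
    """Return (matched, unexplained): crashes paired with TLS failures logged
    within window_s seconds, and crashes with no nearby TLS failure."""
    errors = list(parse_tls_errors(exim_text))
    matched, unexplained = [], []
    for t, proc, pid in parse_traps(kernel_text, year):
        near = [(h, ip) for et, h, ip in errors if abs((et - t).total_seconds()) <= window_s]
        if near:
            matched.append({"time": t, "pid": pid, "peers": near})
        else:
            unexplained.append({"time": t, "pid": pid})
    return matched, unexplained

if __name__ == "__main__":
    for section in correlate(EXIM_MAINLOG, KERNEL_LOG, 2016):
        print(section)
```

An unexplained trap is worth as much attention as a matched one: it means the crash was not preceded by a logged handshake failure, so a wider window or the TLS debug log is the next place to look.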



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
