On Fri, Dec 09, 2022 at 07:55:42PM +0100, Cyborg via Exim-users wrote:

> Guys, it was just an FYI without the FYI mark. I will add it next time :)

Yeah, that could have been helpful.

> There is nothing exim can do or should do. It's 100% caused by
> outdated legacy servers, ignoring the year 2009 CVE.
>
> The issue is reproducible with openssl s_client directly:
>
> openssl s_client -connect 82.218.176.66:25 -starttls smtp

Indeed, and also with Postfix (built against OpenSSL 3.0):

    $ posttls-finger -c -Lsummary -lmay "[82.218.176.66]"
    posttls-finger: SSL_connect error to 82.218.176.66[82.218.176.66]:25: -1
    posttls-finger: warning: TLS library problem: error:0A000152:SSL routines::unsafe legacy renegotiation disabled:ssl/statem/extensions.c:879:

With OpenSSL 1.1.1:

    $ posttls-finger -c -Lsummary -lmay "[82.218.176.66]"
    posttls-finger: Anonymous TLS connection established to 82.218.176.66[82.218.176.66]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
    posttls-finger: Server is anonymous

Interestingly, that server supports anon-DH ciphers, which is not that common. Postfix is one of the few MTAs that enables ADH/AECDHE opportunistic TLS, and indeed the server in question appears to be a very old Postfix build:

    220 circuit.inbus.at ESMTP Postfix

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
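The probe described in the thread, written up as an added example (not code from the list posters, Exim or Postfix): it runs the same `openssl s_client -starttls smtp` handshake and then classifies the output into the three cases the messages above distinguish, a handshake refused by OpenSSL 3 because the server lacks RFC 5746 secure renegotiation (the 2009 CVE), a session that came up on an anonymous ADH/AECDH cipher, and an ordinary authenticated session. The `-legacy_server_connect` flag passed on the second attempt is the s_client equivalent of SSL_OP_LEGACY_SERVER_CONNECT and lets you see what cipher such a server would negotiate; the host names and sample transcripts are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the exim-users thread. Classify an
# `openssl s_client -starttls smtp` transcript and optionally run the probe.

# classify_s_client: read s_client output on stdin, print one token:
#   legacy-reneg  handshake refused, server lacks RFC 5746 (CVE-2009-3555)
#   anon          TLS came up on an anonymous DH/ECDH cipher (no server auth)
#   ok            TLS came up on an authenticated cipher
#   no-tls        no TLS session at all (connection refused, no STARTTLS, ...)
classify_s_client() {
    out=$(cat)
    case $out in
        *"unsafe legacy renegotiation disabled"*) echo legacy-reneg; return 0 ;;
    esac
    # The SSL-Session block prints "    Cipher    : NAME"; take the first one.
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case $cipher in
        ""|0000|"(NONE)") echo no-tls ;;
        ADH-*|AECDH-*)    echo anon ;;   # anonymous kx, as in ADH-AES256-SHA above
        *)                echo ok ;;
    esac
}

# probe_smtp HOST [PORT]: first a normal OpenSSL 3 handshake; if that is refused
# for legacy renegotiation, retry with -legacy_server_connect so the negotiated
# cipher of the old server becomes visible. Prints "VERDICT [cipher-when-allowed]".
probe_smtp() {
    host=$1; port=${2:-25}
    first=$(openssl s_client -connect "$host:$port" -starttls smtp </dev/null 2>&1 |
            classify_s_client)
    if [ "$first" = legacy-reneg ]; then
        second=$(openssl s_client -connect "$host:$port" -starttls smtp \
                 -legacy_server_connect </dev/null 2>&1 | classify_s_client)
        echo "$first (with legacy renegotiation allowed: $second)"
    else
        echo "$first"
    fi
}

# Constructed transcripts, shaped like real s_client output, used to exercise
# the classifier offline. Modeled on the error and cipher seen in the thread.
SAMPLE_LEGACY='CONNECTED(00000003)
error:0A000152:SSL routines::unsafe legacy renegotiation disabled:ssl/statem/extensions.c:879:
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

SAMPLE_ANON='CONNECTED(00000003)
New, TLSv1.0, Cipher is ADH-AES256-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA'

SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384'

# Usage: sh probe.sh mail.example.com [25]   (hypothetical host)
if [ -n "$1" ]; then
    probe_smtp "$@"
fi
```

Note that "Secure Renegotiation IS NOT supported" alone is not a reliable signal: s_client prints it for every TLS 1.3 session, where renegotiation no longer exists, so the classifier keys on the OpenSSL 3 error string and on the negotiated cipher instead.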