On Sat, Jun 20, 2015 at 11:33:00AM -0500, Frank Bulk wrote:
> http://www.circleid.com/posts/20150620_logjam_openssl_and_email_deliverability/
> 
> FYI, just a heads up.

OpenSSL now rejects handshakes using DH parameters shorter than 768 bits
as a countermeasure against the Logjam attack (CVE-2015-4000). At least
Debian and Ubuntu are enforcing stricter DH handling with their current
OpenSSL version.
Consequently, depending on their configuration, some mail servers are
unable to talk to MX servers which do not offer a key of sufficient
length.

On some MTAs, like Sendmail, such mails are starving in the mail queue
because there is no fall-back to some unencrypted mode ...
We have a lot of outgoing mail traffic hitting weak MX servers. With
exception entries like "Try_TLS:<MAILSERVERNAME> NO" for access-db we
circumvent the problem on occasion.
Several sites have been informed about this issue ... however,
it takes some time to fix all these servers. ;)

Already referenced in the post above, but again: see https://weakdh.org/
and https://lists.debian.org/debian-security-announce/2015/msg00182.html

R's,
Johann K.
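An added example, not part of Johann's post or of any MTA's own tooling: a small POSIX shell script that classifies the ephemeral DH group size an MX offers, by parsing the "Server Temp Key" line that OpenSSL's `s_client -starttls smtp` prints, against the 768-bit threshold the post mentions, and prints the Sendmail access-db exception line from the post for a host that falls below it. The `probe` function does a live check and needs network access; the demo at the bottom runs on a constructed sample of s_client output instead. Note that a client whose own OpenSSL already carries the Logjam fix will fail the handshake against a weak server outright and print no key line at all, which the script reports as "none" rather than as a bit count. The host name `mx.example.net` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the mailop thread): find MX hosts whose DH group
# is below what post-CVE-2015-4000 OpenSSL accepts, and emit the Sendmail
# access-db exception quoted in the post for them.

MIN_DH_BITS=768   # OpenSSL's Logjam countermeasure rejects DH shorter than this

# dh_bits: read `openssl s_client` output on stdin and print the ephemeral DH
# size from the "Server Temp Key: DH, N bits" line. Prints 0 when no such
# line exists (handshake failed, or the server used ECDH / no forward secrecy).
# The pattern deliberately does not match "Server Temp Key: ECDH, ...".
dh_bits() {
    awk '/Server Temp Key: *DH,/ { sub(/^.*DH, */, ""); sub(/ bits.*$/, ""); print; found = 1 }
         END { if (!found) print 0 }'
}

# classify BITS: "none" (no DH key seen), "weak" (below threshold) or "ok".
classify() {
    if [ "$1" -eq 0 ]; then
        echo none
    elif [ "$1" -lt "$MIN_DH_BITS" ]; then
        echo weak
    else
        echo ok
    fi
}

# access_line HOST: the Sendmail access-db entry from the post that disables
# STARTTLS towards one host, so queued mail to it is not starved.
access_line() {
    printf 'Try_TLS:%s\tNO\n' "$1"
}

# probe HOST [PORT]: live check over the network (not used by the demo below).
probe() {
    openssl s_client -connect "$1:${2:-25}" -starttls smtp </dev/null 2>/dev/null | dh_bits
}

# Constructed sample in the shape of OpenSSL 1.0.x s_client output; not a
# real capture from any server.
SAMPLE_WEAK='SSL handshake has read 1234 bytes and written 456 bytes
---
Server Temp Key: DH, 512 bits
---'

# Demo on the constructed sample.
bits=$(printf '%s\n' "$SAMPLE_WEAK" | dh_bits)
verdict=$(classify "$bits")
echo "mx.example.net offers DH $bits bits -> $verdict"
if [ "$verdict" = weak ]; then
    access_line mx.example.net
fi
```

For a real deployment the loop would feed the hosts from the stuck queue (`mailq` output) into `probe` one by one; the access-db line is a per-host exception, so it should be removed again once the remote site has upgraded, otherwise mail to that host stays unencrypted indefinitely.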


_______________________________________________
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop