Re: [exim] Cipher suites identifier

2017-08-06 Thread Luciano Rinetti

Thank you, Phil.
Is there a tool, like eximstats, that can help me get the percentage
of SMTP connections that are encrypted
between my Exim4 server and other mail servers?


On 06/08/2017 01:31, Phil Pennock wrote:

> On 2017-08-01 at 19:10 +0200, Luciano Rinetti wrote:
> > #exim -bV
> [...]
> > GnuTLS compile-time version: 2.8.6
> > GnuTLS runtime version: 2.8.6
>
> On 2017-08-05 at 11:09 +0200, Luciano Rinetti wrote:
> > #exim -bV
> > Exim version 4.74 #1 built 24-May-2011 20:35:05
> [...]
> > GnuTLS compile-time version: 2.8.6
> > GnuTLS runtime version: 2.8.6
>
> Since you've reposted the exact same information four days later, I'm
> confused.  The request for information was:
>
> } What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted
> } sessions?
>
> I think that your reposting means that you didn't notice these lines in
> the output?  So: they're GnuTLS connections.
>
> Exim supports _either_ OpenSSL _or_ GnuTLS.  If you see one in the
> version output, then that is the TLS library provider in use.
>
> That's an old version of Exim, which pre-dates a bug-fix where for
> GnuTLS support we were reporting the size in bytes, not bits.  So the
> ":32" at the end of "X=TLS1.0:RSA_AES_256_CBC_SHA1:32" is 32 8-bit
> bytes, or ":256" if expressed in bits.
>
> Exim's GnuTLS support was overhauled in 4.80 and has been improved
> since; the code in 4.74 only supports some old ciphersuites which will
> be increasingly limiting on today's Internet.  I would not recommend
> those suites today.
>
> (History: when GnuTLS support was added to Exim, GnuTLS was missing some
> API features which would let it handle a lot of the feature tuning, so
> the Exim glue code did a lot of low-level tinkering itself.  Over time,
> GnuTLS became more full-featured and so several years back we rewrote
> Exim's bindings to use the GnuTLS features.  With newer Exim, you get
> TLS1.2 support and much more modern ciphers.)
>
> Be very _very_ careful with online documentation around TLS for such an
> old version of Exim.  Make sure that you're looking at the documentation
> for _that_ version, not the current documentation.
>
> With newer Exim, run >> exim -d-all+dns -bV << to see the library
> versions of everything (the TLS library stuff is no longer shown by
> default).
>
> -Phil



--
Cordiali Saluti / Best Regards

Luciano Rinetti
l.rine...@movimatica.com
Mob. 335.7878.602
 
Movimatica S.r.l.

www.movimatica.com - i...@movimatica.com
__
sede Operativa:
Centro Pier della Francesca
Fabbricato 4, Scala P, 2° Piano
C.so Svizzera, 185 - 10149 Torino - Italy
Tel. +39 011 7767694 - Fax +39 011 746179
__

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/


Re: [exim] Cipher suites identifier

2017-08-05 Thread Phil Pennock
On 2017-08-01 at 19:10 +0200, Luciano Rinetti wrote:
> #exim -bV
[...]
> GnuTLS compile-time version: 2.8.6
> GnuTLS runtime version: 2.8.6

On 2017-08-05 at 11:09 +0200, Luciano Rinetti wrote:
> #exim -bV
> Exim version 4.74 #1 built 24-May-2011 20:35:05
[...]
> GnuTLS compile-time version: 2.8.6
> GnuTLS runtime version: 2.8.6

Since you've reposted the exact same information four days later, I'm
confused.  The request for information was:

} What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted
} sessions?

I think that your reposting means that you didn't notice these lines in
the output?  So: they're GnuTLS connections.

Exim supports _either_ OpenSSL _or_ GnuTLS.  If you see one in the
version output, then that is the TLS library provider in use.

That's an old version of Exim, which pre-dates a bug-fix where for
GnuTLS support we were reporting the size in bytes, not bits.  So the
":32" at the end of "X=TLS1.0:RSA_AES_256_CBC_SHA1:32" is 32 8-bit
bytes, or ":256" if expressed in bits.

Exim's GnuTLS support was overhauled in 4.80 and has been improved
since; the code in 4.74 only supports some old ciphersuites which will
be increasingly limiting on today's Internet.  I would not recommend
those suites today.

(History: when GnuTLS support was added to Exim, GnuTLS was missing some
API features which would let it handle a lot of the feature tuning, so
the Exim glue code did a lot of low-level tinkering itself.  Over time,
GnuTLS became more full-featured and so several years back we rewrote
Exim's bindings to use the GnuTLS features.  With newer Exim, you get
TLS1.2 support and much more modern ciphers.)

Be very _very_ careful with online documentation around TLS for such an
old version of Exim.  Make sure that you're looking at the documentation
for _that_ version, not the current documentation.

With newer Exim, run >> exim -d-all+dns -bV << to see the library
versions of everything (the TLS library stuff is no longer shown by
default).

-Phil

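The X= log field discussed in the reply above, as an added example that is not part of the thread or of Exim: a short Python parser that reads mainlog-style lines, converts the byte-sized key length logged by the old GnuTLS code to bits, and reports what share of remote SMTP lines carry an X= field. The sample lines, the function names and the size_in_bytes switch are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample in Exim mainlog style (ids, hosts and addresses are made up).
SAMPLE_LOG = """\
2017-08-01 10:00:01 1dcA1b-0001aB-2C <= alice@example.org H=mx.example.org [192.0.2.10] P=esmtps X=TLS1.0:RSA_AES_256_CBC_SHA1:32 S=2048
2017-08-01 10:00:02 1dcA1b-0001aB-2C => bob@example.net R=dnslookup T=remote_smtp H=mx.example.net [198.51.100.7] X=TLS1.0:RSA_AES_128_CBC_SHA1:16
2017-08-01 10:05:00 1dcA2c-0001aC-3D <= carol@example.com H=mail.example.com [203.0.113.5] P=esmtp S=900
2017-08-01 10:05:01 1dcA2c-0001aC-3D => dave@example.org R=dnslookup T=remote_smtp H=mx.example.org [192.0.2.10]
2017-08-01 10:06:00 1dcA3d-0001aD-4E <= root@localhost U=root P=local S=400
2017-08-01 10:06:01 1dcA3d-0001aD-4E Completed
"""

# Message arrival (<=) and delivery (=>, ->) lines.
LINE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+ (<=|=>|->) ")
X_RE = re.compile(r" X=(\S+)")


def parse_x_field(value, size_in_bytes=False):
    """Split 'protocol:ciphersuite:size' and return the size in bits."""
    # size_in_bytes=True is for old GnuTLS builds that logged bytes
    # (":32" where later versions write ":256"), as the thread describes.
    protocol, rest = value.split(":", 1)
    cipher, size = rest.rsplit(":", 1)
    bits = int(size) * 8 if size_in_bytes else int(size)
    return protocol, cipher, bits


def tls_share(log_text, size_in_bytes=False):
    """Count remote SMTP lines and how many of them carry an X= field."""
    total = encrypted = 0
    suites = Counter()
    for line in log_text.splitlines():
        # Assumption: a remote SMTP peer is marked by an H= field,
        # so local submissions (U=... P=local) are not counted.
        if not LINE_RE.match(line) or " H=" not in line:
            continue
        total += 1
        match = X_RE.search(line)
        if match:
            encrypted += 1
            suites[parse_x_field(match.group(1), size_in_bytes)] += 1
    percent = 100.0 * encrypted / total if total else 0.0
    return {"total": total, "encrypted": encrypted,
            "percent": percent, "suites": suites}


if __name__ == "__main__":
    stats = tls_share(SAMPLE_LOG, size_in_bytes=True)
    print("%(encrypted)d of %(total)d remote SMTP lines used TLS "
          "(%(percent).1f%%)" % stats)
```

Pass size_in_bytes=True only for logs written by a build that has the byte-reporting behaviour; otherwise sizes are taken as bits.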


Re: [exim] Cipher suites identifier

2017-08-05 Thread Luciano Rinetti

#exim -bV
Exim version 4.74 #1 built 24-May-2011 20:35:05
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.8.30: (April 9, 2010)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
GnuTLS compile-time version: 2.8.6
GnuTLS runtime version: 2.8.6
Configuration file is /etc/exim4/exim4.conf


On 2017-07-30 20:42, Heiko Schlittermann wrote:
> Luciano Rinetti  (So 30 Jul 2017 11:25:01 CEST):
> …
> > But in my log file(s) I never find sessions with hyphen separator, only with
> > underscore, like:
> > X=TLS1.0:RSA_AES_256_CBC_SHA1:32
> >
> > What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted sessions?
>
> Without checking the source… I'd guess, the output depends on the TLS
> library, your Exim is linked with.
>
> Check the output from exim -bV around line 5.
>
> For my understanding, there isn't such thing like a GNUTLS or OpenSSL
> encrypted session.
>
>


Re: [exim] Cipher suites identifier

2017-08-01 Thread Luciano Rinetti

#exim -bV
Exim version 4.74 #1 built 24-May-2011 20:35:05
Copyright (c) University of Cambridge, 1995 - 2007
Berkeley DB: Berkeley DB 4.8.30: (April  9, 2010)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS 
move_frozen_messages Content_Scanning DKIM Old_Demime
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm
dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram
redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
GnuTLS compile-time version: 2.8.6
GnuTLS runtime version: 2.8.6
Configuration file is /etc/exim4/exim4.conf

On 2017-07-30 20:42, Heiko Schlittermann wrote:
> Luciano Rinetti  (So 30 Jul 2017 11:25:01 CEST):
> …
> > But in my log file(s) I never find sessions with hyphen separator, only with
> > underscore, like:
> > X=TLS1.0:RSA_AES_256_CBC_SHA1:32
> >
> > What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted sessions?
>
> Without checking the source… I'd guess, the output depends on the TLS
> library, your Exim is linked with.
>
> Check the output from exim -bV around line 5.
>
> For my understanding, there isn't such thing like a GNUTLS or OpenSSL
> encrypted session.
>
>


Re: [exim] Cipher suites identifier

2017-07-30 Thread Heiko Schlittermann via Exim-users
Luciano Rinetti  (So 30 Jul 2017 11:25:01 CEST):
…
> But in my log file(s) I never find sessions with hyphen separator, only with
> underscore, like:
> X=TLS1.0:RSA_AES_256_CBC_SHA1:32
> 
> What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted sessions?

Without checking the source… I'd guess, the output depends on the TLS
library, your Exim is linked with.

Check the output from exim -bV around line 5.

For my understanding, there isn't such thing like a GNUTLS or OpenSSL
encrypted session.

Best regards from Dresden/Germany
Viele Grüße aus Dresden
Heiko Schlittermann
-- 
 SCHLITTERMANN.de  internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01  -



Re: [exim] Cipher suites identifier

2017-07-30 Thread Luciano Rinetti

Thank you for the answer.

This is the output:
# exim -bV | grep 'Support'
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS 
move_frozen_messages Content_Scanning DKIM Old_Demime


On 2017-07-30 09:52, Jeremy Harris wrote:
> On 30/07/17 10:25, Luciano Rinetti wrote:
> > What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted
> > sessions?
>
> This command line:
>  exim -bV | grep 'Support'
>
> will tell you which of the two TLS libraries your exim is compiled with.
> --
> Cheers,
> Jeremy
>
>



Re: [exim] Cipher suites identifier

2017-07-30 Thread Jeremy Harris
On 30/07/17 10:25, Luciano Rinetti wrote:
> What does it mean? Are GNUTLS encrypted sessions or OpenSSL encrypted
> sessions?


This command line:
 exim -bV | grep 'Support'

will tell you which of the two TLS libraries your exim is compiled with.
-- 
Cheers,
  Jeremy
