Just wanted to thank Daniel and Philip for their help; yes, changing
the certificate for one with RSA solved it.

On Mon, Feb 24, 2014 at 01:58:49PM -0800, Philip Guenther wrote:
On Mon, Feb 24, 2014 at 12:40 PM, Vladimir Támara Patiño
<vtam...@pasosdejesus.org> wrote:
> I have an OpenSMTPD server on OpenBSD 5.4 working fine, the configuration
> (/etc/mail/smtpd.conf) includes:
>
>  listen on all port 465 smtps certificate example.com auth-optional
>
> Sending email from Thunderbird, roundcubemail and an Android MUA works fine,
> however I'm having problems sending email from an iPhone with its default
> MUA.
> The failed connections from the iPhone reported in /var/log/maillog show:
...
> Feb 24 15:31:36 www smtpd[20008]: smtp-in: Disconnecting session
>  00000047fd78e967: IO error: error:1408A0C1:SSL
>  routines:SSL3_GET_CLIENT_HELLO:no shared cipher
...
> | ssl-enum-ciphers:
> |   SSLv3:
> |     ciphers:
> |       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_DHE_DSS_WITH_AES_256_CBC_SHA - strong
> |     compressors:
> |       NULL
> |   TLSv1.0:
> |     ciphers:
> |       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong
> |       TLS_DHE_DSS_WITH_AES_256_CBC_SHA - strong
> |     compressors:
> |       NULL
> |   TLSv1.1:
> |     ciphers:
> |       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong
> |       TLS_DHE_DSS_WITH_AES_256_CBC_SHA - strong
> |     compressors:
> |       NULL
> |   TLSv1.2:
> |     ciphers:
> |       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
> |       TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong
> |       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 - strong
> |       TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 - strong
> |       TLS_DHE_DSS_WITH_AES_256_CBC_SHA - strong
> |       TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 - strong
> |       TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 - strong
> |     compressors:
> |       NULL
> |_  least strength: strong

Your certificate is apparently a DHE/DSS cert, so smtpd can only offer
the DHE-DSS suites and not the RSA suites that almost all sites use.
How confident are you that iOS supports DHE-DSS cipher suites by
default?


Philip Guenther


--
God, thank you for your infinite love.
-- Vladimir Támara Patiño. http://vtamara.pasosdeJesus.org/
 http://www.pasosdejesus.org/dominio_publico_colombia.html
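
The diagnosis in this thread (a server whose certificate only allows DSS-authenticated suites, so a client without them gets "no shared cipher") can be checked mechanically from ssl-enum-ciphers output. The following is an added example, not code from either poster or from OpenSMTPD; the sample scans are constructed, and CLIENT_AUTH is an assumed client policy, not a statement of what iOS supports.

```python
import re
from collections import defaultdict

# Constructed samples in the shape of nmap ssl-enum-ciphers output (not real scans).
# The first is mail-quoted and line-wrapped, as such output often is when pasted.
DSS_SCAN = """\
> |   TLSv1.0: |     ciphers: |       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA -
> strong
> |       TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong
> |   TLSv1.2: |     ciphers: |       TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 - strong
"""
RSA_SCAN = """\
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
"""

# Either a protocol header ("TLSv1.2:") or a suite name; group 2 is the part
# between "TLS_" and "_WITH_", e.g. "DHE_DSS".
TOKEN_RE = re.compile(
    r"\b(SSLv\d|TLSv\d\.\d):|\bTLS_([A-Za-z0-9_]+?)_WITH_[A-Za-z0-9_]+"
)

def cert_types_by_protocol(scan_text):
    """Map each protocol version to the set of authentication types offered."""
    offered = defaultdict(set)
    proto = None
    for match in TOKEN_RE.finditer(scan_text):
        if match.group(1):
            proto = match.group(1)
        elif proto:
            # Heuristic: the last component names the authentication type
            # (DHE_DSS -> DSS, DHE_RSA -> RSA, ECDHE_ECDSA -> ECDSA, RSA -> RSA).
            offered[proto].add(match.group(2).split("_")[-1])
    return dict(offered)

def protocols_without_overlap(scan_text, client_auth):
    """Protocol versions where no offered suite matches what the client accepts."""
    by_proto = cert_types_by_protocol(scan_text)
    return sorted(p for p, types in by_proto.items() if not types & client_auth)

# Assumption: a hypothetical client that accepts only RSA/ECDSA authentication.
CLIENT_AUTH = {"RSA", "ECDSA"}

if __name__ == "__main__":
    for name, scan in (("DSS cert", DSS_SCAN), ("RSA cert", RSA_SCAN)):
        print(name, cert_types_by_protocol(scan),
              "no overlap on:", protocols_without_overlap(scan, CLIENT_AUTH))
```

Because the tokenizer matches whole suite names rather than lines, it tolerates the ">" quoting and mid-line wrapping that mail clients add to pasted scan output.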
