starlight at binnacle.cx
2014-Jul-21 17:16 UTC
[Samba] bugzilla email possibly in need of TLS-related update
Hi,

I noticed that an email connection from the Samba bugzilla server attempted STARTTLS and failed. It then sent the message unencrypted. My guess is that the SSL/TLS library in use is either out-of-date and/or the cipher-suite is restricted to insecure ciphers.

The MTA here uses openssl 1.0.1h and is configured

    O CipherList=HIGH:MEDIUM:!aNULL:!eNULL
    O ServerSSLOptions=+SSL_OP_NO_SSLv2 +SSL_OP_CIPHER_SERVER_PREFERENCE
    O ClientSSLOptions=+SSL_OP_NO_SSLv2

Log entries for the failed STARTTLS message are

    Jul 21 11:12:53 xxx mimedefang.pl[22017]: RELAY: <2001:638:603:d068::82:20> <samba-bugzilla.samba.org>
    Jul 21 11:12:54 xxx sendmail[26853]: STARTTLS=server, error: accept failed=-1, reason=unknown, SSL_error=5, errno=104, retry=-1, relay=samba-bugzilla.samba.org [IPv6:2001:638:603:d068::82:20]
    Jul 21 11:12:54 xxx sendmail[26853]: s6LFCrBB026853: samba-bugzilla.samba.org [IPv6:2001:638:603:d068::82:20] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTAv6

FYI

Regards to the Samba team. Thank you for this most excellent software.
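Added example, not part of the original message: a small log check a receiving-side admin could run to find mail accepted in cleartext from a relay whose STARTTLS handshake had just failed, the pattern reported above. The sample log is constructed (placeholder hostnames, addresses and queue IDs), and the function name and the success and "from=" line layouts are assumptions modelled on standard sendmail logging.

```python
import re

# Constructed sample log; the failure line follows the format quoted in the post.
SAMPLE_LOG = """\
Jul 21 11:12:54 mx sendmail[26853]: STARTTLS=server, error: accept failed=-1, reason=unknown, SSL_error=5, errno=104, retry=-1, relay=sender.example.org [IPv6:2001:db8::20]
Jul 21 11:12:54 mx sendmail[26853]: s6LFCrBB000001: sender.example.org [IPv6:2001:db8::20] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTAv6
Jul 21 11:12:56 mx sendmail[26860]: s6LFCuBB000002: from=<bugs@sender.example.org>, size=2048, class=0, nrcpts=1, msgid=<1@sender.example.org>, proto=ESMTP, daemon=MTAv6, relay=sender.example.org [IPv6:2001:db8::20]
Jul 21 11:20:01 mx sendmail[26900]: STARTTLS=server, relay=other.example.net [192.0.2.7], version=TLSv1.2, verify=NO, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Jul 21 11:20:02 mx sendmail[26900]: s6LFK1BB000003: from=<a@other.example.net>, size=900, class=0, nrcpts=1, msgid=<2@other.example.net>, proto=ESMTP, daemon=MTAv6, relay=other.example.net [192.0.2.7]
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sendmail\[(\d+)\]: (.*)$")
RELAY = re.compile(r"relay=(\S+ \[[^\]]+\])")
FROM = re.compile(r"^(\w+): from=")


def find_cleartext_fallbacks(log_text):
    """Return messages accepted without TLS from a relay whose last
    STARTTLS handshake failed (hypothetical helper for this example)."""
    failed = {}       # relay -> timestamp of its last failed handshake
    tls_pids = set()  # sendmail PIDs whose connection negotiated TLS
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, body = m.groups()
        r = RELAY.search(body)
        if r is None:
            continue
        relay = r.group(1)
        if body.startswith("STARTTLS=server"):
            if "error:" in body:
                failed[relay] = ts          # handshake failed
            else:
                tls_pids.add(pid)           # handshake succeeded
                failed.pop(relay, None)
            continue
        q = FROM.match(body)
        if q and pid not in tls_pids and relay in failed:
            findings.append({"relay": relay, "queue_id": q.group(1),
                             "tls_failed_at": failed[relay], "accepted_at": ts})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_fallbacks(SAMPLE_LOG):
        print(f)
```

PIDs are assumed not to be reused within the log window being scanned; on a long-running host, scope the check to one rotation period.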