Time to validate the TLS configuration on your SMTP servers (was: Re: AS5 ipv6 hijack?)
bjorn at mork.no
Mon Apr 12 12:58:41 UTC 2021
OK, so that email bounced. Or will eventually because this does not go
away with someone doing something:
<dmitry at interhost.net>... Deferred: 403 4.7.0 TLS handshake failed.
I am posting this in public because it unfortunately is a very common
Debian buster was released on July 6th, 2019. It includes openssl 1.1.1
with this configuration update among number of other improvements:
openssl (1.1.1~~pre6-1) experimental; urgency=medium
* New upstream version
* Increase default security level from 1 to 2. This moves from the 80 bit
security level to the 112 bit securit level and will require 2048 bit RSA
and DHE keys.
-- Kurt Roeckx <kurt at roeckx.be> Tue, 01 May 2018 16:00:55 +0200
I assume similar policies have been applied to all modern and maintained
operating systems by now.
Everyone should verify their own SMTP servers to avoid losing email due
to TLS failures. Doing so is simple from e.g Debian:
bjorn at canardo:/usr/local/src/openwrt$ cd
bjorn at canardo:~$ host interhost.net
interhost.net has address 126.96.36.199
interhost.net mail is handled by 10 pineapp.interhost.co.il.
bjorn at canardo:~$ openssl s_client -quiet -connect pineapp.interhost.co.il:25 -starttls smtp
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
depth=0 CN = *.interhost.co.il
139901908640896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
The fix obviously depends on the server, but is usually as simple as
regnerating the DH parameters. See for example
More information about the NANOG