Time to validate the TLS configuration on your SMTP servers (was: Re: AS5 ipv6 hijack?)

Julien Goodwin nanog at studio442.com.au
Mon Apr 12 14:49:02 UTC 2021


A slightly nicer tool than just using "openssl s_client" is testssl.sh,
which handles STARTTLS and some other non-trivial cases.

https://testssl.sh/

Back when I first used it I did read the source; these days, at ~650k of
shell script, that's a little less practical.

On 12/4/21 10:58 pm, Bjørn Mork wrote:
> OK, so that email bounced.  Or will eventually because this does not go
> away with someone doing something:
> 
>   <dmitry at interhost.net>... Deferred: 403 4.7.0 TLS handshake failed.
> 
> I am posting this in public because it unfortunately is a very common
> problem.
> 
> Debian buster was released on July 6th, 2019. It includes openssl 1.1.1
> with this configuration update among number of other improvements:
> 
> openssl (1.1.1~~pre6-1) experimental; urgency=medium
> 
>   * New upstream version
>   * Increase default security level from 1 to 2. This moves from the 80 bit
>     security level to the 112 bit security level and will require 2048 bit RSA
>     and DHE keys.
> 
>  -- Kurt Roeckx <kurt at roeckx.be>  Tue, 01 May 2018 16:00:55 +0200
> 
> 
> I assume similar policies have been applied to all modern and maintained
> operating systems by now.
> 
> Everyone should verify their own SMTP servers to avoid losing email due
> to TLS failures.  Doing so is simple from e.g. Debian:
> 
> 
> bjorn at canardo:/usr/local/src/openwrt$ cd
> bjorn at canardo:~$ host interhost.net
> interhost.net has address 185.18.204.66
> interhost.net mail is handled by 10 pineapp.interhost.co.il.
> 
> bjorn at canardo:~$ openssl s_client -quiet -connect pineapp.interhost.co.il:25 -starttls smtp
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = RapidSSL RSA CA 2018
> verify return:1
> depth=0 CN = *.interhost.co.il
> verify return:1
> 139901908640896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
> 
> 
> The fix obviously depends on the server, but is usually as simple as
> regenerating the DH parameters.  See for example
> https://forums.freebsd.org/threads/sendmail-dh-key-too-small.51985/
> 
> 
> 
> Bjørn
> 
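
A small probe script in the spirit of Bjørn's check, added here as an example (it is not part of either post): it looks up a domain's MX hosts, runs `openssl s_client -starttls smtp` pinned to security level 2, and turns the output into a verdict. It assumes `host` and an OpenSSL with `@SECLEVEL` cipher-string support are installed; the verdict tokens and the `probe_mx`/`classify_output` names are my own.

```shell
#!/bin/sh
# Probe every MX of a domain over STARTTLS at OpenSSL security level 2 and
# classify the result. Constructed example; assumes `host` and `openssl`
# (1.1.0 or later, for the @SECLEVEL cipher-string syntax) are installed.

# classify_output: read `openssl s_client` output on stdin, print one verdict
# token. Error reasons are matched before the verify summary, because s_client
# still prints a "Verify return code" line after a failed handshake.
classify_output() {
    out=$(cat)
    case $out in
        *"dh key too small"*)
            # DHE parameters under 2048 bits are rejected at level 2:
            # regenerate the server's DH parameters.
            echo DH_TOO_SMALL ;;
        *"ee key too small"* | *"ca key too small"*)
            # A certificate in the chain uses an RSA key under 2048 bits.
            echo CERT_KEY_TOO_SMALL ;;
        *"Verify return code: 0 (ok)"*)
            echo OK ;;
        *"Verify return code:"*)
            # Handshake completed but the chain did not verify against the
            # local trust store; senders that enforce verification will defer.
            echo OK_BUT_UNTRUSTED_CERT ;;
        *)
            echo FAILED ;;
    esac
}

# probe_mx: resolve the MX hosts of $1 and probe each one on port 25.
probe_mx() {
    host -t MX "$1" | grep 'mail is handled by' | awk '{ print $NF }' \
        | sed 's/\.$//' | while read -r mx; do
        verdict=$(openssl s_client -connect "$mx:25" -starttls smtp \
                  -cipher 'DEFAULT@SECLEVEL=2' </dev/null 2>&1 | classify_output)
        printf '%s\t%s\n' "$mx" "$verdict"
    done
}

# Offline demonstration on the error line quoted from the thread above.
demo() {
    printf '%s\n' '139901908640896:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:' \
        | classify_output
}

if [ $# -gt 0 ]; then
    probe_mx "$1"     # usage: sh check_smtp_tls.sh example.com
else
    demo              # prints DH_TOO_SMALL
fi
```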
