[BlueOnyx:18068] Re: Sendmail TLS problem

Michael Stauber mstauber at blueonyx.it
Wed Jul 22 13:46:50 -05 2015


Hi Michael,

> I thought the Sendmail TLS problems were solved a while back

Yeah, the BlueOnyx side of things is fine. But there are still plenty of
other fucked mailservers around where the admins either don't know about
it or don't care.

> I get these entries in the logs:
> 
> Jul 21 12:18:04 tc sendmail[22201]: STARTTLS=server, error: accept failed=0,
> SSL_error=1, errno=0, retry=-1, relay= 199.175.188.52

The error message in the log indicates that your server has problems
sending emails to 199.175.188.52. The next error message in the maillog
would have shed light on the actual reason for the failure.

I suspect the probable cause is this one:

STARTTLS=client, error: connect failed=-1, reason=dh key too small,
SSL_error=1, errno=0, retry=-1

The reason being that this server operates with Diffie-Hellman
parameters that are way shorter than allowed nowadays.

> I even tried setting
>
> Try_TLS: 199.175.188.52     No
>
> in /etc/mail/access and it did not help.

There is a chance that the IP doesn't suffice and you might have to set
the fqdn as well.

But in reality: I'd do *nothing* of that sort. If those people continue
to run fucked up mailservers and don't care? Then they don't deserve to
get email. For me it's as simple as that.

The sad part? The *really* sad part? That IP address belongs to
spacex.com. These are bloody *rocket* *scientists*.

Let's see what they did: Port 465/TCP? Is closed or filtered. Only port
25/TCP is open. That is already a pretty big fail.

Let's try to connect to that with OpenSSL to port 25:

#> openssl s_client -CApath /etc/ssl/certs/ -starttls smtp -connect 199.175.188.52:25

----------------------------------------
[...]

SSL handshake has read 3242 bytes and written 528 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
DAA0D498F2D107DCDE4E64178DCCD985CE5710DEA105E94DA69DB0DC48DF81A5
    Session-ID-ctx:
    Master-Key:
6BA37E632C8958CC703DEDC77482619E8FCE77098FDF7BB9ED500FABCC405546F02E2AE663D7721CB40C79263B5737D0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - a9 88 f6 91 0e 1d 4b bf-7a f2 21 46 e7 82 a2 96
    [....]
    Start Time: 1437589142
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

----------------------------------------

Well. TLSv1. Which is baaaaad. The IETF suggests not to use anything
below TLSv1.2. There goes the PCI compliance test.

Let's see what MXTOOLBOX says at this URL:

https://mxtoolbox.com/SuperTool.aspx?action=smtp%3a199.175.188.52&run=toolpage

It says: "Does not support TLS" - because port 465/TCP is closed. :p

But we don't give up that easily. Let's see what
https://starttls.info/check/mta2.spacex.com says:

-----------------------------------------------------
Results for: mta2.spacex.com
Mail server	Result	
mta2.spacex.com
	
Grade: D (42.8%) <--- !!!!!!!!
	
Certificate

    The certificate is not valid for the server's hostname.
    The certificate has expired.
    There are one or more fatal problems which causes the certificate
not to be trusted.

There are validity issues for the certificate. Certificates are seldom
verified for SMTP servers, so this doesn't mean that STARTTLS won't be used.

Generally speaking it's a bad practice not to have a valid certificate,
and an even worse practice not to verify them. Any attempted encrypted
communication is left all but wide open to Man-in-the-Middle attacks.
Protocol

    Supports SSLV3.
    Supports TLSV1.

Key exchange

    Anonymous Diffie-Hellman is accepted. This is suspectible to
Man-in-the-Middle attacks.
    Key size is 2048 bits; that's good.

Cipher

    Weakest accepted cipher: 0.
    Strongest accepted cipher: 256.
-----------------------------------------------------

So what do we have here:

1.) An old server that only supports SSLv3 and at best TLSv1.0
2.) Port 465/TCP closed - FAIL for TLS!
3.) SSL certificate is expired AND not valid for the given hostname. \o/
    They're on a tight budget, too, and used Rapidssl. \o/
4.) Diffie-Hellman: Present, but fucked up.
5.) Ciphers? Pretty weak selection. Strongest only has 256 bit.

Let me put it this way: Email does not seem to carry any importance for
them. So I wouldn't worry if you can't send to them. And if you by
chance get invited to watch a rocket launch of theirs? Might not be a
bad idea to stay at least 50 miles upwind. :p

-- 
With best regards

Michael Stauber
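
An added example, not part of the original post: a small Python parser for sendmail STARTTLS error lines in the format quoted above, tallying failures by role, logged reason and relay so recurring handshake problems stand out in a maillog. The sample log is constructed from the two lines in the post; the syslog prefix on the client lines and the final non-TLS line are made up for illustration.

```python
import re
from collections import Counter

# Matches STARTTLS error lines as quoted in the post, e.g.
#   ... sendmail[22201]: STARTTLS=server, error: accept failed=0, SSL_error=1, ...
# An optional queue ID before "STARTTLS=" is tolerated (assumption).
LINE_RE = re.compile(
    r"sendmail\[\d+\]:\s+(?:\w+:\s+)?STARTTLS=(?P<role>client|server),\s+"
    r"error:\s+(?P<action>accept|connect)\s+(?P<fields>.+)$"
)

def parse_starttls_error(line):
    """Return a dict for a STARTTLS error line, or None for any other line."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rec = {"role": m["role"], "action": m["action"], "reason": None, "relay": None}
    # Fields are comma-separated key=value pairs. Values may contain spaces
    # ("reason=dh key too small") or follow a space after "=" ("relay= 1.2.3.4").
    for part in m["fields"].split(","):
        key, sep, value = part.partition("=")
        if sep:
            rec[key.strip()] = value.strip()
    return rec

def summarize(lines):
    """Count STARTTLS failures per (role, reason, relay)."""
    counts = Counter()
    for line in lines:
        rec = parse_starttls_error(line)
        if rec:
            key = (rec["role"], rec["reason"] or "not logged", rec["relay"] or "not logged")
            counts[key] += 1
    return counts

# Constructed sample: line 1 is the server-side entry from the post; the
# client lines reuse the post's message with a made-up syslog prefix.
SAMPLE_LOG = [
    "Jul 21 12:18:04 tc sendmail[22201]: STARTTLS=server, error: accept failed=0, SSL_error=1, errno=0, retry=-1, relay= 199.175.188.52",
    "Jul 21 12:18:09 tc sendmail[22207]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1",
    "Jul 21 12:19:30 tc sendmail[22240]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1",
    "Jul 21 12:20:00 tc sendmail[22250]: t6LHK0aa022250: from=<a@example.com>, size=1024, nrcpts=1",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key, sep=" | ")
```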
