[BlueOnyx:17899] Logjam, Openssl and Email Deliverability

Carl Byington carl at five-ten-sg.com
Fri Jun 26 13:58:46 -05 2015



http://www.circleid.com/posts/20150620_logjam_openssl_and_email_deliverability/

The recent update to openssl to fix the logjam vulnerability has
implications for email deliverability. In particular, RHEL6+ (includes
blueonyx) currently refuses smtp connections to servers that:

1) advertise starttls in response to ehlo
2) have a DH key shorter than 768 bits (512 is common).

Such systems include bluequartz, rhel5 boxes, old Sun Solaris equipment,
etc. The real fix is to get those old servers to upgrade their DH key.
On many systems, something like:
    openssl dhparam -out /etc/pki/tls/certs/dhparam.pem 2048
    Then add
        define(`confDH_PARAMETERS',`/etc/pki/tls/certs/dhparam.pem')
    to /etc/mail/sendmail.mc, and
    (cd /etc/mail; make; service sendmail restart)
will fix the problem.

The mailop list at mailop.org has a discussion on this. What is the
correct behavior for the sender when talking to such a receiver?
Responses are mixed - some think that the sender should automatically
retry but ignore the starttls offered by the receiver. Others think we
should refuse to send mail to them.

In this, as in so many other things, the behavior of the giants (google,
microsoft, etc) will determine what is generally acceptable. For now,
google will deliver to such receivers, since they have not increased
their minimum DH key length requirements. But they said this will happen
in the near future. I have asked for clarification on this point. If
google will (soon) refuse delivery to such sites, it removes the
pressure on us to do any sort of workaround.

If the sender is sendmail (default on blueonyx), we can add
    Try_TLS:target-server-name   NO
to /etc/mail/access and (cd /etc/mail; make; service sendmail restart)

Grepping your logs for "reject=403 4.7.0 TLS handshake failed" will find
servers with short keys. That can be verified by

echo 'QUIT' | \
openssl s_client -starttls smtp -connect $target:25 2>&1 | \
grep 'Server Temp Key'



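The log search and the s_client check above, put together as a small script. This is an added example and not Carl's own tooling: the maillog lines and the s_client output it uses are constructed samples (the log format follows sendmail's tls_server ruleset line, "ruleset=tls_server, arg1=SOFTWARE, relay=..., reject=403 4.7.0 TLS handshake failed."), and the 768-bit threshold is the one the post gives for RHEL6+. Only probe_dh touches the network; everything else runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): list receivers that failed
# STARTTLS in a sendmail maillog, then classify the ephemeral DH key size
# that "openssl s_client" reports ("Server Temp Key: DH, 512 bits").
# The maillog lines and s_client output below are constructed samples.

# Print the unique relay hosts from "TLS handshake failed" rejects in a log file.
tls_failed_relays() {
    grep 'reject=403 4.7.0 TLS handshake failed' "$1" \
      | sed -n 's/.*relay=\([^ ,]*\).*/\1/p' \
      | sort -u
}

# Read s_client output on stdin and print the ephemeral key size in bits
# (the number from the first "Server Temp Key" line); print nothing if absent.
temp_key_bits() {
    sed -n 's/^ *Server Temp Key: [A-Za-z0-9]*, \([0-9]*\) bits.*/\1/p' | head -n 1
}

# Classify stdin s_client output: "short" if the temp key is under 768 bits
# (what the updated RHEL6+ openssl refuses), "ok" if 768 or more, "none" if
# no temp key line was seen (e.g. plain RSA key exchange, or no STARTTLS).
classify_dh() {
    bits=$(temp_key_bits)
    if [ -z "$bits" ]; then
        echo none
    elif [ "$bits" -lt 768 ]; then
        echo short
    else
        echo ok
    fi
}

# Live probe of one host (needs network): the same s_client command as the
# post, with stderr merged into stdout so the key line is not lost.
probe_dh() {
    echo QUIT | openssl s_client -starttls smtp -connect "$1:25" 2>&1 | classify_dh
}

# Constructed sample maillog: two relays failing the TLS handshake, one fine.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
Jun 26 12:00:01 mail sendmail[1234]: t5QH01ab012345: ruleset=tls_server, arg1=SOFTWARE, relay=mx.old.example, reject=403 4.7.0 TLS handshake failed.
Jun 26 12:00:02 mail sendmail[1235]: t5QH02cd012346: to=<a@b.example>, mailer=esmtp, relay=mx.fine.example. [192.0.2.5], dsn=2.0.0, stat=Sent
Jun 26 12:00:03 mail sendmail[1236]: t5QH03ef012347: ruleset=tls_server, arg1=SOFTWARE, relay=mx.old.example, reject=403 4.7.0 TLS handshake failed.
Jun 26 12:00:04 mail sendmail[1237]: t5QH04gh012348: ruleset=tls_server, arg1=SOFTWARE, relay=smtp.solaris.example, reject=403 4.7.0 TLS handshake failed.
EOF

# Constructed s_client output fragments for a 512-bit and a 2048-bit DH server.
SHORT_DH_OUTPUT='Server Temp Key: DH, 512 bits'
OK_DH_OUTPUT='Server Temp Key: DH, 2048 bits'

# Stand-alone run: offending relays from the log, then the two classifications.
tls_failed_relays "$SAMPLE_LOG"
echo "$SHORT_DH_OUTPUT" | classify_dh
echo "$OK_DH_OUTPUT" | classify_dh
```

For each host the first function prints, `probe_dh "$host"` reports short/ok/none; a "short" host is one where the Try_TLS access entry (or, better, the receiver regenerating its DH parameters) applies.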