Open eikenb opened 5 years ago
I was able to reproduce this problem on FreeBSD 11.2 (now upgraded to 11.3), with citeglobe.ca acting as a "smarthost".
I documented the problem on the FreeBSD Forum
I am wondering if adding TLS v1.2 support through a library is easier than configuring exim4 as an alternative.
When asked, the support person at my webhost did think plain-text (insecure) authentication would work. But, obviously I don't want to do that long-term.
The person who responded to my post on the FreeBSD forum suggested checking what version of OpenSSL it is linked against.
Ah, the code is present, we just didn't tag a new release.
release 0.12 tagged, this should allow any tls version. Could you please test?
That's probably because 0.11-1 in debian is not supporting TLS1.1 or TLS1.2
I just uploaded to buster yesterday 0.11-1+deb10u1 which contains the patch to enable these versions of TLS.
could you please upload 0.12 instead of picking patches?
@corecode not in stable releases
0.12 will arrive soon in unstable
Has anyone successfully tested the current TLS versions (1.2) with version 0.12 of dma? I just did and I did not succeed, I still get the same handshake-error as in earlier versions.
Nov 12 18:30:55 testus dma[4ca53.8018280a0]: remote delivery deferred: xxxx [yyyy] failed after EHLO: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
SMARTHOST (fqdn)
PORT 587
AUTHPATH /etc/dma/auth.conf
SECURETRANSFER
STARTTLS
CERTFILE /etc/dma/cert+key.pem (tried with or without, shouldn't be needed)
MAILNAME (fqdn)
Version 12 worked its way into FreeBSD 11 around October 10th (or, that was when I got around to installing it). It appears to work.
I suspect it was not marked for release because this commit is vulnerable to downgrading attacks:
https://github.com/corecode/dma/commit/497a2b2ff04c638d61b92dc097d1a12f352dd1df
That should be not allowed unless the "Insecure" flag is set. What you should do is enforce TLS 1.2 like everybody else.
please file a separate bug if there is a TLS security issue with the current code.
Having the same issue on a Debian based GNU Linux distro by name MX-Linux.
"Linux mx-mini 5.10.0-12-amd64 #1 SMP Debian 5.10.103-1 (2022-03-07) x86_64 GNU/Linux"
May 7 13:35:13 mx-mini dma[93d3c.5556a475d180]: trying remote delivery to smtp.gmail.com [142.251.10.109] pref 0
May 7 13:35:15 mx-mini dma[93d3c.5556a475d180]: remote delivery deferred: SSL handshake failed fatally: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
dma version is "0.13-1"
I have no idea. We're not pinning any TLS version, so that must be related to your openssl.
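To find out whether the TLS version is really what the smarthost is rejecting, here is an added diagnostic (not dma code and not from anyone in this thread) that runs EHLO, then STARTTLS with exactly one TLS version pinned per attempt, and reports which versions the server accepts alongside the local OpenSSL build. The host smtp.example.invalid and the EHLO reply are constructed placeholders; point it at your own smarthost and port 587.

```python
import smtplib, ssl, sys
# Constructed EHLO reply modelled on a typical submission server (not a real capture).
SAMPLE_EHLO = (b"250-smtp.example.invalid Hello\r\n250-SIZE 35882577\r\n"
               b"250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n")
TLS_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def parse_ehlo_extensions(reply: bytes) -> set:
    """Extension keywords from a raw EHLO reply; the first line is the greeting."""
    exts = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            exts.add(body.split()[0].upper())
    return exts

def pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that negotiates exactly one TLS version and nothing else."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe_starttls(host: str, port: int, version: ssl.TLSVersion, timeout: float = 10.0):
    """EHLO, then STARTTLS with one pinned version; returns (ok, detail)."""
    try:
        ctx = pinned_context(version)
    except ValueError as exc:  # local OpenSSL was built without this version
        return False, f"local OpenSSL: {exc}"
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return False, "server does not advertise STARTTLS"
            smtp.starttls(context=ctx)
            return True, smtp.sock.version()  # e.g. "TLSv1.2"
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return False, str(exc)

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "smtp.example.invalid"  # placeholder smarthost
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    print("local", ssl.OPENSSL_VERSION)
    for name, ver in TLS_VERSIONS.items():
        ok, detail = probe_starttls(host, port, ver)
        print(f"{name}: {'OK' if ok else 'FAIL'} ({detail})")
```

If only the TLS 1.2 and 1.3 rows succeed while dma still fails, the mismatch is between dma's OpenSSL and the server, not the smarthost settings.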
Hi, ran into this issue today. I would LOVE to see this fix so I do not need to use exim or postfix. Thanks! :)
please provide more details. which dma version, what is the exact error.
Really? It is the same error as before. No change. Version: https://aur.archlinux.org/packages/dma
please post the mail server error message.
I re-tried from my other PC where it is working. The error is gone:
May 7 13:35:15 mx-mini dma[93d3c.5556a475d180]: remote delivery deferred: SSL handshake failed fatally: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Settings taken from https://www.dragonflybsd.org/docs/howtos/HowTo_dma_gmail/ (except .muttrc settings, as I do not use mutt).
First let me say thanks for DMA, it's a great lightweight MTA. I use it everywhere I don't want a full MTA and it does the job perfectly.
I'm trying to use dma with runbox.com and am getting the error in my logs. First the basics...
OS: Debian Buster
DMA package version: 0.11-1+b1
Error snipped from mail.info...
My /etc/dma.conf..
This might be related to a change runbox.com made recently about supported TLS versions...
Is the TLS version at issue here? If so, is there anything I can do to set it to use newer version? If not any suggestions?
Thanks.