corecode / dma

The DragonFly Mail Agent, a small Mail Transport Agent (MTA), designed for home and office use.

Possible TLS version issue? #66

Open eikenb opened 5 years ago

eikenb commented 5 years ago

First let me say thanks for DMA, it's a great lightweight MTA. I use it everywhere I don't want a full MTA and it does the job perfectly.

I'm trying to use dma with runbox.com and am getting this error in my logs. First the basics...

OS: Debian Buster
DMA package version: 0.11-1+b1

Error snipped from mail.info...

dma[1be00ac.5574372207e0]: trying remote delivery to mail.runbox.com [91.220.196.250] pref 0
dma[1be00ac.5574372207e0]: remote delivery deferred: SSL handshake failed fatally: error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version

My /etc/dma.conf..

SMARTHOST mail.runbox.com
PORT 465
SECURETRANSFER
AUTHPATH /etc/dma/auth.conf
MAILNAME /etc/mailname

This might be related to a change runbox.com made recently about supported TLS versions...

We will be retiring support for TLS 1.0 and 1.1 and will only support TLS 1.2 or later.

Is the TLS version at issue here? If so, is there anything I can do to set it to use newer version? If not any suggestions?

Thanks.

phillipsjk commented 5 years ago

I was able to reproduce this problem on FreeBSD 11.2 (now upgraded to 11.3), with citeglobe.ca acting as a "smarthost".

I documented the problem on the FreeBSD Forum

I am wondering if adding TLS v1.2 support through a library is easier than configuring exim4 as an alternative.

When asked, the support person at my webhost did think plain-text (insecure) authentication would work. But, obviously I don't want to do that long-term.

The person who responded to my post on the FreeBSD forum suggested checking what version of OpenSSL it is linked against.

corecode commented 5 years ago

Ah, the code is present, we just didn't tag a new release.

corecode commented 5 years ago

release 0.12 tagged, this should allow any tls version. Could you please test?

bigon commented 5 years ago

That's probably because 0.11-1 in Debian is not supporting TLS1.1 or TLS1.2

I just uploaded to buster yesterday 0.11-1+deb10u1 which contains the patch to enable these versions of TLS.

corecode commented 5 years ago

could you please upload 0.12 instead of picking patches?

bigon commented 5 years ago

@corecode not in stable releases

0.12 will arrive soon in unstable

airflow2010 commented 4 years ago

Has anyone successfully tested the current TLS versions (1.2) with version 0.12 of dma? I just did and I did not succeed, I still get the same handshake error as in earlier versions.

Nov 12 18:30:55 testus dma[4ca53.8018280a0]: remote delivery deferred: xxxx [yyyy] failed after EHLO: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure

SMARTHOST (fqdn)
PORT 587
AUTHPATH /etc/dma/auth.conf
SECURETRANSFER
STARTTLS
CERTFILE /etc/dma/cert+key.pem (tried with or without, shouldn't be needed)
MAILNAME (fqdn)

phillipsjk commented 4 years ago

Version 12 worked its way into FreeBSD 11 around October 10th (or, that was when I got around to installing it). It appears to work.

I suspect it was not marked for release because this commit is vulnerable to downgrading attacks:

https://github.com/corecode/dma/commit/497a2b2ff04c638d61b92dc097d1a12f352dd1df

That should be not allowed unless the "Insecure" flag is set. What you should do is enforce TLS 1.2 like everybody else.

corecode commented 4 years ago

please file a separate bug if there is a TLS security issue with the current code.

natarajsn1 commented 2 years ago

Having the same issue on a Debian-based GNU/Linux distro named MX-Linux.

"Linux mx-mini 5.10.0-12-amd64 #1 SMP Debian 5.10.103-1 (2022-03-07) x86_64 GNU/Linux"

May 7 13:35:13 mx-mini dma[93d3c.5556a475d180]: trying remote delivery to smtp.gmail.com [142.251.10.109] pref 0
May 7 13:35:15 mx-mini dma[93d3c.5556a475d180]: remote delivery deferred: SSL handshake failed fatally: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

dma version is "0.13-1"

corecode commented 2 years ago

I have no idea. We're not pinning any TLS version, so that must be related to your openssl.

bmarwell commented 2 years ago

Hi, ran into this issue today. I would LOVE to see this fix so I do not need to use exim or postfix. Thanks! :)

corecode commented 2 years ago

please provide more details. which dma version, what is the exact error.


bmarwell commented 2 years ago

Really? It is the same error as before. No change. Version: https://aur.archlinux.org/packages/dma

corecode commented 2 years ago

please post the mail server error message.


bmarwell commented 2 years ago

I re-tried from my other PC where it is working. The error is gone:

May 7 13:35:15 mx-mini dma[93d3c.5556a475d180]: remote delivery deferred: SSL handshake failed fatally: error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Settings taken from https://www.dragonflybsd.org/docs/howtos/HowTo_dma_gmail/ (except .muttrc settings, as I do not use mutt).