drwetter / testssl.sh

Testing TLS/SSL encryption anywhere on any port
https://testssl.sh
GNU General Public License v2.0

[Feature] Better detection of randomly missing STARTTLS upgrades from SMTP server #2090

Open Antict opened 2 years ago

Antict commented 2 years ago

For the EHLO request, the email server 188.125.72.74 sometimes returns a response including S: 250 STARTTLS and sometimes it does not. Thus the test run fails, when S: 250 STARTTLS is not included in the response.

sending client hello... === starting smtp STARTTLS dialog ===
=== reading banner ... ===
S: 220 mtaproxy201.free.mail.ir2.yahoo.com ESMTP ready
  > found:  220 mtaproxy201.free.mail.ir2.yahoo.com ESMTP ready
  >> received server greeting
C: EHLO testssl.sh\r\n
  > succeeded: sent EHLO testssl.sh
=== reading banner ... ===
=== we'll have to search for "^250[ -]STARTTLS" pattern ===
S: 250-mtaproxy201.free.mail.ir2.yahoo.com
S: 250-PIPELINING
S: 250-SIZE 41943040
S: 250-8BITMIME
S: 250 STARTTLS
  > found:  250 STARTTLS
  > found:  250 STARTTLS
  >> received server capabilities and checked STARTTLS availability

[...]

 Testing protocols via sockets

 SSLv2      === starting smtp STARTTLS dialog ===
=== reading banner ... ===
S: 220 mtaproxy204.free.mail.ir2.yahoo.com ESMTP ready
  > found:  220 mtaproxy204.free.mail.ir2.yahoo.com ESMTP ready
  >> received server greeting
C: EHLO testssl.sh\r\n
  > succeeded: sent EHLO testssl.sh
=== reading banner ... ===
=== we'll have to search for "^250[ -]STARTTLS" pattern ===
S: 250-mtaproxy204.free.mail.ir2.yahoo.com
S: 250-PIPELINING
S: 250-SIZE 41943040
S: 250-8BITMIME
S: 250 OK
  > found:  250 OK
=== finished smtp STARTTLS dialog with 3 ===

Fatal error: No STARTTLS found in handshake

Command line / docker command to reproduce: Try it about 5 times because it is flaky.

./testssl.sh --debug 2 -p -t smtp --ids-friendly 188.125.72.74:25

Expected behavior: When S: 250 STARTTLS is not found in the response, some retries are made. Testing the domain (yahoo.de) with https://ssl-tools.net/mailservers/yahoo.de returns a valid result.

Your system (please complete the following information):
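The debug output above shows the two shapes of EHLO reply the server returns: one ending in "250 STARTTLS" and one ending in "250 OK" with no STARTTLS capability at all. The following is an added example, not code from testssl.sh or from the issue author, that re-implements the same check testssl.sh performs (a search for the "^250[ -]STARTTLS" pattern in the EHLO reply) and runs it several times so that an intermittently missing STARTTLS advertisement is reported as a count rather than a single fatal error. The two sample replies are constructed from the log lines quoted in the issue; the function and variable names are this example's own. From a defender's point of view the number that matters is the ratio: an MTA that advertises STARTTLS only some of the time causes clients relying on opportunistic TLS (without MTA-STS or DANE) to fall back to plaintext on exactly those attempts.

```python
import itertools
import re
import socket
import sys

# Same pattern testssl.sh reports searching for in its debug output.
STARTTLS_RE = re.compile(r"^250[ -]STARTTLS\b", re.IGNORECASE | re.MULTILINE)

# Constructed samples, copied from the two EHLO replies shown in the issue.
SAMPLE_WITH_STARTTLS = (
    "250-mtaproxy201.free.mail.ir2.yahoo.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 41943040\r\n"
    "250-8BITMIME\r\n"
    "250 STARTTLS\r\n"
)
SAMPLE_WITHOUT_STARTTLS = (
    "250-mtaproxy204.free.mail.ir2.yahoo.com\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 41943040\r\n"
    "250-8BITMIME\r\n"
    "250 OK\r\n"
)


def advertises_starttls(ehlo_reply):
    """True if any line of the EHLO reply is '250-STARTTLS' or '250 STARTTLS'."""
    return bool(STARTTLS_RE.search(ehlo_reply))


def parse_ehlo_response(ehlo_reply):
    """Return the capability keywords of a multi-line 250 reply, upper-cased.

    The first 250 line carries the server's domain and greeting rather than a
    capability (RFC 5321 section 4.1.1.1), so it is dropped.
    """
    caps = []
    for line in ehlo_reply.splitlines():
        m = re.match(r"^250[ -](.*)$", line)
        if m:
            caps.append(m.group(1).strip().upper())
    return caps[1:]


def read_reply(sock):
    """Read one SMTP reply; a multi-line reply ends at a line of the form 'NNN text'."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        lines = buf.decode("utf-8", "replace").splitlines()
        if lines and buf.endswith(b"\n") and re.match(r"^\d{3} ", lines[-1]):
            break
    return buf.decode("utf-8", "replace")


def fetch_ehlo_reply(host, port=25, timeout=10, helo_name="testssl.sh"):
    """Open a fresh TCP connection, read the banner, send EHLO and return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        read_reply(s)                      # 220 banner
        s.sendall(f"EHLO {helo_name}\r\n".encode())
        reply = read_reply(s)
        s.sendall(b"QUIT\r\n")
    return reply


def starttls_consistency(fetch_reply, attempts=5):
    """Call fetch_reply() `attempts` times; return (offered, attempts, missing_indices).

    fetch_reply is injected so the logic can be exercised offline with canned replies.
    """
    missing = [i for i in range(attempts) if not advertises_starttls(fetch_reply())]
    return attempts - len(missing), attempts, missing


def main(argv):
    host = argv[1] if len(argv) > 1 else "mail.example.invalid"  # placeholder target
    attempts = int(argv[2]) if len(argv) > 2 else 5
    offered, total, missing = starttls_consistency(lambda: fetch_ehlo_reply(host), attempts)
    print(f"{host}: STARTTLS advertised on {offered}/{total} EHLO replies; missing at {missing}")
    return 0 if offered == total else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python probe.py <host> 10` to take ten samples; a non-zero exit signals that at least one EHLO reply lacked STARTTLS, which is the condition testssl.sh reports as "No STARTTLS found in handshake". Each attempt opens a new connection on purpose, because the issue's logs show the inconsistency across connections that land on different backend hosts (mtaproxy201 versus mtaproxy204).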

drwetter commented 2 years ago

Interesting. Don't know what the heck yahoo is doing there.

I don't see that we should work around this in testssl.sh. Thus I consider this not to be a bug request but a feature request. And the feature is basically already implemented, which is: stop testing. What we could do is emphasise such a buggy server behaviour. Thus I'll leave this open and put it into the long feature list.

drwetter commented 2 years ago

BTW: If you really want to follow your route, MAX_STARTTLS_FAIL=<somehighnumber> ./testssl.sh <cmdline> should help.

drwetter commented 2 years ago

Testing the domain (yahoo.de) with https://ssl-tools.net/mailservers/yahoo.de returns a valid result.

This doesn't serve as a good example. Maybe the opposite is the case, i.e. if they also detected unstable STARTTLS offerings and it's labeled as "all is fine".