Closed celesteking closed 8 years ago
Actually, this now seems like a serious issue. Our clients are losing mail because recent OpenSSL doesn't want to negotiate DH with keys <= 512 bits. Thus, with TLS in outbound enabled, clients are getting bounce notices with "Failure Reason: Error: Too many failures (Tried all MXs)".
Have a configurable list of TLS-disabled hosts/subnets (like in tls.ini?)
You mean like this? https://github.com/baudehlo/Haraka/blob/master/docs/plugins/tls.md#no_tls_hosts
Maybe don't screw the session if the host didn't negotiate TLS, but fall back to plain text (should be configurable)
This isn't possible; if negotiation fails, both ends are in an unknown state.
Add DH and cipher params, possibly with a per-host/subnet option
You mean like this? https://github.com/baudehlo/Haraka/blob/master/docs/plugins/tls.md#ciphers
That would be the first step. I'd like to see per-host/subnet options available.
Come on, guys, don't you use TLS in outbound? If so, you've got a hell of a lot of mail staying in the queue and ultimately failing.
@smfreegard plugins/tls.md#ciphers in outbound.
The options Steve pointed out are for inbound. We need to read that config for outbound too.
On Tue, Aug 11, 2015 at 7:36 AM, celesteking notifications@github.com wrote:
Come on, guys, don't you use TLS in outbound? If so, you've got hell lot of mail staying in queue and ultimately failing.
— Reply to this email directly or view it on GitHub https://github.com/baudehlo/Haraka/issues/1054#issuecomment-129846679.
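The thread asks for the tls.ini no-TLS host list (currently read only for inbound) to be consulted on outbound before sending STARTTLS. The following is an added example, not Haraka's own code: a small IPv4 host/subnet matcher over a constructed sample list, with a decision function that skips STARTTLS for exempted MXs instead of attempting a fallback after a failed handshake. The list contents and function names are assumptions.

```javascript
// Added example, not Haraka code: consult a "no TLS" host/subnet list before
// attempting STARTTLS on an outbound connection. IPv4 only.

// Constructed sample, in the shape of a tls.ini [no_tls_hosts] section.
const NO_TLS_HOSTS_SAMPLE = [
  '192.0.2.25',        // single host (documentation address, constructed)
  '198.51.100.0/24',   // whole subnet (documentation range, constructed)
];

// Convert dotted-quad to an unsigned 32-bit integer, validating each octet.
function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) throw new Error(`not an IPv4 address: ${ip}`);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!/^\d{1,3}$/.test(p) || n > 255) throw new Error(`bad octet in ${ip}`);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// Parse "a.b.c.d" or "a.b.c.d/bits" into a network address and mask.
function parseEntry(entry) {
  const [addr, bitsStr] = entry.trim().split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`bad prefix length in ${entry}`);
  }
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { net: (ipv4ToInt(addr) & mask) >>> 0, mask };
}

// True when the remote MX address falls inside any listed host or subnet.
function tlsDisabledFor(remoteIp, entries = NO_TLS_HOSTS_SAMPLE) {
  const ip = ipv4ToInt(remoteIp);
  return entries.map(parseEntry).some(({ net, mask }) => ((ip & mask) >>> 0) === net);
}

// Decide before the handshake: only send STARTTLS when the MX advertises it
// and the operator has not exempted the host. A failed negotiation leaves
// both ends in an unknown state, so there is no plain-text "fallback" path.
function shouldStartTls(remoteIp, bannerAdvertisesStarttls, entries) {
  return Boolean(bannerAdvertisesStarttls) && !tlsDisabledFor(remoteIp, entries);
}
```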
A clear test case would be sending mail to any@null.fused.sh. Try it.
And yet again... How does that commit prevent outbound from making repeated STARTTLS to the remote MTA? redis.disable_for_failed_hosts won't be consulted.
It won't. Who said I was fixing that?
Implemented in https://github.com/celesteking/Haraka/pull/2 ; 0 production testing so far.
We need to: