haraka / Haraka

A fast, highly extensible, and event driven SMTP server
https://haraka.github.io
MIT License

TLS in outbound: make it configurable #1054

Closed celesteking closed 8 years ago

celesteking commented 9 years ago
```
outbound    Looking up A records for: j.mx.utoronto.ca
outbound    Ongoing connection failed to 128.100.132.12:25 : Error: 140665633523680:error:14082174:SSL routines:SSL3_CHECK_CERT_AND_ALGORITHM:dh key too small:s3_clnt.c:3331:
```

We need to:

celesteking commented 9 years ago

Actually, this now seems like a serious issue. Our clients are losing mail because recent openssl doesn't want to negotiate DH with keys <= 512 bits. Thus, with TLS in outbound enabled, clients are getting bounce notices with "Failure Reason: Error: Too many failures (Tried all MXs)".

smfreegard commented 9 years ago

> Have configurable list of TLS disabled hosts/subnets (like in tls.ini?)

You mean like this? https://github.com/baudehlo/Haraka/blob/master/docs/plugins/tls.md#no_tls_hosts

> Maybe don't screw the session if host didn't negotiate TLS, but fallback to plain text (should be configurable)

This isn't possible; if negotiation fails, both ends are in an unknown state.

> add DH and cipher params, possibly with per-host/subnet option

You mean like this? https://github.com/baudehlo/Haraka/blob/master/docs/plugins/tls.md#ciphers

celesteking commented 9 years ago

That would be the first step. I'd like to see per-host/subnet options available.

celesteking commented 9 years ago

Come on, guys, don't you use TLS in outbound? If so, you've got a hell of a lot of mail staying in queue and ultimately failing.

@smfreegard plugins/tls.md#ciphers in outbound.

baudehlo commented 9 years ago

The options Steve pointed out are for inbound. We need to read that config for outbound too.


celesteking commented 8 years ago

A clear testcase would be sending mail to any@null.fused.sh . Try it.

celesteking commented 8 years ago

And yet again... How does that commit prevent outbound from making repeated STARTTLS to the remote MTA? redis.disable_for_failed_hosts won't be consulted.

baudehlo commented 8 years ago

It won't. Who said I was fixing that?


celesteking commented 8 years ago

Implemented in https://github.com/celesteking/Haraka/pull/2 0 production testing so far.