Re: [PATCH]: SSL options to disable SSLv2

From: David Hill (no email)
Date: Thu Sep 08 2005 - 18:06:30 EDT

  • Next message: Patrick Beckhelm: "Re: Removed catchall, now getting errors"

    On Thu, Sep 08, 2005 at 05:27:59PM -0400, Christian von Roques wrote:
    > David Hill <> writes:
    > > My tally is:
    > > 150188 TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    > > 38037 TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
    > > 4027 SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
    > > 691 TLSv1 with cipher RC4-SHA (128/128 bits)
    > > 483 TLSv1 with cipher AES256-SHA (256/256 bits)
    > > 372 TLSv1 with cipher RC4-MD5 (128/128 bits)
    > > 309 SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)
    > > 108 TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
    > > 89 SSLv3 with cipher DES-CBC3-SHA (168/168 bits)
    > > 10 SSLv3 with cipher RC4-MD5 (128/128 bits)
    > > 5 SSLv3 with cipher RC4-SHA (128/128 bits)
    > > 1 SSLv2 with cipher DES-CBC3-MD5 (168/168 bits)
    > ^^^^^
    >
    > Can you please try to find out what software actually negotiated an
    > SSLv2 connection? All SSLv2 connections in our maillogs were
    > caused by me running "openssl s_client -ssl2 -starttls smtp".
    >
    > Christian.
    >

    Aug 24 00:24:30 mx1 postfix/smtpd[11443]: connect from blh.k12.mn.us[64.8.149.82]
    Aug 24 00:24:31 mx1 postfix/smtpd[11443]: setting up TLS connection from blh.k12.mn.us[64.8.149.82]
    Aug 24 00:24:31 mx1 postfix/smtpd[11443]: TLS connection established from blh.k12.mn.us[64.8.149.82]: SSLv2 with cipher DES-CBC3-MD5 (168/168 bits)
    Aug 24 00:24:31 mx1 postfix/smtpd[11443]: NOQUEUE: reject: RCPT from blh.k12.mn.us[64.8.149.82]: 554 Service unavailable; Client host [64.8.149.82] blocked using relays.ordb.org; This mail was handled by an open relay - please visit <http://ORDB.org/lookup/?host=64.8.149.82>; from=<> to=<> proto=ESMTP helo=<mail.blh.k12.mn.us>
    Aug 24 00:24:32 mx1 postfix/smtpd[11443]: lost connection after RCPT from blh.k12.mn.us[64.8.149.82]
    Aug 24 00:24:32 mx1 postfix/smtpd[11443]: disconnect from blh.k12.mn.us[64.8.149.82]

    I think k12 schools usually use GroupWise (which doesn't follow SMTP RFCs) or older software anyways.

            David
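
The tally and the SSLv2 lookup discussed in this message can be reproduced from a maillog with a short script. This is an added example, not part of the original message; the function names are hypothetical and the sample log lines are constructed, using documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Line smtpd logs after a completed handshake. The optional leading word is an
# assumption covering later Postfix releases that log "Anonymous TLS connection ...".
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: (?:\w+ )?TLS connection established from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \(\d+/\d+ bits\)"
)

def tally_tls(lines, flag_protocols=("SSLv2",)):
    """Count (protocol, cipher) pairs and collect the clients that
    negotiated any protocol listed in flag_protocols."""
    tally = Counter()
    flagged = defaultdict(set)
    for line in lines:
        m = TLS_LINE.search(line)
        if m is None:
            continue  # connect/disconnect/reject lines carry no TLS details
        tally[(m["proto"], m["cipher"])] += 1
        if m["proto"] in flag_protocols:
            flagged[m["proto"]].add((m["host"], m["ip"]))
    return tally, dict(flagged)

def format_tally(tally):
    """Render the counts, most frequent first, in the layout used in the thread."""
    return [f"{n} {proto} with cipher {cipher}"
            for (proto, cipher), n in tally.most_common()]

# Constructed sample input (not taken from a real log).
SAMPLE_LOG = """\
Aug 24 00:24:30 mx1 postfix/smtpd[101]: connect from mail.example.org[192.0.2.10]
Aug 24 00:24:31 mx1 postfix/smtpd[101]: TLS connection established from mail.example.org[192.0.2.10]: SSLv2 with cipher DES-CBC3-MD5 (168/168 bits)
Aug 24 00:25:02 mx1 postfix/smtpd[102]: TLS connection established from mx.example.net[198.51.100.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 24 00:25:40 mx1 postfix/smtpd[103]: TLS connection established from mx.example.net[198.51.100.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 24 00:26:11 mx1 postfix/smtpd[104]: TLS connection established from unknown[203.0.113.5]: SSLv3 with cipher RC4-MD5 (128/128 bits)
""".splitlines()

if __name__ == "__main__":
    counts, legacy = tally_tls(SAMPLE_LOG, flag_protocols=("SSLv2", "SSLv3"))
    print("\n".join(format_tally(counts)))
    for proto, clients in sorted(legacy.items()):
        for host, ip in sorted(clients):
            print(f"{proto} client: {host} [{ip}]")
```

Listing the flagged clients before disabling a protocol shows which peers would lose TLS once the option is turned on.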

