Possible TLS version issue? #66
Comments
I was able to reproduce this problem on FreeBSD 11.2 (now upgraded to 11.3), with citeglobe.ca acting as a "smarthost". I documented the problem on the FreeBSD Forum. I am wondering if adding TLS v1.2 support through a library is easier than configuring exim4 as an alternative. When asked, the support person at my webhost did think plain-text (insecure) authentication would work. But, obviously, I don't want to do that long-term. The person who responded to my post on the FreeBSD forum suggested checking what version of OpenSSL it is linked against. |
Ah, the code is present, we just didn't tag a new release. |
release 0.12 tagged, this should allow any tls version. Could you please test? |
That's probably because 0.11-1 in Debian is not supporting TLS1.1 or TLS1.2. I just uploaded to buster yesterday 0.11-1+deb10u1, which contains the patch to enable these versions of TLS. |
could you please upload 0.12 instead of picking patches? |
@corecode not in stable releases. 0.12 will arrive soon in unstable. |
Has anyone successfully tested the current TLS versions (1.2) with version 0.12 of dma? I just did and I did not succeed, I still get the same handshake-error as in earlier versions.

Nov 12 18:30:55 testus dma[4ca53.8018280a0]: remote delivery deferred: xxxx [yyyy] failed after EHLO: error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure
|
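An added example, not part of the thread and not dma's own code: decoding the packed OpenSSL error code in a dma log line such as the one above shows whether the smarthost sent a TLS alert (for example `protocol_version`) or the failure was raised by the local OpenSSL library. It assumes the OpenSSL 1.0.x/1.1.x code layout; `decode_openssl_error` and `diagnose` are hypothetical helper names, and the second sample line is constructed.

```python
import re

# Packed layout in OpenSSL 1.0.x/1.1.x: 8-bit library, 12-bit function,
# 12-bit reason. OpenSSL 3.x packs error codes differently.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + TLS alert number for peer alerts
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              70: "protocol_version", 71: "insufficient_security",
              80: "internal_error"}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def decode_openssl_error(line):
    """Return the decoded fields of an 'error:XXXXXXXX:lib:func:reason' string."""
    m = ERR_RE.search(line)
    if not m:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        number = reason - SSL_AD_REASON_OFFSET
        alert = TLS_ALERTS.get(number, f"alert_{number}")
    return {"lib": lib, "func": func, "reason": reason,
            "peer_alert": alert, "text": m.group(4).strip()}

def diagnose(line):
    """Turn a log line into a short hint about where the handshake failed."""
    d = decode_openssl_error(line)
    if d is None:
        return "no OpenSSL error string in this line"
    if d["peer_alert"] in ("protocol_version", "insufficient_security"):
        return "peer rejected the offered TLS version or cipher strength"
    if d["peer_alert"]:
        return "peer sent TLS alert " + d["peer_alert"]
    return "raised by the local OpenSSL library, no peer alert encoded"

# Log line quoted in the thread above.
PAGE_LINE = ("Nov 12 18:30:55 testus dma[4ca53.8018280a0]: remote delivery "
             "deferred: xxxx [yyyy] failed after EHLO: error:140940E5:SSL "
             "routines:ssl3_read_bytes:ssl handshake failure")
# Constructed sample: what a protocol_version alert looks like in the same format.
CONSTRUCTED_LINE = ("dma[0.0]: remote delivery deferred: mail.example.org "
                    "[192.0.2.1] failed after EHLO: error:1407742E:SSL "
                    "routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version")

if __name__ == "__main__":
    for sample in (PAGE_LINE, CONSTRUCTED_LINE):
        print(decode_openssl_error(sample), "->", diagnose(sample))
```
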
Version 12 worked its way into FreeBSD 11 around October 10th (or, that was when I got around to installing it). It appears to work. I suspect it was not marked for release because this commit is vulnerable to downgrading attacks: That should not be allowed unless the "Insecure" flag is set. What you should do is enforce TLS 1.2 like everybody else. |
please file a separate bug if there is a TLS security issue with the current code. |
Having the same issue on a Debian based GNU Linux distro by name MX-Linux. "Linux mx-mini 5.10.0-12-amd64 #1 SMP Debian 5.10.103-1 (2022-03-07) x86_64 GNU/Linux" dma version is "0.13-1" |
I have no idea. We're not pinning any TLS version, so that must be related to your openssl. |
Hi, ran into this issue today. I would LOVE to see this fix so I do not need to use exim or postfix. Thanks! :) |
please provide more details. which dma version, what is the exact error.
|
Really? It is the same error as before. No change. |
please post the mail server error message.
On October 24, 2022 1:42:46 PM CDT, Benjamin Marwell ***@***.***> wrote:
Really? It is the same error as before. No change.
Version: https://aur.archlinux.org/packages/dma
|
I re-tried from my other PC where it is working. The error is gone:
Settings taken from https://www.dragonflybsd.org/docs/howtos/HowTo_dma_gmail/ (except .muttrc settings, as I do not use mutt). |
First let me say thanks for DMA, it's a great lightweight MTA. I use it everywhere I don't want a full MTA and it does the job perfectly.
I'm trying to dma with runbox.com and am getting the error in my logs. First the basics...
OS: Debian Buster
DMA package version: 0.11-1+b1
Error snipped from mail.info...
My /etc/dma.conf..
This might be related to a change runbox.com made recently about supported TLS versions...
Is the TLS version at issue here? If so, is there anything I can do to set it to use newer version? If not any suggestions?
Thanks.