[Noisebridge-discuss] Hmm, my emails are not going through

Andy Isaacson adi at hexapodia.org
Thu Jan 27 05:04:26 UTC 2011


On Wed, Jan 26, 2011 at 07:53:56PM -0800, Andy Isaacson wrote:
> On Wed, Jan 26, 2011 at 08:36:11PM -0700, Erik Nelson wrote:
> > Pinging..
> 
> Interesting, thanks for the example.  I've gotten the message from gmail
> to hexapodia directly (with a total delay of 3 seconds if everybody's
> NTPed correctly), but it hasn't been delivered to noisebridge yet.
> 
> Received: from mail-qw0-f41.google.com (mail-qw0-f41.google.com
>         [209.85.216.41]) by straum.hexapodia.org (Postfix) with ESMTPS id
>         93B49411B for <adi at hexapodia.org>; Wed, 26 Jan 2011 19:36:13 -0800 (PST)
> 
> GMail:  can you look into this?  Full headers (of the directly delivered
> message) attached.
> 
> -andy


GMail: your STARTTLS implementation refuses to use any unbroken TLS
ciphers such as AES256-SHA256.  I had to re-enable DES-CBC3-SHA and/or
RC4-SHA to satisfy your STARTTLS clients, and using broken ciphers and
hashes makes the panda sad.

Before:

Jan 26 20:50:53 m1 postfix/smtpd[27175]: connect from mail-ey0-f175.google.com[209.85.215.175]
Jan 26 20:50:54 m1 postfix/smtpd[27175]: setting up TLS connection from mail-ey0-f175.google.com[209.85.215.175]
Jan 26 20:50:54 m1 postfix/smtpd[27175]: mail-ey0-f175.google.com[209.85.215.175]: TLS cipher list "ALL:+RC4:@STRENGTH:!aNULL:!MD5:!DES:!3DES:!RC4-SHA:!AES256-SHA:!AES128-SHA"
Jan 26 20:50:54 m1 postfix/smtpd[27175]: SSL_accept:before/accept initialization
Jan 26 20:50:54 m1 postfix/smtpd[27175]: SSL3 alert write:fatal:handshake failure
Jan 26 20:50:54 m1 postfix/smtpd[27175]: SSL_accept:error in SSLv3 read client hello B
Jan 26 20:50:54 m1 postfix/smtpd[27175]: SSL_accept:error in SSLv3 read client hello B
Jan 26 20:50:54 m1 postfix/smtpd[27175]: SSL_accept error from mail-ey0-f175.google.com[209.85.215.175]: -1
Jan 26 20:50:54 m1 postfix/smtpd[27175]: warning: TLS library problem: 27175:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1023:
Jan 26 20:50:54 m1 postfix/smtpd[27175]: lost connection after STARTTLS from mail-ey0-f175.google.com[209.85.215.175]
Jan 26 20:50:54 m1 postfix/smtpd[27175]: disconnect from mail-ey0-f175.google.com[209.85.215.175]

After:

Jan 26 20:51:25 m1 postfix/smtpd[27251]: connect from mail-ew0-f47.google.com[209.85.215.47]
Jan 26 20:51:26 m1 postfix/smtpd[27251]: setting up TLS connection from mail-ew0-f47.google.com[209.85.215.47]
Jan 26 20:51:26 m1 postfix/smtpd[27251]: mail-ew0-f47.google.com[209.85.215.47]: TLS cipher list "ALL:+RC4:@STRENGTH:!aNULL:!MD5:!DES:!RC4-SHA:!AES256-SHA:!AES128-SHA"
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:before/accept initialization
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 read client hello A
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 write server hello A
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 write certificate A
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 write server done A
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 flush data
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 read client key exchange A
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 read finished A
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 write change cipher spec A
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 write finished A
Jan 26 20:51:26 m1 postfix/smtpd[27251]: SSL_accept:SSLv3 flush data
Jan 26 20:51:26 m1 postfix/smtpd[27251]: mail-ew0-f47.google.com[209.85.215.47]: save session 1FAE837C0B26B0302D676088BAF8B05BE6E78409B0937132359E844A62314583&s=smtp to smtpd cache
Jan 26 20:51:26 m1 postfix/smtpd[27251]: Anonymous TLS connection established from mail-ew0-f47.google.com[209.85.215.47]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Jan 26 20:51:27 m1 postfix/smtpd[27251]: 55F64DA8C9: client=mail-ew0-f47.google.com[209.85.215.47]

Think of the panda, please upgrade your outbound SMTP STARTTLS clients
to support modern cipher suites.

Thanks,
-andy
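As an added example (not from the post, and not Postfix's own tooling), a Python check that walks smtpd log lines like the ones quoted above and reports peers whose handshake died with "no shared cipher" and peers that completed STARTTLS on a legacy cipher, plus a helper that reads which tokens a cipher-list string disables with `!`. The sample lines are constructed from the post's output, and the regexes assume that Postfix log format.

```python
import re

# Ciphers the post had to re-enable to accept Google's STARTTLS clients;
# treat them as legacy and flag any session that negotiates one.
LEGACY_CIPHERS = {"DES-CBC3-SHA", "RC4-SHA", "RC4-MD5"}

# Constructed sample: one failing and one succeeding session, trimmed from the smtpd output in the post.
SAMPLE_LOG = """\
Jan 26 20:50:53 m1 postfix/smtpd[27175]: connect from mail-ey0-f175.google.com[209.85.215.175]
Jan 26 20:50:54 m1 postfix/smtpd[27175]: warning: TLS library problem: 27175:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1023:
Jan 26 20:50:54 m1 postfix/smtpd[27175]: disconnect from mail-ey0-f175.google.com[209.85.215.175]
Jan 26 20:51:25 m1 postfix/smtpd[27251]: connect from mail-ew0-f47.google.com[209.85.215.47]
Jan 26 20:51:26 m1 postfix/smtpd[27251]: Anonymous TLS connection established from mail-ew0-f47.google.com[209.85.215.47]: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
"""

# Regexes assume the Postfix smtpd log format shown in the post.
CONNECT_RE = re.compile(r"smtpd\[(\d+)\]: connect from (\S+)\[([\d.]+)\]")
NOCIPHER_RE = re.compile(r"smtpd\[(\d+)\]: warning: TLS library problem: .*no shared cipher")
ESTAB_RE = re.compile(r"smtpd\[(\d+)\]: \w+ TLS connection established from (\S+)\[([\d.]+)\]: (\S+) with cipher (\S+)")


def excluded_tokens(cipherlist):
    """Tokens an OpenSSL cipher-list string disables outright with a '!' prefix."""
    return {t[1:] for t in cipherlist.split(":") if t.startswith("!")}


def audit_smtpd_tls(log_text):
    """Walk smtpd log lines and return peers that failed with 'no shared cipher'
    and peers that completed a handshake with a legacy cipher. Sessions are
    correlated by the smtpd PID, which names one session at a time."""
    peer_by_pid = {}
    report = {"no_shared_cipher": [], "legacy_cipher": []}
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            peer_by_pid[m.group(1)] = (m.group(2), m.group(3))
        elif m := NOCIPHER_RE.search(line):
            report["no_shared_cipher"].append(peer_by_pid.get(m.group(1), ("unknown", "unknown")))
        elif (m := ESTAB_RE.search(line)) and m.group(5) in LEGACY_CIPHERS:
            report["legacy_cipher"].append((m.group(2), m.group(3), m.group(5)))
    return report


if __name__ == "__main__":
    for kind, peers in audit_smtpd_tls(SAMPLE_LOG).items():
        for peer in peers:
            print(kind, *peer)
```

Running `excluded_tokens` over the two cipher lists in the post shows the only difference is the dropped `!3DES`, which is what let DES-CBC3-SHA through in the "After" session.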


