[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #33413 [Internal Services/Tor Sysadmin Team]: ida.org can't mail torproject.org ("Connection reset by peer")



#33413: ida.org can't mail torproject.org ("Connection reset by peer")
-------------------------------------------------+-------------------------
 Reporter:  arma                                 |          Owner:  tpa
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by anarcat):

 they tried to reply to my email and (obviously) failed because they
 replied to my @torproject.org email (silly me).

 arma nevertheless pursued the thread and we have more information from
 their end. it looks like they might have some firewall issues because they
 can't telnet into port 25 on our end. but it's also possible the cipher
 suites don't match, so i provided them with a detailed review of our
 configuration, as follows:

 > > That's why one of the theories is "your side doesn't like our ssl".
 >
 > It's a good theory. Here is our mailserver (Postfix) configuration that
 > should affect this (or not):
 >
 > smtpd_tls_ciphers = medium
 > smtpd_tls_mandatory_ciphers = medium
 > tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH
 >
 > Those parameters are documented in the postconf(5) manpage, available
 > (e.g.) here:
 >
 > http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers
 > http://www.postfix.org/postconf.5.html#tls_medium_cipherlist
 >
 > I also stumbled upon this setting (set to the default):
 >
 > tls_preempt_cipherlist = no
 >
 > ... which means the client (you, in this context) picks the cipher from
 > the list provided by the server:
 >
 > http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist
 >
 > In other words, if TLS is the issue, it could be that your server does
 > not support *any* of the OpenSSL 1.1.0l "MEDIUM" cipher suite.
 >
 > Which mail server software are you running, with which TLS library and
 > configuration?
 >
 > And for what it's worth, the above "cipherlist" configuration expands to
 > the following blob on our mailserver:
 >
 > root@eugeni:~# openssl ciphers  aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH
 | sed 's/:/\n/g' | sort -n
 > ADH-AES128-GCM-SHA256
 > ADH-AES128-SHA
 > ADH-AES128-SHA256
 > ADH-AES256-GCM-SHA384
 > ADH-AES256-SHA
 > ADH-AES256-SHA256
 > ADH-CAMELLIA128-SHA
 > ADH-CAMELLIA128-SHA256
 > ADH-CAMELLIA256-SHA
 > ADH-CAMELLIA256-SHA256
 > ADH-SEED-SHA
 > AECDH-AES128-SHA
 > AECDH-AES256-SHA
 > AES128-CCM
 > AES128-CCM8
 > AES128-GCM-SHA256
 > AES128-SHA
 > AES128-SHA256
 > AES256-CCM
 > AES256-CCM8
 > AES256-GCM-SHA384
 > AES256-SHA
 > AES256-SHA256
 > CAMELLIA128-SHA
 > CAMELLIA128-SHA256
 > CAMELLIA256-SHA
 > CAMELLIA256-SHA256
 > DHE-DSS-AES128-GCM-SHA256
 > DHE-DSS-AES128-SHA
 > DHE-DSS-AES128-SHA256
 > DHE-DSS-AES256-GCM-SHA384
 > DHE-DSS-AES256-SHA
 > DHE-DSS-AES256-SHA256
 > DHE-DSS-CAMELLIA128-SHA
 > DHE-DSS-CAMELLIA128-SHA256
 > DHE-DSS-CAMELLIA256-SHA
 > DHE-DSS-CAMELLIA256-SHA256
 > DHE-DSS-SEED-SHA
 > DHE-PSK-AES128-CBC-SHA
 > DHE-PSK-AES128-CBC-SHA256
 > DHE-PSK-AES128-CCM
 > DHE-PSK-AES128-CCM8
 > DHE-PSK-AES128-GCM-SHA256
 > DHE-PSK-AES256-CBC-SHA
 > DHE-PSK-AES256-CBC-SHA384
 > DHE-PSK-AES256-CCM
 > DHE-PSK-AES256-CCM8
 > DHE-PSK-AES256-GCM-SHA384
 > DHE-PSK-CAMELLIA128-SHA256
 > DHE-PSK-CAMELLIA256-SHA384
 > DHE-PSK-CHACHA20-POLY1305
 > DHE-RSA-AES128-CCM
 > DHE-RSA-AES128-CCM8
 > DHE-RSA-AES128-GCM-SHA256
 > DHE-RSA-AES128-SHA
 > DHE-RSA-AES128-SHA256
 > DHE-RSA-AES256-CCM
 > DHE-RSA-AES256-CCM8
 > DHE-RSA-AES256-GCM-SHA384
 > DHE-RSA-AES256-SHA
 > DHE-RSA-AES256-SHA256
 > DHE-RSA-CAMELLIA128-SHA
 > DHE-RSA-CAMELLIA128-SHA256
 > DHE-RSA-CAMELLIA256-SHA
 > DHE-RSA-CAMELLIA256-SHA256
 > DHE-RSA-CHACHA20-POLY1305
 > DHE-RSA-SEED-SHA
 > ECDHE-ECDSA-AES128-CCM
 > ECDHE-ECDSA-AES128-CCM8
 > ECDHE-ECDSA-AES128-GCM-SHA256
 > ECDHE-ECDSA-AES128-SHA
 > ECDHE-ECDSA-AES128-SHA256
 > ECDHE-ECDSA-AES256-CCM
 > ECDHE-ECDSA-AES256-CCM8
 > ECDHE-ECDSA-AES256-GCM-SHA384
 > ECDHE-ECDSA-AES256-SHA
 > ECDHE-ECDSA-AES256-SHA384
 > ECDHE-ECDSA-CAMELLIA128-SHA256
 > ECDHE-ECDSA-CAMELLIA256-SHA384
 > ECDHE-ECDSA-CHACHA20-POLY1305
 > ECDHE-PSK-AES128-CBC-SHA
 > ECDHE-PSK-AES128-CBC-SHA256
 > ECDHE-PSK-AES256-CBC-SHA
 > ECDHE-PSK-AES256-CBC-SHA384
 > ECDHE-PSK-CAMELLIA128-SHA256
 > ECDHE-PSK-CAMELLIA256-SHA384
 > ECDHE-PSK-CHACHA20-POLY1305
 > ECDHE-RSA-AES128-GCM-SHA256
 > ECDHE-RSA-AES128-SHA
 > ECDHE-RSA-AES128-SHA256
 > ECDHE-RSA-AES256-GCM-SHA384
 > ECDHE-RSA-AES256-SHA
 > ECDHE-RSA-AES256-SHA384
 > ECDHE-RSA-CAMELLIA128-SHA256
 > ECDHE-RSA-CAMELLIA256-SHA384
 > ECDHE-RSA-CHACHA20-POLY1305
 > PSK-AES128-CBC-SHA
 > PSK-AES128-CBC-SHA256
 > PSK-AES128-CCM
 > PSK-AES128-CCM8
 > PSK-AES128-GCM-SHA256
 > PSK-AES256-CBC-SHA
 > PSK-AES256-CBC-SHA384
 > PSK-AES256-CCM
 > PSK-AES256-CCM8
 > PSK-AES256-GCM-SHA384
 > PSK-CAMELLIA128-SHA256
 > PSK-CAMELLIA256-SHA384
 > PSK-CHACHA20-POLY1305
 > RSA-PSK-AES128-CBC-SHA
 > RSA-PSK-AES128-CBC-SHA256
 > RSA-PSK-AES128-GCM-SHA256
 > RSA-PSK-AES256-CBC-SHA
 > RSA-PSK-AES256-CBC-SHA384
 > RSA-PSK-AES256-GCM-SHA384
 > RSA-PSK-CAMELLIA128-SHA256
 > RSA-PSK-CAMELLIA256-SHA384
 > RSA-PSK-CHACHA20-POLY1305
 > SEED-SHA
 > SRP-AES-128-CBC-SHA
 > SRP-AES-256-CBC-SHA
 > SRP-DSS-AES-128-CBC-SHA
 > SRP-DSS-AES-256-CBC-SHA
 > SRP-RSA-AES-128-CBC-SHA
 > SRP-RSA-AES-256-CBC-SHA
 >
 > --
 > Antoine Beaupré
 > torproject.org system administration


 see also #32351

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33413#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs