Re: [tor-bugs] #33413 [Internal Services/Tor Sysadmin Team]: ida.org can't mail torproject.org ("Connection reset by peer")
Reporter: arma
Owner: tpa
Type: defect
Status: needs_information
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Normal
Resolution:
Keywords:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:
Comment (by anarcat):
they tried to reply to my email and (obviously) failed because they
replied to my @torproject.org email (silly me).
arma nevertheless pursued the thread and we have more information from
their end. it looks like they might have some firewall issues because they
can't telnet into port 25 on our end. but it's also possible the cipher
suites don't match, so i provided them with a detailed review of our
configuration, as follows:
> > That's why one of the theories is "your side doesn't like our ssl".
>
> It's a good theory. Here is our mailserver (Postfix) configuration that
> should affect this (or not):
>
> smtpd_tls_ciphers = medium
> smtpd_tls_mandatory_ciphers = medium
> tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH
>
> Those parameters are documented in the postconf(5) manpage, available
> (e.g.) here:
>
> http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers
> http://www.postfix.org/postconf.5.html#tls_medium_cipherlist
>
> I also stumbled upon this setting (set to the default):
>
> tls_preempt_cipherlist = no
>
> ... which means the client (you, in this context) picks the cipher from
> the list provided by the server:
>
> http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist
>
> In other words, if TLS is the issue, it could be that your server does
> not support *any* of the OpenSSL 1.1.0l "MEDIUM" cipher suites.
>
> Which mail server software are you running, with which TLS library and
> configuration?
>
> And for what it's worth, the above "cipherlist" configuration expands to
> the following blob on our mailserver:
>
> root@eugeni:~# openssl ciphers aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH | sed 's/:/\n/g' | sort -n
> ADH-AES128-GCM-SHA256
> ADH-AES128-SHA
> ADH-AES128-SHA256
> ADH-AES256-GCM-SHA384
> ADH-AES256-SHA
> ADH-AES256-SHA256
> ADH-CAMELLIA128-SHA
> ADH-CAMELLIA128-SHA256
> ADH-CAMELLIA256-SHA
> ADH-CAMELLIA256-SHA256
> ADH-SEED-SHA
> AECDH-AES128-SHA
> AECDH-AES256-SHA
> AES128-CCM
> AES128-CCM8
> AES128-GCM-SHA256
> AES128-SHA
> AES128-SHA256
> AES256-CCM
> AES256-CCM8
> AES256-GCM-SHA384
> AES256-SHA
> AES256-SHA256
> CAMELLIA128-SHA
> CAMELLIA128-SHA256
> CAMELLIA256-SHA
> CAMELLIA256-SHA256
> DHE-DSS-AES128-GCM-SHA256
> DHE-DSS-AES128-SHA
> DHE-DSS-AES128-SHA256
> DHE-DSS-AES256-GCM-SHA384
> DHE-DSS-AES256-SHA
> DHE-DSS-AES256-SHA256
> DHE-DSS-CAMELLIA128-SHA
> DHE-DSS-CAMELLIA128-SHA256
> DHE-DSS-CAMELLIA256-SHA
> DHE-DSS-CAMELLIA256-SHA256
> DHE-DSS-SEED-SHA
> DHE-PSK-AES128-CBC-SHA
> DHE-PSK-AES128-CBC-SHA256
> DHE-PSK-AES128-CCM
> DHE-PSK-AES128-CCM8
> DHE-PSK-AES128-GCM-SHA256
> DHE-PSK-AES256-CBC-SHA
> DHE-PSK-AES256-CBC-SHA384
> DHE-PSK-AES256-CCM
> DHE-PSK-AES256-CCM8
> DHE-PSK-AES256-GCM-SHA384
> DHE-PSK-CAMELLIA128-SHA256
> DHE-PSK-CAMELLIA256-SHA384
> DHE-PSK-CHACHA20-POLY1305
> DHE-RSA-AES128-CCM
> DHE-RSA-AES128-CCM8
> DHE-RSA-AES128-GCM-SHA256
> DHE-RSA-AES128-SHA
> DHE-RSA-AES128-SHA256
> DHE-RSA-AES256-CCM
> DHE-RSA-AES256-CCM8
> DHE-RSA-AES256-GCM-SHA384
> DHE-RSA-AES256-SHA
> DHE-RSA-AES256-SHA256
> DHE-RSA-CAMELLIA128-SHA
> DHE-RSA-CAMELLIA128-SHA256
> DHE-RSA-CAMELLIA256-SHA
> DHE-RSA-CAMELLIA256-SHA256
> DHE-RSA-CHACHA20-POLY1305
> DHE-RSA-SEED-SHA
> ECDHE-ECDSA-AES128-CCM
> ECDHE-ECDSA-AES128-CCM8
> ECDHE-ECDSA-AES128-GCM-SHA256
> ECDHE-ECDSA-AES128-SHA
> ECDHE-ECDSA-AES128-SHA256
> ECDHE-ECDSA-AES256-CCM
> ECDHE-ECDSA-AES256-CCM8
> ECDHE-ECDSA-AES256-GCM-SHA384
> ECDHE-ECDSA-AES256-SHA
> ECDHE-ECDSA-AES256-SHA384
> ECDHE-ECDSA-CAMELLIA128-SHA256
> ECDHE-ECDSA-CAMELLIA256-SHA384
> ECDHE-ECDSA-CHACHA20-POLY1305
> ECDHE-PSK-AES128-CBC-SHA
> ECDHE-PSK-AES128-CBC-SHA256
> ECDHE-PSK-AES256-CBC-SHA
> ECDHE-PSK-AES256-CBC-SHA384
> ECDHE-PSK-CAMELLIA128-SHA256
> ECDHE-PSK-CAMELLIA256-SHA384
> ECDHE-PSK-CHACHA20-POLY1305
> ECDHE-RSA-AES128-GCM-SHA256
> ECDHE-RSA-AES128-SHA
> ECDHE-RSA-AES128-SHA256
> ECDHE-RSA-AES256-GCM-SHA384
> ECDHE-RSA-AES256-SHA
> ECDHE-RSA-AES256-SHA384
> ECDHE-RSA-CAMELLIA128-SHA256
> ECDHE-RSA-CAMELLIA256-SHA384
> ECDHE-RSA-CHACHA20-POLY1305
> PSK-AES128-CBC-SHA
> PSK-AES128-CBC-SHA256
> PSK-AES128-CCM
> PSK-AES128-CCM8
> PSK-AES128-GCM-SHA256
> PSK-AES256-CBC-SHA
> PSK-AES256-CBC-SHA384
> PSK-AES256-CCM
> PSK-AES256-CCM8
> PSK-AES256-GCM-SHA384
> PSK-CAMELLIA128-SHA256
> PSK-CAMELLIA256-SHA384
> PSK-CHACHA20-POLY1305
> RSA-PSK-AES128-CBC-SHA
> RSA-PSK-AES128-CBC-SHA256
> RSA-PSK-AES128-GCM-SHA256
> RSA-PSK-AES256-CBC-SHA
> RSA-PSK-AES256-CBC-SHA384
> RSA-PSK-AES256-GCM-SHA384
> RSA-PSK-CAMELLIA128-SHA256
> RSA-PSK-CAMELLIA256-SHA384
> RSA-PSK-CHACHA20-POLY1305
> SEED-SHA
> SRP-AES-128-CBC-SHA
> SRP-AES-256-CBC-SHA
> SRP-DSS-AES-128-CBC-SHA
> SRP-DSS-AES-256-CBC-SHA
> SRP-RSA-AES-128-CBC-SHA
> SRP-RSA-AES-256-CBC-SHA
>
> --
> Antoine Beaupré
> torproject.org system administration
see also #32351
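As an added example (not from the ticket, Postfix or the Tor sysadmins), the check the comment asks ida.org to do, modelled in Python: expand the quoted tls_medium_cipherlist with the local OpenSSL and test whether a client's offered suites overlap with it under either setting of tls_preempt_cipherlist. The client offers are constructed.

```python
"""Added example: does a client's cipher offer overlap with Postfix's MEDIUM list?"""
import ssl
from typing import Optional

# tls_medium_cipherlist as quoted in the ticket. "aNULL:-aNULL" first adds the
# anonymous (ADH/AECDH) suites and then deletes them, so that when HIGH:MEDIUM
# re-adds them they land at the end of the preference order rather than first.
POSTFIX_MEDIUM = "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"


def expand_cipherlist(spec: str) -> list[str]:
    """Expand an OpenSSL cipher string the way `openssl ciphers` does.
    The result depends on the local OpenSSL build, exactly as it did on eugeni."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # nothing in the string matched a built-in suite
        return []
    # get_ciphers() also reports TLS 1.3 suites, which set_ciphers() does not
    # govern; drop them so the output corresponds to the ticket's listing.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(server_list: list[str], client_offer: list[str],
              preempt: bool = False) -> Optional[str]:
    """Suite a TLS 1.2 handshake settles on. With tls_preempt_cipherlist = no
    (the Postfix default quoted above) the client's order wins; with yes the
    server's. None means no shared suite, so the handshake cannot complete."""
    if preempt:
        return next((c for c in server_list if c in client_offer), None)
    return next((c for c in client_offer if c in server_list), None)


def client_can_connect(client_offer: list[str]) -> bool:
    """True if a client offering these suites shares at least one with the
    server's expanded MEDIUM list."""
    return negotiate(expand_cipherlist(POSTFIX_MEDIUM), client_offer) is not None


if __name__ == "__main__":
    # Constructed client offers: a modern one, and one limited to suites that
    # are never in HIGH/MEDIUM (export-grade and NULL-encryption names).
    modern = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305"]
    legacy = ["EXP-RC4-MD5", "NULL-SHA"]
    for label, offer in (("modern", modern), ("legacy", legacy)):
        print(f"{label}: {'ok' if client_can_connect(offer) else 'no shared cipher'}")
```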
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33413#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
tor-bugs mailing list: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs