[tor-bugs] #33413 [Internal Services/Tor Sysadmin Team]: ida.org can't mail torproject.org ("Connection reset by peer")

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Mar 11 20:33:42 UTC 2020


#33413: ida.org can't mail torproject.org ("Connection reset by peer")
-------------------------------------------------+-------------------------
 Reporter:  arma                                 |          Owner:  tpa
     Type:  defect                               |         Status:
                                                 |  needs_information
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by anarcat):

 they tried to reply to my email and (obviously) failed because they
 replied to my @torproject.org email (silly me).

 arma nevertheless pursued the thread and we have more information from
 their end. it looks like they might have some firewall issues because they
 can't telnet into port 25 on our end. but it's also possible the cipher
 suites don't match, so i provided them with a detailed review of our
 configuration, as follows:

 > > That's why one of the theories is "your side doesn't like our ssl".
 >
 > It's a good theory. Here is our mailserver (Postfix) configuration that
 > should affect this (or not):
 >
 > smtpd_tls_ciphers = medium
 > smtpd_tls_mandatory_ciphers = medium
 > tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH
 >
 > Those parameters are documented in the postconf(5) manpage, available
 > (e.g.) here:
 >
 > http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers
 > http://www.postfix.org/postconf.5.html#tls_medium_cipherlist
 >
 > I also stumbled upon this setting (set to the default):
 >
 > tls_preempt_cipherlist = no
 >
 > ... which means the client (you, in this context) picks the cipher from
 > the list provided by the server:
 >
 > http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist
 >
 > In other words, if TLS is the issue, it could be that your server does
 > not support *any* of the OpenSSL 1.1.0l "MEDIUM" cipher suite.
 >
 > Which mail server software are you running, with which TLS library and
 > configuration?
 >
 > And for what it's worth, the above "cipherlist" configuration expands to
 > the following blob on our mailserver:
 >
 > root at eugeni:~# openssl ciphers aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH | sed 's/:/\n/g' | sort -n
 > ADH-AES128-GCM-SHA256
 > ADH-AES128-SHA
 > ADH-AES128-SHA256
 > ADH-AES256-GCM-SHA384
 > ADH-AES256-SHA
 > ADH-AES256-SHA256
 > ADH-CAMELLIA128-SHA
 > ADH-CAMELLIA128-SHA256
 > ADH-CAMELLIA256-SHA
 > ADH-CAMELLIA256-SHA256
 > ADH-SEED-SHA
 > AECDH-AES128-SHA
 > AECDH-AES256-SHA
 > AES128-CCM
 > AES128-CCM8
 > AES128-GCM-SHA256
 > AES128-SHA
 > AES128-SHA256
 > AES256-CCM
 > AES256-CCM8
 > AES256-GCM-SHA384
 > AES256-SHA
 > AES256-SHA256
 > CAMELLIA128-SHA
 > CAMELLIA128-SHA256
 > CAMELLIA256-SHA
 > CAMELLIA256-SHA256
 > DHE-DSS-AES128-GCM-SHA256
 > DHE-DSS-AES128-SHA
 > DHE-DSS-AES128-SHA256
 > DHE-DSS-AES256-GCM-SHA384
 > DHE-DSS-AES256-SHA
 > DHE-DSS-AES256-SHA256
 > DHE-DSS-CAMELLIA128-SHA
 > DHE-DSS-CAMELLIA128-SHA256
 > DHE-DSS-CAMELLIA256-SHA
 > DHE-DSS-CAMELLIA256-SHA256
 > DHE-DSS-SEED-SHA
 > DHE-PSK-AES128-CBC-SHA
 > DHE-PSK-AES128-CBC-SHA256
 > DHE-PSK-AES128-CCM
 > DHE-PSK-AES128-CCM8
 > DHE-PSK-AES128-GCM-SHA256
 > DHE-PSK-AES256-CBC-SHA
 > DHE-PSK-AES256-CBC-SHA384
 > DHE-PSK-AES256-CCM
 > DHE-PSK-AES256-CCM8
 > DHE-PSK-AES256-GCM-SHA384
 > DHE-PSK-CAMELLIA128-SHA256
 > DHE-PSK-CAMELLIA256-SHA384
 > DHE-PSK-CHACHA20-POLY1305
 > DHE-RSA-AES128-CCM
 > DHE-RSA-AES128-CCM8
 > DHE-RSA-AES128-GCM-SHA256
 > DHE-RSA-AES128-SHA
 > DHE-RSA-AES128-SHA256
 > DHE-RSA-AES256-CCM
 > DHE-RSA-AES256-CCM8
 > DHE-RSA-AES256-GCM-SHA384
 > DHE-RSA-AES256-SHA
 > DHE-RSA-AES256-SHA256
 > DHE-RSA-CAMELLIA128-SHA
 > DHE-RSA-CAMELLIA128-SHA256
 > DHE-RSA-CAMELLIA256-SHA
 > DHE-RSA-CAMELLIA256-SHA256
 > DHE-RSA-CHACHA20-POLY1305
 > DHE-RSA-SEED-SHA
 > ECDHE-ECDSA-AES128-CCM
 > ECDHE-ECDSA-AES128-CCM8
 > ECDHE-ECDSA-AES128-GCM-SHA256
 > ECDHE-ECDSA-AES128-SHA
 > ECDHE-ECDSA-AES128-SHA256
 > ECDHE-ECDSA-AES256-CCM
 > ECDHE-ECDSA-AES256-CCM8
 > ECDHE-ECDSA-AES256-GCM-SHA384
 > ECDHE-ECDSA-AES256-SHA
 > ECDHE-ECDSA-AES256-SHA384
 > ECDHE-ECDSA-CAMELLIA128-SHA256
 > ECDHE-ECDSA-CAMELLIA256-SHA384
 > ECDHE-ECDSA-CHACHA20-POLY1305
 > ECDHE-PSK-AES128-CBC-SHA
 > ECDHE-PSK-AES128-CBC-SHA256
 > ECDHE-PSK-AES256-CBC-SHA
 > ECDHE-PSK-AES256-CBC-SHA384
 > ECDHE-PSK-CAMELLIA128-SHA256
 > ECDHE-PSK-CAMELLIA256-SHA384
 > ECDHE-PSK-CHACHA20-POLY1305
 > ECDHE-RSA-AES128-GCM-SHA256
 > ECDHE-RSA-AES128-SHA
 > ECDHE-RSA-AES128-SHA256
 > ECDHE-RSA-AES256-GCM-SHA384
 > ECDHE-RSA-AES256-SHA
 > ECDHE-RSA-AES256-SHA384
 > ECDHE-RSA-CAMELLIA128-SHA256
 > ECDHE-RSA-CAMELLIA256-SHA384
 > ECDHE-RSA-CHACHA20-POLY1305
 > PSK-AES128-CBC-SHA
 > PSK-AES128-CBC-SHA256
 > PSK-AES128-CCM
 > PSK-AES128-CCM8
 > PSK-AES128-GCM-SHA256
 > PSK-AES256-CBC-SHA
 > PSK-AES256-CBC-SHA384
 > PSK-AES256-CCM
 > PSK-AES256-CCM8
 > PSK-AES256-GCM-SHA384
 > PSK-CAMELLIA128-SHA256
 > PSK-CAMELLIA256-SHA384
 > PSK-CHACHA20-POLY1305
 > RSA-PSK-AES128-CBC-SHA
 > RSA-PSK-AES128-CBC-SHA256
 > RSA-PSK-AES128-GCM-SHA256
 > RSA-PSK-AES256-CBC-SHA
 > RSA-PSK-AES256-CBC-SHA384
 > RSA-PSK-AES256-GCM-SHA384
 > RSA-PSK-CAMELLIA128-SHA256
 > RSA-PSK-CAMELLIA256-SHA384
 > RSA-PSK-CHACHA20-POLY1305
 > SEED-SHA
 > SRP-AES-128-CBC-SHA
 > SRP-AES-256-CBC-SHA
 > SRP-DSS-AES-128-CBC-SHA
 > SRP-DSS-AES-256-CBC-SHA
 > SRP-RSA-AES-128-CBC-SHA
 > SRP-RSA-AES-256-CBC-SHA
 >
 > --
 > Antoine Beaupré
 > torproject.org system administration


 see also #32351
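The quoted configuration (Postfix `tls_medium_cipherlist` plus `tls_preempt_cipherlist = no`) describes a negotiation that can be modelled directly. The following Python script is an added example, not code from the ticket, from Postfix or from the Tor sysadmins: it expands the quoted cipher-list spec with whatever OpenSSL the local Python is linked against (so its output matches the eugeni list only on the same OpenSSL 1.1.0l build), then applies the client-preference rule the email describes to constructed client cipher lists. The client lists and the helper names `expand_cipherlist`, `negotiate` and `diagnose` are assumptions made for illustration.

```python
"""Model the TLS cipher negotiation behind the ticket's Postfix settings.

Added example (not from the ticket or from Postfix): expand a cipher-list
spec with the local OpenSSL, then pick the suite a TLS 1.2 handshake would
settle on under Postfix's tls_preempt_cipherlist rule.  The "remote client"
cipher lists in __main__ are constructed and are not ida.org data.
"""
import ssl

# The spec quoted in the ticket (also the Postfix tls_medium_cipherlist default).
TOR_MEDIUM_SPEC = "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"


def expand_cipherlist(spec):
    """Return the cipher names OpenSSL enables for a cipher-list spec.

    Mirrors `openssl ciphers <spec>` (order preserved) using the libssl
    Python is linked against, so the result depends on the local OpenSSL
    version and build options, exactly as it does for Postfix.  TLS 1.3
    suites are listed too because set_ciphers() does not govern them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing at all matches
    return [c["name"] for c in ctx.get_ciphers()]


def negotiate(server_ciphers, client_ciphers, server_preference=False):
    """Return the cipher a TLS 1.2 handshake would choose, or None if none is shared.

    tls_preempt_cipherlist = no (the default, as in the ticket) means the
    server takes the first entry of the *client's* list that it also offers;
    = yes means the server walks its own list instead.
    """
    if server_preference:
        preferred, other = server_ciphers, set(client_ciphers)
    else:
        preferred, other = client_ciphers, set(server_ciphers)
    for name in preferred:
        if name in other:
            return name
    return None


def diagnose(server_ciphers, client_ciphers):
    """Summarise the outcome the way the ticket reasons about it."""
    chosen = negotiate(server_ciphers, client_ciphers)
    if chosen is None:
        return "no shared cipher suite: the server would abort the handshake"
    return "handshake would use " + chosen


if __name__ == "__main__":
    offered = expand_cipherlist(TOR_MEDIUM_SPEC)
    print(f"server offers {len(offered)} suites, e.g. {offered[:3]}")
    # Constructed example clients (assumptions, not real remote data).
    modern_client = ["ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256"]
    legacy_client = ["RC4-SHA", "RC4-MD5"]  # RC4 is compiled out of current OpenSSL
    print("modern client:", diagnose(offered, modern_client))
    print("legacy client:", diagnose(offered, legacy_client))
```

Running it against the quoted spec shows the practical check the email asks the remote side to make: whether any suite in the client's list survives in the server's expanded MEDIUM list. A client that offers only suites absent from that list gets the "no shared cipher suite" outcome, which on the wire looks like an aborted handshake rather than a mail-level error.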

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33413#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online