tls problem

  • Maxim Bunin
    Message 1 of 16 , Aug 31, 2006
      Hi,
      Recently I noticed that some smtp server lose tls with my postfix
      2.3.3. after starttls.

      Aug 31 16:15:00 ares postfix/smtpd[14025]: TLS connection established from ausc60ps301.us.dell.com[143.166.148.206]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
      Aug 31 16:15:00 ares postfix/smtpd[14025]: lost connection after STARTTLS from ausc60ps301.us.dell.com[143.166.148.206]
      Aug 31 16:15:00 ares postfix/smtpd[14025]: disconnect from ausc60ps301.us.dell.com[143.166.148.206]

      At the same time this problem doesn't occur with other servers

      Aug 31 16:06:19 ares postfix/smtp[13820]: setting up TLS connection to tcmail22.telekom.de
      Aug 31 16:06:19 ares postfix/smtp[13820]: Unverified: subject_CN=tcmail22.telekom.de, issuer=Deutsche Telekom CA 5
      Aug 31 16:06:19 ares postfix/smtp[13820]: TLS connection established to tcmail22.telekom.de: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

      Is it a cipher problem?

      postconf -a
      cyrus
      dovecot

      postconf -n

      [skip]
      smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
      smtpd_tls_ask_ccert = no
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/postfix/postfix.pem
      smtpd_tls_key_file = /etc/postfix/postfix.key
      smtpd_tls_loglevel = 1
      smtpd_tls_received_header = yes
      smtpd_tls_req_ccert = no
      smtpd_tls_security_level = may
      smtpd_tls_session_cache_database = btree:/etc/postfix/smtpd_tls_session_cache
      smtpd_tls_session_cache_timeout = 3600s
      [skip]
    • Noel Jones
      Message 2 of 16 , Aug 31, 2006
        At 09:33 AM 8/31/2006, Maxim Bunin wrote:
        >Hi,
        >Recently I noticed that some smtp server lose tls with my postfix
        >2.3.3. after starttls.
        >
        >Aug 31 16:15:00 ares postfix/smtpd[14025]: TLS connection established from ausc60ps301.us.dell.com[143.166.148.206]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
        >Aug 31 16:15:00 ares postfix/smtpd[14025]: lost connection after STARTTLS from ausc60ps301.us.dell.com[143.166.148.206]
        >Aug 31 16:15:00 ares postfix/smtpd[14025]: disconnect from ausc60ps301.us.dell.com[143.166.148.206]
        >
        >At the same time this problem doesn't occur with other servers

        I have trouble with that exact same client.

        I don't know the cause of the problem, but the solution is:
        http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
        # main.cf
        smtpd_discard_ehlo_keyword_address_maps =
        hash:/etc/postfix/smtpd_keyword_map

        # /etc/postfix/smtpd_keyword_map
        143.166.148.206 starttls silent-discard

        --
        Noel Jones
      • Victor Duchovni
        Message 3 of 16 , Aug 31, 2006
          On Thu, Aug 31, 2006 at 10:10:43AM -0500, Noel Jones wrote:

          > At 09:33 AM 8/31/2006, Maxim Bunin wrote:
          > >Hi,
          > >Recently I noticed that some smtp server lose tls with my postfix
          > >2.3.3. after starttls.
          > >
          > >Aug 31 16:15:00 ares postfix/smtpd[14025]: TLS connection established from ausc60ps301.us.dell.com[143.166.148.206]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
          > >Aug 31 16:15:00 ares postfix/smtpd[14025]: lost connection after STARTTLS from ausc60ps301.us.dell.com[143.166.148.206]
          > >Aug 31 16:15:00 ares postfix/smtpd[14025]: disconnect from ausc60ps301.us.dell.com[143.166.148.206]
          > >
          > >At the same time this problem doesn't occur with other servers
          >
          > I have trouble with that exact same client.
          >
          > I don't know the cause of the problem, but the solution is:
          > http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
          > # main.cf
          > smtpd_discard_ehlo_keyword_address_maps =
          > hash:/etc/postfix/smtpd_keyword_map
          >
          > # /etc/postfix/smtpd_keyword_map
          > 143.166.148.206 starttls silent-discard

          This client negotiated an anonymous cipher (ADH-AES256-SHA). It is
          misconfigured because its cipher list allows anonymous ciphers, but it
          aborts the connexion presumably for lack of a server certificate. A note
          to postmaster@... (Bcc'd) is in order...

          --
          Viktor.

          Disclaimer: off-list followups get on-list replies or get ignored.
          Please do not ignore the "Reply-To" header.

          To unsubscribe from the postfix-users list, visit
          http://www.postfix.org/lists.html or click the link below:
          <mailto:majordomo@...?body=unsubscribe%20postfix-users>

          If my response solves your problem, the best way to thank me is to not
          send an "it worked, thanks" follow-up. If you must respond, please put
          "It worked, thanks" in the "Subject" so I can delete these quickly.
        • Wietse Venema
          Message 4 of 16 , Aug 31, 2006
            > > >Aug 31 16:15:00 ares postfix/smtpd[14025]: TLS connection established from ausc60ps301.us.dell.com[143.166.148.206]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
            > > >Aug 31 16:15:00 ares postfix/smtpd[14025]: lost connection after STARTTLS from ausc60ps301.us.dell.com[143.166.148.206]
            ...
            > This client negotiated an anonymous cipher (ADH-AES256-SHA). It is
            > misconfigured because its cipher list allows anonymous ciphers, but it
            > aborts the connexion presumably for lack of a server certificate. A note
            > to postmaster@... (Bcc'd) is in order...

            Is perhaps a server-side workaround possible for main.cf to disable
            anonymous ciphers in smtpd?

            Wietse
          • Noel Jones
            Message 5 of 16 , Aug 31, 2006
              At 11:33 AM 8/31/2006, Wietse Venema wrote:
              > > > >Aug 31 16:15:00 ares postfix/smtpd[14025]: TLS connection established from ausc60ps301.us.dell.com[143.166.148.206]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
              > > > >Aug 31 16:15:00 ares postfix/smtpd[14025]: lost connection after STARTTLS from ausc60ps301.us.dell.com[143.166.148.206]
              >...
              > > This client negotiated an anonymous cipher (ADH-AES256-SHA). It is
              > > misconfigured because its cipher list allows anonymous ciphers, but it
              > > aborts the connexion presumably for lack of a server certificate. A note
              > > to postmaster@... (Bcc'd) is in order...
              >
              >Is perhaps a server-side workaround possible for main.cf to disable
              >anonymous ciphers in smtpd?
              >
              > Wietse


              # main.cf
              smtpd_tls_exclude_ciphers = aNULL

              seems to fix this particular client (just happened to get a
              mail seconds after I changed settings).


              --
              Noel Jones
            • Wietse Venema
              Message 6 of 16 , Aug 31, 2006
                Wietse:
                >Is perhaps a server-side workaround possible for main.cf
                >to disable
                >anonymous ciphers in smtpd?

                Noel Jones:
                > # main.cf
                > smtpd_tls_exclude_ciphers = aNULL
                >
                > seems to fix this particular client (just happened to get a
                > mail seconds after I changed settings).

                If this happens more often then we may want to make it the default.
                The purpose of Postfix is to deliver mail, not to punish sites with
                less than perfect implementations :-)

                Wietse
              • Victor Duchovni
                Message 7 of 16 , Aug 31, 2006
                  On Thu, Aug 31, 2006 at 12:33:28PM -0400, Wietse Venema wrote:

                  > > > >Aug 31 16:15:00 ares postfix/smtpd[14025]: TLS connection established from ausc60ps301.us.dell.com[143.166.148.206]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
                  > > > >Aug 31 16:15:00 ares postfix/smtpd[14025]: lost connection after STARTTLS from ausc60ps301.us.dell.com[143.166.148.206]
                  > ...
                  > > This client negotiated an anonymous cipher (ADH-AES256-SHA). It is
                  > > misconfigured because its cipher list allows anonymous ciphers, but it
                  > > aborts the connexion presumably for lack of a server certificate. A note
                  > > to postmaster@... (Bcc'd) is in order...
                  >
                  > Is perhaps a server-side workaround possible for main.cf to disable
                  > anonymous ciphers in smtpd?

                  Yes, but not currently on a per-client basis. Disabling anonymous ciphers
                  globally would be a shame, so perhaps this is a missing feature...
                  I hate removing working features in response to broken clients.

                  --
                  Viktor.

                  P.S. Morgan Stanley is looking for a New York City based, Senior Unix
                  system/email administrator to architect and sustain the Unix email
                  environment. If you are interested, please drop me a note.

                • Noel Jones
                  Message 8 of 16 , Aug 31, 2006
                    At 12:28 PM 8/31/2006, Wietse Venema wrote:
                    >Wietse:
                    > >Is perhaps a server-side workaround possible for main.cf to disable
                    > >anonymous ciphers in smtpd?
                    >
                    >Noel Jones:
                    > > # main.cf
                    > > smtpd_tls_exclude_ciphers = aNULL
                    > >
                    > > seems to fix this particular client (just happened to get a
                    > > mail seconds after I changed settings).
                    >
                    >If this happens more often then we may want to make it the default.
                    >The purpose of Postfix is to deliver mail, not to punish sites with
                    >less than perfect implementations :-)
                    >
                    > Wietse

                    From my log earlier today:
                    Aug 31 10:01:08 mgate2 postfix/smtpd[35883]: TLS connection
                    established from ausc60ps301.us.dell.com[143.166.148.206]:
                    TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
                    Aug 31 10:01:08 mgate2 postfix/smtpd[35883]: lost
                    connection after STARTTLS from
                    ausc60ps301.us.dell.com[143.166.148.206]

                    I notice that ADH-AES256-SHA is not listed in my "openssl
                    ciphers" list (no ADH-* ciphers at all). Could that be
                    part of the problem? I wonder if excluding ADH would work
                    in this case. I am ignorant of openssl workings...

                    After setting smtpd_tls_exclude_ciphers = aNULL:
                    Aug 31 12:01:37 mgate2 postfix/smtpd[37835]: TLS connection
                    established from ausc60ps301.us.dell.com[143.166.148.206]:
                    TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
                    Aug 31 12:01:40 mgate2 postfix/smtpd[37835]: DA05C797871:
                    client=ausc60ps301.us.dell.com[143.166.148.206]

                    we agree on a supported cipher and the transaction
                    continues normally...


                    --
                    Noel Jones
                  • Victor Duchovni
                    Message 9 of 16 , Aug 31, 2006
                      On Thu, Aug 31, 2006 at 12:54:45PM -0500, Noel Jones wrote:

                      > From my log earlier today:
                      > Aug 31 10:01:08 mgate2 postfix/smtpd[35883]: TLS connection
                      > established from ausc60ps301.us.dell.com[143.166.148.206]:
                      > TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
                      > Aug 31 10:01:08 mgate2 postfix/smtpd[35883]: lost
                      > connection after STARTTLS from
                      > ausc60ps301.us.dell.com[143.166.148.206]
                      >
                      > I notice that ADH-AES256-SHA is not listed in my "openssl
                      > ciphers" list (no ADH-* ciphers at all). Could that be
                      > part of the problem? I wonder if excluding ADH would work
                      > in this case. I am ignorant of openssl workings...

                      No, this is to be expected, the anonymous ciphers are not in
                      the "DEFAULT" cipherlist, but they are in the "ALL" cipherlist.
                      Try "openssl ciphers -v ALL" or "openssl ciphers -v aNULL".

                      Speculating a bit, the client most likely has a non-default
                      cipherlist that inadvertently includes anonymous ciphers even
                      though it does not support them. The TLS handshake succeeds,
                      but when the client tries to inspect the server cert it fails,
                      because there is no server cert.

                      > After setting smtpd_tls_exclude_ciphers = aNULL:
                      > Aug 31 12:01:37 mgate2 postfix/smtpd[37835]: TLS connection
                      > established from ausc60ps301.us.dell.com[143.166.148.206]:
                      > TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
                      > Aug 31 12:01:40 mgate2 postfix/smtpd[37835]: DA05C797871:
                      > client=ausc60ps301.us.dell.com[143.166.148.206]
                      >
                      > we agree on a supported cipher and the transaction
                      > continues normally...

                      The cipher is supported on your end, and in the client's TLS
                      library, but not in the client application logic...

                      --
                      Viktor.

                    • Victor Duchovni
                      Message 10 of 16 , Aug 31, 2006
                        On Thu, Aug 31, 2006 at 01:28:34PM -0400, Wietse Venema wrote:

                        > > smtpd_tls_exclude_ciphers = aNULL
                        > >
                        > > seems to fix this particular client (just happened to get a
                        > > mail seconds after I changed settings).
                        >
                        > If this happens more often then we may want to make it the default.
                        > The purpose of Postfix is to deliver mail, not to punish sites with
                        > less than perfect implementations :-)

                        Let's hope it is not much more than just this Dell host. Excluding
                        null ciphers is a blunt tool. It does help to clarify the issue, but
                        so long as the number of senders that get this wrong is very small,
                        it is IMHO preferable to disable STARTTLS as Noel suggested via
                        smtpd_discard_ehlo_keyword_address_maps, this addresses the problem
                        surgically.

                        --
                        Viktor.

                      • Wietse Venema
                        Message 11 of 16 , Aug 31, 2006
                          Victor Duchovni:
                          > On Thu, Aug 31, 2006 at 01:28:34PM -0400, Wietse Venema wrote:
                          >
                          > > > smtpd_tls_exclude_ciphers = aNULL
                          > > >
                          > > > seems to fix this particular client (just happened to get a
                          > > > mail seconds after I changed settings).
                          > >
                          > > If this happens more often then we may want to make it the default.
                          > > The purpose of Postfix is to deliver mail, not to punish sites with
                          > > less than perfect implementations :-)
                          >
                          > Let's hope it is not much more than just this Dell host. Excluding
                          > null ciphers is a blunt tool. It does help to clarify the issue, but
                          > so long as the number of senders that get this wrong is very small,
                          > it is IMHO preferable to disable STARTTLS as Noel suggested via
                          > smtpd_discard_ehlo_keyword_address_maps, this addresses the problem
                          > surgically.

                          This is fine as long as this is an isolated incident.

                          However, I am concerned about making successive Postfix versions
                          less inter-operable than their predecessors. If a problem is common
                          enough, then defaults would have to change, or workarounds would
                          have to be implemented that restore inter-operability (for example,
                          the PIX bug workarounds).

                          Wietse
                        • Victor Duchovni
                          Message 12 of 16 , Aug 31, 2006
                            On Thu, Aug 31, 2006 at 03:55:55PM -0400, Wietse Venema wrote:

                            > > Let's hope it is not much more than just this Dell host. Excluding
                            > > null ciphers is a blunt tool. It does help to clarify the issue, but
                            > > so long as the number of senders that get this wrong is very small,
                            > > it is IMHO preferable to disable STARTTLS as Noel suggested via
                            > > smtpd_discard_ehlo_keyword_address_maps, this addresses the problem
                            > > surgically.
                            >
                            > This is fine as long as this is an isolated incident.
                            >
                            > However, I am concerned about making successive Postfix versions
                            > less inter-operable than their predecessors. If a problem is common
                            > enough, then defaults would have to change, or workarounds would
                            > have to be implemented that restore inter-operability (for example,
                            > the PIX bug workarounds).
                            >

                            Yes, of course, however regrettable that may be.

                            --
                            Viktor.

                          • Noel Jones
                            Message 13 of 16 , Aug 31, 2006
                              At 03:19 PM 8/31/2006, Victor Duchovni wrote:
                              >On Thu, Aug 31, 2006 at 03:55:55PM -0400, Wietse Venema wrote:
                              >
                              > > > Let's hope it is not much more than just this Dell host. Excluding
                              > > > null ciphers is a blunt tool. It does help to clarify the issue, but
                              > > > so long as the number of senders that get this wrong is very small,
                              > > > it is IMHO preferable to disable STARTTLS as Noel suggested via
                              > > > smtpd_discard_ehlo_keyword_address_maps, this addresses the problem
                              > > > surgically.
                              > >
                              > > This is fine as long as this is an isolated incident.
                              > >
                              > > However, I am concerned about making successive Postfix versions
                              > > less inter-operable than their predecessors. If a problem is common
                              > > enough, then defaults would have to change, or workarounds would
                              > > have to be implemented that restore inter-operability (for example,
                              > > the PIX bug workarounds).
                              > >
                              >
                              >Yes, of course, however regrettable that may be.

                              I seem to get very few connections requesting anonymous cyphers.

                              I did "openssl ciphers -v aNULL" to get a list of anonymous
                              cyphers supported by my system, then grepped the last 30
                              days of log for evidence.
                              Total TLS connections: 5884 (OK, not a high traffic site...)
                              Total aNULL TLS connections (excluding 143.166.148.206): 1
                              The single aNULL instance was a postfix-users list member
                              with an off-list reply; it was received successfully. No
                              evidence of other TLS clients with connect/disconnect syndrome.

                              Someone with a wider variety of connections might want to
                              see what they have.

                              I used:
                              egrep 'smtpd.*TLS.*(EXP-AECDH-RC4-40-SHA|EXP-AECDH-DES-40-CBC-SHA|AECDH-DES-CBC3-SHA|AECDH-DES-CBC-SHA|AECDH-RC4-SHA|AECDH-NULL-SHA|ADH-AES256-SHA|ADH-AES128-SHA|ADH-DES-CBC3-SHA|ADH-DES-CBC-SHA|EXP-ADH-DES-CBC-SHA|ADH-RC4-MD5|EXP-ADH-RC4-MD5)' log*

                              I tend to agree with Viktor that this is a broken client
                              best handled with ehlo keyword maps.

                              --
                              Noel Jones
                            • Colin Campbell
                              Message 14 of 16 , Aug 31, 2006
                                Hi,

                                On Fri, 2006-09-01 at 07:11, Noel Jones wrote:
                                > At 03:19 PM 8/31/2006, Victor Duchovni wrote:
                                > >On Thu, Aug 31, 2006 at 03:55:55PM -0400, Wietse Venema wrote:
                                > >
                                > > > > Let's hope it is not much more than just this Dell host. Excluding
                                > > > > null ciphers is a blunt tool. It does help to clarify the issue, but
                                > > > > so long as the number of senders that get this wrong is very small,
                                > > > > it is IMHO preferable to disable STARTTLS as Noel suggested via
                                > > > > smtpd_discard_ehlo_keyword_address_maps, this addresses the problem
                                > > > > surgically.
                                > > >
                                > > > This is fine as long as this is an isolated incident.
                                > > >
                                > > > However, I am concerned about making successive Postfix versions
                                > > > less inter-operable than their predecessors. If a problem is common
                                > > > enough, then defaults would have to change, or workarounds would
                                > > > have to be implemented that restore inter-operability (for example,
                                > > > the PIX bug workarounds).
                                > > >
                                > >
                                > >Yes, of course, however regrettable that may be.
                                >
                                > I seem to get very few connections requesting anonymous cyphers.
                                >
                                > I did "openssl ciphers -v aNULL" to get a list of anonymous
                                > cyphers supported by my system, then grepped the last 30
                                > days of log for evidence.
                                > Total TLS connections: 5884 (OK, not a high traffic site...)
                                > Total aNULL TLS connections (excluding 143.166.148.206): 1
                                > The single aNULL instance was a postfix-users list member
                                > with an off-list reply; it was received successfully. No
                                > evidence of other TLS clients with connect/disconnect syndrome.
                                >
                                > Someone with a wider variety of connections might want to
                                > see what they have.

                                Counts for "TLS.. with cipher" from Internet for last 30 days.

                                5461 AES256-SHA
                                1600 DES-CBC3-SHA
                                267147 DHE-RSA-AES256-SHA
                                147295 EDH-RSA-DES-CBC3-SHA
                                538 EXP1024-RC4-SHA
                                1241 RC4-MD5
                                4824 RC4-SHA

                                None are in the anonymous list, which is:

                                ADH-AES128-SHA
                                ADH-AES256-SHA
                                ADH-DES-CBC3-SHA
                                ADH-DES-CBC-SHA
                                ADH-RC4-MD5
                                EXP-ADH-DES-CBC-SHA
                                EXP-ADH-RC4-MD5

                                Colin
                                --
                                Colin Campbell
                                Unix Support/Postmaster/Hostmaster
                                Citec
                                +61 7 3227 6334
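Noel's grep for anonymous-cipher handshakes (message 13) and Colin's per-cipher tally (message 14), as one added Python example that is not part of the thread: it parses Postfix smtpd log lines in the format shown above, counts negotiated ciphers, flags aNULL handshakes by cipher-name prefix, and pairs each handshake with a following "lost connection after STARTTLS" from the same smtpd process and client, which is the connect/disconnect syndrome discussed here. The hostnames, addresses and queue IDs in the embedded sample log are constructed.

```python
import re
from collections import Counter

# Anonymous (aNULL) suites carry no server certificate. Every name in the
# "openssl ciphers -v aNULL" list quoted in the thread starts with one of these.
ANON_PREFIXES = ("ADH-", "AECDH-", "EXP-ADH-", "EXP-AECDH-")

# Postfix logs the peer as hostname[address]; the lazy \S+? stops at the bracket.
CLIENT = r"(?P<client>\S+?\[[0-9A-Fa-f.:]+\])"
TLS_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: TLS connection established from "
                    + CLIENT + r": (?P<proto>\S+) with cipher (?P<cipher>\S+)")
LOST_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: lost connection after STARTTLS from "
                     + CLIENT)
DISC_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: disconnect from " + CLIENT)


def is_anonymous(cipher):
    """True for aNULL suites, i.e. handshakes with no server authentication."""
    return cipher.startswith(ANON_PREFIXES)


def analyze(lines):
    """Scan smtpd log lines and return (cipher_counts, anon_clients, dropped).

    cipher_counts -- Counter of negotiated cipher names (Colin's tally)
    anon_clients  -- Counter of clients that negotiated an aNULL cipher (Noel's grep)
    dropped       -- list of (client, cipher) for handshakes followed by
                     "lost connection after STARTTLS" from the same smtpd process
                     and client, i.e. the connect/disconnect syndrome
    """
    cipher_counts, anon_clients, dropped = Counter(), Counter(), []
    pending = {}  # smtpd pid -> (client, cipher) of its current TLS session
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            cipher_counts[m["cipher"]] += 1
            if is_anonymous(m["cipher"]):
                anon_clients[m["client"]] += 1
            pending[m["pid"]] = (m["client"], m["cipher"])
            continue
        m = LOST_RE.search(line)
        if m:
            session = pending.pop(m["pid"], None)
            if session and session[0] == m["client"]:
                dropped.append(session)
            continue
        m = DISC_RE.search(line)
        if m:
            # smtpd processes serve many connections; forget the session on a
            # normal disconnect so a later handshake on the same pid starts clean
            pending.pop(m["pid"], None)
    return cipher_counts, anon_clients, dropped


def suspect_clients(dropped):
    """Clients that abort right after negotiating an aNULL cipher: the candidates
    for a per-client smtpd_discard_ehlo_keyword_address_maps entry (the surgical
    fix from the thread) instead of a global smtpd_tls_exclude_ciphers = aNULL."""
    return Counter(client for client, cipher in dropped if is_anonymous(cipher))


# Constructed sample log in the format quoted in the thread (RFC 5737 addresses,
# made-up hostnames and queue IDs); pid 14025 is deliberately reused.
SAMPLE_LOG = """\
Aug 31 16:15:00 ares postfix/smtpd[14025]: TLS connection established from mta1.example.net[192.0.2.10]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug 31 16:15:00 ares postfix/smtpd[14025]: lost connection after STARTTLS from mta1.example.net[192.0.2.10]
Aug 31 16:15:00 ares postfix/smtpd[14025]: disconnect from mta1.example.net[192.0.2.10]
Aug 31 16:16:12 ares postfix/smtpd[14031]: TLS connection established from mta2.example.org[198.51.100.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 31 16:16:13 ares postfix/smtpd[14031]: 7A1B2C3D4E: client=mta2.example.org[198.51.100.7]
Aug 31 16:16:13 ares postfix/smtpd[14031]: disconnect from mta2.example.org[198.51.100.7]
Aug 31 16:17:40 ares postfix/smtpd[14025]: TLS connection established from mta3.example.com[203.0.113.5]: TLSv1 with cipher ADH-DES-CBC3-SHA (168/168 bits)
Aug 31 16:17:41 ares postfix/smtpd[14025]: 8B2C3D4E5F: client=mta3.example.com[203.0.113.5]
Aug 31 16:17:41 ares postfix/smtpd[14025]: disconnect from mta3.example.com[203.0.113.5]
Aug 31 16:18:02 ares postfix/smtpd[14040]: TLS connection established from mta1.example.net[192.0.2.10]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug 31 16:18:02 ares postfix/smtpd[14040]: lost connection after STARTTLS from mta1.example.net[192.0.2.10]
Aug 31 16:18:02 ares postfix/smtpd[14040]: disconnect from mta1.example.net[192.0.2.10]
"""


def main():
    counts, anon, dropped = analyze(SAMPLE_LOG.splitlines())
    print('Counts for "TLS.. with cipher":')
    for cipher, n in counts.most_common():
        flag = " (aNULL)" if is_anonymous(cipher) else ""
        print(f"  {n:6d} {cipher}{flag}")
    print("aNULL handshakes by client:", dict(anon))
    print("dropped after STARTTLS with aNULL cipher:", dict(suspect_clients(dropped)))


if __name__ == "__main__":
    main()
```

Note that mta3 in the sample negotiated an aNULL suite and then delivered normally, so it is counted by the grep but not listed as a suspect; only clients that also drop the connection warrant the per-client workaround.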
                              • Erich_Stokes@Dell.com
                                Message 15 of 16 , Aug 31, 2006
                                  A special Thanks to everyone on this thread.

                                  We mistakenly were offering anonymous ciphers which we did not support. This was a mis-configuration on our part.

                                  This has now been resolved on our outbound servers.

                                  Again sorry for the impact this caused.

                                  Erich Stokes
                                  System Engineer/Postmaster
                                  Dell
                                • Noel Jones
                                  Message 16 of 16 , Aug 31, 2006
                                    At 06:05 PM 8/31/2006, Colin Campbell wrote:
                                    >Counts for "TLS.. with cipher" from Internet for last 30 days.
                                    >
                                    > 5461 AES256-SHA
                                    > 1600 DES-CBC3-SHA
                                    > 267147 DHE-RSA-AES256-SHA
                                    > 147295 EDH-RSA-DES-CBC3-SHA
                                    > 538 EXP1024-RC4-SHA
                                    > 1241 RC4-MD5
                                    > 4824 RC4-SHA
                                    >
                                    >None are in the anonymous list, which is:

                                    Thanks. This shows that anonymous cyphers are not widely
                                    used. Maybe postfix 2.3 is the only MTA that will use
                                    anonymous cyphers?? Anyway, at this point it seems
                                    disabling them isn't necessary.

                                    I see that Dell fixed the offending host, so I guess this
                                    discussion is closed.

                                    --
                                    Noel Jones