
Comments (3)

albertito commented on June 13, 2024

Thanks for reporting this!

I've just received an email with no cipher overlap, so the email was rejected. The logged message was:

 STARTTLS failed: 554  5.5.0 Error in TLS handshake: tls: no cipher suite supported by both client and server

Afterwards, I ran chasquid-util domaininfo-remove <domain>, which let the next email come through (I assume, as PLAIN).

This is very strange, because the security level check happens after STARTTLS (it is done when processing the MAIL FROM command). So it does not really affect STARTTLS at all, and running domaininfo-remove shouldn't have made a difference.

Are you sure it wasn't a normal client-side retry without STARTTLS that made it work?

I will try to do a test to reproduce this, just in case.

Would it be possible to:

> 1. Log the ciphers supported by the remote side

If this doesn't introduce a lot of complexity, sure! I need to look into the tls code to check how difficult it is to get this information.

I'll keep this issue open to look into this and will reply once I have given this a try :)

> 1. Expose a way to enable certain ciphers

While that would be an improvement in some scenarios, it also introduces complexity and risk of accidental misuse. Go's TLS defaults are generally very well managed, and I am worried about making things too easy to misconfigure in insecure ways.

Considering chasquid's goals and general approach to configuration, I think having such an option is not a good idea in this particular case.

Thank you!

from chasquid.
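As an added illustration of the "log the ciphers supported by the remote side" request (example code, not chasquid's own): Go's crypto/tls hands the server a tls.ClientHelloInfo through Config.GetConfigForClient before any suite is chosen, so what the peer offered can be logged even when the handshake then fails with "no cipher suite supported by both client and server". The names tlsVersionName, classifyOffered, describeClientHello and loggingTLSConfig are my own, and the ClientHello built in main is constructed sample data, not a real capture.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"log"
	"strings"
)

// tlsVersionName renders the protocol versions a client advertises.
// (tls.VersionName only exists in Go 1.21+, so it is done by hand here.)
func tlsVersionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS1.0"
	case tls.VersionTLS11:
		return "TLS1.1"
	case tls.VersionTLS12:
		return "TLS1.2"
	case tls.VersionTLS13:
		return "TLS1.3"
	}
	return fmt.Sprintf("0x%04X", v)
}

// OfferedSuites splits what a client offered into suites Go enables by
// default, suites Go implements but classifies as insecure, and IDs Go
// does not implement at all. A sender that lands only in Insecure or
// Unknown is exactly the "no cipher suite supported" case.
type OfferedSuites struct {
	Secure, Insecure, Unknown []string
}

func classifyOffered(hi *tls.ClientHelloInfo) OfferedSuites {
	secure := map[uint16]bool{}
	for _, cs := range tls.CipherSuites() {
		secure[cs.ID] = true
	}
	insecure := map[uint16]bool{}
	for _, cs := range tls.InsecureCipherSuites() {
		insecure[cs.ID] = true
	}
	var out OfferedSuites
	for _, id := range hi.CipherSuites {
		name := tls.CipherSuiteName(id) // hex string for IDs Go does not know
		switch {
		case secure[id]:
			out.Secure = append(out.Secure, name)
		case insecure[id]:
			out.Insecure = append(out.Insecure, name)
		default:
			out.Unknown = append(out.Unknown, name)
		}
	}
	return out
}

// describeClientHello renders a one-line summary suitable for a server log.
func describeClientHello(hi *tls.ClientHelloInfo) string {
	addr := "?"
	if hi.Conn != nil {
		addr = hi.Conn.RemoteAddr().String()
	}
	versions := make([]string, 0, len(hi.SupportedVersions))
	for _, v := range hi.SupportedVersions {
		versions = append(versions, tlsVersionName(v))
	}
	o := classifyOffered(hi)
	return fmt.Sprintf("ClientHello from %s: versions=[%s] secure=[%s] insecure=[%s] unknown=[%s]",
		addr, strings.Join(versions, " "), strings.Join(o.Secure, " "),
		strings.Join(o.Insecure, " "), strings.Join(o.Unknown, " "))
}

// loggingTLSConfig wraps a server config so every handshake logs what the
// peer offered before Go picks (or fails to pick) a suite. Returning a nil
// config keeps the original one unchanged, so nothing about negotiation
// is weakened.
func loggingTLSConfig(base *tls.Config) *tls.Config {
	cfg := base.Clone()
	cfg.GetConfigForClient = func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
		log.Print(describeClientHello(hi))
		return nil, nil
	}
	return cfg
}

func main() {
	// Constructed ClientHello resembling a legacy sender that only offers
	// an RC4 suite and one ID Go does not implement; sample data only.
	hi := &tls.ClientHelloInfo{
		SupportedVersions: []uint16{tls.VersionTLS10},
		CipherSuites:      []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, 0x0010},
	}
	fmt.Println(describeClientHello(hi))
	_ = loggingTLSConfig(&tls.Config{})
}
```

Because GetConfigForClient runs on the ClientHello, the log line is produced for the failed STARTTLS as well as for successful handshakes; on a successful connection the suite actually chosen is also available afterwards from Conn.ConnectionState().CipherSuite.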

DavidVentura commented on June 13, 2024

The entire log I got for the transaction was:

May 15 15:07:54 _ conn.go:251        SMTP.Conn xxx.xxx.xxx.129:58698: error: STARTTLS failed: 554  5.5.0 Error in TLS handshake: tls: no cipher suite supported by both client and server
May 15 15:07:54 _ conn.go:270        SMTP.Conn xxx.xxx.xxx.129:58698: error: exiting with error: read tcp xxxxxxxxx.60:25->xxx.xxx.xxx.129:58698: read: connection reset by peer
May 15 15:07:55 _ domaininfo.go:99   DomainInfo /var/lib/chasquid/domaininfo: error: xxxxxxx.com incoming denied: PLAIN < TLS_CLIENT
May 15 15:07:55 _ conn.go:475        SMTP.Conn xxx.xxx.xxx.129:60994: error: security level check for xxxxxxx.com failed (PLAIN)
May 15 15:07:55 _ conn.go:251        SMTP.Conn xxx.xxx.xxx.129:60994: error: MAIL failed: 550  5.7.3 Security level check failed
May 15 15:07:55 xxx.xxx.xxx.129:60994 rejected [email protected] - security level check failed

Which I read as:

  • Sender tried to use STARTTLS, failed due to no cipher overlap
  • Sender downgrades to PLAIN
  • Sender had previously sent TLS email, so PLAIN is rejected

My understanding is that running domaininfo-remove fixed the downgrade aspect of the issue.

The idea with enabling 'bad' ciphers was that "bad cipher" >> PLAIN.


albertito commented on June 13, 2024

> The entire log I got for the transaction was:
>
> May 15 15:07:54 _ conn.go:251        SMTP.Conn xxx.xxx.xxx.129:58698: error: STARTTLS failed: 554  5.5.0 Error in TLS handshake: tls: no cipher suite supported by both client and server
> May 15 15:07:54 _ conn.go:270        SMTP.Conn xxx.xxx.xxx.129:58698: error: exiting with error: read tcp xxxxxxxxx.60:25->xxx.xxx.xxx.129:58698: read: connection reset by peer
> May 15 15:07:55 _ domaininfo.go:99   DomainInfo /var/lib/chasquid/domaininfo: error: xxxxxxx.com incoming denied: PLAIN < TLS_CLIENT
> May 15 15:07:55 _ conn.go:475        SMTP.Conn xxx.xxx.xxx.129:60994: error: security level check for xxxxxxx.com failed (PLAIN)
> May 15 15:07:55 _ conn.go:251        SMTP.Conn xxx.xxx.xxx.129:60994: error: MAIL failed: 550  5.7.3 Security level check failed
> May 15 15:07:55 xxx.xxx.xxx.129:60994 rejected [email protected] - security level check failed
>
> Which I read as:
>
>   • Sender tried to use STARTTLS, failed due to no cipher overlap
>   • Sender downgrades to PLAIN
>   • Sender had previously sent TLS email, so PLAIN is rejected
>
> My understanding is that running domaininfo-remove fixed the downgrade aspect of the issue.

Oh! Then yes, you're absolutely correct.

And just to be super clear: that "Sender had previously sent TLS email, so PLAIN is rejected" is not due to the failed STARTTLS attempt, but a successful STARTTLS at some point in the past.

Do you know anything about the sender? What software they're using? What build/release?

Also what chasquid version are you using, and what Go version was used to build it (if you know)?

> The idea with enabling 'bad' ciphers was that "bad cipher" >> PLAIN.

In this case, allowing a bad cipher could let an attacker do connection downgrading.

One possibility would be to allow all insecure ciphers, and in the connection tracking have a new "TLS_CLIENT_INSECURE" for when they're used. I'll look into this, although in this case it seems like it wouldn't have prevented the rejection (assuming you saw a successful secure connection before, chasquid would still prevent the downgrade).

Thank you!

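To make the sequence discussed in this thread concrete (the per-domain security level check at MAIL FROM time, the effect of domaininfo-remove, and why a hypothetical TLS_CLIENT_INSECURE level would not have avoided this particular rejection), here is an added model of that bookkeeping in Go. It is example code written for this page, not chasquid's own domaininfo implementation: the ordering PLAIN < TLS_CLIENT comes from the log line above, TLS_CLIENT_INSECURE is the proposal from the comment and is marked hypothetical, and the domain name sender.example and the type and function names are mine.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// SecLevel orders how strong an incoming connection from a sending domain
// was. PLAIN < TLS_CLIENT matches the "PLAIN < TLS_CLIENT" denial in the
// log above; TLS_CLIENT_INSECURE is the hypothetical level floated in the
// thread for handshakes that used a cipher Go classifies as insecure.
type SecLevel int

const (
	PLAIN SecLevel = iota
	TLS_CLIENT_INSECURE // hypothetical; not a level chasquid has today
	TLS_CLIENT
)

func (l SecLevel) String() string {
	switch l {
	case PLAIN:
		return "PLAIN"
	case TLS_CLIENT_INSECURE:
		return "TLS_CLIENT_INSECURE"
	case TLS_CLIENT:
		return "TLS_CLIENT"
	}
	return fmt.Sprintf("SecLevel(%d)", int(l))
}

// ErrDowngrade is returned when a domain arrives weaker than it has before.
var ErrDowngrade = errors.New("security level check failed")

// DomainInfo remembers the strongest level seen per sending domain.
type DomainInfo struct {
	mu   sync.Mutex
	best map[string]SecLevel
}

func NewDomainInfo() *DomainInfo {
	return &DomainInfo{best: make(map[string]SecLevel)}
}

// IncomingCheck models the check done when MAIL FROM is processed, i.e.
// after STARTTLS has already succeeded or failed: a connection weaker than
// the domain's recorded best is rejected, otherwise the level is recorded
// (raising the record if this connection is stronger).
func (d *DomainInfo) IncomingCheck(domain string, lvl SecLevel) error {
	d.mu.Lock()
	defer d.mu.Unlock()
	prev, seen := d.best[domain]
	if seen && lvl < prev {
		return fmt.Errorf("%s incoming denied: %s < %s: %w", domain, lvl, prev, ErrDowngrade)
	}
	d.best[domain] = lvl // first sighting, or lvl >= prev
	return nil
}

// Remove forgets a domain, as `chasquid-util domaininfo-remove <domain>` does.
func (d *DomainInfo) Remove(domain string) {
	d.mu.Lock()
	defer d.mu.Unlock()
	delete(d.best, domain)
}

// Best reports the recorded level and whether the domain is known at all.
func (d *DomainInfo) Best(domain string) (SecLevel, bool) {
	d.mu.Lock()
	defer d.mu.Unlock()
	l, ok := d.best[domain]
	return l, ok
}

// Step records whether one delivery attempt in the replay was accepted.
type Step struct {
	Name     string
	Accepted bool
}

// replayThread walks through the events described in the issue for a
// constructed domain and reports the outcome of each delivery attempt.
func replayThread() []Step {
	const dom = "sender.example" // constructed name
	di := NewDomainInfo()
	var steps []Step
	// 1. Some earlier delivery negotiated STARTTLS fine; TLS_CLIENT is recorded.
	steps = append(steps, Step{"earlier STARTTLS delivery", di.IncomingCheck(dom, TLS_CLIENT) == nil})
	// 2. STARTTLS fails on cipher overlap. The connection never reaches
	//    MAIL FROM, so nothing is checked and nothing is recorded.
	// 3. The sender retries without TLS: PLAIN < TLS_CLIENT, so it is denied.
	steps = append(steps, Step{"retry as PLAIN", di.IncomingCheck(dom, PLAIN) == nil})
	// 4. The operator runs domaininfo-remove; the next PLAIN delivery passes.
	di.Remove(dom)
	steps = append(steps, Step{"PLAIN after domaininfo-remove", di.IncomingCheck(dom, PLAIN) == nil})
	// 5. Even with the hypothetical insecure-cipher level, a domain that has
	//    a TLS_CLIENT history would still be refused a weaker connection.
	di2 := NewDomainInfo()
	_ = di2.IncomingCheck(dom, TLS_CLIENT)
	steps = append(steps, Step{"insecure cipher after TLS_CLIENT history", di2.IncomingCheck(dom, TLS_CLIENT_INSECURE) == nil})
	return steps
}

func main() {
	for _, s := range replayThread() {
		fmt.Printf("%-42s accepted=%v\n", s.Name, s.Accepted)
	}
}
```

The model makes the two points in the thread visible: the rejection is caused by the stored TLS_CLIENT record from an earlier successful STARTTLS, not by the failed handshake itself, and removing the record is what lets the PLAIN retry through.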
