On Sat, Sep 13, 2014 at 11:47:07AM +1000, Dmitry Smirnov wrote:
> > What cipher suite is configured inside the exim configuration?
>
> I'm not sure where to find this information... Whatever the cipher settings
> are, they would be the default for Wheezy. As far as I'm aware there were
> no cipher customisations on the server side.

That may be the problem; as far as I have read, the exim package has to be
configured to use ciphers if it gets communication via TLS. I found an
article on serverfault.com that gives some background information on that
and on cipher suites as well.

http://serverfault.com/questions/615855/exim-after-thunderbird-update-could-not-negotiate-a-supported-cipher-suite

But I don't know how exactly to configure an exim setup, so I can't give
better hints there. Maybe we should involve the Exim maintainers too. I have
added them to the CC list; hopefully they can also give some hints on where
to look.

@Andreas Metzler and Marc Haber

Dmitry gets various messages in the exim log while trying to send mails from
Icedove 31 with TLS enabled:

> TLS error on connection from [...]
> (gnutls_handshake): Could not negotiate a supported cipher suite.

This looks to me like a misconfigured exim configuration. Can you please shed
some light on this error message?

> > Please also read this article to see which cipher suites Mozilla is
> > supporting
> > https://wiki.mozilla.org/Security/Server_Side_TLS
>
> Thanks but I know little about TLS and I don't understand how it can be
> helpful in my case...

Well, Mozilla has removed the support for weaker cipher suites in
Thunderbird >= 31, and I think this plus the exim config together result in
non-working communication between Icedove and Exim.

> > What kind of CA are you using? If it is an md5 signature you have to use
> > another, non-md5-hashed certificate.
>
> cacert.org.
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Signature Algorithm: sha512WithRSAEncryption
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)

CAcert was removed from the CA list inside Debian, but this does not belong
to your report I think. Also the signature is not done with md5.

> > Have you checked your settings for security.tls.version.min and
> > security.tls.version.max? The *.min should be 0 and *.max should be 3,
> > if not your client will not support all versions of SSL/TLS.
> > http://kb.mozillazine.org/Security.tls.version.*
>
> Where are those settings? Anyway I've never touched them...

That's explained at the top of the website. ;)
http://kb.mozillazine.org/Editing_configuration

These settings are inside Icedove; you get to the configs via Tools -> Options
-> Advanced -> General and press the "Config Editor..." button.

Please play around with the security.tls.version.max option; with a setting
of "1" you tell Icedove to explicitly use a weak cipher suite.

> > I strongly believe this report is not an Icedove/Thunderbird related
> > problem.
>
> I disagree. Otherwise how would you explain why the downgrade of icedove
> fixed the problem?
> If icedove from Jessie can't talk to an SMTP server on Wheezy it is a
> serious regression on the client side, i.e. in Icedove.

I agree it's a user regression, but I still believe you have a
misconfiguration on the server side. I work on various clients with
Icedove/Thunderbird >= 31 against T-Online (a really big ISP in Germany),
Google and my own root server running exim 4.72, without any changes to my
Icedove settings. So until now I disagree that this issue is Icedove
related. But yes, I could be wrong.

Regards
Carsten

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
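A practical first step in a dispute like the one above (is it the exim cipher configuration or the Icedove 31 client?) is to probe the server directly, one TLS version at a time, and see which handshakes complete and which cipher GnuTLS picks. The script below is an added example for this page, not code from the bug report, from Exim or from Icedove; it assumes the OpenSSL command-line client is installed on the machine running it, and takes the mail server's host and port as arguments (defaulting to port 25 with STARTTLS), neither of which come from the report.

```shell
#!/bin/sh
# Probe which TLS protocol versions an SMTP server completes a STARTTLS
# handshake for, and which cipher suite it negotiates for each.
# Added example; assumes `openssl s_client` is available locally.

# Reduce the verbose s_client output to "<protocol> <cipher>", or "FAILED"
# when no session was established (s_client then reports cipher 0000/(NONE)).
summarize_handshake() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (cipher == "" || cipher == "0000" || cipher == "(NONE)")
                print "FAILED"
            else
                print proto, cipher
        }'
}

# One STARTTLS handshake restricted to a single protocol version.
# $1 = host, $2 = port, $3 = s_client version flag (-tls1, -tls1_1, -tls1_2, -tls1_3)
# QUIT is sent on stdin so the session ends cleanly once the handshake is done.
probe_version() {
    host=$1 port=$2 flag=$3
    printf 'QUIT\r\n' \
        | openssl s_client -connect "$host:$port" -starttls smtp "$flag" 2>/dev/null \
        | summarize_handshake
}

# Walk every protocol version the local openssl knows and print one line each.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
}

# Usage: ./probe-starttls.sh mail.example.org [port]
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -ge 1 ]; then
    probe_all "$1" "${2:-25}"
fi
```

A line reading `-tls1_2 FAILED` while the same server answers `-tls1 TLSv1 AES128-SHA` points at the server side (it cannot agree on anything a TLS 1.2 client proposes); a server that completes TLS 1.2 with an ECDHE suite points back at the client. One caveat: OpenSSL builds from recent years refuse TLS 1.0 and 1.1 themselves at the default security level, so a `FAILED` for `-tls1` or `-tls1_1` may be the probing client's own policy rather than the server's; the 1.2 and 1.3 rows are the ones to trust on a modern workstation.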