Hi.

I have an OpenSMTPD server on OpenBSD 5.4 working fine; the configuration (/etc/mail/smtpd.conf) includes:

 listen on all port 465 smtps certificate example.com auth-optional

Sending email from Thunderbird, roundcubemail and an Android MUA works fine; however, I'm having problems sending email from an iPhone with its default MUA.
The failed connections from the iPhone reported in /var/log/maillog show:

Feb 24 15:31:32 www smtpd[20008]: smtp-in: New session 00000046b1672c2d from host 191.71.116.146 [191.71.116.146]
Feb 24 15:31:33 www smtpd[20008]: smtp-in: Bad input on session 00000046b1672c2d: 500 Pipelining not supported
Feb 24 15:31:33 www smtpd[20008]: smtp-in: Closing session 00000046b1672c2d
Feb 24 15:31:35 www smtpd[20008]: smtp-in: New session 00000047fd78e967 from host 191.71.116.146 [191.71.116.146]
Feb 24 15:31:36 www smtpd[20008]: smtp-in: Disconnecting session 00000047fd78e967: IO error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher


I wonder if the problem is with the ciphers that OpenSMTPD offers.
Following the procedure of
https://www.owasp.org/index.php/Testing_for_Weak_SSL/TSL_Ciphers,_Insufficient_Transport_Layer_Protection_(OWASP-EN-002)
with nmap --script ssl-cert,ssl-enum-ciphers -p 465 www.example.com

I can see the following list of ciphers:

Starting Nmap 6.25 ( http://nmap.org ) at 2014-02-24 15:16 COT
Nmap scan report for example.com (ip.ip.ip.ip)
Host is up (0.15s latency).
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-cert: Subject: commonName=www.example.com/organizationName=Example/stateOrProvinceName=Cundinamarca/countryName=co
| Issuer: commonName=www.example.com/organizationName=Example/stateOrProvinceName=Cundinamarca/countryName=co
| Public Key type: dsa
| Public Key bits: 1024
| Not valid before: 2010-11-08T13:43:04+00:00
| Not valid after:  2020-11-05T13:43:04+00:00
| MD5:   0b51 f652 8410 a427 8147 bc8f d917 e774
|_SHA-1: c12d fe2c bca9 c186 98cb 2392 c21b 02db af90 726f
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_DSS_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_DSS_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_DSS_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_DSS_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Could the problem be in the OpenSSL library? Even in OpenBSD-current it is still at version 1.0.0c, while the most recent is 1.0.0l.
Has anyone had this problem? Is the solution to upgrade OpenSSL?

Best regards.
--
God, thank you for your infinite love.
-- Vladimir Támara Patiño. http://vtamara.pasosdeJesus.org/
 http://www.pasosdejesus.org/dominio_publico_colombia.html
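
Added example, not part of the original post: a Python parser for the `ssl-enum-ciphers` output above that lists the suites per protocol, derives the authentication algorithm each suite name encodes, and checks a client's offer for overlap, since an empty intersection is what the server logs as "no shared cipher". The `CLIENT` set is a constructed, hypothetical offer, not a captured iPhone ClientHello.

```python
import re

# Constructed sample: trimmed from the ssl-enum-ciphers output in the post.
SAMPLE = """\
|   SSLv3:
|     ciphers:
|       TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_DSS_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_DSS_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 - strong
|_  least strength: strong
"""
# Hypothetical client offer (constructed, NOT a captured iPhone ClientHello).
CLIENT = {"TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}

PROTO = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):")
SUITE = re.compile(r"^\|\s+((?:TLS|SSL)_\w+) - \w+")

def parse_enum_ciphers(text):
    """Return {protocol: [suite, ...]} from ssl-enum-ciphers output."""
    offered, proto = {}, None
    for line in text.splitlines():
        if m := PROTO.match(line):
            proto = m.group(1)
            offered[proto] = []
        elif proto and (m := SUITE.match(line)):
            offered[proto].append(m.group(1))
    return offered

def auth_algorithm(suite):
    """Authentication part of a suite name: TLS_DHE_DSS_WITH_... -> 'DSS'."""
    # The last token before _WITH_ names the certificate key type the suite needs.
    return suite.split("_WITH_")[0].split("_")[-1]

def server_auth(offered):
    """Set of authentication algorithms across everything the server offers."""
    return {auth_algorithm(s) for suites in offered.values() for s in suites}

def shared(offered, client):
    """Per protocol, suites both sides support; an empty list means no shared cipher."""
    return {p: [s for s in suites if s in client] for p, suites in offered.items()}

if __name__ == "__main__":
    offered = parse_enum_ciphers(SAMPLE)
    print("server authentication algorithms:", sorted(server_auth(offered)))
    for proto, suites in shared(offered, CLIENT).items():
        print(proto, "->", suites or "no shared cipher")
```
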
