Well that is disappointing. I fielded two reports within hours of each other of mail not arriving related to waiting for an email about employment. I found the explanation for one of them and wondered whether I had for both. It would seem not.

In answer to the question, maybe sort of: Remember how CRA had an issue with https and the Heartbleed attack last year? This prompted a bunch of tightening up of SSL services at CCN rejecting older versions of SSL and older ciphers within SSL. This might be what is happening from what the logs are reporting.

The logs report that when the DFO server connects it is unable to come to an agreement with us on a common set of supported ciphers. I remember having difficulty finding the handles to adjust to control of ciphers and SSL versions in Zmailer, and so I cannot find them in the configuration file now either to pull back on the paranoia. There was a great deal of pressure on the Tech Team to be able to pass the external validations that we were no longer vulnerable at the time, so I cannot rule out that things have been hard-coded into the binaries and that it would be greatly challenging to roll this back now that people are no longer paying such close attention. I had hoped to recruit someone on the tech team to take on finding a temporary workaround until I get back from my enforced limitation on the time I can put into this, but no one stepped forward.
If my diagnosis is correct this can be solved by

* Upgrading us to a newer and better mail transport software, which is what the tech team is working on instead of finding temporary workarounds (this may or may not help, since all it might do is provide the levers to lower the security on our SSL, something which is opposed by some members of the tech team). If I could re-find the levers to pull easily I would.

* Having the administrators of vsnsbiodmzedg01.dfo-mpo.gc.ca upgrade their SSL library and parameters to support a newer TLS/SSL and cipher suite, or continue the conversation when the STARTTLS fails and just send the message via plaintext.

I know our STARTTLS is not simply broken since office365 is able to deliver messages via it.

If you are opting for option 2, here is the log entry for their reference to see if they can find a workaround.

0LKyDWB0001# 000-connection from vsnsbiodmzedg01.dfo-mpo.gc.ca [205.194.26.55]:25661 on port 25 ipcnt 1 childs 13 pid 13697 ident: IDENT-NONSENSE
0LKyDWB0001# 000-Didn't find DNS A object: 55.26.194.205.zen.spamhaus.org.
0LKyDWB0001# 000-Didn't find DNS A object: 55.26.194.205.bl.spamcop.net.
0LKyDWB0001w 220 sec.smtp.chebucto.ns.Ca ZMailer Server 2.99.57 #1 ESMTP+IDENT ready at Tue, 27 Mar 2018 08:10:55 -0300
0LKyDWB0001r EHLO VSNSBIODMZEDG01.DFO-MPO.GC.CA
0LKyDWB0001w 250-sec.smtp.chebucto.ns.Ca Hello VSNSBIODMZEDG01.DFO-MPO.GC.CA
0LKyDWB0001w 250-SIZE 200000000
0LKyDWB0001w 250-8BITMIME
0LKyDWB0001w 250-PIPELINING
0LKyDWB0001w 250-CHUNKING
0LKyDWB0001w 250-ENHANCEDSTATUSCODES
0LKyDWB0001w 250-DSN
0LKyDWB0001w 250-X-RCPTLIMIT 150
0LKyDWB0001w 250-STARTTLS
0LKyDWB0001w 250-ETRN
0LKyDWB0001w 250 HELP
0LKyDWB0001r STARTTLS
0LKyDWB0001w 220 Ready to start TLS
0LKyDWB0001# 000-SSL_accept:error in SSLv2/v3 read client hello A
0LKyDWB0001# 000-SSL3 alert write:fatal:handshake failure
0LKyDWB0001# 000-SSL_accept:error in SSLv3 read client hello C
0LKyDWB0001# 000-SSL_accept:error in SSLv3 read client hello C
0LKyDWB0001# 000-SSL_accept error -1/1
0LKyDWB0001# 000-13697:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1087:
0LKyDWB0001# 000-SSL session removed
0LKyDWB0001# 000-TLS stopping; mode was: OFF

Now, given my interactions with mx.ssan.seg-egs.GC.CA, I cannot rule out that I never did find the appropriate lever and the problem is that we offer to talk SSL3 instead of rejecting unless they start with TLSv1, and rather than not make the request it is failing because it is allowed.

--------
Chris Maxwell
Chair, Technical Committee, Chebucto Community Net Society
cmaxwell@dal.ca, 902-494-1369

> On Mar 27, 2018, at 11:41 AM, Richard Bonner <ak621@chebucto.ns.ca> wrote:
>
>
> On Tue, 27 Mar 2018, Philip R. Greyson wrote:
>
>> Hi Richard and userhelp:
>>
>> Was there ever any resolution to this?
>
> *** Tech was working on it last week, but I don't have an update. I am CCing this to them.
>
>
>> I still don't receive any e-mail from my dfo-mpo.gc.ca account. I don't know whether all e-mails from Government servers are getting blocked.
>
> *** I will leave the above paragraph in so that CCN Tech will know to look specifically into government domains.
>
> Sorry for the issue.
>
> Richard Bonner
> Chebucto User Help
>
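The triage described in the message above, as an added example that is not part of this thread or of ZMailer: a small parser over ZMailer-style smtpserver log lines that groups them by session id and reports, per peer, whether STARTTLS was never attempted, completed, or failed with OpenSSL's "no shared cipher" (a cipher/protocol mismatch, the failure mode the log shows). The sample transcript, hostnames, addresses and sessions 2 and 3 are constructed; only the OpenSSL error line is taken from the log quoted above.

```python
import re

# Constructed sample in ZMailer smtpserver log style, modelled on the session quoted
# above: <session-id><kind> <text>; 'r' = read from peer, 'w' = written, '#' = note.
# Hostnames, addresses and sessions 2 and 3 are made up; the OpenSSL error line is real.
SAMPLE_LOG = """\
0LKyDWB0001# 000-connection from mail.example.test [192.0.2.10]:25661 on port 25
0LKyDWB0001r STARTTLS
0LKyDWB0001w 220 Ready to start TLS
0LKyDWB0001# 000-SSL_accept error -1/1
0LKyDWB0001# 000-13697:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1087:
0LKyDWB0001# 000-TLS stopping; mode was: OFF
0LKyDWB0002# 000-connection from relay.example.test [198.51.100.7]:40212 on port 25
0LKyDWB0002r STARTTLS
0LKyDWB0002w 220 Ready to start TLS
0LKyDWB0002r MAIL FROM:<someone@example.test>
0LKyDWB0003# 000-connection from legacy.example.test [203.0.113.9]:51000 on port 25
0LKyDWB0003r MAIL FROM:<other@example.test>
"""

LINE_RE = re.compile(r"^(?P<sid>\w+)(?P<kind>[rw#])\s+(?:000-)?(?P<text>.*)$")
# OpenSSL's packed error string: error:<hex code>:SSL routines:<function>:<reason>:...
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+)")

def classify_sessions(log_text):
    """Map each session id to its peer and TLS outcome: plaintext, tls-ok or handshake-failed."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        sid, kind, text = m.group("sid", "kind", "text")
        s = sessions.setdefault(sid, {"peer": None, "outcome": "plaintext", "reason": None})
        if kind == "#" and text.startswith("connection from "):
            s["peer"] = text.split()[2]
        elif kind == "r" and text.upper() == "STARTTLS":
            s["outcome"] = "tls-ok"  # downgraded below if the server then logs a handshake error
        elif kind == "#" and s["outcome"] != "plaintext":
            err = OPENSSL_ERR_RE.search(text)
            if "SSL_accept" in text and "error" in text:
                s["outcome"] = "handshake-failed"
            elif err:
                s["outcome"] = "handshake-failed"
                s["reason"] = f"{err['code']} {err['func']}: {err['reason']}"
    return sessions

def no_shared_cipher_peers(sessions):
    """Peers whose STARTTLS failed with OpenSSL's 'no shared cipher' (cipher/protocol mismatch)."""
    return [s["peer"] for s in sessions.values()
            if s["outcome"] == "handshake-failed" and "no shared cipher" in (s["reason"] or "")]
```

Peers listed by no_shared_cipher_peers are the ones to raise with the remote administrators (option 2 above); a peer classified as plaintext never asked for STARTTLS at all, which is a different conversation.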