BlueOnyx updates: base-email (round 2)

Posted by: mstauber Category: General

Updated base-email RPMs have been released for all BlueOnyx versions. That should solve connectivity issues with older mail servers.

A couple of days ago we published updated base-email RPMs for all BlueOnyx versions. This was done in response to the Logjam attacks and other ill side effects of the "Crypto-Calypse". That update disabled SSLv3 in Sendmail (keeping only TLS active) and disabled weak ciphers.

But it appears we painted with an awfully wide brush when disabling the ciphers.

While our changes were sensible and produced a nicely secured mailserver, they also raised problems for some users, who were now unable to send or receive emails when the communication partner was on an old, outdated or badly configured email server.

Take two typical examples: a really old Microsoft Exchange server or an original Cobalt RaQ (yeah, surprised me as well!). Emails originating there or terminating at these derelict boxes would fail as soon as they hit a BlueOnyx, because the crypto ciphers that our Sendmail now offered were all unsupported by these ancient boxes.

After some digging (which is outlined in full detail on the BlueOnyx mailing list) I came to the sad conclusion that we (at the minimum) must offer the ciphers TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5.

So we now offer these two (pretty bad) ciphers as well, as a total last resort for outdated mail servers that we might still need to talk to.

The exact code changes (and their implications) are outlined in SVN as well.

If you are still experiencing email delivery problems, then please do a "yum update" and be sure to either restart CCEd (/sbin/service cced.init restart) or run the script /usr/sausalito/constructor/base/email/ instead of restarting CCEd once the base-email update is installed.


Jun 16, 2015 Category: General Posted by: mstauber