TLS Issue on OpportunisticInsecure

quintessential-camel · August 20, 2024, 2:45pm

Hello,

I’m running latest kumomta version on a prod. system and getting the following error:

version: 2024.06.10.070026.84e84b89 amd64 A high performance, modern MTA

shaping.toml is enable_tls=OpportunisticInsecure

openssl output: openssl s_client --bind 185.98.184.31 -starttls smtp -crlf -connect mx2.jimdo.com:25 CONNECTED(00000003) depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority verify return:1 depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA verify return:1 depth=0 CN = mx2.emailsrvr.com
=> output seams correct
message.txt (21.3 KB)
message.txt (21.3 KB)
message.txt (21.3 KB)
message.txt (21.3 KB)
message.txt (21.3 KB)
message.txt (21.3 KB)

wez · August 20, 2024, 3:03pm

HandshakeFailure indicates that the client and server could not agree on a common set of ciphers.

When using the default rustls TLS implementation, the cause of this is typically that the remote system is using legacy cipher suites that are not recommended for modern use.

OpportunisticInsecure TLS mode will not fall back to plain text after a failure to negotiate a connection because it is not always possible to do without opening a new connection, which can harm reputation.

In -dev builds, the error that you will see looks like this, with directive advice:

KumoMTA internal: failed to connect to any candidate hosts: All failures are related to OpportunisticInsecure STARTTLS. Consider setting enable_tls=Disabled for this site

You have a couple of options in this sort of situation:

Explicitly disable TLS for the destination, as recommended by the log entry. It’s no great loss because the possible ciphers are not sufficient for the modern internet.
Consider employing a shaping automation rule that will automatically set up option 1 for you, ready for the next attempt. Something like this will do that job; note that you need to be running a -dev build for this to work:

[["default".automation]]
regex="KumoMTA internal: failed to connect to any candidate hosts: All failures are related to OpportunisticInsecure STARTTLS. Consider setting enable_tls=Disabled for this site"
action = {SetConfig={name="enable_tls", value="Disabled"}}
duration = "30 days"

Also available to -dev builds, is the new tls_prefer_openssl option that can switch to the openssl backend. That may help you to handshake with these problematic sites, but you’re trading in some other compatibility and potential security pitfalls. If you opt to use this, you must ensure that you have configured an appropriate set of ciphers via the other new openssl related options.

wez · August 20, 2024, 3:24pm

FWIW, I just pushed a commit to make that automation rule part of the default shaping configuration in -dev builds

quintessential-camel · August 20, 2024, 3:29pm

Wow, ty for your support, i will give it a try and report if it will work

quintessential-camel · August 20, 2024, 7:02pm

just fyi: I changed for the latest stable version the following regex: "KumoMTA internal: failed to connect to any candidate hosts: .* after OpportunisticInsecure STARTTLS handshake",

quintessential-camel · August 20, 2024, 7:03pm

seams to work pretty well thank you for your hint, it that what i needed