Re: [swinog] Bluewin SMTP server reachable from outside bluewin/swisscom?

2021-03-11 Diskussionsfäden Jeroen Massar
Follow-up: do not test with new tools.

So, as a few folks pointed me off-list rightly to it.. but my brain did not 
click to this old issue... it is all because of the short key.

I think it was discussed on swinog before, but I'll add it again, as I found 
the ticket where I reminded myself about it but that was from July 2019...

Due to the logjam attack OpenSSL (especially on Debian) disabled DH keys <= 
1024 bytes.
https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
https://lists.debian.org/debian-lts-announce/2015/06/msg00013.html

8<
Additionally OpenSSL will now reject handshakes using DH parameters
shorter than 768 bits as a countermeasure against the Logjam attack
(CVE-2015-4000).
-->8

(Yes, it is 2021 today, that is from 2015)


Thus if you want to test if that server works, disabling DH avoids it:

openssl s_client -cipher 'DEFAULT:!DH' -connect smtpauths.bluewin.ch:587 
-starttls smtp


So reminder, if you properly run new tools, you might have to work around 
servers that are still in planning of upgrading.

And in the end the origin of the issue was a DNS issue caused by a route 
reflection issue causing a variety of routes not to be available and yes, then 
things do not work as excepted... it is always DNS, except when it is IP :)


PS: This seems unrelated to the IPv6 issue with the F5, even though it appears 
both systems run behind an F5.

Greets,
 Jeroen


--

Sidenote, without directly doing the starttls, your connection will be dropped 
too:

$ openssl s_client -cipher 'DEFAULT:!DH' -connect smtpauths.bluewin.ch:587
CONNECTED(0003)
140142292489536:error:1408F10B:SSL routines:ssl3_get_record:wrong version 
number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 298 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

With starttls it will work. timing is key too...

$ openssl s_client -cipher 'DEFAULT:!DH' -connect smtpauths.bluewin.ch:587 
-starttls smtp
CONNECTED(0003)
depth=2 C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
verify return:1
depth=1 C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
verify return:1
depth=0 C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = IT, 
CN = smtpauths.bluewin.ch
verify return:1
---
Certificate chain
 0 s:C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = IT, CN 
= smtpauths.bluewin.ch
   i:C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
 1 s:C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
   i:C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
---
Server certificate
-BEGIN CERTIFICATE-
MIIH2jCCBsKgAwIBAgIUGEfAQSLKDtSxeCCekVh0nFmkCOEwDQYJKoZIhvcNAQEL
BQAwUjELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEsMCoGA1UE
AxMjU3dpc3NTaWduIFNlcnZlciBHb2xkIENBIDIwMTQgLSBHMjIwHhcNMTkwODA4
MDg0NDAxWhcNMjEwODA4MDg0NDAxWjB9MQswCQYDVQQGEwJDSDENMAsGA1UECBME
QmVybjETMBEGA1UEBxMKV29yYmxhdWZlbjEeMBwGA1UEChMVU3dpc3Njb20gKFNj
aHdlaXopIEFHMQswCQYDVQQLEwJJVDEdMBsGA1UEAxMUc210cGF1dGhzLmJsdWV3
aW4uY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJuFh6Yc/73bmW
Lyedte6kZQ56Q5XGsaKFtZmXWZXqYFmlPrlZ/vKYpTT712DCwOklcpd7/CrjPFwN
OhVL1aAsfr5UwfrBfFtE0pRsiUl/o3I/6NyfU1FobEVO8xnBhDKaOQOJlwZwndyR
GQLz6I1wsddJeh/puh4KvIl3vHq0ge8igZFTG2MuXIsayPUOWpdrbLuvebiaDfMw
FuJCtgkiSfhi9wRDLVkmXJF+q9+n/6FdJcr8+SgF+oiz2koXhSt/dVjrfrz+rL9/
5dZz9h8JT6X/sLG56SyVpOV4Mmzgq72afizutwtGHobygMqYyusW5GfwZJPqX+cb
BhiBmvNFAgMBAAGjggR7MIIEdzA4BgNVHREEMTAvghRzbXRwYXV0aHMuYmx1ZXdp
bi5jaIIXc210cGF1dGhzLmxiLmJsdWV3aW4uY2gwDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQURQnYL5/oRqKp
p2+CnXirj1TyDCMwHwYDVR0jBBgwFoAU5/Hn/S5TrRHlgRpXpHOPEn2YyK4wgf8G
A1UdHwSB9zCB9DBHoEWgQ4ZBaHR0cDovL2NybC5zd2lzc3NpZ24ubmV0L0U3RjFF
N0ZEMkU1M0FEMTFFNTgxMUE1N0E0NzM4RjEyN0Q5OEM4QUUwgaiggaWggaKGgZ9s
ZGFwOi8vZGlyZWN0b3J5LnN3aXNzc2lnbi5uZXQvQ049RTdGMUU3RkQyRTUzQUQx
MUU1ODExQTU3QTQ3MzhGMTI3RDk4QzhBRSUyQ089U3dpc3NTaWduJTJDQz1DSD9j
ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz
dHJpYnV0aW9uUG9pbnQwcwYDVR0gBGwwajBUBglghXQBWQECAQswRzBFBggrBgEF
BQcCARY5aHR0cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS9Td2lzc1NpZ24t
R29sZC1DUC1DUFMucGRmMAgGBgQAj3oBBzAIBgZngQwBAgIwgdUGCCsGAQUFBwEB
BIHIMIHFMGQGCCsGAQUFBzAChlhodHRwOi8vc3dpc3NzaWduLm5ldC9jZ2ktYmlu
L2F1dGhvcml0eS9kb3dubG9hZC9FN0YxRTdGRDJFNTNBRDExRTU4MTFBNTdBNDcz
OEYxMjdEOThDOEFFMF0GCCsGAQUFBzABhlFodHRwOi8vZ29sZC1zZXJ2ZXItZzIu
b2NzcC5zd2lzc3NpZ24ubmV0L0U3RjFFN0ZEMkU1M0FEMTFFNTgxMUE1N0E0NzM4
RjEyN0Q5OEM4QUUwggF7BgorBgEEAdZ5AgQCBIIBawSCAWcBZQB1AESUZS6w7s6v
xEAH2Kj+KMDa5oK+2MsxtT/TM5a1toGoAAABbHBmPNYAAAQDAEYwRAIgCvjTT2sR
PgoaHtOiCqmh1oERGFsdlSEy01a/da2WgxQCIAXM1dSNyXhiWTLGGKlg7fYjsVEx
Ed/WM6NYSh0AJPK+AHYAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMA
AAFscGY9CQAABAMARz

Re: [swinog] Bluewin SMTP server reachable from outside bluewin/swisscom?

2021-03-11 Diskussionsfäden Jeroen Massar

On 2021-03-11 11:46, Jeroen Massar wrote:
So apparently there is a DNS entry for smtp.bluewin.ch, but that is not 
the one to use as it was apparently EOLd in 2006 or so. Thanks for 
offlist info that it is and this link[1] that describes:


smtpauths.bluewin.ch:465 so TLS only (which is good!)

But, see below, connect with openssl and it drops from Init7, Quickline 
but works from BIT.nl...


Anybody similar sightings?


PCAP attached. Connection succeeds, but TLS alert and drop

Maybe passing through the same "load balancer" as:
http://lists.swinog.ch/public/swinog/2021-March/007457.html

Greets,
 Jeroen


swisscom.pcap
Description: Binary data

___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] Bluewin SMTP server reachable from outside bluewin/swisscom?

2021-03-11 Diskussionsfäden Jeroen Massar
So apparently there is a DNS entry for smtp.bluewin.ch, but that is not 
the one to use as it was apparently EOLd in 2006 or so. Thanks for 
offlist info that it is and this link[1] that describes:


smtpauths.bluewin.ch:465 so TLS only (which is good!)

But, see below, connect with openssl and it drops from Init7, Quickline 
but works from BIT.nl...


Anybody similar sightings?

Greets,
 Jeroen


[1]
https://www.swisscom.ch/de/privatkunden/hilfe/internet/e-mail-einrichten-reparieren.html#lightbox=sel%3A%5Btarget%3D%22sdxlightbox%22%5D%5Bhref%3D%22%2Fde%2Fprivatkunden%2Fhilfe%2Finternet%2Fe-mail-einrichten-reparieren%2Fserver-einstellungen-overlay.html%22%5D


From quickline:


openssl s_client -connect smtpauths.bluewin.ch:465
CONNECTED(0003)
depth=2 C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
verify return:1
depth=1 C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
verify return:1
depth=0 C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU 
= IT, CN = smtpauths.bluewin.ch

verify return:1
140365288952960:error:141A318A:SSL routines:tls_process_ske_dhe:dh key 
too small:../ssl/statem/statem_clnt.c:2150:

---
Certificate chain
 0 s:C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = 
IT, CN = smtpauths.bluewin.ch

   i:C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
 1 s:C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
   i:C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
---
Server certificate
-BEGIN CERTIFICATE-
MIIH2jCCBsKgAwIBAgIUGEfAQSLKDtSxeCCekVh0nFmkCOEwDQYJKoZIhvcNAQEL
BQAwUjELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEsMCoGA1UE
AxMjU3dpc3NTaWduIFNlcnZlciBHb2xkIENBIDIwMTQgLSBHMjIwHhcNMTkwODA4
MDg0NDAxWhcNMjEwODA4MDg0NDAxWjB9MQswCQYDVQQGEwJDSDENMAsGA1UECBME
QmVybjETMBEGA1UEBxMKV29yYmxhdWZlbjEeMBwGA1UEChMVU3dpc3Njb20gKFNj
aHdlaXopIEFHMQswCQYDVQQLEwJJVDEdMBsGA1UEAxMUc210cGF1dGhzLmJsdWV3
aW4uY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJuFh6Yc/73bmW
Lyedte6kZQ56Q5XGsaKFtZmXWZXqYFmlPrlZ/vKYpTT712DCwOklcpd7/CrjPFwN
OhVL1aAsfr5UwfrBfFtE0pRsiUl/o3I/6NyfU1FobEVO8xnBhDKaOQOJlwZwndyR
GQLz6I1wsddJeh/puh4KvIl3vHq0ge8igZFTG2MuXIsayPUOWpdrbLuvebiaDfMw
FuJCtgkiSfhi9wRDLVkmXJF+q9+n/6FdJcr8+SgF+oiz2koXhSt/dVjrfrz+rL9/
5dZz9h8JT6X/sLG56SyVpOV4Mmzgq72afizutwtGHobygMqYyusW5GfwZJPqX+cb
BhiBmvNFAgMBAAGjggR7MIIEdzA4BgNVHREEMTAvghRzbXRwYXV0aHMuYmx1ZXdp
bi5jaIIXc210cGF1dGhzLmxiLmJsdWV3aW4uY2gwDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQURQnYL5/oRqKp
p2+CnXirj1TyDCMwHwYDVR0jBBgwFoAU5/Hn/S5TrRHlgRpXpHOPEn2YyK4wgf8G
A1UdHwSB9zCB9DBHoEWgQ4ZBaHR0cDovL2NybC5zd2lzc3NpZ24ubmV0L0U3RjFF
N0ZEMkU1M0FEMTFFNTgxMUE1N0E0NzM4RjEyN0Q5OEM4QUUwgaiggaWggaKGgZ9s
ZGFwOi8vZGlyZWN0b3J5LnN3aXNzc2lnbi5uZXQvQ049RTdGMUU3RkQyRTUzQUQx
MUU1ODExQTU3QTQ3MzhGMTI3RDk4QzhBRSUyQ089U3dpc3NTaWduJTJDQz1DSD9j
ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz
dHJpYnV0aW9uUG9pbnQwcwYDVR0gBGwwajBUBglghXQBWQECAQswRzBFBggrBgEF
BQcCARY5aHR0cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS9Td2lzc1NpZ24t
R29sZC1DUC1DUFMucGRmMAgGBgQAj3oBBzAIBgZngQwBAgIwgdUGCCsGAQUFBwEB
BIHIMIHFMGQGCCsGAQUFBzAChlhodHRwOi8vc3dpc3NzaWduLm5ldC9jZ2ktYmlu
L2F1dGhvcml0eS9kb3dubG9hZC9FN0YxRTdGRDJFNTNBRDExRTU4MTFBNTdBNDcz
OEYxMjdEOThDOEFFMF0GCCsGAQUFBzABhlFodHRwOi8vZ29sZC1zZXJ2ZXItZzIu
b2NzcC5zd2lzc3NpZ24ubmV0L0U3RjFFN0ZEMkU1M0FEMTFFNTgxMUE1N0E0NzM4
RjEyN0Q5OEM4QUUwggF7BgorBgEEAdZ5AgQCBIIBawSCAWcBZQB1AESUZS6w7s6v
xEAH2Kj+KMDa5oK+2MsxtT/TM5a1toGoAAABbHBmPNYAAAQDAEYwRAIgCvjTT2sR
PgoaHtOiCqmh1oERGFsdlSEy01a/da2WgxQCIAXM1dSNyXhiWTLGGKlg7fYjsVEx
Ed/WM6NYSh0AJPK+AHYAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMA
AAFscGY9CQAABAMARzBFAiBgWjl7D2nTcHPMOY8UVM0qvV9vG1Oqrf8J1zBrJuvw
kwIhAOtIKQQSbapV8Aw8q3+E5iLYYSMQdPXHUhDHueBebXygAHQA7ku9t3XOYLrh
Qmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFscGY7sgAABAMARTBDAh9koSaw1fr6
ZrNJsVN2+v2+2QQ9VkMU4KJSQEfedRUbAiBY6V8yU93utvDWtrGnSck9X6aV9M7q
WhrZz7q9dQr5QzANBgkqhkiG9w0BAQsFAAOCAQEAdYPLeU/e7ugYfozqShEja1IT
LOrJ+FGQ6NNIYoRtilYX79tr+vpieN+P3q0W7M5Y9XEOpLWjuFWe/Ea67j2N4ixa
ZrTFNpw3gHHHJmYnARvKqZpKtC32MAj+NPWDLxy1e8+zcMw0YweZHc6506LPgioo
X6d5IXWcStolqJBWnbYs1KQdgH8sbWLyhHJ9kCedX39vwQE/N+cBvharzwccjedv
crxeTX/NNjicD6YqobSiehIv+xI8QUWHr8lzPQmFFFBWl01mNJFM3aPs5bZCI+bM
bc1zPKsXNIeDuRJAqBtVCMoOUu6sRjobwEwL5QGWfuQjaHe7zXLSXk1HV6Zztg==
-END CERTIFICATE-
subject=C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU 
= IT, CN = smtpauths.bluewin.ch


issuer=C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22

---
No client certificate CA names sent
---
SSL handshake has read 4373 bytes and written 319 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol  : TLSv1.2
Cipher: 
Session-ID: 
4C3B5E25409E722974428474E8275BF0B97C775BEE2F8EE50BADDF9D38372A81

Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username:

[swinog] Bluewin SMTP server reachable from outside bluewin/swisscom?

2021-03-11 Diskussionsfäden Jeroen Massar
Hi,

(Possibly in relation to 
http://lists.swinog.ch/public/swinog/2021-March/007457.html, but in this case 
not even a TCP ACK...)

It seems smtp.bluewin.ch (25 and 465 tested) is unreachable from all places I 
checked (Init7, Quickline, BIT.nl).

Is that service normally open for Bluewin customers to connect to 
smtp.bluewin.ch?

As apparently Swisscom is sending out mails to providers that their customers 
are complaining that their customers on non-swisscom/bluewin cannot use their 
SMTP service.


But telnet does not even answer (no TCP ACK at all, no ICMP, nada nothing), 
thus looks like it is firewalled away.

Greets,
 Jeroen



___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] OVH datacenter SBG2 in Strasbourg on fire 🔥

2021-03-11 Diskussionsfäden Gregor Riepl
> Very sad day for our colleagues at OVH AS16276 as they lost their
> datacenter SBG-2 in Strasbourg completly („everything is destroyed“) in
> a fire 🔥 and the neighboring SBG1/SBG3/SBG4 at least temporary.

A tragic event, it evokes some faint memories on what happened at
Fukushima No.1 NPP in 2011.

I think this is a good time to remind everyone to review their disaster
recovery procedures regularly, and ensure they still work as expected.


___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog