Re: [swinog] Bluewin SMTP server reachable from outside bluewin/swisscom?
Follow-up: do not test with new tools.

So, as a few folks pointed me off-list rightly to it.. but my brain did not click to this old issue... it is all because of the short key.

I think it was discussed on swinog before, but I'll add it again, as I found the ticket where I reminded myself about it but that was from July 2019...

Due to the logjam attack OpenSSL (especially on Debian) disabled DH keys <= 1024 bytes.

https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/
https://lists.debian.org/debian-lts-announce/2015/06/msg00013.html

8<
Additionally OpenSSL will now reject handshakes using DH parameters shorter than 768 bits as a countermeasure against the Logjam attack (CVE-2015-4000).
-->8

(Yes, it is 2021 today, that is from 2015)

Thus if you want to test if that server works, disabling DH avoids it:

  openssl s_client -cipher 'DEFAULT:!DH' -connect smtpauths.bluewin.ch:587 -starttls smtp

So reminder, if you properly run new tools, you might have to work around servers that are still in planning of upgrading.

And in the end the origin of the issue was a DNS issue caused by a route reflection issue causing a variety of routes not to be available and yes, then things do not work as expected... it is always DNS, except when it is IP :)

PS: This seems unrelated to the IPv6 issue with the F5, even though it appears both systems run behind an F5.
Greets,
 Jeroen

--
Sidenote, without directly doing the starttls, your connection will be dropped too:

$ openssl s_client -cipher 'DEFAULT:!DH' -connect smtpauths.bluewin.ch:587
CONNECTED(0003)
140142292489536:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 298 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

With starttls it will work. timing is key too...

$ openssl s_client -cipher 'DEFAULT:!DH' -connect smtpauths.bluewin.ch:587 -starttls smtp
CONNECTED(0003)
depth=2 C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
verify return:1
depth=1 C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
verify return:1
depth=0 C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = IT, CN = smtpauths.bluewin.ch
verify return:1
---
Certificate chain
 0 s:C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = IT, CN = smtpauths.bluewin.ch
   i:C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
 1 s:C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
   i:C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIH2jCCBsKgAwIBAgIUGEfAQSLKDtSxeCCekVh0nFmkCOEwDQYJKoZIhvcNAQEL
BQAwUjELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEsMCoGA1UE
AxMjU3dpc3NTaWduIFNlcnZlciBHb2xkIENBIDIwMTQgLSBHMjIwHhcNMTkwODA4
MDg0NDAxWhcNMjEwODA4MDg0NDAxWjB9MQswCQYDVQQGEwJDSDENMAsGA1UECBME
QmVybjETMBEGA1UEBxMKV29yYmxhdWZlbjEeMBwGA1UEChMVU3dpc3Njb20gKFNj
aHdlaXopIEFHMQswCQYDVQQLEwJJVDEdMBsGA1UEAxMUc210cGF1dGhzLmJsdWV3
aW4uY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJuFh6Yc/73bmW
Lyedte6kZQ56Q5XGsaKFtZmXWZXqYFmlPrlZ/vKYpTT712DCwOklcpd7/CrjPFwN
OhVL1aAsfr5UwfrBfFtE0pRsiUl/o3I/6NyfU1FobEVO8xnBhDKaOQOJlwZwndyR
GQLz6I1wsddJeh/puh4KvIl3vHq0ge8igZFTG2MuXIsayPUOWpdrbLuvebiaDfMw
FuJCtgkiSfhi9wRDLVkmXJF+q9+n/6FdJcr8+SgF+oiz2koXhSt/dVjrfrz+rL9/
5dZz9h8JT6X/sLG56SyVpOV4Mmzgq72afizutwtGHobygMqYyusW5GfwZJPqX+cb
BhiBmvNFAgMBAAGjggR7MIIEdzA4BgNVHREEMTAvghRzbXRwYXV0aHMuYmx1ZXdp
bi5jaIIXc210cGF1dGhzLmxiLmJsdWV3aW4uY2gwDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQURQnYL5/oRqKp
p2+CnXirj1TyDCMwHwYDVR0jBBgwFoAU5/Hn/S5TrRHlgRpXpHOPEn2YyK4wgf8G
A1UdHwSB9zCB9DBHoEWgQ4ZBaHR0cDovL2NybC5zd2lzc3NpZ24ubmV0L0U3RjFF
N0ZEMkU1M0FEMTFFNTgxMUE1N0E0NzM4RjEyN0Q5OEM4QUUwgaiggaWggaKGgZ9s
ZGFwOi8vZGlyZWN0b3J5LnN3aXNzc2lnbi5uZXQvQ049RTdGMUU3RkQyRTUzQUQx
MUU1ODExQTU3QTQ3MzhGMTI3RDk4QzhBRSUyQ089U3dpc3NTaWduJTJDQz1DSD9j
ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz
dHJpYnV0aW9uUG9pbnQwcwYDVR0gBGwwajBUBglghXQBWQECAQswRzBFBggrBgEF
BQcCARY5aHR0cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS9Td2lzc1NpZ24t
R29sZC1DUC1DUFMucGRmMAgGBgQAj3oBBzAIBgZngQwBAgIwgdUGCCsGAQUFBwEB
BIHIMIHFMGQGCCsGAQUFBzAChlhodHRwOi8vc3dpc3NzaWduLm5ldC9jZ2ktYmlu
L2F1dGhvcml0eS9kb3dubG9hZC9FN0YxRTdGRDJFNTNBRDExRTU4MTFBNTdBNDcz
OEYxMjdEOThDOEFFMF0GCCsGAQUFBzABhlFodHRwOi8vZ29sZC1zZXJ2ZXItZzIu
b2NzcC5zd2lzc3NpZ24ubmV0L0U3RjFFN0ZEMkU1M0FEMTFFNTgxMUE1N0E0NzM4
RjEyN0Q5OEM4QUUwggF7BgorBgEEAdZ5AgQCBIIBawSCAWcBZQB1AESUZS6w7s6v
xEAH2Kj+KMDa5oK+2MsxtT/TM5a1toGoAAABbHBmPNYAAAQDAEYwRAIgCvjTT2sR
PgoaHtOiCqmh1oERGFsdlSEy01a/da2WgxQCIAXM1dSNyXhiWTLGGKlg7fYjsVEx
Ed/WM6NYSh0AJPK+AHYAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMA
AAFscGY9CQAABAMARz
Re: [swinog] Bluewin SMTP server reachable from outside bluewin/swisscom?
On 2021-03-11 11:46, Jeroen Massar wrote:
> So apparently there is a DNS entry for smtp.bluewin.ch, but that is not the one to use as it was apparently EOLd in 2006 or so.
>
> Thanks for offlist info that it is and this link[1] that describes: smtpauths.bluewin.ch:465 so TLS only (which is good!)
>
> But, see below, connect with openssl and it drops from Init7, Quickline but works from BIT.nl...
>
> Anybody similar sightings?

PCAP attached. Connection succeeds, but TLS alert and drop.

Maybe passing through the same "load balancer" as:
http://lists.swinog.ch/public/swinog/2021-March/007457.html

Greets,
 Jeroen

[Attachment: swisscom.pcap (binary data)]

___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Re: [swinog] Bluewin SMTP server reachable from outside bluewin/swisscom?
So apparently there is a DNS entry for smtp.bluewin.ch, but that is not the one to use as it was apparently EOLd in 2006 or so.

Thanks for offlist info that it is and this link[1] that describes: smtpauths.bluewin.ch:465 so TLS only (which is good!)

But, see below, connect with openssl and it drops from Init7, Quickline but works from BIT.nl...

Anybody similar sightings?

Greets,
 Jeroen

[1] https://www.swisscom.ch/de/privatkunden/hilfe/internet/e-mail-einrichten-reparieren.html#lightbox=sel%3A%5Btarget%3D%22sdxlightbox%22%5D%5Bhref%3D%22%2Fde%2Fprivatkunden%2Fhilfe%2Finternet%2Fe-mail-einrichten-reparieren%2Fserver-einstellungen-overlay.html%22%5D

From quickline:

openssl s_client -connect smtpauths.bluewin.ch:465
CONNECTED(0003)
depth=2 C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
verify return:1
depth=1 C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
verify return:1
depth=0 C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = IT, CN = smtpauths.bluewin.ch
verify return:1
140365288952960:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
---
Certificate chain
 0 s:C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = IT, CN = smtpauths.bluewin.ch
   i:C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
 1 s:C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
   i:C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIH2jCCBsKgAwIBAgIUGEfAQSLKDtSxeCCekVh0nFmkCOEwDQYJKoZIhvcNAQEL
BQAwUjELMAkGA1UEBhMCQ0gxFTATBgNVBAoTDFN3aXNzU2lnbiBBRzEsMCoGA1UE
AxMjU3dpc3NTaWduIFNlcnZlciBHb2xkIENBIDIwMTQgLSBHMjIwHhcNMTkwODA4
MDg0NDAxWhcNMjEwODA4MDg0NDAxWjB9MQswCQYDVQQGEwJDSDENMAsGA1UECBME
QmVybjETMBEGA1UEBxMKV29yYmxhdWZlbjEeMBwGA1UEChMVU3dpc3Njb20gKFNj
aHdlaXopIEFHMQswCQYDVQQLEwJJVDEdMBsGA1UEAxMUc210cGF1dGhzLmJsdWV3
aW4uY2gwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDJuFh6Yc/73bmW
Lyedte6kZQ56Q5XGsaKFtZmXWZXqYFmlPrlZ/vKYpTT712DCwOklcpd7/CrjPFwN
OhVL1aAsfr5UwfrBfFtE0pRsiUl/o3I/6NyfU1FobEVO8xnBhDKaOQOJlwZwndyR
GQLz6I1wsddJeh/puh4KvIl3vHq0ge8igZFTG2MuXIsayPUOWpdrbLuvebiaDfMw
FuJCtgkiSfhi9wRDLVkmXJF+q9+n/6FdJcr8+SgF+oiz2koXhSt/dVjrfrz+rL9/
5dZz9h8JT6X/sLG56SyVpOV4Mmzgq72afizutwtGHobygMqYyusW5GfwZJPqX+cb
BhiBmvNFAgMBAAGjggR7MIIEdzA4BgNVHREEMTAvghRzbXRwYXV0aHMuYmx1ZXdp
bi5jaIIXc210cGF1dGhzLmxiLmJsdWV3aW4uY2gwDgYDVR0PAQH/BAQDAgWgMB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQURQnYL5/oRqKp
p2+CnXirj1TyDCMwHwYDVR0jBBgwFoAU5/Hn/S5TrRHlgRpXpHOPEn2YyK4wgf8G
A1UdHwSB9zCB9DBHoEWgQ4ZBaHR0cDovL2NybC5zd2lzc3NpZ24ubmV0L0U3RjFF
N0ZEMkU1M0FEMTFFNTgxMUE1N0E0NzM4RjEyN0Q5OEM4QUUwgaiggaWggaKGgZ9s
ZGFwOi8vZGlyZWN0b3J5LnN3aXNzc2lnbi5uZXQvQ049RTdGMUU3RkQyRTUzQUQx
MUU1ODExQTU3QTQ3MzhGMTI3RDk4QzhBRSUyQ089U3dpc3NTaWduJTJDQz1DSD9j
ZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc3M9Y1JMRGlz
dHJpYnV0aW9uUG9pbnQwcwYDVR0gBGwwajBUBglghXQBWQECAQswRzBFBggrBgEF
BQcCARY5aHR0cDovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS9Td2lzc1NpZ24t
R29sZC1DUC1DUFMucGRmMAgGBgQAj3oBBzAIBgZngQwBAgIwgdUGCCsGAQUFBwEB
BIHIMIHFMGQGCCsGAQUFBzAChlhodHRwOi8vc3dpc3NzaWduLm5ldC9jZ2ktYmlu
L2F1dGhvcml0eS9kb3dubG9hZC9FN0YxRTdGRDJFNTNBRDExRTU4MTFBNTdBNDcz
OEYxMjdEOThDOEFFMF0GCCsGAQUFBzABhlFodHRwOi8vZ29sZC1zZXJ2ZXItZzIu
b2NzcC5zd2lzc3NpZ24ubmV0L0U3RjFFN0ZEMkU1M0FEMTFFNTgxMUE1N0E0NzM4
RjEyN0Q5OEM4QUUwggF7BgorBgEEAdZ5AgQCBIIBawSCAWcBZQB1AESUZS6w7s6v
xEAH2Kj+KMDa5oK+2MsxtT/TM5a1toGoAAABbHBmPNYAAAQDAEYwRAIgCvjTT2sR
PgoaHtOiCqmh1oERGFsdlSEy01a/da2WgxQCIAXM1dSNyXhiWTLGGKlg7fYjsVEx
Ed/WM6NYSh0AJPK+AHYAb1N2rDHwMRnYmQCkURX/dxUcEdkCwQApBo2yCJo32RMA
AAFscGY9CQAABAMARzBFAiBgWjl7D2nTcHPMOY8UVM0qvV9vG1Oqrf8J1zBrJuvw
kwIhAOtIKQQSbapV8Aw8q3+E5iLYYSMQdPXHUhDHueBebXygAHQA7ku9t3XOYLrh
Qmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFscGY7sgAABAMARTBDAh9koSaw1fr6
ZrNJsVN2+v2+2QQ9VkMU4KJSQEfedRUbAiBY6V8yU93utvDWtrGnSck9X6aV9M7q
WhrZz7q9dQr5QzANBgkqhkiG9w0BAQsFAAOCAQEAdYPLeU/e7ugYfozqShEja1IT
LOrJ+FGQ6NNIYoRtilYX79tr+vpieN+P3q0W7M5Y9XEOpLWjuFWe/Ea67j2N4ixa
ZrTFNpw3gHHHJmYnARvKqZpKtC32MAj+NPWDLxy1e8+zcMw0YweZHc6506LPgioo
X6d5IXWcStolqJBWnbYs1KQdgH8sbWLyhHJ9kCedX39vwQE/N+cBvharzwccjedv
crxeTX/NNjicD6YqobSiehIv+xI8QUWHr8lzPQmFFFBWl01mNJFM3aPs5bZCI+bM
bc1zPKsXNIeDuRJAqBtVCMoOUu6sRjobwEwL5QGWfuQjaHe7zXLSXk1HV6Zztg==
-----END CERTIFICATE-----
subject=C = CH, ST = Bern, L = Worblaufen, O = Swisscom (Schweiz) AG, OU = IT, CN = smtpauths.bluewin.ch
issuer=C = CH, O = SwissSign AG, CN = SwissSign Server Gold CA 2014 - G22
---
No client certificate CA names sent
---
SSL handshake has read 4373 bytes and written 319 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    :
    Session-ID: 4C3B5E25409E722974428474E8275BF0B97C775BEE2F8EE50BADDF9D38372A81
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username:
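The checks from this message and from Jeroen's follow-up, wrapped into one script. This is an added example, not code from the thread or from Swisscom: it runs openssl s_client against a submission host on 465 (implicit TLS) and 587 (STARTTLS), classifies the output by the error strings that appear in the thread ("dh key too small", "wrong version number"), and on the weak-DH case retries with -cipher 'DEFAULT:!DH' as the follow-up does. The host is a parameter, the diagnosis labels and the abridged sample transcripts (using example.invalid as host name) are constructed for this example, and the live probe needs the openssl binary on the path.

```shell
#!/bin/sh
# Added example (not from the swinog thread): wrap the s_client checks from
# the thread, classify their failure modes, and retry without DH on "weak-dh".

# classify_tls_output: read s_client output on stdin, print one diagnosis.
#   weak-dh          server sent DH parameters below the client's minimum
#                    (OpenSSL's Logjam countermeasure); ECDHE/RSA may still work
#   no-tls           "wrong version number": the peer spoke plaintext, so the
#                    port wants -starttls smtp (587) or is not a TLS port
#   handshake-failed no cipher was negotiated for some other reason
#   ok               handshake completed and the chain verified
#   verify-fail      handshake completed but certificate verification failed
#   unknown          none of the above (openssl missing, connection refused, ...)
classify_tls_output() {
    out=$(cat)
    # Order matters: s_client prints "Verify return code: 0 (ok)" even when
    # the handshake died before any certificate arrived (see the thread).
    case "$out" in
        *"dh key too small"*)           echo weak-dh ;;
        *"wrong version number"*)       echo no-tls ;;
        *"Cipher is (NONE)"*)           echo handshake-failed ;;
        *"Verify return code: 0 (ok)"*) echo ok ;;
        *"Verify return code:"*)        echo verify-fail ;;
        *)                              echo unknown ;;
    esac
}

# probe_smtp_tls HOST PORT [CIPHERLIST]: one s_client run, summarised on one
# line; exit status 0 only when the diagnosis is "ok".
# Ports 25/587 are plaintext-first (STARTTLS); 465 is TLS from the first byte.
# A silently firewalled host (no SYN/ACK, the case in the thread's first mail)
# blocks here until the TCP connect timeout; wrap the call in timeout(1).
probe_smtp_tls() {
    host=$1; port=$2; ciphers=${3:-DEFAULT}
    case "$port" in
        25|587) starttls="-starttls smtp" ;;
        *)      starttls="" ;;
    esac
    # -cipher governs TLS 1.2 and below; TLS 1.3 suites use -ciphersuites.
    # shellcheck disable=SC2086  ($starttls is meant to be word-split)
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -cipher "$ciphers" $starttls </dev/null 2>&1) || true
    diag=$(printf '%s\n' "$out" | classify_tls_output)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*Cipher is //p' | head -n 1)
    echo "$host:$port ciphers=$ciphers diag=$diag cipher=${cipher:-none}"
    [ "$diag" = ok ]
}

# check_submission HOST: the procedure from the thread on both ports, with the
# DH-free retry only when the default cipher list fails on the DH group.
check_submission() {
    host=$1
    for port in 465 587; do
        line=$(probe_smtp_tls "$host" "$port" DEFAULT) || true
        echo "$line"
        case "$line" in
            *"diag=weak-dh"*) probe_smtp_tls "$host" "$port" 'DEFAULT:!DH' || true ;;
        esac
    done
}

# Constructed, abridged s_client transcripts so the classifier can be
# exercised offline; the error strings are the ones the thread shows.
SAMPLE_WEAK_DH='CONNECTED(00000003)
depth=0 CN = example.invalid
verify return:1
140365288952960:error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small:../ssl/statem/statem_clnt.c:2150:
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)'
SAMPLE_NO_TLS='CONNECTED(00000003)
140142292489536:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:331:
no peer certificate available
New, (NONE), Cipher is (NONE)
Verify return code: 0 (ok)'
SAMPLE_OK='CONNECTED(00000003)
depth=0 CN = example.invalid
verify return:1
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 0 (ok)'
SAMPLE_VERIFY_FAIL='CONNECTED(00000003)
depth=0 CN = example.invalid
verify error:num=18:self signed certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 18 (self signed certificate)'

# Usage: sh probe-smtp-tls.sh smtpauths.bluewin.ch
# Without an argument the file only defines the functions and samples.
if [ "$#" -gt 0 ]; then
    check_submission "$1"
fi
```

A "weak-dh" line followed by an "ok" line on the DH-free retry means the server is usable for clients that offer ECDHE or RSA key exchange ahead of DHE, which is what the follow-up reports for port 587; -cipher does not touch TLS 1.3, where finite-field DH is negotiated per group rather than by cipher name, so a TLS 1.3 server never produces this result.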
[swinog] Bluewin SMTP server reachable from outside bluewin/swisscom?
Hi,

(Possibly in relation to http://lists.swinog.ch/public/swinog/2021-March/007457.html, but in this case not even a TCP ACK...)

It seems smtp.bluewin.ch (25 and 465 tested) is unreachable from all places I checked (Init7, Quickline, BIT.nl).

Is that service normally open for Bluewin customers to connect to smtp.bluewin.ch?

As apparently Swisscom is sending out mails to providers that their customers are complaining that their customers on non-swisscom/bluewin cannot use their SMTP service.

But telnet does not even answer (no TCP ACK at all, no ICMP, nada nothing), thus looks like it is firewalled away.

Greets,
 Jeroen
Re: [swinog] OVH datacenter SBG2 in Strasbourg on fire 🔥
> Very sad day for our colleagues at OVH AS16276 as they lost their
> datacenter SBG-2 in Strasbourg completely („everything is destroyed“) in
> a fire 🔥 and the neighboring SBG1/SBG3/SBG4 at least temporarily.

A tragic event, it evokes some faint memories on what happened at Fukushima No.1 NPP in 2011.

I think this is a good time to remind everyone to review their disaster recovery procedures regularly, and ensure they still work as expected.