Everyone,

I didn't want to think that we'd given up on this issue that Ron had 
brought to the list.  I'd like to update everyone with what we know so far:

1) The remote end that's having problems delivering to Spamdyke is a 
Tumbleweed MailGate appliance with opportunistic TLS (i.e., STARTTLS) 
enabled.

2) The SSL/TLS implementation on the MailGate appliance does not have 
"secure renegotiation" enabled.  cf. CVE-2009-3555 --

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555

3) The MailGate appliance initiates the SSL/TLS session with "STARTTLS", 
then follows up with a second "EHLO" and after that, stops communicating 
with Spamdyke.  After idle-timeout-secs pass, Spamdyke times out the 
connection and hangs up.  Sometimes, the remote end times out first and 
disconnects first.

Tumbleweed Communications was acquired by Axway back in June 2008, and 
I'm trying to get a dialog started with their support people to see if 
they've dealt with this problem before and if they have a work-around.  
My gut says their recommendation will be to disable opportunistic TLS 
for destinations that are running Spamdyke, but I'm hoping that there is 
a better solution here -- particularly, one that involves improving 
Spamdyke's code so that everyone can benefit.

I'll send another update to the list when we learn more.

-- 
Dossy Shiobara         |      "He realized the fastest way to change
do...@panoptic.com     |   is to laugh at your own folly -- then you
http://panoptic.com/   |   can let go and quickly move on." (p. 70)
   * WordPress * jQuery * MySQL * Security * Business Continuity *

_______________________________________________
spamdyke-users mailing list
spamdyke-users@spamdyke.org
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
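As an added diagnostic example (not from the message above and not spamdyke code), this POSIX shell script classifies the "Secure Renegotiation" line that `openssl s_client -starttls smtp` prints for a peer, so you can confirm point 2 against your own sending or receiving hosts. The host and port are placeholders, and the transcripts it is tested on are constructed.

```shell
#!/bin/sh
# Added example: classify a peer's secure-renegotiation support (RFC 5746,
# the fix for CVE-2009-3555) from an `openssl s_client -starttls smtp` session.
# The host/port below are placeholders; the sample transcripts are constructed.

# Run the real probe against a mail server. Prints the s_client transcript.
probe_starttls() {
    host=$1
    port=${2:-25}
    printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls smtp 2>&1
}

# Read an s_client transcript on stdin and print one word:
#   secure    - peer negotiated the renegotiation_info extension
#   insecure  - peer lacks it (the pre-CVE-2009-3555 state)
#   unknown   - handshake never completed or output not recognised
renegotiation_status() {
    transcript=$(cat)
    case "$transcript" in
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *"Secure Renegotiation IS NOT supported"*) echo insecure ;;
        *)                                         echo unknown ;;
    esac
}

# Constructed transcripts in the shape s_client prints, for offline use.
SAMPLE_SECURE='CONNECTED(00000003)
250 STARTTLS
Protocol  : TLSv1.2
Secure Renegotiation IS supported
221 Bye'

SAMPLE_INSECURE='CONNECTED(00000003)
250 STARTTLS
Protocol  : TLSv1
Secure Renegotiation IS NOT supported
221 Bye'

# A session that stalled after the post-STARTTLS EHLO, as described above.
SAMPLE_TIMEOUT='CONNECTED(00000003)
250 STARTTLS
250 mailgate.example.invalid'

# Only touch the network when SMTP_HOST is set, e.g.
#   SMTP_HOST=mx.example.com sh check_reneg.sh
if [ -n "${SMTP_HOST:-}" ]; then
    probe_starttls "$SMTP_HOST" "${SMTP_PORT:-25}" | renegotiation_status
fi
```

An "insecure" result on either side of a stalled STARTTLS exchange is the first thing to record before opening a vendor ticket.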
