Opened 8 months ago

Last modified 8 months ago

#33413 needs_information defect

ida.org can't mail torproject.org ("Connection reset by peer")

Reported by: arma
Owned by: tpa
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

A person at ida.org is trying to mail my torproject.org address, and the mail never arrives. I see these lines in our torproject.org mailserver (timestamps are in UTC):

Feb 21 10:58:30 eugeni/eugeni postfix/smtpd[17909]: connect from mail5.ida.org[129.246.225.242]
Feb 21 10:58:32 eugeni/eugeni postfix/smtpd[17909]: SSL_accept error from mail5.ida.org[129.246.225.242]: Connection reset by peer
Feb 21 10:58:32 eugeni/eugeni postfix/smtpd[17909]: lost connection after STARTTLS from mail5.ida.org[129.246.225.242]
Feb 21 10:58:32 eugeni/eugeni postfix/smtpd[17909]: disconnect from mail5.ida.org[129.246.225.242] ehlo=1 starttls=0/1 commands=1/2

i.e. it is trying to connect to us, and then it's hanging up.

The issue repeats, e.g. mail5.ida.org comes back and tries again 60 minutes later, and the same "Connection reset by peer" issue stops it then too.

For comparison, mail from ida.org directly to moria.csail.mit.edu (e.g. my @freehaven.net address) does work (times in EST):

Feb 21 06:32:49 moria postfix/smtpd[64015]: connect from mail4.ida.org[129.246.225.241]
Feb 21 06:32:49 moria postfix/smtpd[64015]: setting up TLS connection from mail4.ida.org[129.246.225.241]
Feb 21 06:32:50 moria postfix/smtpd[64015]: Anonymous TLS connection established from mail4.ida.org[129.246.225.241]: TLSv1.2 with cipher RC4-SHA (112/128 bits)
Feb 21 06:32:50 moria postgrey[2193]: action=pass, reason=triplet found, client_name=mail4.ida.org, client_address=129.246.225.241, sender=xxx@ida.org, recipient=arma@freehaven.net
Feb 21 06:32:50 moria postfix/smtpd[64015]: 48FD91E03BE: client=mail4.ida.org[129.246.225.241]
Feb 21 06:32:50 moria postfix/cleanup[64106]: 48FD91E03BE: message-id=<8o7jf1knqetkgvld41v8dken.1582284768637@emailplus.mobileiron.com>
Feb 21 06:32:50 moria postfix/qmgr[2303]: 48FD91E03BE: from=<xxx@ida.org>, size=6337, nrcpt=1 (queue active)
Feb 21 06:32:51 moria postfix/local[64128]: 718821E030F: to=<arma@seul.org>, relay=local, delay=2.5, delays=0.19/0/0/2.3, dsn=2.0.0, status=sent (delivered to command: /usr/bin/procmail)
Feb 21 06:32:51 moria postfix/qmgr[2303]: 718821E030F: removed

(moria's log mentions mail4, not mail5, but eugeni is seeing failures from both mail4 and mail5.)
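As an added example (not part of the ticket), a small parser for smtpd lines like the ones above: it reads Postfix's "starttls=ok/attempted" disconnect counters and the SSL_accept error lines, counts failed STARTTLS handshakes per client, and flags peers that keep retrying and failing, which is exactly the hourly pattern described here. The log sample is constructed from the quoted lines plus one healthy session from a placeholder host (mx.example.net).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ticket's smtpd lines, plus one healthy session.
SAMPLE_LOG = """\
Feb 21 10:58:30 eugeni/eugeni postfix/smtpd[17909]: connect from mail5.ida.org[129.246.225.242]
Feb 21 10:58:32 eugeni/eugeni postfix/smtpd[17909]: SSL_accept error from mail5.ida.org[129.246.225.242]: Connection reset by peer
Feb 21 10:58:32 eugeni/eugeni postfix/smtpd[17909]: lost connection after STARTTLS from mail5.ida.org[129.246.225.242]
Feb 21 10:58:32 eugeni/eugeni postfix/smtpd[17909]: disconnect from mail5.ida.org[129.246.225.242] ehlo=1 starttls=0/1 commands=1/2
Feb 21 11:58:40 eugeni/eugeni postfix/smtpd[18001]: connect from mail5.ida.org[129.246.225.242]
Feb 21 11:58:42 eugeni/eugeni postfix/smtpd[18001]: SSL_accept error from mail5.ida.org[129.246.225.242]: Connection reset by peer
Feb 21 11:58:42 eugeni/eugeni postfix/smtpd[18001]: lost connection after STARTTLS from mail5.ida.org[129.246.225.242]
Feb 21 11:58:42 eugeni/eugeni postfix/smtpd[18001]: disconnect from mail5.ida.org[129.246.225.242] ehlo=1 starttls=0/1 commands=1/2
Feb 21 12:03:01 eugeni/eugeni postfix/smtpd[18044]: connect from mx.example.net[192.0.2.10]
Feb 21 12:03:02 eugeni/eugeni postfix/smtpd[18044]: disconnect from mx.example.net[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

SSL_ERR_RE = re.compile(r"smtpd\[\d+\]: SSL_accept error from (?P<client>\S+): (?P<reason>.*)$")
DISCONNECT_RE = re.compile(r"smtpd\[\d+\]: disconnect from (?P<client>\S+) (?P<counters>.*)$")

def _entry(stats, client):
    # One record per client: handshake attempts, failures, and the logged reasons.
    return stats.setdefault(client, {"attempts": 0, "failed": 0, "reasons": defaultdict(int)})

def starttls_failures(log_text):
    """Per client: STARTTLS attempts Postfix saw, how many failed, and why.
    Postfix logs a counter as 'ok/attempted' (starttls=0/1) when the two differ
    and as a single number when every attempt succeeded."""
    stats = {}
    for line in log_text.splitlines():
        m = SSL_ERR_RE.search(line)
        if m:
            _entry(stats, m["client"])["reasons"][m["reason"]] += 1
            continue
        m = DISCONNECT_RE.search(line)
        if not m:
            continue
        counters = dict(kv.split("=", 1) for kv in m["counters"].split())
        ok, _, attempted = counters.get("starttls", "0").partition("/")
        ok, attempted = int(ok), int(attempted or ok)
        if attempted > ok:
            entry = _entry(stats, m["client"])
            entry["attempts"] += attempted
            entry["failed"] += attempted - ok
    return stats

def repeat_offenders(stats, min_failed=2):
    """Clients whose STARTTLS handshake failed at least min_failed times, worst
    first: a peer that retries hourly and always fails is a mismatch, not noise."""
    return sorted((c for c, s in stats.items() if s["failed"] >= min_failed),
                  key=lambda c: -stats[c]["failed"])
```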

Change History (4)

comment:1 Changed 8 months ago by cypherpunks

RC4-SHA

this

comment:2 Changed 8 months ago by anarcat

Status: new → needs_information

i wrote postmaster@… about this problem, we'll see if they find anything more.

comment:3 Changed 8 months ago by anarcat

they tried to reply to my email and (obviously) failed because they replied to my @torproject.org email (silly me).

arma nevertheless pursued the thread and we have more information from their end. it looks like they might have some firewall issues because they can't telnet into port 25 on our end. but it's also possible the cipher suites don't match, so i provided them with a detailed review of our configuration, as follows:

That's why one of the theories is "your side doesn't like our ssl".

It's a good theory. Here is our mailserver (Postfix) configuration that
should affect this (or not):

smtpd_tls_ciphers = medium
smtpd_tls_mandatory_ciphers = medium
tls_medium_cipherlist = aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH

Those parameters are documented in the postconf(5) manpage, available
(e.g.) here:

http://www.postfix.org/postconf.5.html#smtpd_tls_ciphers
http://www.postfix.org/postconf.5.html#tls_medium_cipherlist

I also stumbled upon this setting (set to the default):

tls_preempt_cipherlist = no

... which means the client (you, in this context) picks the cipher from
the list provided by the server:

http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist

In other words, if TLS is the issue, it could be that your server does
not support *any* of the OpenSSL 1.1.0l "MEDIUM" cipher suites.

Which mail server software are you running, with which TLS library and
configuration?

And for what it's worth, the above "cipherlist" configuration expands to
the following blob on our mailserver:

root@eugeni:~# openssl ciphers aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH | sed 's/:/\n/g' | sort -n
ADH-AES128-GCM-SHA256
ADH-AES128-SHA
ADH-AES128-SHA256
ADH-AES256-GCM-SHA384
ADH-AES256-SHA
ADH-AES256-SHA256
ADH-CAMELLIA128-SHA
ADH-CAMELLIA128-SHA256
ADH-CAMELLIA256-SHA
ADH-CAMELLIA256-SHA256
ADH-SEED-SHA
AECDH-AES128-SHA
AECDH-AES256-SHA
AES128-CCM
AES128-CCM8
AES128-GCM-SHA256
AES128-SHA
AES128-SHA256
AES256-CCM
AES256-CCM8
AES256-GCM-SHA384
AES256-SHA
AES256-SHA256
CAMELLIA128-SHA
CAMELLIA128-SHA256
CAMELLIA256-SHA
CAMELLIA256-SHA256
DHE-DSS-AES128-GCM-SHA256
DHE-DSS-AES128-SHA
DHE-DSS-AES128-SHA256
DHE-DSS-AES256-GCM-SHA384
DHE-DSS-AES256-SHA
DHE-DSS-AES256-SHA256
DHE-DSS-CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA256
DHE-DSS-CAMELLIA256-SHA
DHE-DSS-CAMELLIA256-SHA256
DHE-DSS-SEED-SHA
DHE-PSK-AES128-CBC-SHA
DHE-PSK-AES128-CBC-SHA256
DHE-PSK-AES128-CCM
DHE-PSK-AES128-CCM8
DHE-PSK-AES128-GCM-SHA256
DHE-PSK-AES256-CBC-SHA
DHE-PSK-AES256-CBC-SHA384
DHE-PSK-AES256-CCM
DHE-PSK-AES256-CCM8
DHE-PSK-AES256-GCM-SHA384
DHE-PSK-CAMELLIA128-SHA256
DHE-PSK-CAMELLIA256-SHA384
DHE-PSK-CHACHA20-POLY1305
DHE-RSA-AES128-CCM
DHE-RSA-AES128-CCM8
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA
DHE-RSA-AES128-SHA256
DHE-RSA-AES256-CCM
DHE-RSA-AES256-CCM8
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256
DHE-RSA-CAMELLIA128-SHA
DHE-RSA-CAMELLIA128-SHA256
DHE-RSA-CAMELLIA256-SHA
DHE-RSA-CAMELLIA256-SHA256
DHE-RSA-CHACHA20-POLY1305
DHE-RSA-SEED-SHA
ECDHE-ECDSA-AES128-CCM
ECDHE-ECDSA-AES128-CCM8
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA256
ECDHE-ECDSA-AES256-CCM
ECDHE-ECDSA-AES256-CCM8
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-CAMELLIA128-SHA256
ECDHE-ECDSA-CAMELLIA256-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-PSK-AES128-CBC-SHA
ECDHE-PSK-AES128-CBC-SHA256
ECDHE-PSK-AES256-CBC-SHA
ECDHE-PSK-AES256-CBC-SHA384
ECDHE-PSK-CAMELLIA128-SHA256
ECDHE-PSK-CAMELLIA256-SHA384
ECDHE-PSK-CHACHA20-POLY1305
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-CAMELLIA128-SHA256
ECDHE-RSA-CAMELLIA256-SHA384
ECDHE-RSA-CHACHA20-POLY1305
PSK-AES128-CBC-SHA
PSK-AES128-CBC-SHA256
PSK-AES128-CCM
PSK-AES128-CCM8
PSK-AES128-GCM-SHA256
PSK-AES256-CBC-SHA
PSK-AES256-CBC-SHA384
PSK-AES256-CCM
PSK-AES256-CCM8
PSK-AES256-GCM-SHA384
PSK-CAMELLIA128-SHA256
PSK-CAMELLIA256-SHA384
PSK-CHACHA20-POLY1305
RSA-PSK-AES128-CBC-SHA
RSA-PSK-AES128-CBC-SHA256
RSA-PSK-AES128-GCM-SHA256
RSA-PSK-AES256-CBC-SHA
RSA-PSK-AES256-CBC-SHA384
RSA-PSK-AES256-GCM-SHA384
RSA-PSK-CAMELLIA128-SHA256
RSA-PSK-CAMELLIA256-SHA384
RSA-PSK-CHACHA20-POLY1305
SEED-SHA
SRP-AES-128-CBC-SHA
SRP-AES-256-CBC-SHA
SRP-DSS-AES-128-CBC-SHA
SRP-DSS-AES-256-CBC-SHA
SRP-RSA-AES-128-CBC-SHA
SRP-RSA-AES-256-CBC-SHA

--
Antoine Beaupré
torproject.org system administration

see also #32351
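The expansion above contains no RC4 suite at all ("+RC4" in a cipherstring only moves RC4 suites to the end of the list, and OpenSSL 1.1.0 leaves RC4 out unless built with enable-weak-ssl-ciphers), whereas moria negotiated RC4-SHA with mail4.ida.org. As an added example that is not part of the ticket, the following models the server-side suite choice under tls_preempt_cipherlist so the "no shared cipher" theory can be tested against whatever list the peer reports; the server lists are constructed, abbreviated stand-ins for eugeni's and moria's.

```python
# Constructed, abbreviated stand-in for eugeni's expanded list (the real one is
# in the ticket and, like this one, has no RC4 suite).
EUGENI_LIST = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384", "AES256-SHA", "AES128-SHA", "SEED-SHA",
]
# An older OpenSSL build, as on moria, still keeps RC4 suites at the tail
# (that is what "+RC4" does: demote, not remove).
MORIA_LIST = EUGENI_LIST + ["RC4-SHA", "RC4-MD5"]

def select_cipher(server_list, client_offer, tls_preempt_cipherlist=False):
    """Model the TLS 1.2 server-side choice.
    tls_preempt_cipherlist = no (Postfix default): the first suite in the
    client's order that the server also supports; = yes: the first suite in the
    server's order that the client offered. None means no common suite, which
    is a failed handshake."""
    supported, offered = set(server_list), set(client_offer)
    preference = server_list if tls_preempt_cipherlist else client_offer
    for suite in preference:
        if suite in supported and suite in offered:
            return suite
    return None

def has_rc4(cipher_list):
    """Does an expanded list actually contain an RC4 suite? Writing "+RC4" in
    the cipherstring does not guarantee it."""
    return any("RC4" in suite for suite in cipher_list)

def diagnose(server_list, client_offer, tls_preempt_cipherlist=False):
    """One-line verdict a postmaster can send back to the peer."""
    chosen = select_cipher(server_list, client_offer, tls_preempt_cipherlist)
    if chosen:
        return "negotiated " + chosen
    return "no shared suite; server lacks every offered suite: " + ", ".join(client_offer)
```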

comment:4 Changed 8 months ago by anarcat

i wonder if the problem is due to eugeni offering a self-signed cert instead of one signed by the CAs:

anarcat@marcos:~(master)$ swaks -t anarcat@torproject.org --tls
=== Trying eugeni.torproject.org:25...
=== Connected to eugeni.torproject.org.
<-  220 eugeni.torproject.org ESMTP Postfix (Debian/GNU)
 -> EHLO marcos.anarc.at
<-  250-eugeni.torproject.org
<-  250-PIPELINING
<-  250-SIZE 10240000
<-  250-ETRN
<-  250-STARTTLS
<-  250-ENHANCEDSTATUSCODES
<-  250-8BITMIME
<-  250-DSN
<-  250 SMTPUTF8
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/ST=Klatch/L=Al Khali/O=torproject.org/OU=auto-CA/CN=eugeni.torproject.org/emailAddress=hostmaster@eugeni.torproject.org"
 ~> EHLO marcos.anarc.at
<~  250-eugeni.torproject.org
<~  250-PIPELINING
<~  250-SIZE 10240000
<~  250-ETRN
<~  250-ENHANCEDSTATUSCODES
<~  250-8BITMIME
<~  250-DSN
<~  250 SMTPUTF8
 ~> MAIL FROM:<anarcat@marcos.anarc.at>
<~  250 2.1.0 Ok
 ~> RCPT TO:<anarcat@torproject.org>
<~  250 2.1.5 Ok
 ~> DATA
<~  354 End data with <CR><LF>.<CR><LF>
 ~> Date: Wed, 11 Mar 2020 16:56:14 -0400
 ~> To: anarcat@torproject.org
 ~> From: anarcat@marcos.anarc.at
 ~> Subject: test Wed, 11 Mar 2020 16:56:14 -0400
 ~> Message-Id: <20200311165614.001066@marcos.anarc.at>
 ~> X-Mailer: swaks v20181104.0 jetmore.org/john/code/swaks/
 ~> 
 ~> This is a test mailing
 ~> 
 ~> 
 ~> .
<~  250 2.0.0 Ok: queued as 09C26E0D2B
 ~> QUIT
<~  221 2.0.0 Bye
=== Connection closed with remote host.
anarcat@marcos:~(master)$ 

relevant line:

=== TLS peer DN="/ST=Klatch/L=Al Khali/O=torproject.org/OU=auto-CA/CN=eugeni.torproject.org/emailAddress=hostmaster@eugeni.torproject.org"
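As an added example (not from the ticket), a client-side STARTTLS probe that separates the three hypotheses raised in this thread: no answer on port 25 (firewall), no common cipher suite, or a certificate that a CA-verifying client rejects, which is what a strict peer sees when eugeni presents its auto-CA certificate. The host name passed to the probe and the exception messages used for classification are assumptions.

```python
import smtplib
import socket
import ssl

def classify_starttls_failure(exc):
    """Map an exception from connect/EHLO/STARTTLS to the thread's hypotheses:
    firewall (no answer), cipher/protocol mismatch, untrusted certificate, or a
    peer that drops the connection mid-handshake."""
    text = str(exc).lower()
    if isinstance(exc, ssl.SSLCertVerificationError):   # subclass of SSLError, test first
        return "certificate rejected by a CA-verifying client: " + text
    if isinstance(exc, ssl.SSLError):
        if "handshake failure" in text or "no shared cipher" in text or "alert" in text:
            return "TLS handshake failed, likely no common cipher suite or protocol"
        return "TLS error: " + text
    if isinstance(exc, ConnectionResetError):
        return "connection reset by peer during handshake"
    if isinstance(exc, (socket.timeout, ConnectionRefusedError, OSError)):
        return "no usable answer on port 25, check firewalls and routing"
    return "unexpected: " + repr(exc)

def probe_starttls(host, port=25, timeout=15, verify=True):
    """Connect, EHLO, STARTTLS and report the negotiated suite. With verify=True a
    self-signed or privately signed server certificate is reported as a failure,
    which is what a peer that insists on a public CA would see."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE   # look at the handshake, not the trust chain
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            name, proto, bits = smtp.sock.cipher()
            return {"ok": True, "protocol": proto, "cipher": name, "bits": bits}
    except (OSError, smtplib.SMTPException) as exc:   # SSLError is an OSError
        return {"ok": False, "diagnosis": classify_starttls_failure(exc)}

if __name__ == "__main__":
    # Run both ways: strict first (trust chain), then relaxed (cipher and protocol only).
    print(probe_starttls("eugeni.torproject.org"))
    print(probe_starttls("eugeni.torproject.org", verify=False))
```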