[Secure-testing-team] Bug#770929: bugs.debian.org: TLS handshaking fails (cf. #707049 archived)

Gaetan RYCKEBOER gaetan at ryckeboer.org
Tue Nov 25 09:56:00 UTC 2014


Package: bugs.debian.org
Severity: important
Tags: security

When sending a bug, the mail gets sent to the MX bugs-master.debian.org.  The 
service handling port 25 on that box has a TLS cert with CN=buxtehude.debian.org.

AFAICT there also is no subAltName extension for bugs-master.debian.org.

There seems to be a problem establishing secure connections for SMTP transfer.


Nov 25 10:26:02 greedo sm-mta[17032]: STARTTLS=client, error: connect failed=-1, SSL_error=5, errno=104, retry=-1
Nov 25 10:26:02 greedo sm-mta[17032]: ruleset=tls_server, arg1=SOFTWARE, relay=buxtehude.debian.org, reject=403 4.7.0 TLS handshake failed.
Nov 25 10:26:02 greedo sm-mta[17032]: sALEe9rf025810: to=<submit at bugs.debian.org>, delay=3+18:45:52, xdelay=00:00:10, mailer=esmtp, pri=49203754, relay=buxteh.
Nov 25 10:26:09 greedo sm-mta[17055]: sAP9Q64s017055: [137.116.204.56] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA4-v4

libgnutls26 : 2.12.20-8+deb7u2 0

The only workaround (for sendmail) is to add a TLS disable specifically for buxtehude in the /etc/mail/access map:
Try_TLS:buxtehude.debian.org    NO

But it is a workaround, as the main security issue is not solved by disabling security…

-- System Information:
Debian Release: 7.5
Architecture: armhf (armv6l)

Kernel: Linux 3.12.22+ (PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
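
Added example, not part of the original report: a Python script that pairs sendmail's STARTTLS=client error lines with the matching ruleset=tls_server reject lines by sm-mta PID, so an operator can see which relays fail the outbound TLS handshake. The function name tls_failures and the third sample log line are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the first two lines reuse the log format quoted in
# the report; the third (different relay and PID) is made up for contrast.
SAMPLE_LOG = """\
Nov 25 10:26:02 greedo sm-mta[17032]: STARTTLS=client, error: connect failed=-1, SSL_error=5, errno=104, retry=-1
Nov 25 10:26:02 greedo sm-mta[17032]: ruleset=tls_server, arg1=SOFTWARE, relay=buxtehude.debian.org, reject=403 4.7.0 TLS handshake failed.
Nov 25 10:27:40 greedo sm-mta[17101]: STARTTLS=client, relay=mx.example.org., version=TLSv1/SSLv3, verify=OK, cipher=AES256-SHA, bits=256/256
"""

PREFIX = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) sm-mta\[(\d+)\]: (.*)$")
CLIENT_ERR = re.compile(r"STARTTLS=client, error: .*?SSL_error=(\d+), errno=(\d+)")
REJECT = re.compile(r"ruleset=tls_server, .*?relay=([^,\s]+), reject=(\d{3}) (\S+) (.*)$")

def tls_failures(log_text):
    """Return {relay: [failure dict, ...]} for outbound STARTTLS failures."""
    pending = {}                  # pid -> (SSL_error, errno) awaiting its reject line
    by_relay = defaultdict(list)
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue              # not an sm-mta line
        when, _host, pid, msg = m.groups()
        err = CLIENT_ERR.search(msg)
        if err:
            # On Linux errno=104 is ECONNRESET: the peer dropped the connection.
            pending[pid] = (int(err.group(1)), int(err.group(2)))
            continue
        rej = REJECT.search(msg)
        if rej:
            ssl_error, errno_ = pending.pop(pid, (None, None))
            by_relay[rej.group(1).rstrip(".")].append({
                "time": when, "pid": int(pid),
                "smtp": rej.group(2), "dsn": rej.group(3),
                "ssl_error": ssl_error, "errno": errno_,
            })
    return dict(by_relay)

if __name__ == "__main__":
    for relay, events in tls_failures(SAMPLE_LOG).items():
        last = events[-1]
        print(f"{relay}: {len(events)} failed handshake(s), last at {last['time']}, "
              f"SSL_error={last['ssl_error']} errno={last['errno']}")
```

A relay that shows up here repeatedly is one to check for a certificate or protocol mismatch before reaching for a per-host Try_TLS exception.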
