Re: IETF mail server and SSLv3
"John Levine" <johnl@taugh.com> Fri, 05 February 2016 21:11 UTC
>The issue at hand is whether or not to disable the use of old ciphersuites in
>the IETF's use of STARTTLS in SMTP. Irrespective of the reasons we have for
>doing that, John's point was and is that it can have an adverse effect on our
>ability to reach everyone who wants to participate.

Has anyone looked at the logs to see how much SSL3 there actually is?

In my logs, which are doubtless not representative of anyone but they're
what I've got, here's what I see for the past six weeks of starttls on my
IPv4 server:

  22617 TLS1.2/X.509/AEAD
  16791 TLS1.0/X.509/SHA1
   2526 TLS1.2/X.509/SHA256
   2069 TLS1.2/X.509/SHA384
   1058 TLS1.2/X.509/SHA1
    339 TLS1.1/X.509/SHA1
    232 SSL3.0/X.509/SHA1
    147 TLS1.0/X.509/MD5
      8 TLS1.0/X.509/SHA256

And here's the past year on my lower volume IPv6 server:

 130886 TLS1.2/X.509/AEAD
  44172 TLS1.0/X.509/SHA1
   6610 TLS1.2/X.509/SHA1
   1485 TLS1.1/X.509/SHA1
    259 TLS1.2/X.509/SHA384

(The much higher numbers are mostly because gmail sends all their mail to
me over IPv6 with TLS.)

I was surprised to see 237 SSL3 connections, so I looked at the ones in
the past day, all of which are from two servers on a network in Turkey
running ancient versions of Merak, and trying to send me spam. One is
sending spam from the bogus domain globalconferences.org (no A, AAAA, or
MX record) presumably for fake conferences.

So at least here, rejecting SSL3 would only block a little spam. What do
other people see?

R's,
John
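One way to answer the "has anyone looked at the logs" question on a Postfix MX, as an added example that is not part of the original post or of any project it mentions: tally STARTTLS sessions per negotiated protocol and list which client IPs would be cut off by refusing SSLv3. The smtpd log format is assumed to be Postfix's "TLS connection established" line and the sample lines are constructed, not real traffic.

```python
import re
from collections import Counter

# Assumed Postfix smtpd log format:
#   ... Anonymous TLS connection established from host[ip]: TLSv1.2 with cipher X (bits)
TLS_RE = re.compile(
    r"TLS connection established from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>SSLv3|TLSv1(?:\.[123])?) with cipher (?P<cipher>\S+)"
)

# Constructed sample log, not real data (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Feb  5 13:11:07 mx postfix/smtpd[1001]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  5 13:12:01 mx postfix/smtpd[1002]: Anonymous TLS connection established from mail-b.example.org[198.51.100.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Feb  5 13:12:44 mx postfix/smtpd[1003]: Anonymous TLS connection established from unknown[203.0.113.5]: SSLv3 with cipher AES128-SHA (128/128 bits)
Feb  5 13:13:10 mx postfix/smtpd[1004]: Anonymous TLS connection established from unknown[203.0.113.5]: SSLv3 with cipher AES128-SHA (128/128 bits)
Feb  5 13:14:22 mx postfix/smtpd[1005]: Anonymous TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  5 13:15:00 mx postfix/smtpd[1006]: Anonymous TLS connection established from unknown[203.0.113.9]: SSLv3 with cipher DES-CBC3-SHA (168/168 bits)
Feb  5 13:15:30 mx postfix/smtpd[1007]: disconnect from mail-c.example.com[192.0.2.77]
"""


def tally(log_text):
    """Return (sessions per protocol, SSLv3 sessions per client IP)."""
    by_proto = Counter()
    sslv3_clients = Counter()
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if not m:
            continue  # not a TLS handshake line (plain disconnect, etc.)
        by_proto[m["proto"]] += 1
        if m["proto"] == "SSLv3":
            sslv3_clients[m["ip"]] += 1
    return by_proto, sslv3_clients


def sslv3_share(by_proto):
    """Fraction of TLS sessions that negotiated SSLv3 (0.0 when there are none)."""
    total = sum(by_proto.values())
    return by_proto["SSLv3"] / total if total else 0.0


if __name__ == "__main__":
    protos, clients = tally(SAMPLE_LOG)
    for proto, n in protos.most_common():
        print(f"{n:6d} {proto}")
    print(f"SSLv3 share: {sslv3_share(protos):.1%}")
    print("SSLv3 clients that would be refused:", dict(clients))
```

Run against a real mail log (or `journalctl -u postfix`) the per-IP list is the part worth reading: as in the post above, a handful of hosts usually account for all of the SSLv3.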