FreeNAS 9.3 - Available TLS protocols for smtp

Status
Not open for further replies.

xenu

Dabbler
Joined
Nov 12, 2015
Messages
43
Hello,

I just got done building my first NAS and wanted to set up Email reporting. I run my own mailserver and had to enable TLS v1.0 to get FreeNAS to connect. Is there no support for v1.1 or v1.2 or did I miss some setting?

This is my mailserver log with TLS1 enabled:
Code:
Anonymous TLS connection established from ip-xx-xx-xx-xx.unity-media.net[xx.xx.xx.xx]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)


This is my mailserver log with only TLS1.1 & TLS1.2 allowed:
Code:
SSL_accept error from ip-xx-xx-xx-xx.unity-media.net[xx.xx.xx.xx]: -1
warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:

And this is the FreeNAS maillog for the failed connection:
Code:
Nov 26 10:45:55 freenas freenas[2612]: Traceback (most recent call last):
Nov 26 10:45:55 freenas freenas[2612]:   File "/usr/local/www/freenasUI/../freenasUI/common/system.py", line 182, in send_mail
Nov 26 10:45:55 freenas freenas[2612]:     local_hostname=local_hostname)
Nov 26 10:45:55 freenas freenas[2612]:   File "/usr/local/lib/python2.7/smtplib.py", line 781, in __init__
Nov 26 10:45:55 freenas freenas[2612]:     SMTP.__init__(self, host, port, local_hostname, timeout)
Nov 26 10:45:55 freenas freenas[2612]:   File "/usr/local/lib/python2.7/smtplib.py", line 251, in __init__
Nov 26 10:45:55 freenas freenas[2612]:     (code, msg) = self.connect(host, port)
Nov 26 10:45:55 freenas freenas[2612]:   File "/usr/local/lib/python2.7/smtplib.py", line 311, in connect
Nov 26 10:45:55 freenas freenas[2612]:     self.sock = self._get_socket(host, port, self.timeout)
Nov 26 10:45:55 freenas freenas[2612]:   File "/usr/local/lib/python2.7/smtplib.py", line 787, in _get_socket
Nov 26 10:45:55 freenas freenas[2612]:     new_socket = ssl.wrap_socket(new_socket, self.keyfile, self.certfile)
Nov 26 10:45:55 freenas freenas[2612]:   File "/usr/local/lib/python2.7/ssl.py", line 392, in wrap_socket
Nov 26 10:45:55 freenas freenas[2612]:     ciphers=ciphers)
Nov 26 10:45:55 freenas freenas[2612]:   File "/usr/local/lib/python2.7/ssl.py", line 148, in __init__
Nov 26 10:45:55 freenas freenas[2612]:     self.do_handshake()
Nov 26 10:45:55 freenas freenas[2612]:   File "/usr/local/lib/python2.7/ssl.py", line 310, in do_handshake
Nov 26 10:45:55 freenas freenas[2612]:     self._sslobj.do_handshake()
Nov 26 10:45:55 freenas freenas[2612]: error: [Errno 54] Connection reset by peer


Thanks for your help and for FreeNAS. I still have a lot of reading to do and this forum is invaluable.
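Two checks a practitioner would want after reading the log excerpts above, as an added example that is not FreeNAS code and not part of the original post: a small scanner over Postfix "TLS connection established" / "SSL_accept error" lines that reports peers still negotiating anything below a chosen floor, and a helper that builds the TLS context a Python 3.7+ `smtplib` client should use so it offers TLS 1.2 or newer with certificate verification on (the traceback in the post is Python 2.7's `smtplib` calling `ssl.wrap_socket`, which predates `SSLContext.minimum_version`). The log lines are constructed from the ones quoted in the thread plus one invented TLSv1.2 peer (`mx.example.org`); `send_report` is an assumed name and talks to a real server, so it is not exercised offline.

```python
import re
import smtplib
import ssl
from email.message import EmailMessage

# Postfix logs a successful handshake as
#   "<trust> TLS connection established from|to host[ip](:port): <proto> with cipher <name> (<bits>/<bits> bits)"
TLS_LINE = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established "
    r"(?P<dir>from|to) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>\d+)/\d+ bits\)"
)
# A failed inbound (SSL_accept) or outbound (SSL_connect) handshake.
HANDSHAKE_ERROR = re.compile(r"SSL_(?:accept|connect) error (?:from|to) (?P<host>[^\[\s]+)\[")

# Ordering used to decide what counts as "below the floor".
PROTOCOL_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Constructed sample: the thread's lines with a syslog prefix added, plus one TLSv1.2 peer.
SAMPLE_LOG = [
    "Nov 26 10:45:55 mail postfix/smtpd[1234]: Anonymous TLS connection established from "
    "ip-xx-xx-xx-xx.unity-media.net[xx.xx.xx.xx]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Nov 26 10:46:01 mail postfix/smtpd[1234]: Trusted TLS connection established from "
    "mx.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Nov 26 10:46:07 mail postfix/smtpd[1234]: SSL_accept error from "
    "ip-xx-xx-xx-xx.unity-media.net[xx.xx.xx.xx]: -1",
    "Nov 26 10:46:07 mail postfix/smtpd[1234]: warning: TLS library problem: "
    "error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:647:",
]


def parse_tls_line(line):
    """Return the fields of a Postfix TLS-established line, or None for any other line."""
    m = TLS_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bits"] = int(rec["bits"])
    return rec


def find_legacy_tls(lines, minimum="TLSv1.2"):
    """List (host, protocol, cipher) for every handshake that negotiated below `minimum`."""
    floor = PROTOCOL_RANK[minimum]
    hits = []
    for line in lines:
        rec = parse_tls_line(line)
        if rec and PROTOCOL_RANK.get(rec["proto"], -1) < floor:
            hits.append((rec["host"], rec["proto"], rec["cipher"]))
    return hits


def count_handshake_failures(lines):
    """Number of SSL_accept/SSL_connect errors; a rise after tightening the floor points at legacy clients."""
    return sum(1 for line in lines if HANDSHAKE_ERROR.search(line))


def make_mail_tls_context(cafile=None):
    """Client context for smtplib: TLS 1.2 floor, CA verification and hostname check on."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx):
    """Plain-string summary of the settings that matter, for logging or assertions."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def send_report(host, port, sender, recipient, subject, body, implicit_tls=False, cafile=None):
    """Send one message over STARTTLS (or implicit TLS on e.g. port 465) using the hardened context."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, subject
    msg.set_content(body)
    ctx = make_mail_tls_context(cafile)
    if implicit_tls:
        with smtplib.SMTP_SSL(host, port, context=ctx, timeout=30) as smtp:
            smtp.send_message(msg)
    else:
        with smtplib.SMTP(host, port, timeout=30) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            smtp.ehlo()
            smtp.send_message(msg)


if __name__ == "__main__":
    print("below TLSv1.2:", find_legacy_tls(SAMPLE_LOG))
    print("handshake failures:", count_handshake_failures(SAMPLE_LOG))
    print("client context:", describe_context(make_mail_tls_context()))
```

Running the scanner over a real `/var/log/maillog` before raising the server's floor tells you which peers will break; running it afterwards, together with the failure count, confirms whether anything still needs the old protocol.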
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
I'm guessing that FreeNAS uses some random python smtp transmission library.

<switching on Postmaster hat>

So I'm just curious, why wouldn't you have TLS 1.0 support? Mail servers need to be fairly permissive because there are so many different things that've been implemented out on the Internet. Many sites have weak ciphers or crap certificates. The only place it might make sense to disable TLS 1.0 would seem to be something like an MSA role, but in that situation you can just as easily make sure that your clients are configured for it.
 

xenu

Dabbler
Joined
Nov 12, 2015
Messages
43
First off "Thanks" for your guides jgreco. I just started your "Hard Drive Burn-In Testing" guide after 24 hours (>10 passes) of memtest86+ (though you would probably say that is not enough :)).

To be honest: I only set up this mail server to learn about them and how they work (SSL vs STARTTLS, DKIM, SPF, DMARC). Many people recommend against running your own mailserver (I might be an example of why that is) but I am mostly using it for internal purposes (homelab reporting). I had "TLS v1 has known vulnerabilities" stuck in the back of my head so I just disabled it. BEAST, CRIME, etc. only seem to affect HTTPS, though, as I just looked up. So far all my other tools supported TLS > 1.0, which is why I didn't give it any more thought. Thanks for making me look into it again!
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Well, I'm an Internet old-timer, and ran (/still run) one of the very first places in the city here where the public could get access to stuff like e-mail.

Running your own mail server has its ups and downs. The technical part of "put up :25" isn't that rough, but it's all the extraneous crap that's a pain. There's not a huge amount of value to encryption at the MTA transit level, because most other sites do it halfway, not at all, wrong, weakly, etc. Things like validation of certificates are much worse than the Web side of things, and many sites just don't, and it's probably better to assume that some TLA is reading your e-mail anyways.

The real hard part is all the crap and spam, and keeping a decent spam filtering setup working well, and then maybe a reasonable webmail gateway, lots of work. I can see why people don't want to run mail servers anymore, but on the flip side, I just cannot bring myself to outsource basic infrastructure to some random third party. A lot of people picture cloud computing as unicorns farting rainbows, but the actual reality is that all you're doing is outsourcing your problems to someone else to run on their servers, with an unknown amount of competence, lord only knows what business plan, and what happens when their business priorities change and they shutter it? By comparison, the mail spool here has been continuously in service since before the Death of the Internet We All Loved. Saw Hotmail come and go. Saw MySpace come and go. Etc.

So I'm very much in favor of you experimenting and learning the technology. We need fewer massive mail services and more end user mail servers.
 