So recently I changed my mail server over to postfix, this not that long after I ranted about e-mail security with plusnet. It turns out this has led to an interesting problem. So SSL settings were set pretty strictly on the smtps port, so only strong TLSv1.2 ciphers were available. On the smtp port I was a little more permissive, as long as it was TLSv1.2 it would accept even very weak ciphers (well a weak cipher is better than no cipher at all, and I was accepting mail that didn't use the starttls command) and everything was good. Accept that it turns out emails coming from Plusnet's mail servers was failing, they would connect, try to starttls, not like any of the ciphers and fail, breaking the connection. Once they tried again they didn't remember that starttls didn't work so they tried again. Until the mail timed out, and was bounced. So I've had to make the setting even more permissive, as getting emails from people I know on plusnet (like my Father for example) is sort of important.

posted at 04:44:47 PM on 21 Feb 2017 by Craig Stewart

Tags:not-good-enough fail rant email security sysadmin