only search Wiseman.La

The World NEXT ends 


After much worrying non-communication, IBM came out with the initial POODLE for SSL patch and then the POODLE for TLS patch.

These were timely and clean fixes - thank you IBM for these.


However, we've noticed an issue with the impact these fixes have on SMTP traffic.


The issue is that the POODLE fixes completely drop support for
SSLv2, which on one level is fine - SSLv2 is insecure. But there's a more subtle issue caused by completely dropping SSLv2 support:
According to various SSL/TLS RFCs (rfc
2246)(rfc6176), the opening HELLO may be received even it it's SSLv2 and then a re-negotiate process must be run to upgrade the communication to an agreed, higher level.

Why is this a problem? Because there are a LARGE number of SMTP hosts that try to connect with an SSLv2-signed initial connection and Domino shuts them down. And NO mail gets received by Domino
(REMINDER: Domino is a mail server, among its many other roles).


This issue has been
raised and pushed by Mark Gottschalk and others - go read that thread. Historically IBM prided itself on providing robust, secure solutions. We're not seeing that here.

SMTP inbound TLS on Domino is incomplete/broken as currently offered.  It only satisfies a lawyer's interpretation of 'we have given the clients a solution to the problem', and cannot be used for inbound SMTP by organizations in the real world without the risk of rejecting significant legitimate mail.
- Mr. Gottschalk


Wonder what some mailcontrol.com user is tring to send me? *sigh* I'll never know.


[0468:000A-17CC] 01/15/2015 07:54:23 AM  SMTP Server: cluster-a.mailcontrol.com (85.115.52.190) connected

[0468:000A-0FA8] 01/15/2015 07:54:23.44 AM SMTP CITask StateMachine> Received 30 bytes from 85.115.52.190

[0468:000A-17CC] 01/15/2015 07:54:23.44 AM SMTP CITask StateMachine> Sent 182 bytes to 85.115.52.190

[0468:000A-17CC] 01/15/2015 07:54:23.57 AM SMTP CITask StateMachine> Received 8 bytes from 85.115.52.190

[0468:000A-0FA8] 01/15/2015 07:54:23.57 AM SMTP CITask StateMachine> Sent 24 bytes to 85.115.52.190

[0468:000A-0FA8] 01/15/2015 07:54:23 AM  SMTP Server: cluster-a.mailcontrol.com (85.115.52.190) disconnected. 0 message[s] received

Comments (2)
Craig Wiseman January 15th, 2015 09:12:21 AM

 Comments
1) IBM’s POODLE TLS fixes for Domino, while timely (thanks!) breaks SMTP email connectivity (BAD,BAD)
Gavin Bollard http://dominogavin.blogspot.com 1/17/2015 5:09:42 PM

Ok, Now I see why this issue doesn't affect us. Our domino server ONLY talks SMTP to our web filtering service (which is obviously ok about the whole HELO thing).

All other SMTP connections to and from our mail system occur on the other side of the mail filter (effectively outside of our control).

2) IBM’s POODLE TLS fixes for Domino, while timely (thanks!) breaks SMTP email connectivity (BAD,BAD)
Craig Wiseman 1/17/2015 10:25:19 PM

Yep, you're right.

If you have some other service or device receiving your email first and then relaying it to Domino, and that vendor has taken the time *and care* to actually maintain the security stack of their product, you won't see the issue.


Discussion for this entry is now closed.