After much worrying non-communication, IBM came out with the initial POODLE for SSL patch and then the POODLE for TLS patch.
These were timely and clean fixes - thank you IBM for these.
However, we've noticed an issue with the impact these fixes have on SMTP traffic.
The issue is that the POODLE fixes completely drop support for SSLv2, which on one level is fine - SSLv2 is insecure. But there's a more subtle issue caused by completely dropping SSLv2 support:
According to various SSL/TLS RFCs (RFC 2246, RFC 6176), the opening HELLO may be received even if it's SSLv2, and then a renegotiation process must be run to upgrade the communication to an agreed, higher level.
Why is this a problem? Because there are a LARGE number of SMTP hosts that try to connect with an SSLv2-signed initial connection and Domino shuts them down. And NO mail gets received by Domino (REMINDER: Domino is a mail server, among its many other roles).
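The distinction at issue is between the framing of the opening HELLO and the protocol version it offers. The sketch below is an added example, not code from this post or from IBM; the function names and the TLS 1.0 minimum are assumptions, and the sample bytes are constructed rather than captured.

```python
import struct

NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
         (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
MIN_VERSION = (3, 1)  # assumed server policy: nothing below TLS 1.0

def classify_hello(data: bytes) -> dict:
    """Separate the framing of a ClientHello from the version it offers."""
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 2-byte header (high bit set, 15-bit length), then
        # msg type 1, the offered version and three 16-bit length fields.
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        ciphers, sid, chal = struct.unpack(">HHH", data[5:11])
        if ciphers % 3 or rec_len != 9 + ciphers + sid + chal:
            return {"framing": "malformed", "offered": None, "accept": False}
        framing, offered = "sslv2-hello", (data[3], data[4])
    elif len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # TLS framing: 5-byte record header, 4-byte handshake header,
        # then client_version.
        framing, offered = "tls-record", (data[9], data[10])
    else:
        return {"framing": "unknown", "offered": None, "accept": False}
    # The decision depends on the offered version, not on the framing.
    return {"framing": framing, "offered": NAMES.get(offered, "unknown"),
            "accept": offered >= MIN_VERSION}

def v2_hello(version: tuple, n_ciphers: int = 1) -> bytes:
    """Build a constructed SSLv2-framed CLIENT-HELLO for the demo."""
    ciphers = bytes([0x00, 0x00, 0x2F]) * n_ciphers
    challenge = bytes(16)
    body = (bytes([0x01, *version]) + struct.pack(">HHH", len(ciphers), 0, 16)
            + ciphers + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

# Constructed samples, not captured traffic.
SAMPLES = {
    "v2 framing, offers TLS 1.0": v2_hello((3, 1)),
    "v2 framing, offers SSLv2": v2_hello((0, 2)),
    "v2 framing, offers SSLv3": v2_hello((3, 0)),
    "TLS record, offers TLS 1.2 (prefix only)":
        bytes([0x16, 3, 1, 0, 0x2F, 0x01, 0, 0, 0x2B, 3, 3]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:45} -> {classify_hello(raw)}")
```

A server that rejects on framing alone turns away the first sample, even though that client is offering TLS 1.0.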
This issue has been raised and pushed by Mark Gottschalk and others - go read that thread. Historically IBM prided itself on providing robust, secure solutions. We're not seeing that here.
SMTP inbound TLS on Domino is incomplete/broken as currently offered. It only satisfies a lawyer's interpretation of 'we have given the clients a solution to the problem', and cannot be used for inbound SMTP by organizations in the real world without the risk of rejecting significant legitimate mail.
- Mr. Gottschalk
Wonder what some mailcontrol.com user is trying to send me? *sigh* I'll never know.
[0468:000A-17CC] 01/15/2015 07:54:23 AM SMTP Server: cluster-a.mailcontrol.com (18.104.22.168) connected
[0468:000A-0FA8] 01/15/2015 07:54:23.44 AM SMTP CITask StateMachine> Received 30 bytes from 22.214.171.124
[0468:000A-17CC] 01/15/2015 07:54:23.44 AM SMTP CITask StateMachine> Sent 182 bytes to 126.96.36.199
[0468:000A-17CC] 01/15/2015 07:54:23.57 AM SMTP CITask StateMachine> Received 8 bytes from 188.8.131.52
[0468:000A-0FA8] 01/15/2015 07:54:23.57 AM SMTP CITask StateMachine> Sent 24 bytes to 184.108.40.206
[0468:000A-0FA8] 01/15/2015 07:54:23 AM SMTP Server: cluster-a.mailcontrol.com (220.127.116.11) disconnected. 0 message[s] received
Craig Wiseman January 15th, 2015 09:12:21 AM