[stunnel-users] Exchange Online - SSLv3 and Sophos UTM 120 firewall update

Stephen Hogan shogan at mila.ie
Wed Oct 29 15:44:01 CET 2014


Hi everyone,


I have been working on defending against the POODLE bug for the past couple of weeks, and at the same time I have a Sophos UTM 120 firewall just installed, whereby this update popped up over the weekend:


[image: screenshot of the firewall update notification; the attachment pastedImage.png was scrubbed from the archive]


With the new firewall installed, I was having a lot of issues connecting to Exchange Online using Stunnel 5.06 with the following config:


# GLOBAL OPTIONS
client = yes
output = stunnel-log.txt
debug = 7
taskbar = yes


# SERVICE-LEVEL OPTIONS

[SMTP Outgoing]
#Accept connections on port 25 and send to Exchange Online on port 587 over TLS
accept = 25
connect = smtp.office365.com:587
protocol = smtp


... when I realised that the smtp.office365.com was not supposed to be configured as a DNS Host, but instead should have been a DNS Group within the firewall. There are additional IPs for Exchange Online that MS published, and I included these in the firewall configuration.

However, I spotted the following in stunnel's logs for a typical email being sent via the relay (highlighted in yellow):

2014.10.28 14:35:54 LOG7[4436]: Service [SMTP Outgoing] accepted (FD=476) from 127.0.0.1:61819
2014.10.28 14:35:54 LOG7[4436]: Creating a new thread
2014.10.28 14:35:54 LOG7[4436]: New thread created
2014.10.28 14:35:54 LOG7[4156]: Service [SMTP Outgoing] started
2014.10.28 14:35:54 LOG5[4156]: Service [SMTP Outgoing] accepted connection from 127.0.0.1:61819
2014.10.28 14:35:54 LOG6[4156]: s_connect: connecting 132.245.226.18:587
2014.10.28 14:35:54 LOG7[4156]: s_connect: s_poll_wait 132.245.226.18:587: waiting 10 seconds
2014.10.28 14:35:54 LOG5[4156]: s_connect: connected 132.245.226.18:587
2014.10.28 14:35:54 LOG5[4156]: Service [SMTP Outgoing] connected remote server from 192.168.200.104:61820
2014.10.28 14:35:54 LOG7[4156]: Remote socket (FD=488) initialized
2014.10.28 14:35:54 LOG7[4156]:  <- 220 DB4PR03CA0002.outlook.office365.com Microsoft ESMTP MAIL Service ready at Tue, 28 Oct 2014 14:35:54 +0000
2014.10.28 14:35:54 LOG7[4156]:  -> 220 DB4PR03CA0002.outlook.office365.com Microsoft ESMTP MAIL Service ready at Tue, 28 Oct 2014 14:35:54 +0000
2014.10.28 14:35:54 LOG7[4156]:  -> EHLO localhost
2014.10.28 14:35:55 LOG7[4156]:  <- 250-DB4PR03CA0002.outlook.office365.com Hello [87.198.240.73]
2014.10.28 14:35:55 LOG7[4156]:  <- 250-SIZE 78643200
2014.10.28 14:35:55 LOG7[4156]:  <- 250-PIPELINING
2014.10.28 14:35:55 LOG7[4156]:  <- 250-DSN
2014.10.28 14:35:55 LOG7[4156]:  <- 250-ENHANCEDSTATUSCODES
2014.10.28 14:35:55 LOG7[4156]:  <- 250-STARTTLS
2014.10.28 14:35:55 LOG7[4156]:  <- 250-8BITMIME
2014.10.28 14:35:55 LOG7[4156]:  <- 250-BINARYMIME
2014.10.28 14:35:55 LOG7[4156]:  <- 250 CHUNKING
2014.10.28 14:35:55 LOG7[4156]:  -> STARTTLS
2014.10.28 14:35:55 LOG7[4156]:  <- 220 2.0.0 SMTP server ready
2014.10.28 14:35:55 LOG6[4156]: SNI: sending servername: smtp.office365.com
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): before/connect initialization
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client hello A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server hello A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server certificate A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server key exchange A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server certificate request A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server done A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client certificate A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client key exchange A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write change cipher spec A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write finished A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 flush data
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read finished A
2014.10.28 14:35:55 LOG7[4156]:   80 items in the session cache
2014.10.28 14:35:55 LOG7[4156]:  335 client connects (SSL_connect())
2014.10.28 14:35:55 LOG7[4156]:  335 client connects that finished
2014.10.28 14:35:55 LOG7[4156]:    0 client renegotiations requested
2014.10.28 14:35:55 LOG7[4156]:    0 server connects (SSL_accept())
2014.10.28 14:35:55 LOG7[4156]:    0 server connects that finished
2014.10.28 14:35:55 LOG7[4156]:    0 server renegotiations requested
2014.10.28 14:35:55 LOG7[4156]:    0 session cache hits
2014.10.28 14:35:55 LOG7[4156]:    0 external session cache hits
2014.10.28 14:35:55 LOG7[4156]:    0 session cache misses
2014.10.28 14:35:55 LOG7[4156]:    0 session cache timeouts
2014.10.28 14:35:55 LOG6[4156]: SSL connected: new session negotiated
2014.10.28 14:35:55 LOG6[4156]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)
2014.10.28 14:35:55 LOG6[4156]: Compression: null, expansion: null
2014.10.28 14:35:58 LOG6[4156]: Read socket closed (readsocket)
2014.10.28 14:35:58 LOG7[4156]: Sending close_notify alert
2014.10.28 14:35:58 LOG7[4156]: SSL alert (write): warning: close notify
2014.10.28 14:35:58 LOG6[4156]: SSL_shutdown successfully sent close_notify alert
2014.10.28 14:35:58 LOG6[4156]: SSL socket closed (SSL_read)
2014.10.28 14:35:58 LOG7[4156]: Sent socket write shutdown
2014.10.28 14:35:58 LOG5[4156]: Connection closed: 22332 byte(s) sent to SSL, 615 byte(s) sent to socket
2014.10.28 14:35:58 LOG7[4156]: Remote socket (FD=488) closed
2014.10.28 14:35:58 LOG7[4156]: Local socket (FD=476) closed
2014.10.28 14:35:58 LOG7[4156]: Service [SMTP Outgoing] finished (0 left)


Note that the emails are being generated on the same server (Windows Server 2008 R2, hosted on Hyper-V).

I have a basic (shaky) understanding that the "handshake" for TLS does downgrade to SSLv3 if newer versions of TLS fail, but I am wondering if I apply the update recommended on the firewall, will this cut the communication for the SMTP relay, the way I am using it?

However, I also see the TLSv1 ciphersuite being negotiated.

Are there any other settings that I should be using in the .conf file? (I adapted a configuration from MessageOps a few years back.)

Is this something I need to sort out with Microsoft's Office365 team?

Maybe it's my lack of understanding of the log, but I thought I'd check with you guys first that the log file generated as above is OK (or not!).


Thanks for taking the time out to read this, and apologies for all the yellow. ;)


Regards,
Stephen


________________________________

Stephen Hogan   |   System Administrator   |   Mila Limited
Kilbarrack Industrial Estate, Kilbarrack, Dublin 5, IRELAND
Tel: +353 (0)1 839 0402   |   Fax: +353 (0)1 839 0589
Email: shogan at mila.ie   |   Web: www.mila.ie

Company Reg. No. 143406. Registered address: 24/26 City Quay, Dublin 2, Ireland.


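An added example, not from the original post and not the stunnel project's own code: a small Python script that parses stunnel debug-level log lines like the ones in the post and reports, per connection, the protocol version that was actually negotiated. The "SSL state (connect): SSLv3 ..." lines are OpenSSL's handshake state names, which carry the "SSLv3" prefix for every SSL3/TLS handshake regardless of the version in use; the line that records the real outcome is "Negotiated TLSv1 ciphersuite ...", so a log-based check has to key on that line. The sample log lines are constructed from the post's own output for thread [4156] plus a constructed thread [4201] that did negotiate SSLv3 so the check has something to flag. The config checker recognises stunnel's documented `options = NO_SSLv3` and `sslVersion` directives but is a simplified parser (it ignores section scoping and precedence), and the hardened config fragment is an assumption added here, not a configuration taken from the post.

```python
"""Report the negotiated TLS/SSL version per stunnel connection, and check a
stunnel config for the directives that disable SSLv3.  Added example."""
import re

# Constructed sample: thread [4156] is copied from the post (it negotiated
# TLSv1 despite the "SSLv3 ..." state labels); thread [4201] is a constructed
# counter-example that really negotiated SSLv3.
SAMPLE_LOG = """\
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 write client hello A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read server hello A
2014.10.28 14:35:55 LOG7[4156]: SSL state (connect): SSLv3 read finished A
2014.10.28 14:35:55 LOG6[4156]: SSL connected: new session negotiated
2014.10.28 14:35:55 LOG6[4156]: Negotiated TLSv1 ciphersuite ECDHE-RSA-AES256-SHA (256-bit encryption)
2014.10.28 14:36:10 LOG7[4201]: SSL state (connect): SSLv3 write client hello A
2014.10.28 14:36:10 LOG7[4201]: SSL state (connect): SSLv3 read finished A
2014.10.28 14:36:10 LOG6[4201]: SSL connected: new session negotiated
2014.10.28 14:36:10 LOG6[4201]: Negotiated SSLv3 ciphersuite AES256-SHA (256-bit encryption)
"""

# "<date> <time> LOG<level>[<thread id>]: <message>"
LINE_RE = re.compile(r"^\S+ \S+ LOG(?P<level>\d)\[(?P<tid>\d+)\]: (?P<msg>.*)$")
# OpenSSL state-machine labels; the "SSLv3" prefix is used for TLS handshakes too.
STATE_RE = re.compile(r"^SSL state \((?:connect|accept)\): (?P<label>SSLv3 .*)$")
# The line that carries the protocol version OpenSSL actually agreed on.
NEGOTIATED_RE = re.compile(
    r"^Negotiated (?P<proto>\S+) ciphersuite (?P<cipher>\S+) \((?P<bits>\d+)-bit encryption\)$"
)


def summarize_handshakes(log_text):
    """Return {thread_id: {...}}: how many 'SSLv3 ...' state labels appeared and
    which protocol/cipher stunnel reports as negotiated for that connection."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tid, msg = m.group("tid"), m.group("msg")
        conn = conns.setdefault(
            tid, {"sslv3_state_labels": 0, "protocol": None, "cipher": None, "bits": None}
        )
        if STATE_RE.match(msg):
            conn["sslv3_state_labels"] += 1
        n = NEGOTIATED_RE.match(msg)
        if n:
            conn["protocol"] = n.group("proto")
            conn["cipher"] = n.group("cipher")
            conn["bits"] = int(n.group("bits"))
    return conns


def connections_using_sslv3(log_text):
    """Thread ids whose *negotiated* protocol was SSLv3 (state labels ignored)."""
    return sorted(
        tid for tid, c in summarize_handshakes(log_text).items() if c["protocol"] == "SSLv3"
    )


# Service section as in the post (comments dropped).
ORIGINAL_CONF = """\
client = yes
[SMTP Outgoing]
accept = 25
connect = smtp.office365.com:587
protocol = smtp
"""

# Assumed hardening: stunnel's 'options' directive maps to OpenSSL's
# SSL_CTX_set_options(); NO_SSLv2 / NO_SSLv3 are its documented values.
HARDENED_CONF = ORIGINAL_CONF + "options = NO_SSLv2\noptions = NO_SSLv3\n"


def sslv3_disabled(conf_text):
    """True if the config disables SSLv3 via 'options = NO_SSLv3' or pins a TLS
    version with 'sslVersion = TLSv1[.x]'.  Simplified parser (assumption):
    it ignores section scoping and strips '#' comments."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "options" and value.upper() == "NO_SSLV3":
            return True
        if key.lower() == "sslversion" and value.upper().startswith("TLSV1"):
            return True
    return False


if __name__ == "__main__":
    for tid, c in summarize_handshakes(SAMPLE_LOG).items():
        print(f"[{tid}] {c['sslv3_state_labels']} 'SSLv3' state labels, "
              f"negotiated {c['protocol']} {c['cipher']} ({c['bits']}-bit)")
    print("connections that really used SSLv3:", connections_using_sslv3(SAMPLE_LOG))
    print("original config disables SSLv3:", sslv3_disabled(ORIGINAL_CONF))
    print("hardened config disables SSLv3:", sslv3_disabled(HARDENED_CONF))
```

Run against a real stunnel-log.txt by replacing SAMPLE_LOG with the file contents; a relay whose connections all report TLSv1 or later in the "Negotiated" line is not relying on SSLv3, whatever the state labels say, and adding the NO_SSLv3 option makes that explicit on the client side rather than leaving it to the server or firewall.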
