Solving SMTP TLS Problems with UTM 9.210

The Sophos UTM update 9.210 solves the problem with SSLv3 and the poodle bug. The update deactivates SSLv3 ………. and TLS 1.0, 1.1 and 1.2…

you can find this entries in your smtp.log:

2014:12:10-14:30:59 astaro exim-in[1270]: 2014-12-10 14:30:59 TLS error on connection from mail-yk0-f179.google.com [209.85.160.179]:55470 (SSL_accept): error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

\ (  -_-) /     “yeah…”

you can check this with cat /var/log/smtp.log | grep SSL3

I will show you how to solve this manually. Login via SSH (User “loginuser”) to the shell and change to root with “su –“. After you are logged in, edit the exim.conf file:

vi /var/chroot-smtp/etc/exim.conf

 

now press i for Insert-Mode and go to the position where you will find this (use page down for browsing faster):

# Misc static settings

.
.
.
tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2:!SSLv3

 

replace the line with this:

tls_require_ciphers = RC4+RSA:HIGH:!MD5:!ADH:!SSLv2

 

no go to this part:

# TLS
tls_certificate = ${if eq{TLS_NAME}{} {}{INCLUDE/TLS_NAME.cert}}
tls_privatekey = ${if eq{TLS_NAME}{} {}{INCLUDE/TLS_NAME.key}}
tls_advertise_hosts = ${if eq{TLS_NAME}{} {}{!+tls_avoid}}

 

add a new line and copy this to it:

openssl_options = +no_sslv3

 

now press ESC to leave the Insert-Mode and type in “:wq” and press ENTER to write the file and quit the vi-editor.

To make your new changes effect, just restart the smtp-daemon:

/var/mdw/scripts/smtp restart

 

 

There is also a bug (ID 33990) that you can’t view live logs or saved logs. Sophos is working hard on a new patch for 9.210, I will look forward for this!

 

UPDATE:

You can now directly update to 9.304, just upload this file to your UTM: u2d-sys-9.210020-304009.tgz.gpg

7 thoughts on “Solving SMTP TLS Problems with UTM 9.210”

  1. I have the latest version, see bellow, and still had this problem. Your fix helped though. BIG THANKS!

    Current firmware version: 9.210-20
    Your firmware is up to date.

  2. I am novice to linux and as such a bit hessitent to follow you steps above, is there any way to revert back to 9.209-8 instead of reinstaling. This email issue is really hurting us. I have downloaded latest version image also, but installing will erase my month old log record which I am trying to avoid.

    Any idea in 9.304 the issue is resolved or not? Are there any critical known issues with 9.304

    “You can now directly update to 9.304, just upload this file to your UTM: u2d-sys-9.210020-304009.tgz.gpg”
    Could you please explain what will above do, as I uploaded the above using managment/advance/upload and applied. could not see any change.???

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.