Whitelisting hosts in Exim4 causing TLS errors
Posted by lee on Sun 15 Dec 2013 at 17:27

By the end of 2013 the minimum key-size for signed TLS certificates will be 2048 bits. Older 1024 bit certificates will be revoked and web browsers will throw errors on anyone attempting to connect using 1024 bit keys.

Unfortunately, in the context of server-to-server opportunistic encryption, such as used by ESMTPS, this is a dangerous choice. 1024 bit encryption is still far harder to decode than plaintext (which is currently the usual fall-back delivery).

Sadly that's what's happened in some Debian-derived releases of Exim4 (using GnuTLS). An affected mail server will likely see something like the following in the logs:

TLS error on connection to [] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).

(Even worse, the choice to increase the minimum prime size also breaks connections to many servers that implement EDH - i.e. Ephemeral Diffie-Hellman with smaller encryption keys such as allowed by export.)

The quickest way to check if a remote mail server has a small key is to run a command such as the following (MAILHOST is a placeholder for the remote server's name):

$ echo QUIT | openssl s_client -connect MAILHOST:25 -starttls smtp 2>/dev/null | grep "public key is"

If the server public key is smaller than 2048 bits, you may want to contact the postmaster or other administrative contact to let them know they need to generate a new server key.[1] If the key is 2048 bits or larger, you may need to use another tool to see what's happening.[2]

As of Exim 4.80 there is a new transport option, tls_dh_min_bits, which lets the minimum key size be set.

So if this affects you, you could modify the minimum key size for the default transport (add "TLS_DH_MIN_BITS = 512"). However, for this sort of workaround it's my preference to add in special-case configuration.

(Filenames assume the split-config of Debian deployments.)

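Create /etc/exim4/conf.d/transport/40_temp_tls_smallprime (a modified copy of 30_exim4-config_remote_smtp):

  # The transport name must match "transport =" in the routers below
  remote_smtp_tls_smallprime:
    debug_print = "T: remote_smtp_tls_smallprime for $local_part@$domain"
    driver = smtp
    multi_domain = false
    # Accept Diffie-Hellman primes down to 512 bits, for this transport only
    tls_dh_min_bits = 512
    # The dkim_* options assume the DKIM_* macros are defined;
    # the Debian original wraps each one in .ifdef/.endif
    dkim_domain = DKIM_DOMAIN
    dkim_selector = DKIM_SELECTOR
    dkim_private_key = DKIM_PRIVATE_KEY
    dkim_canon = DKIM_CANON
    dkim_strict = DKIM_STRICT
    dkim_sign_headers = DKIM_SIGN_HEADERS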

Then create /etc/exim4/conf.d/router/177_temp_tls_smallprime (i.e. so it appears before the normal external router) with two entries: one for mail servers that have keys smaller than 2048 bits, and one for those that negotiate EDH.

  # Router names follow the debug_print strings
  # Matches when any MX host of the recipient domain is in the smallkey list
  dnslookup_tls_smallprime:
    debug_print = "R: dnslookup_tls_smallprime for $local_part@$domain"
    driver = dnslookup
    domains = ! +local_domains : ! +relay_to_domains
    condition = ${if forany{${lookup dnsdb{>: mxh=$domain}}}{match_domain{$item}{+smallkey}}}
    transport = remote_smtp_tls_smallprime
    same_domain_copy_routing = yes

  # Matches when any MX host of the recipient domain is in the tlsexport list
  dnslookup_tls_edh:
    debug_print = "R: dnslookup_tls_edh for $local_part@$domain"
    driver = dnslookup
    domains = ! +local_domains : ! +relay_to_domains
    condition = ${if forany{${lookup dnsdb{>: mxh=$domain}}}{match_domain{$item}{+tlsexport}}}
    transport = remote_smtp_tls_smallprime
    same_domain_copy_routing = yes

Then add the lists of mail servers to your main config, for example by adding the following to /etc/exim4/conf.d/main/10_temp_smallprime:

## Servers that present small keys
domainlist smallkey = :
## Hosts that use large keys to sign small "export" size keys for encryption
domainlist tlsexport = *
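
One way to collect candidate hosts for the smallkey list from the mail log, as an added example that is not part of the original article. It assumes the usual Exim log layout of "to HOST [IP]" before the error text; the sample log lines and host names are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the original article: build a candidate
# "smallkey" domainlist from Exim log lines carrying the GnuTLS
# small-prime error quoted above.

# Constructed sample log lines (reserved example names and addresses).
sample_log() {
cat <<'EOF'
2013-12-15 09:01:12 1VsA1b-0001Xy-2k TLS error on connection to mx1.example.net [192.0.2.10] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2013-12-15 09:01:13 1VsA1b-0001Xy-2k => alice@example.net R=dnslookup T=remote_smtp H=mx1.example.net [192.0.2.10]
2013-12-15 09:14:40 1VsAEp-0001Zq-7c TLS error on connection to mail.example.org [198.51.100.7] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2013-12-15 10:02:05 1VsAyf-0001bD-Qm TLS error on connection to mx1.example.net [192.0.2.10] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
2013-12-15 10:30:00 1VsBPq-0001cW-9s TLS error on connection to mx.example.com [203.0.113.5] (gnutls_handshake): A TLS packet with unexpected length was received.
EOF
}

# Read log lines on stdin; print each host that hit the small-prime error,
# sorted and de-duplicated. Host names come from remote DNS, so anything
# that is not a plain host name (e.g. "*", "!", "+") is dropped rather
# than copied into the Exim configuration.
smallprime_hosts() {
  sed -n 's/.*TLS error on connection to \([^ ]*\) \[[^]]*\] (gnutls_handshake): The Diffie-Hellman prime sent by the server is not acceptable.*/\1/p' |
    grep -E '^[A-Za-z0-9.-]+$' |
    sort -u
}

# Read log lines on stdin; print a domainlist line in the form used in
# 10_temp_smallprime. Returns non-zero when no host qualifies.
smallkey_domainlist() {
  hosts=$(smallprime_hosts | paste -sd: - | sed 's/:/ : /g')
  [ -n "$hosts" ] || return 1
  printf 'domainlist smallkey = %s\n' "$hosts"
}

# Demo on the constructed sample; on a real system, feed the mail log instead.
sample_log | smallkey_domainlist
```

Review the resulting list before installing it, since every host on it will be allowed to negotiate with primes as small as 512 bits.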

[1] It may be more complex than that, of course.[3] While most MTAs operating in client mode would be expected to deal with a 2048 bit key, there are known older email clients that would not be able to cope with keys larger than 1024 bits. Servers may need to maintain backward compatibility for these older clients.

[2] Using GnuTLS to inspect the key negotiation is slightly more involved, since you need to do the SMTP negotiation (MAILHOST is a placeholder for the remote server's name):

$ gnutls-cli --crlf --insecure --starttls --port 25 MAILHOST
EHLO Hello
250 HELP
220 TLS go ahead
(Hit Ctrl-D)
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
- Using prime: 768 bits
- Secret key: 766 bits
- Peer's public key: 767 bits

[3] You'll note that the example above, adapted from a real "secure email provider", tops out at 768 bits, which is still the US export limit for asymmetric algorithms used by exported software not in the public domain. They use a 2048 bit key merely to sign the small key used to encrypt the session.