[unisog] Re: Rejecting incoming mail with from addresses in your own domain.

David Bronder david-bronder at uiowa.edu
Thu Jul 24 01:24:59 GMT 2003


Paul Russell wrote:
> 
> On 22 Jul 2003, Joseph Brennan <brennan at columbia.edu> wrote:
> > Recent versions of all popular mail clients now do STARTTLS--
> > Outlook, Outlook Express (Windows), Netscape, Eudora, Apple Mail,
> > Mulberry.  The only glaring exception is Entourage.
> 
> Eudora will not perform SSL negotiation with OpenSSL. This makes it virtually 
> impossible to provide SSL service for Eudora users unless you are willing and
> able to disable the CBC Countermeasure in OpenSSL on the mail server. See
> <http://www.eudora.com/techsupport/kb/2431hq.html> for additional information
> about this problem.

While technically true (needing to disable the CBC countermeasure that
was added in OpenSSL 0.9.6c or d), in practice it's not necessarily an
issue.

Later OpenSSL versions added an option to disable that countermeasure,
and included it in the all-options option (which is really many but not
all options).  Many applications, including UW IMAP, set that option
group when setting up with OpenSSL, which disables the countermeasure
effectively by default.  (I would hope that the SSL libraries used by
Eudora will eventually support the CBC countermeasure, though.)

Read on for nitty-gritty on another Eudora SSL issue...

A more practical issue with Eudora is specific to UW IMAP.  Crispin is
especially strict about adhering to his interpretation of the RFCs (and
in many cases, he's even the author), and in the case of STARTTLS, he
and the SSL implementation used by Eudora came to different conclusions.

Eudora will, by default, attempt to use SSLv3 for STARTTLS.  Crispin's
interpretation of RFC 2595 is that you must use TLSv1 for STARTTLS.  He
adhered to that in the UW IMAP toolkit.  So Eudora tries to negotiate
using SSLv3 and UW IMAP says buh-bye.

Workarounds include hacking UW IMAP (in the function ssl_server_init()
in osdep/unix/ssl_unix.c) to use the more generic server method or
telling Eudora to negotiate STARTTLS using TLSv1 (set the eudora.ini
option SSLReceiveVersion=7 or use the Eudora magic option link
<x-eudora-option:SSLReceiveVersion=7>).  Qualcomm was going to change
the defaults in an upcoming Eudora release, but I don't know if it made
it into 5.2 or not (there may have been another issue with their SSL
libraries).

=Dave

-- 
Hello World.                                    David Bronder - Systems Admin
Segmentation Fault                                     ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder at uiowa.edu
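The SSLv3-versus-TLSv1 mismatch Dave describes comes down to two bytes in the ClientHello: the client_version field, which an SSLv3 client sets to 3.0 and a TLSv1 client to 3.1. The following is an added example, not code from the original post, from UW IMAP or from Eudora; it builds constructed ClientHello records (the cipher-suite list and the all-zero random are arbitrary filler, not a real Eudora capture), parses the version fields out again, and models the two server policies discussed above: a strict TLSv1-only server standing in for UW IMAP's ssl_server_init(), and a "generic" server that accepts whatever version at or above a floor. The server models are illustrations of the policy, not the OpenSSL method-selection code itself; modern ssl libraries no longer speak SSLv3 at all, which is why this works at the byte level instead of opening real sockets.

```python
import struct

# (major, minor) protocol version pairs as they appear on the wire.
SSL3_VERSION = (3, 0)
TLS1_VERSION = (3, 1)

# Handshake-record content type and ClientHello handshake type (RFC 2246).
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01


def build_client_hello(version):
    """Construct a minimal ClientHello record for the given (major, minor) version.

    This is a constructed sample for illustration: the random is all zeros, the
    session id is empty and the cipher-suite list is an arbitrary pair
    (TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA).
    """
    major, minor = version
    random = b"\x00" * 32
    session_id = b""
    cipher_suites = b"\x00\x2f\x00\x0a"
    compression = b"\x00"  # null compression only

    body = (bytes([major, minor]) + random
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + bytes([len(compression)]) + compression)
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: type, version, 16-bit length, payload.
    return (bytes([CONTENT_HANDSHAKE, major, minor])
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello_version(record):
    """Return (record_version, client_version) from a ClientHello record.

    Both are (major, minor) tuples; the record-layer version and the
    client_version inside the handshake body are carried separately.
    """
    if len(record) < 11 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    record_version = (record[1], record[2])
    length = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + length]
    if len(handshake) < 6 or handshake[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    client_version = (body[0], body[1])
    return record_version, client_version


def strict_tls1_server_accepts(record):
    """Model of a server that only speaks TLSv1 (the behaviour attributed to
    UW IMAP above): anything other than client_version 3.1 is rejected."""
    _, client_version = parse_client_hello_version(record)
    return client_version == TLS1_VERSION


def generic_server_accepts(record, minimum=SSL3_VERSION):
    """Model of the 'more generic server method': accept any client version at
    or above `minimum`, so an SSLv3-only client is still let in."""
    _, client_version = parse_client_hello_version(record)
    return client_version >= minimum


if __name__ == "__main__":
    for name, version in (("SSLv3", SSL3_VERSION), ("TLSv1", TLS1_VERSION)):
        hello = build_client_hello(version)
        print(name, "hello ->", "strict TLSv1 server:",
              strict_tls1_server_accepts(hello),
              "| generic server:", generic_server_accepts(hello))
```

Run as a script it shows the SSLv3 hello refused by the strict server and accepted by the generic one, while the TLSv1 hello passes both, which is the effect of either workaround in the post (a client sending 3.1, or a server that stops insisting on it).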