Optusnet mail delivery issues
18 July 2023
Our recent upgrade to Debian 12 (bookworm) included a tightening of security around TLS connections used for logging in and for sending and receiving emails.
In technical terms, this means that RSA and DHE keys must be at least 2048 bits long, and SHA-1 is no longer accepted for certificate signatures: SHA-256 or stronger is required.
Since the upgrade we have started to see errors communicating with the Optusnet mail servers as follows:
Jul 18 00:00:45 mail sm-mta[3359398]: STARTTLS=client, start=ok
Jul 18 00:00:45 mail sm-mta[3359398]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jul 18 00:00:45 mail sm-mta[3359398]: STARTTLS=client: error:0A00018A:SSL routines::dh key too small:../ssl/statem/statem_clnt.c:2092:
Jul 18 00:00:45 mail sm-mta[3359398]: ruleset=tls_server, arg1=SOFTWARE, relay=extmail.optusnet.com.au, reject=454 4.7.0 TLS handshake failed.
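As an added example (not part of the original notice), the Python script below scans sendmail log lines like those above and joins each outbound STARTTLS failure reason to the relay it concerned, using the sm-mta process id that prefixes both lines. The first four sample lines are the ones quoted above; the two lines for mx.example.net are constructed to show a relay that negotiated TLS successfully.

```python
import re
from collections import defaultdict

# Sample sendmail log excerpt: the first four lines are the ones quoted in the
# notice; the last two are constructed to show a relay that negotiated TLS fine.
SAMPLE_LOG = """\
Jul 18 00:00:45 mail sm-mta[3359398]: STARTTLS=client, start=ok
Jul 18 00:00:45 mail sm-mta[3359398]: STARTTLS=client, error: connect failed=-1, reason=dh key too small, SSL_error=1, errno=0, retry=-1
Jul 18 00:00:45 mail sm-mta[3359398]: STARTTLS=client: error:0A00018A:SSL routines::dh key too small:../ssl/statem/statem_clnt.c:2092:
Jul 18 00:00:45 mail sm-mta[3359398]: ruleset=tls_server, arg1=SOFTWARE, relay=extmail.optusnet.com.au, reject=454 4.7.0 TLS handshake failed.
Jul 18 00:01:10 mail sm-mta[3359401]: STARTTLS=client, start=ok
Jul 18 00:01:10 mail sm-mta[3359401]: STARTTLS=client, relay=mx.example.net, version=TLSv1.3, verify=OK, cipher=TLS_AES_256_GCM_SHA384, bits=256/256
"""

PID_RE = re.compile(r"sm-mta\[(\d+)\]: (.*)$")
REASON_RE = re.compile(r"STARTTLS=client, error: .*?reason=([^,]+)")
REJECT_RE = re.compile(r"relay=([^,\s]+), reject=(\d{3} [\d.]+) (.*)")


def tls_handshake_failures(log_text):
    """Return {relay: [reason, ...]} for every outbound STARTTLS failure.

    sendmail logs the OpenSSL failure reason and the relay name on separate
    lines, so the two are joined on the sm-mta process id shared by both.
    """
    pending = {}                     # pid -> most recent STARTTLS error reason
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        r = REASON_RE.search(msg)
        if r:
            pending[pid] = r.group(1).strip()
            continue
        j = REJECT_RE.search(msg)
        if j and pid in pending:
            failures[j.group(1)].append(pending.pop(pid))
    return dict(failures)


def relays_with_small_dh(failures):
    """Relays whose DHE parameters fall below the 2048-bit minimum Debian 12 enforces."""
    return sorted(r for r, reasons in failures.items() if "dh key too small" in reasons)


if __name__ == "__main__":
    found = tls_handshake_failures(SAMPLE_LOG)
    for relay, reasons in found.items():
        print(f"{relay}: {', '.join(reasons)}")
    print("need DH upgrade:", relays_with_small_dh(found))
```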
We anticipate that Optusnet, and any other ISPs who have not yet upgraded to the new security standards, will be forced to do so in order to remain operational.
More information on the vulnerabilities involved can be found at the link below.