
lists.ruby-lang.org mail server (neon) TLS support

Open Quintus opened this issue 7 years ago • 2 comments

Hi,

@hsbt For a while now I haven't received any e-mails from the Ruby-Talk and ruby-de mailing lists. It looks as if this is related to me enforcing current TLS support on my mail server as part of my GDPR compliance (EU data protection law). Could you please check if neon.ruby-lang.org supports TLS (via STARTTLS) and at least TLSv1.1? SSLv2, SSLv3, and TLSv1 are known to not be secure anymore.

I've tried sending help requests to [email protected] and what I see in the mail server logs is this when Mailman wants to reply (timestamps are UTC):

Jul  8 10:33:12 montblanc postfix/postscreen[24490]: CONNECT from [221.186.184.75]:56661 to [193.25.100.36]:25
Jul  8 10:33:14 montblanc postfix/postscreen[24490]: PASS OLD [221.186.184.75]:56661
Jul  8 10:33:15 montblanc postfix/smtpd[24495]: connect from neon.ruby-lang.org[221.186.184.75]
Jul  8 10:33:16 montblanc postfix/smtpd[24495]: disconnect from neon.ruby-lang.org[221.186.184.75] ehlo=1 mail=0/1 rcpt=0/1 data=0/1 rset=0/1 quit=1 commands=2/6

It looks as if neon doesn't even attempt to deliver the mail. I think this is related to it failing to connect at the TLS level.

I've lowered my security settings for the moment and re-sent the help email. Now it tries to deliver, but hangs in greylisting.

Jul  8 10:35:35 montblanc postfix/postscreen[26061]: CONNECT from [221.186.184.75]:56746 to [193.25.100.36]:25
Jul  8 10:35:36 montblanc postfix/postscreen[26061]: PASS OLD [221.186.184.75]:56746
Jul  8 10:35:36 montblanc postfix/smtpd[26066]: connect from neon.ruby-lang.org[221.186.184.75]
Jul  8 10:35:40 montblanc policyd-spf[26068]: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=221.186.184.75; helo=neon.ruby-lang.org; [email protected]; receiver=<UNKNOWN>
Jul  8 10:35:40 montblanc postgrey[384]: action=greylist, reason=new, client_name=neon.ruby-lang.org, client_address=221.186.184.75, [email protected], [email protected]
Jul  8 10:35:40 montblanc postgrey[384]: cleaning up old logs...
Jul  8 10:35:40 montblanc postfix/smtpd[26066]: NOQUEUE: reject: RCPT from neon.ruby-lang.org[221.186.184.75]: 450 4.2.0 <[email protected]>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/phoenixmail.de.html; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<neon.ruby-lang.org>
Jul  8 10:35:40 montblanc postfix/smtpd[26066]: disconnect from neon.ruby-lang.org[221.186.184.75] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6

Quintus avatar Jul 08 '18 10:07 Quintus

Okay, so openssl s_client tells me that both STARTTLS and TLSv1.2 are supported. It's probably the self-signed certificate that knocks Postfix out then... I'll have to reconsider that

Quintus avatar Jul 08 '18 10:07 Quintus

Testing shows that reducing TLS security to a bare "may" (i.e. allow it, but don't enforce it) makes things work. I conclude from that that neon accepts incoming STARTTLS, but tries to deliver outgoing mail in plaintext without STARTTLS. @hsbt I think you should change that. You might also consider using a Let's Encrypt certificate instead of a self-signed one.

As I said, European companies are ordered by data protection laws to enforce TLS on mail transport now (and that's a good idea anyway).

Quintus avatar Jul 08 '18 11:07 Quintus
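Reading the Postfix logs quoted in this thread, as an added example that is not code from the issue or from the ruby-lang infrastructure: it groups smtpd log lines by process id and separates a session the receiver refused before MAIL (what an enforced-TLS policy looks like when the sender never issues STARTTLS) from a postgrey 450 deferral. The third session is constructed, with a made-up host and Postfix's "TLS connection established" line, to show what a STARTTLS delivery looks like by contrast.

```ruby
# Added example (not from the issue or ruby-lang's infrastructure): classify Postfix
# smtpd sessions from log lines. The first two sessions are the ones quoted in the
# issue; the third is constructed to show what a STARTTLS delivery looks like.
SAMPLE_LOG = <<~LOG
  Jul  8 10:33:15 montblanc postfix/smtpd[24495]: connect from neon.ruby-lang.org[221.186.184.75]
  Jul  8 10:33:16 montblanc postfix/smtpd[24495]: disconnect from neon.ruby-lang.org[221.186.184.75] ehlo=1 mail=0/1 rcpt=0/1 data=0/1 rset=0/1 quit=1 commands=2/6
  Jul  8 10:35:36 montblanc postfix/smtpd[26066]: connect from neon.ruby-lang.org[221.186.184.75]
  Jul  8 10:35:40 montblanc postfix/smtpd[26066]: NOQUEUE: reject: RCPT from neon.ruby-lang.org[221.186.184.75]: 450 4.2.0 <[email protected]>: Recipient address rejected: Greylisted, see http://postgrey.schweikert.ch/help/phoenixmail.de.html; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<neon.ruby-lang.org>
  Jul  8 10:35:40 montblanc postfix/smtpd[26066]: disconnect from neon.ruby-lang.org[221.186.184.75] ehlo=1 mail=1 rcpt=0/1 data=0/1 rset=1 quit=1 commands=4/6
  Jul  8 10:50:01 montblanc postfix/smtpd[30001]: connect from mail.example.test[198.51.100.7]
  Jul  8 10:50:01 montblanc postfix/smtpd[30001]: Anonymous TLS connection established from mail.example.test[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
  Jul  8 10:50:02 montblanc postfix/smtpd[30001]: disconnect from mail.example.test[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
LOG

DISCONNECT = %r{postfix/smtpd\[(\d+)\]: disconnect from (\S+) (.*)$}
TLS_UP     = %r{postfix/smtpd\[(\d+)\]: \w+ TLS connection established from \S+: (TLSv[\d.]+)}
GREYLIST   = %r{postfix/smtpd\[(\d+)\]: NOQUEUE: reject: RCPT from \S+: 450 .*Greylisted}

# Returns one hash per smtpd process id: client, negotiated TLS version (nil if the
# session stayed in plaintext) and a verdict on why a message was or was not queued.
def classify_sessions(log)
  sessions = Hash.new { |h, pid| h[pid] = { pid: pid, tls: nil, greylisted: false, counts: {} } }
  log.each_line do |line|
    if (m = TLS_UP.match(line))
      sessions[m[1]][:tls] = m[2]
    elsif (m = GREYLIST.match(line))
      sessions[m[1]][:greylisted] = true
    elsif (m = DISCONNECT.match(line))
      s = sessions[m[1]]
      s[:client] = m[2]
      # Postfix logs "cmd=ok" when every attempt succeeded and "cmd=ok/attempts" otherwise.
      s[:counts] = m[3].scan(%r{(\w+)=(\d+)(?:/(\d+))?}).to_h { |k, ok, n| [k, [ok.to_i, (n || ok).to_i]] }
    end
  end
  sessions.values.map do |s|
    mail_ok, mail_tried = s[:counts].fetch("mail", [0, 0])
    data_ok, = s[:counts].fetch("data", [0, 0])
    s[:verdict] =
      if mail_tried > 0 && mail_ok == 0 then :rejected_before_mail # receiver refused MAIL, e.g. TLS required
      elsif s[:greylisted]                 then :greylisted          # temporary 450, sender must retry
      elsif data_ok > 0                    then :accepted
      else                                      :no_message_offered
      end
    s
  end
end

classify_sessions(SAMPLE_LOG).each { |s| puts "#{s[:pid]} #{s[:client]} tls=#{s[:tls] || 'none'} #{s[:verdict]}" }
```

A session that ends as :rejected_before_mail with tls=none is the pattern to look for on the receiving side when a sender delivers in plaintext against an enforced-TLS policy; :greylisted sessions clear on their own once the sender retries.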

lists.ruby-lang.org is shut down now. We moved to https://ml.ruby-lang.org/mailman3/postorius/lists/

hsbt avatar Dec 26 '22 01:12 hsbt