no cypher overlap - TLS and QMAIL
Upgrading to Thunderbird 38.1+ breaks SMTP TLS with Qmail.
Timestamp: 2015-08-22 21:33:32 Error: An error occurred during a connection to mail.metatek.org:465. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)
I recently replaced the certificates per https://weakdh.org/sysadmin.html but this problem with Thunderbird started more than a week later.
I find this note at http://kb.odin.com/en/123160 :
Qmail MTA
Create (or edit) the /var/qmail/control/tlsserverciphers file so it looks like:
ALL:!ADH:!LOW:!SSLv2:!SSLv3:!EXP:+HIGH:+MEDIUM
Note: disabling SSLv3 cipher leads to impossibility to use 465 (TLS) in Thunderbird.
I find that if I enable SSLv3 I can send with TLS on port 465 or STARTTLS on port 587. This sounds like a bug that should be fixed.
Gekose oplossing
Solution: switched server from qmail to postfix which is easier to configure and more transparent in specifying cipher suites & certificates.
Lees dié antwoord in konteks 👍 0All Replies (5)
What cipher suites does your server offer? Note, the sequence is important. This is a good example: https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt
Gewysig op
I don't know how to tell what cipher suites the server offers for SMTP. (IMAP works fine, its just SMTP that is the problem.)
starttls.info says:
Protocol
Supports SSLV3. Supports TLSV1. Supports TLSV1.1. Supports TLSV1.2.
Key exchange
Key size is 2048 bits; that's good.
Cipher
Weakest accepted cipher: 128. Strongest accepted cipher: 256.
But that's not cipher suites.
How do I find out what cipher suites Thunderbird prefers?
I don't know how to tell what cipher suites the server offers for SMTP.
If you're the admin of the server you should be able to tell that. Google is your friend.
How do I find out what cipher suites Thunderbird prefers?
That isn't really the point. If you set up your server for the cipher suites as per the GRC information I'm certain you won't see the 'ssl_error_no_cypher_overlap' error.
Gekose oplossing
Solution: switched server from qmail to postfix which is easier to configure and more transparent in specifying cipher suites & certificates.