Closed Bug 1440934 Opened 6 years ago Closed 6 years ago

mta2.e.mozilla.org [68.232.195.239] uses ancient encryption

Categories

(Infrastructure & Operations :: Infrastructure: Mail, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jan, Unassigned)

Details

(Keywords: nightly-community)

This is from the confirmation email after signing up here:
https://foundation.mozilla.org/sign-up/

> Received: from mta2.e.mozilla.org (mta2.e.mozilla.org [68.232.195.239])
> 	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
> 	(Client did not present a certificate)
> 	by mx.h.terrax.net (Postfix) with ESMTPS id 3zpZKx5xrWzBbfj

* missing TLSv1.2 (e.g. with ECDHE-RSA-AES256-GCM-SHA384)
* missing client certificate (bug 1439915)
* missing IPv6
* it already has DKIM (yay! but it should be a=rsa-sha256 instead of rsa-sha1)
See Also: → 1440935
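
The header check in the report above can be scripted. This is an added example, not part of the original bug report or of any Mozilla tooling: it parses Postfix-style Received headers and the DKIM-Signature a= tag and reports the findings the reporter listed by hand. The DKIM-Signature header (d=example.org, placeholder bh/b values) and the NEW_MSG variant are constructed sample input.

```python
import re
from email import message_from_string

# Postfix records "(using <protocol> with cipher <name> (...))" in Received.
TLS_RE = re.compile(r"\(using (TLSv[\d.]+|SSLv\d) with cipher (\S+)")
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Received is the header quoted in this bug; the DKIM-Signature header
# and the NEW_MSG "after" variant are constructed for the example.
OLD_MSG = """\
Received: from mta2.e.mozilla.org (mta2.e.mozilla.org [68.232.195.239])
\t(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
\t(Client did not present a certificate)
\tby mx.h.terrax.net (Postfix) with ESMTPS id 3zpZKx5xrWzBbfj
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=example.org;
\ts=sel; h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED

body
"""
NEW_MSG = OLD_MSG.replace("rsa-sha1", "rsa-sha256").replace(
    "TLSv1 with cipher ECDHE-RSA-AES256-SHA",
    "TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384")

def dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def audit(raw):
    """Return the transport and DKIM findings for one raw message."""
    msg, findings = message_from_string(raw), []
    for hop in msg.get_all("Received", []):
        m = TLS_RE.search(hop)
        if m is None:
            findings.append("no TLS details recorded for hop")
        elif m.group(1) in LEGACY:
            findings.append(f"legacy protocol {m.group(1)} ({m.group(2)})")
        if "Client did not present a certificate" in hop:
            findings.append("no client certificate")
    for sig in msg.get_all("DKIM-Signature", []):
        if dkim_tags(sig).get("a") == "rsa-sha1":
            findings.append("DKIM signed with rsa-sha1")
    return findings

if __name__ == "__main__":
    print(audit(OLD_MSG), audit(NEW_MSG), sep="\n")
```

A hop with no "(using ...)" clause is reported separately because the header alone cannot tell cleartext delivery from an MTA that does not log TLS details.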
CC'ed appropriate person in this bug. It's a third-party provider that we use.

Jessilyn, I believe this email domain is managed by you?
Flags: needinfo?(jdavis)
See Also: → 1442994
Thanks! Ccing some folks to get this on our radar to investigate.
Flags: needinfo?(jdavis)
@April - Is this something that you and/or your team would take care of, or would we do it on our end?

Thanks,
Brynne
Flags: needinfo?(april)
It's not my team per se, but I think it belongs to IT. :digi, do you need any help with this? I'm not entirely sure how Postgres sets its cipher list, but we could probably just use the Mozilla intermediate configuration:

https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29
Flags: needinfo?(april) → needinfo?(bhourigan)
The MTA at mta2.e.mozilla.org (68.232.195.239) is operated by ExactTarget, we don't have control over those systems.
Flags: needinfo?(bhourigan)
In that case, it would be something that Jessilyn would take on. Very unfortunate that Salesforce is so behind the times here.
Brynne or Andrew, can you file a support case with SFMC about this?
Flags: needinfo?(bhaack)
Flags: needinfo?(amorales)
There are strong signals that this bug can be closed as WFM.
It seems that all providers are improving. A very fortunate tendency. :)

> Received: from mta.e.mozilla.org (mta.e.mozilla.org [68.232.195.97])
>	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> Date: Thu, 19 Apr 2018 08:02:22 -0600

> Received: from mta2.e.mozilla.org (mta2.e.mozilla.org [68.232.195.239])
> 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> Date: Thu, 12 Apr 2018 08:13:51 -0600

> Received: from mta3.e.mozilla.org (mta3.e.mozilla.org [199.122.127.163])
> 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> Date: Wed, 25 Apr 2018 19:05:51 -0600

> Received: from mta4.e.mozilla.org (mta4.e.mozilla.org [199.122.127.164])
> 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> Date: Mon, 23 Apr 2018 09:41:06 -0600

> Received: from mta6.e.mozilla.org (mta6.e.mozilla.org [136.147.137.188])
> 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> Date: Tue, 17 Apr 2018 15:12:00 -0600

(IPv6 and a client certificate would be a nice to have.)
(In reply to Brian Hourigan [:digi] from comment #5)
> is operated by ExactTarget

bug 1440935 (https://www.hardenize.com/report/e.mozilla.org/1524705376#email_tls) is the last real issue.
Ticket opened with Salesforce (#18939028). Will pass info along as it comes my way.
Flags: needinfo?(amorales)
Hi All,

Just got a response from Salesforce:

"Hello Andrew,

I hope your day is going well! I am following up for Drew as he is currently out of the office. I am reaching out to let you know we have received a response from the Internal team and they have updated rsa-sha256 signing for all IPs related to e.mozilla.org.

They also mentioned "give it about 10 minutes and it will be good to go"."
:darkspirit, no updates on this bug in a while and given comment 11 I'm going to go ahead and close it. Please reopen if this is not the case. (clearing NI as request has been satisfied)
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(bhaack)
Resolution: --- → FIXED