How to upgrade TLS used by MTA towards SES on Linux


So, to detail our issue: our Debian server summons sendmail through PHP towards a light MTA to deliver newsletters via the SES SMTP servers. We recently got told by Amazon that it was done under TLS 1.0 or 1.1 and were asked to upgrade to 1.2, with a TLS log provided at the bottom of that request.

We then started to perform some configuration tests with various MTAs and settings, but up to this day we do not know what TLS version they're using for sending. We have OpenSSL installed with confirmed TLS 1.2 capabilities. We tested sSMTP, esmtp, msmtp, nullmailer, OpenSMTPD and sendmail-bin. It seems some of them rather summon an old version of GnuTLS that we couldn't configure for TLS 1.2.

We tried to obtain the same log level as at the bottom of the email Amazon sent us, showing the TLS version for each call, but couldn't. We've read pages of documentation for SNS, CloudWatch, CloudTrail, etc., but that doesn't show the TLS metrics we need for that upgrade. On our server side we also installed some network utilities, but none showed which TLS version was negotiated during our tests.

TO SUM THINGS UP:

  • we cannot obtain an SES log level that shows which TLS version is used when we call sendmail with the various MTAs and config tests
  • we cannot obtain this information on our server side either, no matter what utility or MTA we're testing

So this upgrade is totally blindfolded so far and therefore cannot be finalized.

Any help or suggestion is welcomed.

asked 8 months ago · 312 views
1 Answer

So after days of fighting around, I ended up like this so far:

1: NONE of the logging provided in the whole AWS documentation I've read extensively (including complex & painful stacking of services over SES: IAM, SNS, Lambda, CloudWatch, CloudTrail/Lake, S3, etc.) would ever display the SMTP TLS version used during the handshake & packet exchanges from my Debian server! Therefore it is useless to test anything.

2: after testing several incomplete network utilities on Debian (and trying to avoid the massive package install for Wireshark and even the lighter tshark), I FINALLY spotted a difference within a tcpdump command line over port 587; in the resulting dump I could see the mention DOWNGRD right after a READY FOR TLS & before seeing the AWS certificate name shown.

I assumed that very last element would imply TLS 1.2 or above being refused on handshake and therefore backported to 1/1.1, triggering the upgrade alerts Amazon sent me. From there I've tested several MTA alternatives & configs to choose one that is quite recent (even though it summons GnuTLS instead of OpenSSL, but still nice). Performing some sending tests with it, no more DOWNGRD spotted in the tcpdumps.

Hoping I can consider this maze over ...

answered 8 months ago
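As an added example (not from the original question or answer): a small Python parser that, given the raw bytes of a TLS ServerHello record carved from a port-587 capture such as the tcpdump above, reports the negotiated version and whether the last eight bytes of the server random carry the RFC 8446 downgrade sentinel ("DOWNGRD" followed by 0x00 or 0x01) that the answer spotted. The sample records are constructed here and are not real SES traffic.

```python
"""Parse a raw TLS ServerHello record and report version + downgrade sentinel."""
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# RFC 8446 section 4.1.3: a server that supports a higher version than the one it
# negotiated ends its 32-byte random with one of these markers.
DOWNGRADE_TLS12 = b"DOWNGRD\x01"  # server supports 1.3 but negotiated 1.2
DOWNGRADE_TLS11 = b"DOWNGRD\x00"  # server supports 1.2+ but negotiated 1.1 or lower


def parse_server_hello(record: bytes) -> dict:
    """Return the negotiated TLS version, cipher suite and downgrade flag."""
    content_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", hs[:2])[0]
    random = hs[2:34]
    pos = 35 + hs[34]                      # skip session_id length + session_id
    cipher = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 3                               # cipher suite + compression method
    # TLS 1.3 keeps legacy_version 0x0303; the real version is in supported_versions (0x002b)
    if pos + 2 <= len(hs):
        ext = hs[pos + 2:pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]]
        while len(ext) >= 4:
            etype, elen = struct.unpack("!HH", ext[:4])
            if etype == 0x002B and elen == 2:
                version = struct.unpack("!H", ext[4:6])[0]
            ext = ext[4 + elen:]
    return {
        "version": VERSION_NAMES.get(version, hex(version)),
        "cipher_suite": hex(cipher),
        "downgraded": random[-8:] in (DOWNGRADE_TLS12, DOWNGRADE_TLS11),
    }


def build_server_hello(version: int, random_tail: bytes = b"", extensions: bytes = b"") -> bytes:
    """Constructed sample ServerHello record (not a real SES capture) for the demo."""
    random = b"\x11" * (32 - len(random_tail)) + random_tail
    hs = struct.pack("!H", version) + random + b"\x00" + b"\xc0\x2f" + b"\x00"
    hs += struct.pack("!H", len(extensions)) + extensions
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16" + struct.pack("!HH", version, len(body)) + body


DOWNGRADED_SAMPLE = build_server_hello(0x0302, DOWNGRADE_TLS11)  # old MTA: READY FOR TLS ... DOWNGRD
CLEAN_SAMPLE = build_server_hello(0x0303)                        # newer MTA: plain TLS 1.2
TLS13_SAMPLE = build_server_hello(0x0303, b"", b"\x00\x2b\x00\x02\x03\x04")

if __name__ == "__main__":
    for name, rec in (("old MTA", DOWNGRADED_SAMPLE), ("new MTA", CLEAN_SAMPLE), ("1.3", TLS13_SAMPLE)):
        print(name, parse_server_hello(rec))
```

A "downgraded" result with a 1.0/1.1 version is the server telling the client it could have done better, so the fix belongs on the client MTA's TLS library or minimum-version setting, not on the SES side.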
