sSMTP is limited to using TLSv1.0 and the "old" ciphers that come with it. Here's a packet capture when ssmtp connects to smtp.sdeziel.info:587 that offers TLSv1.0 and higher:
$ tshark -ta -Vr submission.pcap | sed -n '/^Frame 14:/,/^Frame 15:/ p' | grep -E '^[[:space:]]+(Version|Cipher|Handshake Protocol)'
Version: TLS 1.0 (0x0301)
Handshake Protocol: Client Hello
Version: TLS 1.0 (0x0301)
Cipher Suites Length: 30
Cipher Suites (15 suites)
Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0041)
Cipher Suite: TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0084)
Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x0045)
Cipher Suite: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x0088)
Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)
Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)
Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA (0x0044)
Cipher Suite: TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA (0x0087)
Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)
I would expect ssmtp to use TLSv1.2 and a recent cipher like the openssl s_client is able to do:
$ echo | openssl s_client -connect smtp.sdeziel.info:587 -starttls smtp 2>/dev/null | grep -E '^[[:space:]]+(Protocol|Cipher)'
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Additional information:
$ lsb_release -rd
Description: Ubuntu 16.04.3 LTS
Release: 16.04
$ apt-cache policy ssmtp libgnutls-openssl27
ssmtp:
  Installed: 2.64-8ubuntu1
  Candidate: 2.64-8ubuntu1
  Version table:
 *** 2.64-8ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status
libgnutls-openssl27:
  Installed: 3.4.10-4ubuntu1.3
  Candidate: 3.4.10-4ubuntu1.3
  Version table:
 *** 3.4.10-4ubuntu1.3 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.4.10-4ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: ssmtp 2.64-8ubuntu1 [modified: etc/ssmtp/revaliases]
ProcVersionSignature: Ubuntu 4.4.0-89.112-generic 4.4.76
Uname: Linux 4.4.0-89-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.10
Architecture: amd64
Date: Mon Aug 7 18:13:33 2017
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: ssmtp
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.ssmtp.revaliases: [modified]
mtime.conffile..etc.ssmtp.revaliases: 2017-08-05T13:44:06.274302
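The check made by hand in the capture above can be scripted for auditing other mail clients. This is an added example, not part of the original report or of sSMTP: it parses a raw ClientHello record and flags an offer below TLS 1.2, missing AEAD suites, and 3DES. The function names and `build_sample` are hypothetical, the sample bytes are constructed from the suite IDs in the report, and the parser assumes the ClientHello arrives in a single unfragmented record.

```python
import struct

# IDs and names as listed in the report's tshark output, plus 0xc02f (the IANA
# name of the ECDHE-RSA-AES128-GCM-SHA256 suite that s_client negotiated).
NAMES = {
    0x002f: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 0x0045: "TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",
    0x0088: "TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0032: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", 0x0038: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x0044: "TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA", 0x0087: "TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",
    0x0013: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", 0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
REPORTED = list(NAMES)[:15]  # the 15 suites from the report, in offered order

def parse_client_hello(record: bytes):
    """Return (client_version, [suite ids]) from one TLS record holding a ClientHello."""
    rec_len = int.from_bytes(record[3:5], "big")   # record-layer payload length
    hs_len = int.from_bytes(record[6:9], "big")    # handshake message length
    hello = record[9:9 + hs_len]
    if (record[:1], record[5:6]) != (b"\x16", b"\x01") or rec_len != hs_len + 4 \
            or len(hello) != hs_len or hs_len < 35:
        raise ValueError("not a complete, unfragmented ClientHello record")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 35 + hello[34]                 # skip version(2), random(32), session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if cs_len == 0 or cs_len % 2 or len(raw) != cs_len:
        raise ValueError("bad cipher_suites length")
    return version, [s for (s,) in struct.iter_unpack("!H", raw)]

def audit(version, suites):
    """Summarise what the client offered; IDs missing from NAMES are listed for lookup."""
    names = [NAMES.get(s, "") for s in suites]
    return {
        "version": f"0x{version:04x}",
        "below_tls12": version < 0x0303,
        "unknown_ids": [hex(s) for s in suites if s not in NAMES],
        "aead": [n for n in names if "_GCM_" in n],
        "forward_secret": [n for n in names if "DHE_" in n],   # DHE and ECDHE
        "triple_des": [n for n in names if "3DES" in n],
    }

def build_sample(version, suites):
    """Constructed ClientHello: zero random, empty session id, no extensions."""
    cs = struct.pack(f"!{len(suites)}H", *suites)
    hello = struct.pack("!H", version) + bytes(33) + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Calling `audit(*parse_client_hello(build_sample(0x0301, REPORTED)))` reproduces the finding in the report: version 0x0301, an empty `aead` list, and three 3DES suites.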