We are running into this problem as well, but in our case we have a confirmed issue of someone not being able to send to one of our clients. We are currently in communications with AppRiver about this. They've dropped us back to TLS 1.1 for the time being, which works for that one known client, but there may be others we don't know about. Here's what we're seeing:
Their log:
16:14:08.715 4 SMTP sending to weberamerica.com
16:14:08.715 5 DNR-024668(weberamerica.com) MX-request
16:14:08.715 4 DNR-024668(weberamerica.com) MX-request -> udp:[10.238.8.133]:53
16:14:08.715 5 DNR-024668(weberamerica.com) got 55 bytes from [10.238.8.133]:53: 60 5C 81 80 00 01 00 01 00 00 00 00 0C 77 65 62 65 72 61 6D 65 72 69 63 61 03 63 6F 6D 00 00 0F 00 01 C0 0C 00 0F 00 01 00 00 91 7C 00 09 00 0A 04 6D 61 69 6C C0 0C
16:14:08.715 5 DNR-024668(weberamerica.com) MX:OK
16:14:08.715 4 DNR-024668(weberamerica.com) MX[0]: weberamerica.com(pty 10) = mail.weberamerica.com
16:14:08.715 4 SMTP-085751(weberamerica.com) resolving 'mail.weberamerica.com'
16:14:08.715 5 DNR-024669(mail.weberamerica.com) A-request
16:14:08.715 4 DNR-024669(mail.weberamerica.com) A-request -> udp:[10.238.8.135]:53
16:14:08.715 5 DNR-024669(mail.weberamerica.com) got 55 bytes from [10.238.8.135]:53: 60 5D 81 80 00 01 00 01 00 00 00 00 04 6D 61 69 6C 0C 77 65 62 65 72 61 6D 65 72 69 63 61 03 63 6F 6D 00 00 01 00 01 C0 0C 00 01 00 01 00 00 95 01 00 04 CC 0D 65 20
16:14:08.715 5 DNR-024669(mail.weberamerica.com) A:OK
16:14:08.715 4 DNR-024669(mail.weberamerica.com) A[0]: mail.weberamerica.com=[204.13.101.32]
16:14:08.715 4 SMTP-085751(weberamerica.com) connecting [192.168.246.224]:0 -> [204.13.101.32]:25
16:14:08.762 4 SMTP-085751(weberamerica.com) rsp: 220 f2newmedia.net ESMTP MailEnable Service, Version: 8.60--8.60 ready at 04/26/18 15:14:06
16:14:08.762 4 SMTP-085751(weberamerica.com) [192.168.246.224]:50721 -> [204.13.101.32]:25 connected to mail.weberamerica.com(ESMTP)
16:14:08.762 4 SMTP-085751(weberamerica.com) cmd: EHLO server907.appriver.com
16:14:08.793 4 SMTP-085751(weberamerica.com) rsp: 250-f2newmedia.net [204.232.250.39], this server offers 7 extensions
16:14:08.793 4 SMTP-085751(weberamerica.com) rsp: 250-AUTH LOGIN
16:14:08.793 4 SMTP-085751(weberamerica.com) rsp: 250-SIZE 20480000
16:14:08.793 4 SMTP-085751(weberamerica.com) rsp: 250-HELP
16:14:08.793 4 SMTP-085751(weberamerica.com) rsp: 250-AUTH=LOGIN
16:14:08.793 4 SMTP-085751(weberamerica.com) rsp: 250-STARTTLS
16:14:08.793 4 SMTP-085751(weberamerica.com) rsp: 250-XSAVETOSENT
16:14:08.793 4 SMTP-085751(weberamerica.com) rsp: 250 X-SAVETOSENT
16:14:08.793 4 SMTP-085751(weberamerica.com) Connected. SIZE TLS AUTH
16:14:08.793 4 SMTP-085751(weberamerica.com) starting TLS(optional)
16:14:08.793 4 SMTP-085751(weberamerica.com) cmd: STARTTLS
16:14:08.824 4 SMTP-085751(weberamerica.com) rsp: 220 Ready to start TLS
16:14:08.856 3 SMTP-085751(weberamerica.com) failed to establish a secure connection with [204.13.101.32]:25. Error Code=TLS record version is not 3.x
16:14:08.856 4 SMTP-085751(weberamerica.com) cmd: RSET
16:14:08.949 4 SMTP-085751(weberamerica.com) rsp: 503 Bad sequence of commands
16:14:08.949 4 SMTP(weberamerica.com) re-enqueue
16:14:08.949 4 SMTP-085751(weberamerica.com) closing connection
16:14:08.949 4 SMTP-085751(weberamerica.com) releasing stream
Our log:
04/26/18 16:14:09 SMTP-IN 88B65018A4944699A18D4D9AC4DE9062.MAI 2868 204.232.250.38 220 f2newmedia.net ESMTP MailEnable Service, Version: 8.60--8.60 ready at 04/26/18 16:14:09 0 0
04/26/18 16:14:09 SMTP-IN 88B65018A4944699A18D4D9AC4DE9062.MAI 2868 204.232.250.38 EHLO EHLO server907.appriver.com 250-f2newmedia.net [204.232.250.38], this server offers 7 extensions 180 29
04/26/18 16:14:09 SMTP-IN 88B65018A4944699A18D4D9AC4DE9062.MAI 2868 204.232.250.38 STARTTLS STARTTLS 454 TLS not available due to temporary reason 71 10
04/26/18 16:14:09 SMTP-IN 88B65018A4944699A18D4D9AC4DE9062.MAI 2868 204.232.250.38 UNKN 503 Bad sequence of commands 30 13
Schannel gives the following error in Event Viewer:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.
Here are the ciphers we have in place:
[attached screenshot: ciphers.png]
We're currently running ME Enterprise 8.6 on Windows Server 2012R2 and have had TLS/SSL up and running for SMTP, POP3, & IMAP for a while. We require it for ports 995, 993, & 465, but not for port 25, which is where this issue seems to lie. I'm assuming that if we have any clients using port 25, and switch it to "Require SSL", they would be unable to connect until they change their settings, correct? As I understand it, STARTTLS should allow a connection to be either encrypted or unencrypted, and telnet indicates STARTTLS is offered, but it doesn't appear to do anything. OpenSSL returns the following when SSL is not required on port 25 (but works fine on the SSL-required port):
C:\Users\bj>openssl s_client -showcerts -connect f2newmedia.net:25
CONNECTED(00000210)
17676:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:794:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1524929329
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Any help on figuring this out would be appreciated.
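The EHLO/STARTTLS exchange that the AppRiver log above records, written out as a small probe. This is an added example for readers of the thread; it is not code from the original post, from MailEnable or from AppRiver, and the host names (`mail.example.invalid`, `probe.example.invalid`), the function names and the scripted replies are assumptions constructed for illustration. It does the two things a practitioner wants when a port-25 STARTTLS failure is reported: it issues EHLO and STARTTLS in plaintext first and only then starts the TLS handshake on the same socket (the step that `openssl s_client` performs only when given `-starttls smtp`; without that flag s_client sends a ClientHello into a plaintext SMTP session and reads the `220` banner as a TLS record, which is what the "unknown protocol" error after 7 bytes read describes), and it distinguishes a `220 Ready to start TLS` reply from the `454 TLS not available due to temporary reason` reply the MailEnable log shows, so the probe reports "server declined" separately from "handshake failed".

```python
"""SMTP STARTTLS probe (added example; not MailEnable/AppRiver code)."""
import socket
import ssl
import sys

# TLS record content types: ChangeCipherSpec, Alert, Handshake, ApplicationData.
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
SMTP_STARTTLS_GO_AHEAD = 220       # "220 Ready to start TLS"
SMTP_TLS_TEMP_UNAVAILABLE = 454    # "454 TLS not available due to temporary reason"


def read_reply(recv):
    """Read one complete SMTP reply via recv(n); return (code, [text lines]).

    Continuation lines carry '-' after the code, the final line carries ' '.
    """
    buf = b""
    while True:
        chunk = recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-reply")
        buf += chunk
        lines = buf.decode("latin-1").split("\r\n")
        last = lines[-2] if len(lines) >= 2 and lines[-1] == "" else ""
        if len(last) >= 4 and last[3] == " ":
            break
    lines = [line for line in lines if line]
    return int(lines[0][:3]), [line[4:] for line in lines]


def classify_first_bytes(first: bytes) -> str:
    """Classify what a peer sends where a TLS record is expected.

    A TLS record begins with a content-type byte followed by major version 0x03.
    A reply such as b'220 ...' means the peer is still speaking plaintext SMTP,
    the situation behind 'unknown protocol' / 'TLS record version is not 3.x'.
    """
    if len(first) >= 3 and first[0] in TLS_CONTENT_TYPES and first[1] == 0x03:
        return "tls-record"
    if first[:3].isdigit():
        return "smtp-plaintext"
    return "unknown"


def negotiate_starttls(sock, helo_name: str) -> dict:
    """Drive banner -> EHLO -> STARTTLS over a connected socket-like object.

    Returns the advertised extensions and the STARTTLS reply (None if the server
    does not advertise STARTTLS). Does not start TLS itself, so it can also be
    exercised offline against the scripted transport below.
    """
    code, banner = read_reply(sock.recv)
    if code != 220:
        raise RuntimeError(f"unexpected banner {code}: {banner}")
    sock.sendall(f"EHLO {helo_name}\r\n".encode())
    code, ehlo = read_reply(sock.recv)
    if code != 250:
        raise RuntimeError(f"EHLO refused: {code} {ehlo}")
    extensions = {line.split()[0].upper() for line in ehlo[1:]}
    if "STARTTLS" not in extensions:
        return {"extensions": extensions, "starttls_reply": None}
    sock.sendall(b"STARTTLS\r\n")
    code, text = read_reply(sock.recv)
    return {"extensions": extensions, "starttls_reply": (code, text[0])}


def probe(host: str, port: int = 25, helo_name: str = "probe.example.invalid",
          timeout: float = 10.0) -> dict:
    """Live probe: plaintext EHLO/STARTTLS, then the TLS handshake. Needs network."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # we want the handshake outcome, not trust
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        result = negotiate_starttls(sock, helo_name)
        reply = result["starttls_reply"]
        if reply is None or reply[0] != SMTP_STARTTLS_GO_AHEAD:
            result["tls"] = None      # e.g. 454: server declined, stay plaintext
            return result
        tls = ctx.wrap_socket(sock, server_hostname=host)   # raises on handshake failure
        result["tls"] = {"version": tls.version(), "cipher": tls.cipher()[0]}
        tls.sendall(b"QUIT\r\n")
    return result


class FakeSmtpServer:
    """Constructed scripted transport for offline use; replies are modelled on
    the logs in the post but are not captured from a real server."""

    def __init__(self, starttls_reply: bytes):
        self.script = [
            b"220 mail.example.invalid ESMTP ready\r\n",
            b"250-mail.example.invalid, this server offers 3 extensions\r\n"
            b"250-SIZE 20480000\r\n250-STARTTLS\r\n250 HELP\r\n",
            starttls_reply,
        ]
        self.sent = []

    def recv(self, n):
        return self.script.pop(0) if self.script else b""

    def sendall(self, data):
        self.sent.append(data)


if __name__ == "__main__":
    # Usage: python starttls_probe.py mx.host.example [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"
    print(probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 25))
```

For a quick manual check without the script, the equivalent OpenSSL invocation is `openssl s_client -starttls smtp -connect host:25`; the `-starttls smtp` option makes s_client speak plaintext SMTP up to the `220 Ready to start TLS` reply before it sends its ClientHello. A handshake that fails only on port 25 but succeeds on port 465, as described in the post, is then visible as a TLS alert or connection close after that reply rather than as "unknown protocol".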