[Solved] ME is sending via TLS but not receiving via TLS

Discussions on webmail and the Professional version.
Post Reply
dreniarb
Posts: 316
Joined: Mon Jan 19, 2004 5:00 pm
Location: Marion, IN

[Solved] ME is sending via TLS but not receiving via TLS

Post by dreniarb » Fri May 04, 2018 6:18 pm

I am starting a new thread as I feel this is now a different issue than a TLS/SSL version problem. My installation of ME does not appear to be receiving inbound emails via TLS, though it is sending via TLS.

When I run a test on my server through this site it passes and shows TLS 1.2 being used:

https://www.checktls.com/TestReceiver

Our domain is marionutilities.com.

However when I look through the headers of any outside emails there is no information at all about TLS or Ciphers being used. Here is an email from gmail to myself:
Received: from mail-wm0-f49.google.com ([74.125.82.49]) by marionutilities.com with MailEnable ESMTPS; Fri, 4 May 2018 13:39:31 -0400
Received: by mail-wm0-f49.google.com with SMTP id t11so5227498wmt.0
for <jdoe@marionutilities.com>; Fri, 04 May 2018 10:39:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=gmail.com; s=20161025;
h=mime-version:from:date:message-id:subject:to;
bh=HP7M8vew8q+71LlIu+Ntt4GTsrHajua60LJKdIFsfyc=;
b=i0ihki/x5iyWCqbao/x2+vzJihncfq0gxfUhlfvsDeVv/YnaCJ6ksJLAkmmr7cbgNO
T3NUp3GDO8eR8NHlA6KacSza/Zmm0mqiCTRls+5RJRwFJzan7rAtxNDMNrrUeN/tlH45
3Wv+aZjLSHbl81fZkG7O32+aqltzr4IkFCXf0x/pPkdPElTfy+W6VYQ1TSKqHCgFM6e1
If4HI0AXl1+cb0Pft/3n/3hymcFeEhKSwg3YMEdx/ufXJdyaadyr5P3R6ZwQxhbkN3SC
J2QZ4OTpXcodlwGkafv3tRmFI0tpMV4E8TOvfOqGC6fACx7pxQIy/9YNUafSppnMjXSS
CsMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=HP7M8vew8q+71LlIu+Ntt4GTsrHajua60LJKdIFsfyc=;
b=tr2hh50nPpwonciSgukeSvjGOePYDuZTgMoELXKR10+y4ZZWJ4uhKwR9lKTi5dcgGx
hXTMDYS0U28taFzPFNUQQjIooxyFddZreOcmgtiwsuz53yAFdClfnLgUax4+YQbxFmoO
zHu8Myye0onFybQEXIw2OC7vWXOHGG53RByvaD517udC623QhijD4KK0iHT4Lp2Pkzwr
QgB5+tBRMhd7hUnoq9kx72W6wsNzNWjhY7JjM/qCklxS0kdk9ugHDnLRV4auiKXc2z0p
jT1NqixRYpgCJ9eXwRMs248otc920LyLA7afRmtEv7xF+gbuwK3J0iomk9JjpNjOPB02
kBZw==
X-Gm-Message-State: ALQs6tAEX60ABgX4tzILKtfG/rfmyDqnZuQNefhpgStd9xpl+Egt3Qz3
k32nF6uPDyIerrSo1IkbseIUVjXxsphWBDMyVAA=
X-Google-Smtp-Source: AB8JxZqfDKqdisSezSQ/5hsxNGO3Yz6+jT1F2zrz0MUT8uq4CkS1gP2+gIrDFTIUOgxho1rlvEoqt1x2hBXdQnqElTc=
X-Received: by 10.28.63.199 with SMTP id m190mr16487180wma.158.1525455569178;
Fri, 04 May 2018 10:39:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.28.61.3 with HTTP; Fri, 4 May 2018 10:39:28 -0700 (PDT)
From: John Doe <jdoe@gmail.com>
Date: Fri, 4 May 2018 13:39:28 -0400
Message-ID: <CALZaCmGtmzF50RQibo+FadtBL8Bf-h3JEi0FOMatSwbtOA5WrA@mail.gmail.com>
Subject: Testing from gmail to ME
To: jdoe@marionutilities.com
Content-Type: multipart/alternative; boundary="001a114c245e525461056b64cd4f"
X-ME-Bayesian: 0.000000
Return-Path: <jdoe@gmail.com>

--001a114c245e525461056b64cd4f
Content-Type: text/plain; charset="UTF-8"
Now here is an email from ME webmail to gmail:
Delivered-To: jdoe@gmail.com
Received: by 10.28.129.130 with SMTP id c124csp351228wmd;
Fri, 4 May 2018 10:57:01 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZomP0/FnfzhVah7r1VKcuUnq6HLiy55QQ0yEhxdWYSu17HTS4s7fI/z2QGBS3dh2e1Zk8so
X-Received: by 2002:a6b:9589:: with SMTP id x131-v6mr6912194iod.40.1525456621472;
Fri, 04 May 2018 10:57:01 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1525456621; cv=none;
d=google.com; s=arc-20160816;
b=TZONHLSAJsbX8y8y8LcrJii1V1H9NdcFAV8Y+UpXVnicp8rKABlzw9TVFSZBoOPhzv
UH2IU9jyIiQOXHq0u4DkcyahF5brxlAanEh8byzRtnvyNFKV4cq1cY7LiC8V1NtFk4OY
Ablp4gjkjZMmCmMcmJB/zc7ctrf1pKhaEoJDzRpqPo5JLmCiVg5vv2nBXSvpSGVCNMjx
ubeXsYwMGzIwA5QCgF572d+PlYKei0ZFnCSQOQld0F8dxzaeB3oXnM1mAZZ937I64fWk
cN3c2LNMg+66iH0s/XuS5QI4tWSkkwmNi47eLkFDnRnUUEt6VIGJW9oXOWwVh3vk7KCY
rHow==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
h=mime-version:message-id:date:subject:from:to
:arc-authentication-results;
bh=lGKAw9Og+nGoZToKdOPXKh4zlzS1EDQd+w4Z8PfGhTU=;
b=hMZIvBPSnEpsobAhkUF9RXdscYDb0rkhHahnW5oK2njtnuOVL+tVz1aNzsfbpadiE4
ipGUp1o0SgscwW7r5JVn5JzWBDUkHG/L0MYxtFshxZJg0i/jMWsufoGNw+8WqRNj4cCS
so8gkn9ozGZVOMtrNuNbJxNx3tWqP659SEpFLpq1/OlGoIPDPbKh9SOsLWlY8oEuto4+
E0hbzRoBkYCq2XtBR2AWBvFnyPHYBA/ns2baWY0asqwL1SgwdCPpTBW2SV668B+m/Apa
vUJdvSKwHCBUbs1S/h76e60dAiRqs23t8Sv0nL0sR+FDrzi7kSqXuAMY9AHvezeZqk8D
yU/A==
ARC-Authentication-Results: i=1; mx.google.com;
spf=pass (google.com: domain of jdoe@marionutilities.com designates 24.123.208.162 as permitted sender) smtp.mailfrom=jdoe@marionutilities.com
Return-Path: <jdoe@marionutilities.com>
Received: from marionutilities.com (smtp.marionutilities.com. [24.123.208.162])
by mx.google.com with ESMTPS id u63-v6si3872562ioe.206.2018.05.04.10.57.00
for <jdoe@gmail.com>
(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
Fri, 04 May 2018 10:57:01 -0700 (PDT)
Received-SPF: pass (google.com: domain of jdoe@marionutilities.com designates 24.123.208.162 as permitted sender) client-ip=24.123.208.162;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of jdoe@marionutilities.com designates 24.123.208.162 as permitted sender) smtp.mailfrom=jdoe@marionutilities.com
Received: from ([172.17.17.105]) by marionutilities.com with MailEnable WebMail; Fri, 4 May 2018 13:56:58 -0400
To: <jdoe@gmail.com>
From: John Doe <jdoe@marionutilities.com>
Subject: Test from Me to gmail
Date: Fri, 4 May 2018 13:56:58 -0400
Message-ID: <54047D9509504644AD066F8BF07248D5.MAI@marionutilities.com>
MIME-Version: 1.0
X-MimeOLE: Produced By MailEnable WebMail.NET V10.15.0.0
X-Mailer: MailEnable WebMail.NET
X-Read: 0
Content-Type: multipart/alternative; boundary="__=_AltPart_1510233092_530426079"
X-ME-Bayesian: 0.000000

--__=_AltPart_1510233092_530426079
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
As you can see it's using TLS 1.2.

What makes this even more confusing is that internal emails from our Exchange Server to our Mailenable server do seem to be using TLS. This is an email I sent via OWA to an email address that does not exist on the Exchange Server - thus it routed to ME:
Received: from mucex02.marionutilities.com ([172.17.16.4]) by marionutilities.com with MailEnable ESMTPS; Fri, 4 May 2018 14:03:24 -0400
Received: from mucex02.marionutilities.com (172.17.16.4) by
mucex02.marionutilities.com (172.17.16.4) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id
15.1.1415.2; Fri, 4 May 2018 14:03:24 -0400
Received: from mucex02.marionutilities.com ([fe80::1895:57ca:337c:1b0]) by
mucex02.marionutilities.com ([fe80::1895:57ca:337c:1b0%12]) with mapi id
15.01.1415.002; Fri, 4 May 2018 14:03:24 -0400
From: Administrator <Administrator@marionutilities.com>
To: "MEonlyAddress@marionutilities.com" <MEonlyAddress@marionutilities.com>
Subject: Test from Exchange to ME
Thread-Topic: Test from Exchange to ME
Thread-Index: AQHT49Ix8NcBimHkBEOPDYn95//2Jw==
Date: Fri, 4 May 2018 18:03:24 +0000
Message-ID: <f01b763fc0fe410daad0a9ebc80a449f@marionutilities.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.17.17.105]
Content-Type: multipart/alternative;
boundary="_000_f01b763fc0fe410daad0a9ebc80a449fmarionutilitiescom_"
MIME-Version: 1.0
X-CrossPremisesHeadersFilteredBySendConnector: mucex02.marionutilities.com
X-OrganizationHeadersPreserved: mucex02.marionutilities.com
X-ME-Bayesian: 0.006245
Return-Path: <Administrator@marionutilities.com>

--_000_f01b763fc0fe410daad0a9ebc80a449fmarionutilitiescom_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
There it is - TLS 1.2 being used on an inbound email. So to me that means we have things configured correctly in ME.

Yet it seems all inbound email from outside addresses do not use TLS. In the logs I can see STARTTLS being advertised and even initiated I think:
05/04/18 10:55:26 SMTP-IN A38B099A8C1C41149A0207F1A8ED5566.MAI 1652 74.125.82.49 220 smtp.marionutilities.com - YO YO YO 0 0
05/04/18 10:55:26 SMTP-IN A38B099A8C1C41149A0207F1A8ED5566.MAI 1652 74.125.82.49 EHLO EHLO mail-wm0-f49.google.com 250-marionutilities.com [74.125.82.49], this server offers 3 extensions 116 30
05/04/18 10:55:27 SMTP-IN A38B099A8C1C41149A0207F1A8ED5566.MAI 1652 74.125.82.49 STARTTLS 24 10
05/04/18 10:55:27 SMTP-IN A38B099A8C1C41149A0207F1A8ED5566.MAI 1652 74.125.82.49 STARTTLS STARTTLS 24 10
05/04/18 10:55:27 SMTP-IN A38B099A8C1C41149A0207F1A8ED5566.MAI 1652 74.125.82.49 EHLO EHLO mail-wm0-f49.google.com 250-marionutilities.com [74.125.82.49], this server offers 2 extensions 102 30
05/04/18 10:55:27 SMTP-IN A38B099A8C1C41149A0207F1A8ED5566.MAI 1652 74.125.82.49 MAIL MAIL FROM:<jdoe@gmail.com> SIZE=59726 250 Requested mail action okay, completed 43 49
05/04/18 10:55:27 SMTP-IN A38B099A8C1C41149A0207F1A8ED5566.MAI 1652 74.125.82.49 RCPT RCPT TO:<jdoe@marionutilities.com> 250 Requested mail action okay, completed 43 41
05/04/18 10:55:27 SMTP-IN A38B099A8C1C41149A0207F1A8ED5566.MAI 1652 74.125.82.49 DATA DATA 354 Start mail input; end with <CRLF>.<CRLF> 46 6
Yet the headers in the emails do not show any signs of TLS being used.

What's even more concerning is that when I go into SMTP properties/Inbound tab/Port Settings and place a check next to Requires SSL on the SMTP service port all inbound email stops. Nothing comes in from outside, nothing internally from Exchange. I have to remove that check mark to get inbound email working again.

I've tried a few other outside test sites and the ones that appear to actually try to send an email fail due to a problem with TLS. All 3 of these sites fail me on TLS:

https://www.wormly.com/test-smtp-server
https://luxsci.com/extranet/tlschecker.html
https://ssl-tools.net/mailservers/marionutilities.com

I'm at a loss for what I'm doing wrong. Any help is greatly appreciated.
Last edited by dreniarb on Thu May 10, 2018 5:08 am, edited 1 time in total.

MailEnable-Ian
Site Admin
Posts: 8965
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: ME is sending via TLS but not receiving via TLS

Post by MailEnable-Ian » Thu May 10, 2018 3:23 am

Hi,
Yet the headers in the emails do not show any signs of TLS being used.


We do mark the the received header. We follow the RFC standard and change the SMTP registry used in the received header. I,e:

"ESMTP" for non encrypted layer
"ESMTPS" for encrypted layer "STARTTLS".
The new keyword "ESMTPS" indicates the use of ESMTP when STARTTLS
[1] is also successfully negotiated to provide a strong transport
encryption layer.
https://tools.ietf.org/html/rfc3848
What's even more concerning is that when I go into SMTP properties/Inbound tab/Port Settings and place a check next to Requires SSL on the SMTP service port all inbound email stops. Nothing comes in from outside, nothing internally from Exchange. I have to remove that check mark to get inbound email working again.
Port 25 needs to be non SSL as all mail servers will send over non SSL for port 25 and thus why you cant receive.

Your problems could also be related to your Comodo SSL wildcard certificate where it is known to cause problems on some mail servers when sending over TLS 1.2.
Regards,

Ian Margarone
MailEnable Support

dreniarb
Posts: 316
Joined: Mon Jan 19, 2004 5:00 pm
Location: Marion, IN

Re: ME is sending via TLS but not receiving via TLS

Post by dreniarb » Thu May 10, 2018 5:07 am

MailEnable-Ian wrote:Hi,
Yet the headers in the emails do not show any signs of TLS being used.


We do mark the the received header. We follow the RFC standard and change the SMTP registry used in the received header. I,e:

"ESMTP" for non encrypted layer
"ESMTPS" for encrypted layer "STARTTLS".
The new keyword "ESMTPS" indicates the use of ESMTP when STARTTLS
[1] is also successfully negotiated to provide a strong transport
encryption layer.
Awesome. This is comforting to know. :)

Much appreciated.

Admin
Site Admin
Posts: 804
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: [Solved] ME is sending via TLS but not receiving via TLS

Post by Admin » Thu May 10, 2018 11:45 pm

Hi,

We've also updated the SMTP service for the next minor update so it will indicate the TLS version and the cipher as well in the received header. This should help make it easier to see.

Post Reply