BUMP: SMTP TLS Error / Transient?

nmnadmin
Posts: 6
Joined: Fri Mar 17, 2017 10:07 am

BUMP: SMTP TLS Error / Transient?

Postby nmnadmin » Sat May 06, 2017 7:18 pm

I have a very odd behavior on my mail server, in which the server will sometimes throw the dreaded 454 TLS temp error, but not always. I have gone through all the requisite forum posts and KBs and verified that the proper cert (the ONLY cert on the box) is selected and checked then re-did the permissions in both the winhttpcfg (I'm running 2003) and the registry.

Here is a little log excerpt to show the on/off scenario...

05/06/17 11:49:51 SMTP-IN E4D30EA1B9584CE28B6BACF16653AB03.MAI 1168 206.165.243.98 EHLO EHLO dominos-98.dominos.postdirect.com 250-xxxxxx.net [206.165.243.98], this server offers 5 extensions 140 40
05/06/17 11:49:51 SMTP-IN E4D30EA1B9584CE28B6BACF16653AB03.MAI 1168 206.165.243.98 STARTTLS 24 10
05/06/17 11:49:51 SMTP-IN E4D30EA1B9584CE28B6BACF16653AB03.MAI 1168 206.165.243.98 STARTTLS STARTTLS 24 10

05/06/17 11:49:59 SMTP-IN B85BF5EC39E14E009E4A419EDB1C2D4A.MAI 1220 63.236.77.214 220 mail.xxxxxx.net ESMTP MailEnable Service, Version: 9.50-9.50- ready at 05/06/17 11:49:59 0 0
05/06/17 11:49:59 SMTP-IN B85BF5EC39E14E009E4A419EDB1C2D4A.MAI 1220 63.236.77.214 EHLO EHLO mta833.cm.directv.com 250-xxxxxx.net [63.236.77.214], this server offers 5 extensions 139 28
05/06/17 11:49:59 SMTP-IN B85BF5EC39E14E009E4A419EDB1C2D4A.MAI 1220 63.236.77.214 STARTTLS STARTTLS 454 TLS not available due to temporary reason 71 10

05/06/17 11:50:47 SMTP-IN 8B72E1749B43486C91D664441A84AB4C.MAI 1304 63.146.96.123 220 mail.xxxxxx.net ESMTP MailEnable Service, Version: 9.50-9.50- ready at 05/06/17 11:50:47 0 0
05/06/17 11:50:47 SMTP-IN 8B72E1749B43486C91D664441A84AB4C.MAI 1304 63.146.96.123 EHLO EHLO mta813.email.chicos.com 250-xxxxxx.net [63.146.96.123], this server offers 5 extensions 139 30
05/06/17 11:50:47 SMTP-IN 8B72E1749B43486C91D664441A84AB4C.MAI 1304 63.146.96.123 STARTTLS STARTTLS 454 TLS not available due to temporary reason 71 10

So as you can see, there are, within seconds, connections in which it works and then does not. (Note: There were several successful TLS connections afterwards as well.)

For the time being I have disabled inbound TLS, but I would like to re-enable and could use some help troubleshooting.

Thanks.
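
An added example, not from the original post or from MailEnable, that parses STARTTLS lines in the SMTP-IN log layout shown above and reports how often the 454 reply occurs overall and per sending host, so the on/off pattern can be measured rather than eyeballed. The sample lines are constructed with placeholder addresses and hostnames.

```python
import re
from collections import defaultdict

# Constructed sample lines in the SMTP-IN log layout seen in the thread;
# IPs and hostnames are documentation placeholders, not real hosts.
SAMPLE_LOG = """\
05/06/17 11:49:51 SMTP-IN E4D30EA1B9584CE28B6BACF16653AB03.MAI 1168 192.0.2.10 EHLO EHLO mta1.example.net 250-mail.example.org [192.0.2.10], this server offers 5 extensions 140 40
05/06/17 11:49:51 SMTP-IN E4D30EA1B9584CE28B6BACF16653AB03.MAI 1168 192.0.2.10 STARTTLS STARTTLS 24 10
05/06/17 11:49:59 SMTP-IN B85BF5EC39E14E009E4A419EDB1C2D4A.MAI 1220 192.0.2.20 EHLO EHLO mta2.example.com 250-mail.example.org [192.0.2.20], this server offers 5 extensions 139 28
05/06/17 11:49:59 SMTP-IN B85BF5EC39E14E009E4A419EDB1C2D4A.MAI 1220 192.0.2.20 STARTTLS STARTTLS 454 TLS not available due to temporary reason 71 10
05/06/17 11:50:47 SMTP-IN 8B72E1749B43486C91D664441A84AB4C.MAI 1304 192.0.2.30 STARTTLS STARTTLS 454 TLS not available due to temporary reason 71 10
05/06/17 11:51:02 SMTP-IN 1D2C3B4A5F6E7D8C9B0A1F2E3D4C5B6A.MAI 1350 192.0.2.10 STARTTLS STARTTLS 24 10
"""

# A STARTTLS log line: date, time, message id, connection id, peer IP, the echoed
# command, then an optional 4xx/5xx reply text, then two trailing byte counters.
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) SMTP-IN (?P<msgid>\S+) (?P<conn>\d+) (?P<ip>[\d.]+) "
    r"STARTTLS STARTTLS(?: (?P<reply>[45]\d\d .*?))? \d+ \d+$"
)

def parse_starttls(log_text):
    """Yield (timestamp, peer_ip, reply_code_or_None) for every STARTTLS line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # EHLO, banner and other lines are skipped
        reply = m.group("reply")
        code = int(reply[:3]) if reply else None   # None means no error reply logged
        yield f"{m.group('date')} {m.group('time')}", m.group("ip"), code

def starttls_summary(log_text):
    """Per-peer success/454 counts plus the overall failure ratio."""
    per_ip = defaultdict(lambda: {"ok": 0, "failed": 0})
    for _ts, ip, code in parse_starttls(log_text):
        per_ip[ip]["failed" if code is not None else "ok"] += 1
    total = sum(c["ok"] + c["failed"] for c in per_ip.values())
    failed = sum(c["failed"] for c in per_ip.values())
    return {"per_ip": dict(per_ip), "total": total, "failed": failed,
            "failure_ratio": failed / total if total else 0.0}

if __name__ == "__main__":
    s = starttls_summary(SAMPLE_LOG)
    print(f"STARTTLS attempts: {s['total']}, 454 failures: {s['failed']} "
          f"({s['failure_ratio']:.0%})")
    for ip, c in sorted(s["per_ip"].items()):
        print(f"  {ip}: ok={c['ok']} failed={c['failed']}")
```

Feeding the real SMTP-IN log through `starttls_summary` shows whether the 454 replies cluster on particular sending hosts, which is the first thing to check before blaming the certificate or permissions.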

MailEnable-Ian
Site Admin
Posts: 8392
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: BUMP: SMTP TLS Error / Transient?

Postby MailEnable-Ian » Thu May 11, 2017 2:44 am

Hi,

The first step is to upgrade MailEnable from 9.50 to 9.74 and reassess from there to ensure that you have the latest fixes and updates to MailEnable core services.

Regards,

Ian Margarone
MailEnable Support

nmnadmin
Posts: 6
Joined: Fri Mar 17, 2017 10:07 am

Re: BUMP: SMTP TLS Error / Transient?

Postby nmnadmin » Sat May 13, 2017 9:20 am

I completed the upgrade to 9.74. No change in the behavior. Still about 1/2 - 2/3 of the TLS transactions yield the 454 error, while the rest work.

MailEnable-Ian
Site Admin
Posts: 8392
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: BUMP: SMTP TLS Error / Transient?

Postby MailEnable-Ian » Mon May 15, 2017 3:04 am

Hi,

Most likely it's because of the Windows 2003 server you're running, which does not support TLS 1.1 and TLS 1.2, and some clients/servers are failing on the STARTTLS because they are requiring TLS 1.1 or TLS 1.2. It might be an idea to plan a server migration and update your Windows server platform (Windows 2008 R2 onwards) for TLS 1.1 and TLS 1.2 support.

Here is an article that explains how to enable TLS 1.1 and TLS 1.2 on Windows 2008 R2 (onwards) servers:

https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx#BKMK_SchannelTR_TLS12

Regards,

Ian Margarone
MailEnable Support

nmnadmin
Posts: 6
Joined: Fri Mar 17, 2017 10:07 am

Re: BUMP: SMTP TLS Error / Transient?

Postby nmnadmin » Mon May 15, 2017 1:35 pm

That was our assessment, too. The only thing I am foggy on is why MailEnable would not opt for "opportunistic TLS", i.e. rather allow an unencrypted connection than hard fail on a missing protocol/cipher.

Is there any way to make ME ignore TLS 1.1/1.2 attempts until we can migrate?
