Mailing List CGatePro@mail.stalker.com Message #106804
From: Tom Rymes trymes@rymes.com <CGatePro@mail.stalker.com>
Subject: Re: Correcting TLS error
Date: Fri, 13 Apr 2018 08:43:29 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
I had issues with SSL/TLS in the past, and it doesn't seem like it's the same problem, but perhaps this might jumpstart you looking in the right direction.

Enabling older versions of TLS/SSL wasn't enough, as certain vendors have configured their TLS 1.0-only systems to work with newer ciphers that are technically non-compliant with the TLS 1.0 RFC (they hadn't been developed at the time the RFC was created). CommuniGate is pretty pedantic about this, and will refuse a connection using a combination of TLS 1.0 and AES256_SHA, for example. Unfortunately, many people have built their systems to allow this combination, as they cannot upgrade to a system that supports TLS 1.2, but they are not permitted to support a weaker cipher.

You might want to (if you haven't already) play with the "CBC Ciphers for old TLS" and "Weak Ciphers" settings to see how that affects your system.

http://lists.communigate.com/Lists/CGatePro/Message/105816.html

http://lists.communigate.com/Lists/CGatePro/Message/105819.html

Also, if you haven't, you might want to try connecting to your server from hosts that support only TLS 1.0 and TLS 1.2 to see how your server responds differently to them.

These are two messages from that same thread that might help:

http://lists.communigate.com/Lists/CGatePro/Message/105820.html
http://lists.communigate.com/Lists/CGatePro/Message/105821.html

Here's to hoping something here might be helpful. I do remember finding various settings to be counter-intuitive at first (i.e., the name sounded like it reduced security, but the effect was to increase security).

Tom

On 04/13/2018 2:47 AM, Thomas Bleek bl@gfz-potsdam.de wrote:
Perhaps --SMTPOutgoingTLSVersion <n> in Startup.sh?
https://support.communigate.com/kb_article.php?ref=3776-YPZB-4708

Kind regards,
Thomas Bleek

On 13.04.2018 at 04:12, Shaun Gamble listrdr@redco.com.au <CGatePro@mail.stalker.com> wrote:

My server is already set to accepting SSLv3 as the oldest and I still experience these problems.

I don't know if you have tried to get people to update certificates with their mail servers; however, when I send emails off to people, I am lucky if they even know the difference between SSL and TLS. Gone are the days when administrators actually know what they are doing and what the current requirements, etc., are.


On 13/04/2018 8:01 AM, Christian F Buser mac-christian@gmx.ch wrote:
Hello James Moe jimoe@sohnen-moe.com. On Sun, 8 Apr 2018 00:24:56 -0700, you wrote:
Hello,
   CGPro 6.1.19
   linux 4.4.120-45-default x86_64

   CG could not send a message:
22:06:55.705 3 SMTP-000424(tucsonwomenschorus.org) failed to establish a
secure connection with [216.222.193.110]:25. Error Code=TLS record
version is not 3.x

   What does the error about TLS mean?
   What is the best way to correct it?
I think your server did encounter another server which is not "modern" enough.

Here [1] is the manual on how to set what is acceptable for CG Pro. I have mine set to SSLv3 (which is, if I am not mistaken, the oldest version of SSL/TLS, all TLSv1.x being newer).

Probably the only possibilities you have are
(a) ask the receiving party to update their mail servers
(b) use an intermediary server which can talk to "older" mail server implementations to deliver your messages.

Christian

[1] https://www.stalker.com/CommuniGatePro/PKI.html#TLS


-- Shaun
Fitzroy Island<http://www.fitzroyisland.com>  Cairns, QLD
Destination Darwin NT<http://www.destinationnt.com>  Darwin, NT
MOM Backpackers<http://www.momdarwin.com>  Darwin, NT
Value Inn Hotel<http://www.valueinn.com.au>  Darwin, NT
Crocosaurus Cove<http://www.croccove.com>  Darwin, NT
Please do not send any unsolicited email. It is not wanted.

--
Dr. Thomas Bleek, Network Administrator
Helmholtz-Zentrum Potsdam
Deutsches GeoForschungsZentrum
Telegrafenberg A20/225
D-14473 Potsdam
Tel.: +49 331 288- 1818/1681 Fax.: 1730 Mobile: +49 172 1543233
E-Mail: bl@gfz-potsdam.de
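
The log line quoted in the thread complains about the record-layer version, so here is an added example (not from any poster in this thread, and not CommuniGate code) that parses the 5-byte TLS record header and classifies what a peer sent at the point where TLS should begin. The function name and the sample byte strings are constructed for illustration; what the remote server in the thread actually sent is not known from the page.

```python
import struct

# Record-layer (major, minor) pairs; major is 3 from SSLv3 onward.
# TLS 1.3 also writes 3.3 here and negotiates its real version in an extension.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def classify_first_bytes(data: bytes) -> dict:
    """Classify the first bytes a peer sends once TLS is expected to start."""
    if len(data) < 5:
        return {"kind": "short", "detail": f"only {len(data)} bytes"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in CONTENT_TYPES and major == 3:
        return {"kind": "tls", "content_type": CONTENT_TYPES[ctype],
                "version": VERSIONS.get((major, minor), f"3.{minor}"),
                "length": length}
    # SSLv2 record: high bit set in byte 0, message type in byte 2
    # (1 = CLIENT-HELLO, 4 = SERVER-HELLO). No 3.x record header at all.
    if data[0] & 0x80 and data[2] in (1, 4):
        return {"kind": "sslv2", "detail": "SSLv2-format hello"}
    # Plaintext SMTP reply: three ASCII digits, then space or hyphen.
    if data[:3].isdigit() and data[3:4] in (b" ", b"-"):
        line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "smtp_plaintext", "detail": line}
    return {"kind": "unknown", "detail": data[:5].hex()}

# Constructed samples, not captured from the servers in the thread.
SAMPLES = {
    "tls10_server_hello": bytes.fromhex("1603010051") + b"\x02" * 81,
    "tls12_fatal_alert": bytes.fromhex("15030300020228"),
    "sslv2_server_hello": bytes.fromhex("802e040001"),
    "smtp_reply": b"454 TLS not available\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} {classify_first_bytes(raw)}")
```

Anything other than the `tls` result means the peer's reply did not begin with a 3.x record header, which is the condition the error text names.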

