Mailing List CGatePro@mail.stalker.com Message #106878
From: Ralf Zenklusen, BAR Informatik AG r.zenklusen@barinformatik.ch <CGatePro@mail.stalker.com>
Subject: AW: TLS version, fix one break another
Date: Sun, 01 Jul 2018 17:28:30 +0200
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.52.54.12/1.54.12.21
Hi Dmitry,
that really sounds great.

We'll try this asap.


Regards
Ralf


-----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com]
Sent: Sunday, 1 July 2018 14:18
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Subject: Re: TLS version, fix one break another

Hello,

On 2018-06-25 18:19 , Ralf Zenklusen, BAR Informatik AG r.zenklusen@barinformatik.ch wrote:
> Hi Dmitry
> that sounds great - thanks.
>
> What exactly does "offered TLS version will be reduced after each connection failure" mean?
> - From the set TLS to just one below?

Yes, from 3 (1.2) to 2 (1.1) and so on.

> - Or one down for every following failure? First failure one down and again one down for the next failure etc. until plain?

Until plain or sent.

> What happens if the lowest/lower TLS version is reached?
> - Will the server try that version until the message fails?
> - Or will it start again with the highest (the one set) version? And if that fails go one version down?

STARTTLS won't be tried for all future attempts.

> Kind regards
> Ralf
>
>
> -----Original Message-----
> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com]
> Sent: Monday, 25 June 2018 16:25
> To: CommuniGate Pro Discussions
> Subject: Re: TLS version, fix one break another
>
> Hello,
>
> On 2018-06-05 13:00, Ralf Zenklusen, BAR Informatik AG
> r.zenklusen@barinformatik.ch wrote:
>> Well, yes that's probably our main problem at the moment mainly because we see this more and more.
>> Some servers support only weak cyphers, others need strong cyphers. Some need TLS3, others support only 2... etc.
>> It's impossible to satisfy all these requirements.
>>
>> We get more and more complaints that emails don't get through.
>> We then need to identify the reason for the "broken connection" and set the domain manually to "send plain" at Settings->Mail->SMTP->Sending->Send Encrypted.
>>
>> CGate should really (try to) fall back to plain automatically, if it fails to make a secure connection.
>> Obviously it would be good to have a setting per domain or the possibility to override for connections that you need to keep safe.
>>
>> Really hope this will appear in one of the next releases.
>
> In 6.2.6 (due early July) there will be an option with TLS version to
> suggest on outgoing connections and for connections with optional
> security (that is, not for the hosts in the Send securely list) the
> offered TLS version will be reduced after each connection failure.
>
>>
>>
>> Kind regards
>> Ralf
>>
>>    
>> r.zenklusen@barinformatik.ch
>> -----Original Message-----
>> From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com]
>> Sent: Tuesday, 5 June 2018 03:23
>> To: CommuniGate Pro Discussions
>> Subject: TLS version, fix one break another
>>
>> I had some emails stuck in the queue, with the already known error
>> "Error Code=TLS record version is not 3.x"
>> So I implemented the solution detailed on a post here a couple of
>> months ago, creating a Startup.sh file with the parameter
>> "--SMTPOutgoingTLSVersion 3"
>> Voilà ! after restarting, those emails that were stuck went through..!
>>
>> But... (why always a but!?) ... another whole set of emails began
>> queuing up, with "connection is broke" and no further explanation.
>> Specifically all domains hosted by Microsoft's services.
>>
>> I removed the Startup.sh fix, restarted, and all those emails went through.
>>
>> So, is there a solution that works for all and does not create its
>> own set of problems?
>>
>> best regards,
>>
>> Roberto
>>
>> #############################################################
>> This message is sent to you because you are subscribed to
>>     the mailing list <CGatePro@mail.stalker.com>.
>> To unsubscribe, E-mail to: <CGatePro-off@mail.stalker.com>
>> To switch to the DIGEST mode, E-mail to <CGatePro-digest@mail.stalker.com>
>> To switch to the INDEX mode, E-mail to <CGatePro-index@mail.stalker.com>
>> Send administrative queries to <CGatePro-request@mail.stalker.com>

--
Best regards,
Dmitry Akindinov.
=======================================================================
When answering to letters sent to you by the tech.support staff, make sure the original message you have received is included into your reply.
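
The fallback rule described in this thread, modelled as a small state machine. This is an added example, not part of the original messages and not CommuniGate Pro code. The `Route` and `deliver` names, the TLS 1.0 floor (number 1), the `PLAIN` marker and the assumption that a plain-text attempt always succeeds are hypothetical; only the 3 = TLS 1.2 / 2 = TLS 1.1 numbering and the "Send securely" exemption come from the thread.

```python
from dataclasses import dataclass, field

# Numbering used in the thread: 3 = TLS 1.2, 2 = TLS 1.1.
# Assumption: 1 = TLS 1.0 is the last TLS offer before plain text.
TLS_NAMES = {3: "TLS 1.2", 2: "TLS 1.1", 1: "TLS 1.0"}
PLAIN = 0  # hypothetical marker: STARTTLS is not tried


@dataclass
class Route:
    """Retry state for one destination host (hypothetical structure)."""
    start_version: int = 3       # TLS version suggested on the first attempt
    send_securely: bool = False  # host is in the "Send securely" list
    offer: int = field(init=False)

    def __post_init__(self):
        self.offer = self.start_version

    def on_failure(self):
        """Rule from the thread: reduce the offer after a connection failure."""
        if self.send_securely:
            return           # required security: the offer is never reduced
        if self.offer > PLAIN:
            self.offer -= 1  # one step down; the step below TLS 1.0 is plain


def deliver(route, peer_accepts, max_attempts=6):
    """Retry until the message is sent or the attempts run out.

    peer_accepts is a constructed set of version numbers with which the
    remote handshake succeeds. Assumes a plain-text attempt always succeeds.
    Returns (list of offers made, outcome).
    """
    offers = []
    for _ in range(max_attempts):
        if route.offer == PLAIN:
            offers.append("plain")
            return offers, "sent-plain"
        offers.append(TLS_NAMES[route.offer])
        if route.offer in peer_accepts:
            return offers, "sent-encrypted"
        route.on_failure()
    return offers, "queued"
```

With an empty `peer_accepts`, an optional-security route ends at `sent-plain` and stays on plain for later calls, while a route with `send_securely=True` keeps offering its configured version and the message stays queued.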
