tls/ssl outbound SMTP problems (What's the best way to debug?)

Matt S
I've run into difficulties sending e-mails to one particular server using tls/ssl. The server in question is running Exchange with Proxmea Jep(s) greylisting installed. If I switch off tls for outbound smtp connections all is fine. With tls switched on, the logs record a remote server disconnect.

Digging a bit deeper, the servers make contact, negotiate TLSv1/SSLv3 connection, say EHLO then as soon as the mail transfer begins there's an SSL version error and we get no further.

We can make tls/ssl connections to other servers. I've tried a couple of Exchange servers, gmail uses tls and all is fine. I've only seen the problem with this particular server. The guys at the other end say they're regularly getting incoming tls/ssl connections on SMTP no problems....

We have a valid SSL cert installed. The troublesome remote server is using a self-signed cert.

Any ideas?

Matt S
A bit more info... The error logged is:

SSL3_GET_RECORD:wrong version number:s3_pkt.c:293:

This comes after successful tlsv1/sslv3 negotiation at the point our kerio server tries to send the mail to the remote Exchange server.
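The error quoted above is raised by OpenSSL's record layer when the 2-byte version field of an incoming record does not match what the handshake negotiated, or when the bytes are not an SSLv3/TLS record at all. The following is an added example, not code from this thread or from Kerio Connect: it reimplements that header check in Python so a record captured from a packet trace can be classified; the record bytes in the comments and test are constructed.

```python
import struct

# Protocol versions as they appear in the record header's version field.
SSL3_VERSION = 0x0300
TLS1_VERSION = 0x0301
SSL3_VERSION_MAJOR = 0x03
SSL3_RT_MAX_ENCRYPTED_LENGTH = 16384 + 2048  # OpenSSL's record size limit

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def check_record_header(header, negotiated_version):
    """Validate a 5-byte SSLv3/TLS record header against the negotiated version.

    Mirrors the checks OpenSSL's ssl3_get_record() performs before decrypting
    (the ones that produce SSL_R_WRONG_VERSION_NUMBER) and returns a dict with
    a 'verdict' plus a 'hint' describing the failure mode.
    """
    if len(header) < 5:
        raise ValueError("a record header is 5 bytes: type(1) version(2) length(2)")
    content_type, version, length = struct.unpack("!BHH", header[:5])
    result = {"content_type": CONTENT_TYPES.get(content_type, "unknown"),
              "version": version, "length": length}
    # Check 1: the major byte must be 3 for any SSLv3/TLS record. A cleartext
    # SMTP reply such as b"220 mail..." fails here because '2' is 0x32.
    if (version >> 8) != SSL3_VERSION_MAJOR:
        result["verdict"] = "wrong version number"
        if header[:3].isdigit() and header[3:4] in (b" ", b"-"):
            result["hint"] = ("peer sent cleartext SMTP reply %r where a TLS record was "
                              "expected; it never switched to TLS after STARTTLS" % header[:4])
        else:
            result["hint"] = "bytes are not an SSLv3/TLS record at all"
        return result
    # Check 2: the full version must match what the handshake agreed on. An
    # SSLv3 (0x0300) record arriving on a TLSv1 (0x0301) session, or the
    # reverse, is the mismatch class that the thread's error message reports.
    if version != negotiated_version:
        result["verdict"] = "wrong version number"
        result["hint"] = "record says 0x%04x but handshake negotiated 0x%04x" % (
            version, negotiated_version)
        return result
    if length > SSL3_RT_MAX_ENCRYPTED_LENGTH:
        result["verdict"] = "packet length too long"
        return result
    if content_type not in CONTENT_TYPES:
        result["verdict"] = "unknown content type"
        return result
    result["verdict"] = "ok"
    return result
```

Feed it the first five bytes the remote side sends right after the handshake completes (from a tcpdump or Wireshark capture of port 25) together with the version the log says was negotiated; the hint distinguishes a version mismatch from a peer that fell back to cleartext.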

Memnon
Perhaps this shines some light on the situation? http://www.mail-archive.com/openssl-users<_at_>openssl.org/msg47550.html

- https://shop.kerio.nl the Netherlands
- https://shop.kerio.be Belgium
- https://shop.kerio.lu Luxembourg

Matt S
Hmmmm. Now this is interesting. It looks like it's a problem with SSLv3. A quick trawl through mailserver.cfg and I found a line about disabling SSLv2. Set that to 0 and my problems go away.

However, the logs still show a successful TLSv1/SSLv3 negotiation so I'm confused. Is Kerio logging incorrectly?

Pavel Dobry (Kerio)
That option disables both SSLv2 (completely) and weak SSLv3 cipher suites. By this change the server now uses weak ciphers and encryption methods and it can be reported as vulnerable in penetration testing because of this. So, do it only when you know what you're doing.
The correct way is to tell the receiver to upgrade his server and start using more secure SSL.

[Updated on: Wed, 04 May 2011 14:29]


Matt S
That's what I presumed. As it is, we need to be able to send messages to this problematic server and I'd prefer to be using weak SSL than switching it off altogether, which is my only other option.

Working on getting the other party to update their server.

Matt S
Ok... So I've had no luck persuading the other end to patch their server. Is there any way to make Connect use an unsecured connection for just one particular domain? I'd much rather disable SSL2, but right now my choice is to leave the less secure ssl settings enabled or disable SSL altogether, which is obviously worse.

Matt S
Any ideas on this one? Or am I stuck with lower quality ssl security?

Memnon
From what I know it is not possible to alter behavior of Connect for a specific domain without reverse engineering and rebuilding Connect. I hope for you that the other end will come to their senses as I'm sure this will not just lead to problems for them with your Connect server but also with other servers. Not even talking about the security issues they will be having.

I wonder how 'the boss' at the Exchange end would find it if he discovers his emails travel across the web as plain text (or with weak encryption), making it possible for anyone in between to tcpdump and read his mails or the mails that are sent to him.

So I have to stick with Kerio_pdobry's advice not to stray away from the safe path.


Matt S
That's what I feared. Unfortunately not being able to send e-mail to this domain isn't an option, so I'll have to leave things compromised for now and gently prod the other end to sort things out.

Pavel Dobry (Kerio)
It appears this is a bug in Exchange 2003 server. There is a bug in the implementation of the secure channel using ciphers with 168-bit strength. Exchange 2007 does not seem to have this problem.
We are trying to invent a workaround for this. But the main problem is a bug in Exchange 2003. Unfortunately, I don't think Microsoft will fix it (they haven't done this in the last 7 years).

Matt S
Annoying isn't it. It would be great if you could implement allowing SSL2 for particular domains...