Starttls / SSL for outgoing SMTP connections
Spacey

Hi,
actually there's news going around saying that many companies' mail servers don't support outgoing encrypted mail submission. Since everything is enabled (and it should work of course) for my server I did a quick check just to be sure everything works - but it doesn't.

1) Here I did check if my mailserver sends emails encrypted: https://de.ssl-tools.net/mails - this one reports me as "unsafe - not encrypted".

So I checked my kerio settings:

2) SMTP-Server -> SMTP-Zustellung (submission) -> SMTP-Client-Options -> checked (activated) -> Use SSL/TLS if SMTP-remote server supports it.

3) All my services are up and running - Normal SMTP - Secure SMTP - SMTP Submission....

4) These ports are open in my firewall (Cisco ASA 5510) -> 465, 587, 6569, 993, 995, https, smtp

5) What else: I've got a valid & active Thawte SSL Cert for my mailserver domain.... Incoming eMail transfers from other servers seem to be encrypted if I read my logs correctly.

6) It seems that the communication between my mailclients and my kerio server *is* encrypted.

So where else can I look why my kerio can't send encrypted to other mailservers? What can I do?

Here are some Logfiles - various SSL actions and the connection to the testserver ssl-tools.net

[15/Sep/2014 09:54:31][4503187456] {conn} Established secure server connection from 172.19.1.33:52228 to 172.19.0.3:465 using TLSv1 with cipher DHE-RSA-AES256-SHA, id 0x122285230
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 read client hello A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 write server hello A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 write certificate A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 requested 1024 bit parameters for Ephemeral Diffie-Hellman key exchange
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 write key exchange A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 write server done A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 flush data
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:error in SSLv3 read client certificate A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:error in SSLv3 read client certificate A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 read client key exchange A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 read finished A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 write session ticket A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 write change cipher spec A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 write finished A
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL_accept:SSLv3 flush data
[15/Sep/2014 09:54:31][4734959616] {conn} SSL debug: id 0x12af66640 SSL handshake done: SSL negotiation finished successfully
[15/Sep/2014 09:54:31][4734959616] {conn} Established secure server connection from 172.19.1.22:50152 to 172.19.0.3:443 using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384, id 0x11bbac630
[15/Sep/2014 09:54:31][4910510080] {smtpc} Sending email to SMTP server ssl-tools.net, delivering mail from <my.email<_at_>address.de>
[15/Sep/2014 09:54:31][4910510080] {conn} Looking up host ssl-tools.net in DNS...
[15/Sep/2014 09:54:31][4910510080] {conn} DNS: host ssl-tools.net found, IP address 91.202.41.201
[15/Sep/2014 09:54:31][4910510080] {smtpc} Connecting to 91.202.41.201 (ssl-tools.net) using local interface 0.0.0.0...
[15/Sep/2014 09:54:31][4910510080] {conn} Connecting to 91.202.41.201:25 via local interface 0.0.0.0 ...
[15/Sep/2014 09:54:31][4910510080] {conn} Connection from 91.202.41.201:25 to 172.19.0.3:61029, socket 295.
[15/Sep/2014 09:54:31][4910510080] {smtpc} Connected to ssl-tools.net
[15/Sep/2014 09:54:31][4950331392] {conn} SSL debug: id 0x125b65aa0 SSL3 alert read:warning:close notify
[15/Sep/2014 09:54:31][4950331392] {conn} SSL debug: id 0x125b65aa0 SSL3 alert write:warning:close notify
[15/Sep/2014 09:54:31][4950331392] {conn} Closing socket 108
[15/Sep/2014 09:54:32][4910510080] {smtpc} Received greeting: 220 ***************************
[15/Sep/2014 09:54:32][4910510080] {smtpc} Sending EHLO
[15/Sep/2014 09:54:32][4910510080] {smtpc} Sent MAIL command
[15/Sep/2014 09:54:32][4910510080] {smtpc} Got reply: 250 2.1.0 Ok
[15/Sep/2014 09:54:32][4910510080] {smtpc} Sent RCPT TO: <check<_at_>ssl-tools.net>
[15/Sep/2014 09:54:32][4910510080] {smtpc} Got reply: 250 2.1.5 Ok
[15/Sep/2014 09:54:32][4910510080] {smtpc} Sent DATA command
[15/Sep/2014 09:54:32][4910510080] {smtpc} Got reply: 354 End data with <CR><LF>.<CR><LF>
[15/Sep/2014 09:54:32][4910510080] {smtpc} Sending message body...
[15/Sep/2014 09:54:32][4910510080] {smtpc} Data sent, got reply: 250 2.0.0 Ok: queued as AD58560236
[15/Sep/2014 09:54:32][4910510080] {smtpc} QUIT sent, got reply: 221 2.0.0 Bye
[15/Sep/2014 09:54:32][4910510080] {conn} Closing socket 295


Thanks!

[Updated on: Mon, 15 September 2014 10:03]

Spacey

Hell... tested around 2h before posting this. But several minutes later:

Found the solution: Another test ( http://checktls.com ) provided me some more details why it isn't working:

http://www.exim.org/exim-html-4.40/doc/html/FAQ_0.html#TOC53

An SMTP inspection option was enabled within my Cisco ASA. I disabled it and now my outgoing SMTPs are encrypted....

[Updated on: Mon, 15 September 2014 11:19]
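
The symptom visible in the log from the first post, as an added example that is not part of the original posts and not Kerio code: a Python check that flags an outgoing delivery whose greeting is masked with asterisks and whose MAIL command went out with no TLS line on the same thread, which is what the SMTP inspection described above left behind. The sample lines are copied from the posted log; `TLS_HINT`, `audit` and `tampering_suspected` are assumed names, and the wording a TLS-upgraded delivery would log is an assumption.

```python
import re

# Sample input: lines copied from the log in the first post (subset).
SAMPLE_LOG = """\
[15/Sep/2014 09:54:31][4910510080] {smtpc} Connected to ssl-tools.net
[15/Sep/2014 09:54:31][4950331392] {conn} SSL debug: id 0x125b65aa0 SSL3 alert read:warning:close notify
[15/Sep/2014 09:54:31][4950331392] {conn} Closing socket 108
[15/Sep/2014 09:54:32][4910510080] {smtpc} Received greeting: 220 ***************************
[15/Sep/2014 09:54:32][4910510080] {smtpc} Sending EHLO
[15/Sep/2014 09:54:32][4910510080] {smtpc} Sent MAIL command
[15/Sep/2014 09:54:32][4910510080] {smtpc} Sent RCPT TO: <check<_at_>ssl-tools.net>
[15/Sep/2014 09:54:32][4910510080] {smtpc} QUIT sent, got reply: 221 2.0.0 Bye
"""

LINE = re.compile(r"^\[[^\]]+\]\[(\d+)\] \{(\w+)\} (.*)$")
# Assumption: a delivery that upgraded to TLS logs one of these words on the
# same thread before MAIL. Case-sensitive so host names like ssl-tools.net do not match.
TLS_HINT = re.compile(r"STARTTLS|TLS|SSL")

def audit(log_text):
    """Return one finding dict per finished outgoing SMTP session."""
    sessions, findings = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, module, msg = m.groups()
        if module == "smtpc" and msg.startswith("Connected to "):
            sessions[thread] = {"host": msg[len("Connected to "):],
                                "masked_greeting": False, "tls_seen": False,
                                "cleartext_mail": False}
            continue
        s = sessions.get(thread)
        if s is None:
            continue  # interleaved line from another connection's thread
        if msg.startswith("Received greeting: 220"):
            banner = msg.split("220", 1)[1].strip()
            s["masked_greeting"] = bool(banner) and set(banner) == {"*"}
        elif TLS_HINT.search(msg):
            s["tls_seen"] = True
        elif msg.startswith("Sent MAIL command"):
            s["cleartext_mail"] = not s["tls_seen"]
        elif msg.startswith("QUIT sent"):
            findings.append(sessions.pop(thread))
    return findings

def tampering_suspected(finding):
    """Masked banner plus cleartext MAIL: look at the firewall, not the mail server."""
    return finding["masked_greeting"] and finding["cleartext_mail"]
```

Sessions are keyed by the thread id in the second bracket, so the SSL debug lines from the unrelated thread 4950331392 are not mistaken for a TLS upgrade of the delivery to ssl-tools.net.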
