Bounced emails with just SSLv3 disabled
(Kerio User Forums » Kerio Connect)
MarkK
I am running Connect 8.4.2 (32bit) on a Win2008x64 (not R2) server.

I had previously tried disabling SSLv3 and TLSv1.0, without realizing that Win2008 (not R2) doesn't support TLS 1.1 or 1.2. So we had emails that were not being received by us until I re-enabled both SSLv3 and TLSv1.0. That was a few weeks ago.

This week I tried disabling just SSLv3. Within a couple of hours, I was notified that a reply-to email from a government employee in another city had bounced back to them. This was not them mistyping in my email address, but rather them hitting Reply To.

Another government employee that is local here forwarded me the email through the same email channel, and I received that one. I'm assuming different originating government email servers were used to send the emails.

I have re-enabled SSLv3 again to make sure we are receiving all emails.

Would there be email servers that would only support SSLv3 and NOT TLSv1.0? Or is there possibly something else happening here? My concern is Connect v8.5, which has SSLv3 disabled by default (yes, I can turn it on), not receiving some emails.
Lukas Petrlik (Kerio)
It is possible (but very unlikely) that someone still uses a mail server that does not know even the TLS 1.0 protocol defined in 1999.

I recommend that you turn on the debug logging for "Network Connections and SSL" and "SMTP Server" messages. If the problem is caused by an error when establishing the secure connection, it will be logged as follows:
[22/May/2015 10:28:04][2512] {smtps} Command STARTTLS
...
[22/May/2015 10:28:04][2512] {conn} SSL error stack: 2512:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:.\ssl\s3_srvr.c:1003:
[22/May/2015 10:28:04][2512] {smtps} Failed STARTTLS in SMTP connection with XXXXXX
I.e. you will see a connection-related error "wrong version number" enclosed in STARTTLS-related messages.
MarkK
I disabled my SSLv3 and the WeakCiphersInSMTP. Set the debug log for the message types. Here is one of the items captured.

I don't see a FAILED entry, so I'm assuming that this means the communication was established and worked?

[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0CE03570 SSL_accept:error in SSLv3 read client certificate A
[22/May/2015 10:04:47][28344] {conn} Connection from {SENDER.IP}:49628 to {MY.IP}:443, socket 378968.
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL handshake started: before/accept initialization
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:before/accept initialization
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:error in SSLv2/v3 read client hello A
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL3 alert write:fatal:handshake failure
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:error in SSLv3 read client hello C
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:error in SSLv3 read client hello C
[22/May/2015 10:04:47][28344] {conn} Cannot accept SSL connection from {SENDER.IP}:49628 to {MY.IP}:443: SSL code 1, system error: (0) The operation completed successfully.
[22/May/2015 10:04:47][28344] {conn} SSL error stack: 28344:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:.\ssl\s3_srvr.c:967:
[22/May/2015 10:04:47][28344] {conn} Closing socket 378968
[22/May/2015 10:04:47][28344] {conn} Connection from {SENDER.IP}:49633 to {MY.IP}:443, socket 378968.
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL handshake started: before/accept initialization
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:before/accept initialization
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:error in SSLv2/v3 read client hello A
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:SSLv3 read client hello A
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:SSLv3 write server hello A
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:SSLv3 write certificate A
[22/May/2015 10:04:47][28344] {conn} SSL debug: id 0B2A3468 requested 1024 bit parameters for Ephemeral Diffie-Hellman key exchange
[22/May/2015 10:04:48][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:SSLv3 write key exchange A
[22/May/2015 10:04:48][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:SSLv3 write server done A
[22/May/2015 10:04:48][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:SSLv3 flush data
[22/May/2015 10:04:48][28344] {conn} SSL debug: id 0B2A3468 SSL_accept:error in SSLv3 read client certificate A

[22/May/2015 10:06:48][28344] {conn} Connection timeout after 120000 ms (local={MY.IP}:443, remote={SENDER.IP}:49633)
[22/May/2015 10:06:48][28344] {conn} Cannot accept SSL connection from {SENDER.IP}:49633 to {MY.IP}:443: SSL code 2, system error: (0) The operation completed successfully.
[22/May/2015 10:06:48][28344] {conn} Closing socket 378968
Lukas Petrlik (Kerio)
These connection attempts are on port 443 (https); the text "Cannot accept SSL connection" means that the connection was not established. You should look for connection attempts on port 25 (smtp) instead.
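A small parser for the two points made in this thread (a handshake failure shows up as a "wrong version number" OpenSSL error stack, and only failures on the SMTP side or inside STARTTLS can bounce inbound mail, not those on 443). This is an added example, not Kerio code; the log lines it runs over are constructed to match the format quoted above, with documentation IP addresses standing in for the masked ones.

```python
import re
from collections import defaultdict
# Line layout of the Kerio Connect debug log quoted in this thread (regexes are this example's own).
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\] \{(?P<cat>\w+)\} (?P<msg>.*)$')
ACCEPT_FAIL_RE = re.compile(r'Cannot accept SSL connection from (?P<remote>\S+) to (?P<local>\S+): SSL code (?P<code>\d+)')
ERR_STACK_RE = re.compile(r'SSL error stack: \d+:error:[0-9A-Fa-f]+:SSL routines:\w+:(?P<reason>[^:]+):')
FAILED_TLS_RE = re.compile(r'Failed STARTTLS in SMTP connection with (?P<peer>\S+)')
SMTP_PORTS = {25, 465, 587}

def parse_tls_failures(lines):
    """One dict per failed TLS handshake: local port, OpenSSL reason, and whether it was inside STARTTLS."""
    findings, state = [], defaultdict(dict)          # state is keyed by the log's thread id
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tid, cat, msg = m['tid'], m['cat'], m['msg']
        st = state[tid]
        if cat == 'smtps' and msg == 'Command STARTTLS':
            st['in_starttls'] = True                 # the handshake that follows belongs to SMTP
        elif (f := ACCEPT_FAIL_RE.search(msg)):
            st['last'] = {'ts': m['ts'], 'tid': tid, 'port': int(f['local'].rsplit(':', 1)[1]),
                          'ssl_code': int(f['code']), 'reason': None,
                          'starttls': st.get('in_starttls', False)}
            findings.append(st['last'])
        elif (e := ERR_STACK_RE.search(msg)):
            if st.get('last') and st['last']['reason'] is None:
                st['last']['reason'] = e['reason']   # stack line follows its "Cannot accept" line
            else:                                    # STARTTLS path: stack may arrive on its own
                st['last'] = {'ts': m['ts'], 'tid': tid, 'port': None, 'ssl_code': None,
                              'reason': e['reason'], 'starttls': st.get('in_starttls', False)}
                findings.append(st['last'])
        elif (t := FAILED_TLS_RE.search(msg)):
            if st.get('last'):
                st['last']['starttls'], st['last']['peer'] = True, t['peer']
            st['in_starttls'] = False
    return findings

def mail_affecting(findings):
    """Only SMTP-listener or STARTTLS failures can bounce inbound mail; 443 (HTTPS) failures cannot."""
    return [f for f in findings if f['starttls'] or f['port'] in SMTP_PORTS]
# Constructed sample, modelled on the two log excerpts quoted in the thread.
SAMPLE_LOG = """\
[22/May/2015 10:28:04][2512] {smtps} Command STARTTLS
[22/May/2015 10:28:04][2512] {conn} SSL error stack: 2512:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:.\\ssl\\s3_srvr.c:1003:
[22/May/2015 10:28:04][2512] {smtps} Failed STARTTLS in SMTP connection with 203.0.113.5
[22/May/2015 10:04:47][28344] {conn} Cannot accept SSL connection from 198.51.100.7:49628 to 192.0.2.10:443: SSL code 1, system error: (0) The operation completed successfully.
[22/May/2015 10:04:47][28344] {conn} SSL error stack: 28344:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:.\\ssl\\s3_srvr.c:967:
[22/May/2015 10:06:48][28344] {conn} Cannot accept SSL connection from 198.51.100.7:49633 to 192.0.2.10:443: SSL code 2, system error: (0) The operation completed successfully.
"""
```

Running `mail_affecting(parse_tls_failures(SAMPLE_LOG.splitlines()))` keeps only the STARTTLS failure from thread 2512; the two port 443 failures (one version mismatch, one timeout) are reported by `parse_tls_failures` but filtered out as irrelevant to delivery.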