Kerio User Forums » Kerio Connect » [German] Mail delivery error: Deferred: 403 4.7.0 TLS handshake failed.
work242

Messages: 15
Karma: -5
Hello everyone,
I have a small mail problem here that I can't explain. We have a Kerio mail server here running the current version, 8.5.

When I try to send a mail to one particular customer, I always get the following error message:

The original message was received at Mon, 11 May 2015 17:54:37 +0200
from mail.windrich-soergel.de [192.168.1.240]

----- Transcript of session follows -----
<xxx.xxx<_at_>xxx.com>... Deferred: 403 4.7.0 TLS handshake failed.
Warning: message still undelivered after 2 hours
Will keep trying until message is 1 day old
Reporting-MTA: dns; post.windrich-soergel.de
Arrival-Date: Mon, 11 May 2015 17:54:37 +0200

Final-Recipient: RFC822; xxx.xxx<_at_>xxx.com
Action: delayed
Status: 4.7.0
Diagnostic-Code: SMTP; 403 4.7.0 TLS handshake failed.
Last-Attempt-Date: Mon, 11 May 2015 20:16:22 +0200
Will-Retry-Until: Tue, 12 May 2015 17:54:37 +0200

Can someone briefly help me figure out where I'm doing something wrong here?

Thanks and regards,
Christian.
Jmast

Messages: 10
Karma: 1
After upgrading to 8.5 we also disabled TLS (1.0). However, after we disabled TLS 1.0, we also started getting reports from some outside contacts. They told us that they were no longer able to send us emails. They were getting the same bounce-back messages (403 4.7.0 TLS handshake failed).

When we checked the SMTP debug log we were able to see that STARTTLS is failing. After re-enabling TLS 1.0 we are able to receive the missing emails again.

[28/May/2015 15:45:45][49780] {smtps} Task 50533 handler BEGIN
[28/May/2015 15:45:45][49780] {smtps} Task 50533 handler starting
[28/May/2015 15:45:45][49780] {smtps} SMTP server session begin; client connected from smtp473.redcondor.net:42300
[28/May/2015 15:45:45][49780] {smtps} Looking up address 208.80.204.73 in DNS blacklist SpamCop...
[28/May/2015 15:45:46][49780] {smtps} Address 73.204.80.208.bl.spamcop.net not found in DNS blacklist SpamCop
[28/May/2015 15:45:46][49780] {smtps} Looking up address 208.80.204.73 in DNS blacklist SpamHaus SBL-XBL...
[28/May/2015 15:45:46][49780] {smtps} Address 73.204.80.208.zen.spamhaus.org not found in DNS blacklist SpamHaus SBL-XBL
[28/May/2015 15:45:46][49780] {smtps} Looking up address 208.80.204.73 in DNS blacklist SORBS DNSBL...
[28/May/2015 15:45:46][49780] {smtps} Address 73.204.80.208.dnsbl.sorbs.net not found in DNS blacklist SORBS DNSBL
[28/May/2015 15:45:46][49780] {smtps} Delaying SMTP greeting to smtp473.redcondor.net:42300 for 9 seconds
[28/May/2015 15:45:55][49780] {smtps} Sent SMTP greeting to smtp473.redcondor.net:42300
[28/May/2015 15:45:56][49780] {smtps} Command EHLO smtp473.redcondor.net
[28/May/2015 15:45:56][49780] {smtps} Sent reply to EHLO: 250 mail.!!!.com ...
[28/May/2015 15:45:56][49780] {smtps} Command STARTTLS
[28/May/2015 15:45:56][49780] {smtps} Failed STARTTLS in SMTP connection with smtp473.redcondor.net
[28/May/2015 15:45:56][49780] {smtps} SMTP server session end
[28/May/2015 15:45:56][49780] {smtps} Task 50533 handler END

Is there any workaround other than re-enabling TLS (1.0)? Is there a way to disable STARTTLS? You would think that STARTTLS should be able to fall back to plain text if it can't negotiate a secure protocol.
Lukas Petrlik (Kerio)

Messages: 109
Karma: 7
Jmast wrote on Mon, 01 June 2015 15:14
Is there any work around other then re-enabling TLS (1.0)? Is there a way to disable STARTTLS? You would think that STARTTLS should be able to fallback to plain text if can't negotiate a secure protocol.
Unfortunately, you cannot disable TLSv1 and still be compatible with common clients and servers. I would rather recommend sticking to the default settings unless you are solving a particular problem: the default settings are the best compromise between security and compatibility with supported clients and other servers at the time of the release.

Regarding STARTTLS on server, it cannot be disabled. The sending server may perform fallback to plaintext if it fails to initiate a secure connection, but the receiving server cannot.
Jmast

Messages: 10
Karma: 1
What about all the companies that need to disable TLS v1.0 because of PCI regulations? Is this going to be a choice between compliance and compatibility?

Based on the SMTP logs, it looks like the Kerio server is initiating STARTTLS, and is also the one failing the secure connection. In this case we know it is because TLS v1.0 is disabled. If we disable TLS v1.0 on the Kerio server, doesn't the server also know not to use TLS v1.0 when trying to negotiate the STARTTLS connection?

This was happening with quite a few different outside servers that were trying to send us email. I really can't believe that these outside senders were not capable of negotiating a secure connection using TLS v1.1 or v1.2. Some of the emails not being delivered were from Chase Paymentech, Amazon, eBay and Trustwave.


[28/May/2015 15:32:02][57100] {smtps} Sent SMTP greeting to sf1.jpmchase.com:24872
[28/May/2015 15:32:02][57100] {smtps} Command EHLO sf1.jpmchase.com
[28/May/2015 15:32:02][57100] {smtps} Sent reply to EHLO: 250 mail.!!!.com ...
[28/May/2015 15:32:02][57100] {smtps} Command STARTTLS
[28/May/2015 15:32:02][57100] {smtps} Failed STARTTLS in SMTP connection with sf1.jpmchase.com
[28/May/2015 15:32:02][57100] {smtps} SMTP server session end
Lukas Petrlik (Kerio)

Messages: 109
Karma: 7
Jmast wrote on Tue, 02 June 2015 14:17
What about all the companies that need to disable TLS v1.0 because of PCI regulations? Is this going to be a choice between compliance and also compatibility?
According to the most recent PCI DSS standard you may still use TLSv1 and be compliant with PCI DSS (until 30th June, 2016). We can only hope that at that time most SMTP servers will understand higher TLS protocol versions.

Quote:
Based off of the SMTP logs, it looks like the Kerio server is initiating STARTTLS, and is also the one failing the secure connection. In this case we know it is because TLS v1.0 is disabled. If we disable TLS v1.0 on the Kerio server, doesn't the server also know not to use TLS v1.0 when trying to negotiate STARTTLS connection?
The STARTTLS command is initiated by the client (i.e. the sending SMTP server) and is interpreted by the receiving SMTP server. The command either succeeds at establishing a secure connection or it fails, for example if there is no protocol version that is understood by both the client and the server (e.g. if the sending server speaks only TLSv1, and the receiving Connect server speaks only TLSv1.1 and TLSv1.2 because you disabled TLSv1, there is no common protocol understood by both sides and a secure connection cannot be established).
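The SMTP debug log excerpts quoted earlier in this thread and the version-negotiation explanation in this reply can both be checked with a small script. The following is an added example, not code from the thread or from Kerio: it parses log lines in the format quoted above, counts the sessions in which STARTTLS failed per sending host (so an administrator can see who is affected before deciding whether to re-enable TLS 1.0), and models the protocol-version intersection described in this reply. The sample log is constructed: the host mail.example.com and the third, successful session from mx.example.org are invented for contrast, and because the thread does not show Kerio's wording after a successful STARTTLS, the script keys only on the presence or absence of a "Failed STARTTLS" line between session begin and end.

```python
import re
from collections import Counter

# Constructed sample in the format of the Kerio Connect SMTP debug log quoted
# in this thread: "[timestamp][thread id] {smtps} message".  The host
# mail.example.com and the third (successful) session from mx.example.org are
# invented for contrast; Kerio's exact wording after a successful STARTTLS is
# not shown in the thread, so this script keys only on the presence or
# absence of a "Failed STARTTLS" line between session begin and end.
SAMPLE_LOG = """\
[28/May/2015 15:32:02][57100] {smtps} SMTP server session begin; client connected from sf1.jpmchase.com:24872
[28/May/2015 15:32:02][57100] {smtps} Sent SMTP greeting to sf1.jpmchase.com:24872
[28/May/2015 15:32:02][57100] {smtps} Command EHLO sf1.jpmchase.com
[28/May/2015 15:32:02][57100] {smtps} Sent reply to EHLO: 250 mail.example.com ...
[28/May/2015 15:32:02][57100] {smtps} Command STARTTLS
[28/May/2015 15:32:02][57100] {smtps} Failed STARTTLS in SMTP connection with sf1.jpmchase.com
[28/May/2015 15:32:02][57100] {smtps} SMTP server session end
[28/May/2015 15:45:45][49780] {smtps} Task 50533 handler BEGIN
[28/May/2015 15:45:45][49780] {smtps} SMTP server session begin; client connected from smtp473.redcondor.net:42300
[28/May/2015 15:45:46][49780] {smtps} Looking up address 208.80.204.73 in DNS blacklist SpamCop...
[28/May/2015 15:45:55][49780] {smtps} Sent SMTP greeting to smtp473.redcondor.net:42300
[28/May/2015 15:45:56][49780] {smtps} Command EHLO smtp473.redcondor.net
[28/May/2015 15:45:56][49780] {smtps} Command STARTTLS
[28/May/2015 15:45:56][49780] {smtps} Failed STARTTLS in SMTP connection with smtp473.redcondor.net
[28/May/2015 15:45:56][49780] {smtps} SMTP server session end
[28/May/2015 15:45:56][49780] {smtps} Task 50533 handler END
[28/May/2015 15:50:10][61234] {smtps} SMTP server session begin; client connected from mx.example.org:51000
[28/May/2015 15:50:10][61234] {smtps} Command EHLO mx.example.org
[28/May/2015 15:50:10][61234] {smtps} Command STARTTLS
[28/May/2015 15:50:12][61234] {smtps} SMTP server session end
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<tid>\d+)\] \{smtps\} (?P<msg>.*)$")
BEGIN_RE = re.compile(
    r"^SMTP server session begin; client connected from (?P<peer>\S+):(?P<port>\d+)$"
)


def parse_sessions(log_text):
    """Split the log into inbound SMTP sessions, tracked per thread id.

    Each returned dict records the connecting peer, its EHLO name, whether it
    issued STARTTLS, and whether Kerio logged that STARTTLS as failed.
    """
    open_sessions = {}
    finished = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an {smtps} line in the expected format
        tid, msg = m.group("tid"), m.group("msg")
        begin = BEGIN_RE.match(msg)
        if begin:
            open_sessions[tid] = {
                "peer": begin.group("peer"), "started": m.group("ts"),
                "ehlo": None, "starttls": False, "starttls_failed": False,
            }
            continue
        session = open_sessions.get(tid)
        if session is None:
            continue  # task bookkeeping outside any session
        if msg.startswith("Command EHLO "):
            session["ehlo"] = msg[len("Command EHLO "):]
        elif msg == "Command STARTTLS":
            session["starttls"] = True
        elif msg.startswith("Failed STARTTLS"):
            session["starttls_failed"] = True
        elif msg == "SMTP server session end":
            session["ended"] = m.group("ts")
            finished.append(open_sessions.pop(tid))
    return finished


def starttls_failures_by_peer(sessions):
    """Count sessions that attempted STARTTLS and failed, per sending host."""
    return Counter(
        s["peer"] for s in sessions if s["starttls"] and s["starttls_failed"]
    )


# Protocol versions in the order a TLS handshake prefers them.
TLS_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2")


def negotiated_tls_version(server_enabled, client_offered):
    """Highest version enabled on both sides, or None when the handshake must fail."""
    common = set(server_enabled) & set(client_offered)
    for version in reversed(TLS_VERSIONS):
        if version in common:
            return version
    return None


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    for peer, count in starttls_failures_by_peer(sessions).most_common():
        print(f"{count} failed STARTTLS session(s) from {peer}")
    # A sender that only speaks TLSv1 against a Connect server with TLSv1 disabled:
    print(negotiated_tls_version({"TLSv1.1", "TLSv1.2"}, {"TLSv1"}))
```

Run against a real Kerio debug log, the per-peer counts show whether the failures are a handful of legacy senders or, as reported above, major providers; the negotiation helper makes the point that disabling TLSv1 on the receiving side does nothing for a sender whose only offered version is TLSv1, so the empty intersection is exactly the "Failed STARTTLS" the log records.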