Secure transmission (how to keep up with the ever increasing security demands on the internet)
Macoperator
A customer requires us to exclusively send mail to his "secure.mailbox.org" mail address. The receiving mail server requires TLS 1.2, otherwise mail gets rejected.
We use Kerio Connect in its current newest version 9.2.7 p2 and connections keep getting rejected. This is what comes back from their server:

Action: failed
Status: 5.1.8
Remote-MTA: mxtls2.mailbox.org
Diagnostic-Code: SMTP; 530 5.7.0 Must issue a STARTTLS command first
X-Kerio-Anti-Spam: Build: [Engines: 2.15.8.1169, Stamp: 3], Multi: [Enabled, t: (0.000004,0.001458)], BW: [Enabled, t: (0.000012)], RTDA: [Enabled, t: (0.261272), Hit: No, Details: v2.7.13; Id: 15.1i6ap7n.1ckq1mmsd.5ubro], total: 0(700)
X-Spam-Status: No, hits=0.0 required=5.4
tests=KERIO_ANTI_SPAM: -0.000, BAYES_00: -1.665, TOTAL_SCORE: -1.665,autolearn=ham
X-Spam-Level:
X-Footer: ZGV1dHNjaGUtZmVybnNjaHVsZS5kZQ==
Received: from [192.168.x.xx] ([192.168.x.xx])
(authenticated user x<_at_>y.de)
by mail.y (Kerio Connect 9.2.7 patch 2) with ESMTPSA
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256 bits))
for foo<_at_>secure.mailbox.org

Now I am out of ideas. I might try to go all the way to implement DANE, but I guess this is currently not possible with Kerio, is it? Is there anything I can do to make our server talk to theirs?
Macoperator
In order to further investigate the issue, I found this Kerio support article (https://manuals.gfi.com/en/kerio/connect/content/server-configuration/services/services-in-kerio-connect-1153.html), which states about SMTP:

"The traffic on port 25 starts as unencrypted. If both sides support TLS, TLS is started via STARTTLS." Might this be the problem, why connections are blocked?
freakinvibe
Kerio can use TLS for sending mails (STARTTLS is supported).

But you have to switch it on: Go to

Configuration > SMTP Server > SMTP Delivery > Use SSL/TLS if supported by remote SMTP server

Dexion AG - The Blackberry Specialists in Switzerland
https://dexionag.ch
Macoperator
That checkbox is checked, of course.
freakinvibe
So this should definitely work. The only thing I can think of is that you have a firewall in between your KC server and the Internet and that somehow interferes with TLS.

Please also look at this forum entry:

http://forums.kerio.com/?t=msg&goto=128444&

Also check this:

https://serverfault.com/questions/641056/starttls-fails-after-ip-address-change

It could be that your firewall is messing with the STARTTLS command.

Macoperator
Thanks for your links, one of which I had already read before. There is no firewall involved except the macOS firewall on the Kerio server itself. I have no idea what other setting I can change.

As a workaround I set our secondary mail server (running on macOS Server/Postfix) as a mail forwarder for outgoing mail, and this does work! But my solution can only be a workaround. Can anyone test whether their Kerio can send mail to a secure.mailbox.org account? What else can I do?
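The bounce in the first post ("530 5.7.0 Must issue a STARTTLS command first") means the sending server issued MAIL FROM or RCPT TO over the cleartext channel instead of upgrading with STARTTLS after EHLO, and the question above asks how to test delivery to such a TLS-requiring MX. The script below is an added example, not code from Kerio Connect or from any poster in this thread. It models the client side of the STARTTLS decision (parse the EHLO reply, decide whether to issue STARTTLS or refuse cleartext delivery, classify the remote's reply) against constructed sample data, and includes a live probe that performs EHLO/STARTTLS/EHLO against an arbitrary MX with TLS 1.2 as the minimum version, so an operator can see whether the peer offers STARTTLS and what gets negotiated. The EHLO replies are constructed for illustration and are not captures from mxtls2.mailbox.org; the HELO name `probe.example.invalid` is a placeholder; only the 530 reply is taken from the page.

```python
"""Diagnose an opportunistic-STARTTLS delivery failure (added example, not Kerio code)."""
import re
import smtplib
import ssl

# Constructed EHLO replies for offline illustration (not real captures).
SAMPLE_EHLO_WITH_STARTTLS = (
    "250-mxtls2.example.org\r\n"
    "250-PIPELINING\r\n"
    "250-SIZE 104857600\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 8BITMIME\r\n"
)
SAMPLE_EHLO_PLAIN_ONLY = "250-mx.example.org\r\n250-PIPELINING\r\n250 8BITMIME\r\n"

# The reply quoted in the bounce from the thread.
BOUNCE_REPLY = "530 5.7.0 Must issue a STARTTLS command first"


def parse_ehlo(reply: str) -> set:
    """Return the EHLO keywords (upper-cased, parameters dropped) from a 250 multi-line reply."""
    exts = set()
    for i, line in enumerate(reply.strip().splitlines()):
        m = re.match(r"^250([ -])(.*)$", line)
        if not m:
            raise ValueError("unexpected EHLO line: %r" % line)
        if i == 0:
            continue  # first line carries the server's hostname, not an extension
        exts.add(m.group(2).split()[0].upper())
    return exts


def classify_reply(reply: str) -> str:
    """Map an SMTP reply to what it says about the peer's TLS requirements."""
    m = re.match(r"^(\d{3})(?:\s+(\d\.\d+\.\d+))?\s*(.*)$", reply)
    if not m:
        return "unparseable"
    code, _enhanced, text = m.groups()
    if code == "530" and "STARTTLS" in text.upper():
        # An envelope command reached the peer in cleartext; TLS was never started.
        return "remote-requires-starttls"
    if code.startswith("2"):
        return "ok"
    if code.startswith("4"):
        return "temporary-failure"
    return "permanent-failure"


def plan_next_command(ehlo_reply: str, tls_started: bool) -> str:
    """Decide the client's next command after EHLO.

    STARTTLS must precede MAIL FROM; if the peer does not advertise STARTTLS, a sender
    that must deliver encrypted has to give up rather than fall back to cleartext.
    """
    if tls_started:
        return "MAIL FROM"
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        return "STARTTLS"
    return "QUIT (no STARTTLS offered; refuse cleartext delivery)"


def make_client_tls_context() -> ssl.SSLContext:
    """Default-verifying context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_starttls(mx_host: str, helo_name: str = "probe.example.invalid",
                   timeout: float = 15.0) -> dict:
    """Live check: EHLO, STARTTLS, EHLO again (RFC 3207) and report what was negotiated.

    Network-dependent; not exercised by the offline checks. Hostnames are placeholders.
    """
    result = {"host": mx_host}
    with smtplib.SMTP(mx_host, 25, local_hostname=helo_name, timeout=timeout) as smtp:
        smtp.ehlo()
        result["starttls_offered"] = smtp.has_extn("starttls")
        if not result["starttls_offered"]:
            return result
        smtp.starttls(context=make_client_tls_context())
        result["tls_version"] = smtp.sock.version()
        result["cipher"] = smtp.sock.cipher()[0]
        smtp.ehlo()  # extensions may differ once the channel is encrypted
        result["ehlo_extensions_tls"] = sorted(k.upper() for k in smtp.esmtp_features)
    return result


if __name__ == "__main__":
    print(plan_next_command(SAMPLE_EHLO_WITH_STARTTLS, tls_started=False))
    print(classify_reply(BOUNCE_REPLY))
```

Run `probe_starttls("<mx hostname>")` from the host that is failing: if `starttls_offered` is true and the TLS 1.2 handshake completes, the MX is not the problem and the sending MTA's own TLS negotiation (or something rewriting the EHLO reply on the path) is where to look next.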
freakinvibe
If you can give me a real email address on secure.mailbox.org I can send a mail to it and provide the debug log for it.

My KC server is on Windows, but it should not make a difference.

If you don't want to provide a real email address in a public forum, you can also PM me.