SSL Error when sending to some domains

When I send to some domains, I’ve noticed that I get an SSL error and it just won’t send to the recipient. I don’t know if it’s the recipient since I can send to most other domains, but wanted to see if anyone else had this issue or could help out. Below is the SMTP Send log for the specific message I can’t send:

2020-11-05 17:04:00 -0700 08 Server SMTP-OUT:00000003: Use 66.96.140.74 to relay mail 34B617 for domain recipient.domain
2020-11-05 17:04:00 -0700 08 Server SMTP-OUT:00000004: Relay mail 34B617: connecting to 66.96.140.74:25
2020-11-05 17:04:00 -0700 08 Server SMTP-OUT:00000004: Relay mail 34B617: connected to 66.96.140.74:25
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << 220 bosimpinc14 bizsmtp ESMTP server ready
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: >> EHLO Server
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << 250-bosimpinc14 hello [my IP address], pleased to meet you
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << 250-HELP
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << 250-SIZE 30000000
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << 250-8BITMIME
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << 250-STARTTLS
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << 250 OK
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: >> STARTTLS
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << 220 Ready to start TLS
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: >> SSL: client hello, remote 66.96.140.74:25, version TLS 1.3 (0304)
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: >> SSL: client hello, remote 66.96.140.74:25, session id d3eb46be07987b7bd692bf59850d4018bbd2c85fea0d60205f14578ab272f588
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: >> SSL: client hello, remote 66.96.140.74:25, 31 cipher suites: 130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << SSL: server hello, remote 66.96.140.74:25, version TLS 1.3 (0304)
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << SSL: server hello, remote 66.96.140.74:25, cipher suite 0039
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << SSL: server hello, remote 66.96.140.74:25, version TLS 1.3 (0304)
2020-11-05 17:04:01 -0700 02 Server SMTP-OUT:00000004: SSL alert remote 66.96.140.74:25, undefined:fatal:protocol version
2020-11-05 17:04:01 -0700 02 Server SMTP-OUT:00000004: SSL error remote 66.96.140.74:25, SSL_connect:failed in error
2020-11-05 17:04:01 -0700 02 Server SMTP-OUT:00000004: Unable to perform STARTTLS
2020-11-05 17:04:01 -0700 08 Server SMTP-OUT:00000004: Disconnected from 66.96.140.74
2020-11-05 17:04:01 -0700 08 Server SMTP-OUT:00000004: Relay mail 34B617: no more relays for recipient.domain
2020-11-05 17:04:01 -0700 04 Server SMTP-OUT:00000004: Delivery attempt completed for mail 34B617; 1 recipients remaining; reschedule for delivery
2020-11-05 17:04:01 -0700 08 Server SMTP-OUT:00000004: Set mail state to SEND FAILURE

Hello Trekkie,

As mentioned in the log you have shared, the main problem is:

This means that Axigen, as an SMTP client, has noticed that the remote side advertises the StartTLS capability, but when it tries to use it, the SSL negotiation fails. Because that domain has no other MX server to be tried, the message delivery fails and the message remains in the queue.

This could be an indication that the remote side's SSL configuration is not compatible with the one configured in the Axigen SMTP-OUT service (usually this happens when the remote side is using old SSL/TLS versions and insecure ciphers that are not listed in the SMTP-OUT configuration).

This is why, in my opinion, the relevant KB you may consult is this one: How to configure the TLS settings for SMTP … where you should check Configure the outgoing TLS settings for compatibility section.

Note: on the other hand, the best option would be to contact the other side's postmaster and ask them to upgrade their SSL configuration.

You may also check from your side using openssl and look at the SSL negotiation results:

$ echo 'quit' | openssl s_client -connect 66.96.140.74:25 -starttls smtp -crlf 2>/dev/null | grep 'Protocol\|Cipher'
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA

Checking the current supported SSL versions and ciphers of the reported remote server we see the following list:

ssl3:   DHE-RSA-AES256-SHA | AES256-SHA | DHE-RSA-AES128-SHA | AES128-SHA | RC4-SHA | RC4-MD5
tls1:   DHE-RSA-AES256-SHA | AES256-SHA | DHE-RSA-AES128-SHA | AES128-SHA | RC4-SHA | RC4-MD5

so you have more details if you would like to adapt your Axigen SMTP-OUT service configuration.

HTH,
Ioan

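The openssl one-liner above answers the question for whichever version the client picks by default. When the suspicion is a version mismatch, it helps to ask the remote server about each TLS version separately. The script below is an added example (not Axigen's code and not from the reply above); it uses Python's ssl and smtplib instead of openssl s_client, pins one protocol version per attempt, and reports which versions the server will actually negotiate after STARTTLS. The host and port are taken from the command line; nothing else is assumed about the remote server.

```python
"""Probe which TLS versions a remote SMTP server will negotiate via STARTTLS.

Added example for the thread above; requires network access to the target.
"""
import smtplib
import ssl
import sys

# Protocol versions to try, each pinned exactly (min == max) so that one
# attempt answers one question: "does the server speak this version at all?"
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def context_for(version):
    """Build a client context that accepts exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # we are probing versions, not the certificate
    ctx.verify_mode = ssl.CERT_NONE  # (opportunistic SMTP TLS does not verify either)
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 refuses TLS 1.0/1.1 at the default security level;
        # lower it only inside this throw-away probe context.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe(host, port=25, timeout=10):
    """Return {version name: 'ok: <cipher> (<proto>)' | 'failed: <reason>'}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                if not smtp.has_extn("starttls"):
                    results[name] = "failed: STARTTLS not advertised"
                    continue
                smtp.starttls(context=context_for(version))
                # after starttls() smtp.sock is an SSLSocket
                cipher, proto, _bits = smtp.sock.cipher()
                results[name] = f"ok: {cipher} ({proto})"
        except ssl.SSLError as exc:
            # e.g. the 'protocol version' alert seen in the Axigen log
            results[name] = f"failed: {exc.reason or exc}"
        except (OSError, smtplib.SMTPException) as exc:
            results[name] = f"failed: {exc}"
    return results


def negotiable(results):
    """Names of the versions the server accepted, in VERSIONS order."""
    return [name for name in VERSIONS if results.get(name, "").startswith("ok:")]


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} <mx-host-or-ip> [port]")
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    outcome = probe(sys.argv[1], target_port)
    for version_name, result in outcome.items():
        print(f"{version_name:8} {result}")
    print("negotiable:", ", ".join(negotiable(outcome)) or "none")
```

The same per-version check can be done with the command from the reply by adding `-tls1`, `-tls1_1` or `-tls1_2` to `openssl s_client`; a server that only answers on TLS 1.0 is the situation in which the outgoing TLS version list, not the cipher list, decides whether delivery works.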

Thank you! I can see what you’re seeing and did reference that article, so I did add TLS 1.0 to my list of SSL versions, but still have the same problem.

When I look at the cipher suite, I currently have:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

If I understand it correctly, I am missing the last 3 from the list:
AES128-SHA
RC4-SHA
RC4-MD5

And looking at the very end of the cipher suite, I see !RC4 and !MD5, so I’m thinking that might be it, especially since the article shows a cipher suite of “ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH”
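The SMTP-OUT log in the first post already contains the answer to the cipher question: the client hello lists 31 suite codes and the server hello selects 0039, which is DHE-RSA-AES256-SHA, the same cipher openssl reported. The script below is an added example (not Axigen's code and not from either poster); it decodes those two log lines with a constructed table of the 31 suite codes, extracts the fatal alert, and applies a deliberately simplified reading of the OpenSSL cipher string quoted above (explicit names and `!` exclusions only, aliases such as kEDH+AESGCM ignored) to show the overlap with the remote server's list. The log format is assumed to be the one shown in the thread.

```python
"""Triage a failed STARTTLS handshake from an Axigen SMTP-OUT log excerpt and
check the cipher overlap with the remote server's advertised list."""
import re

# IANA cipher-suite codes -> OpenSSL names for the 31 suites in the client hello
# quoted in the thread (table constructed for this example; extend as needed).
_SUITE_TABLE = """
1302 TLS_AES_256_GCM_SHA384        1303 TLS_CHACHA20_POLY1305_SHA256  1301 TLS_AES_128_GCM_SHA256
c02c ECDHE-ECDSA-AES256-GCM-SHA384 c030 ECDHE-RSA-AES256-GCM-SHA384   009f DHE-RSA-AES256-GCM-SHA384
cca9 ECDHE-ECDSA-CHACHA20-POLY1305 cca8 ECDHE-RSA-CHACHA20-POLY1305   ccaa DHE-RSA-CHACHA20-POLY1305
c02b ECDHE-ECDSA-AES128-GCM-SHA256 c02f ECDHE-RSA-AES128-GCM-SHA256   009e DHE-RSA-AES128-GCM-SHA256
c024 ECDHE-ECDSA-AES256-SHA384     c028 ECDHE-RSA-AES256-SHA384       006b DHE-RSA-AES256-SHA256
c023 ECDHE-ECDSA-AES128-SHA256     c027 ECDHE-RSA-AES128-SHA256       0067 DHE-RSA-AES128-SHA256
c00a ECDHE-ECDSA-AES256-SHA        c014 ECDHE-RSA-AES256-SHA          0039 DHE-RSA-AES256-SHA
c009 ECDHE-ECDSA-AES128-SHA        c013 ECDHE-RSA-AES128-SHA          0033 DHE-RSA-AES128-SHA
009d AES256-GCM-SHA384             009c AES128-GCM-SHA256             003d AES256-SHA256
003c AES128-SHA256                 0035 AES256-SHA                    002f AES128-SHA
00ff TLS_EMPTY_RENEGOTIATION_INFO_SCSV
"""
_tokens = _SUITE_TABLE.split()
SUITES = dict(zip(_tokens[0::2], _tokens[1::2]))

CLIENT_HELLO = re.compile(r">> SSL: client hello.*?(\d+) cipher suites: ([0-9a-f]+)")
SERVER_HELLO = re.compile(r"<< SSL: server hello.*?cipher suite ([0-9a-f]{4})")
ALERT = re.compile(r"SSL alert remote \S+ \S+:(fatal|warning):(.+)$")


def triage(log_text):
    """Return offered suites, the suite the remote chose, alerts and a verdict."""
    offered, chosen, alerts = [], None, []
    for line in log_text.splitlines():
        if m := CLIENT_HELLO.search(line):
            hexlist = m.group(2)
            codes = [hexlist[i:i + 4] for i in range(0, len(hexlist), 4)]
            if len(codes) != int(m.group(1)):
                raise ValueError("cipher list length does not match declared count")
            offered = [SUITES.get(c, "unknown-" + c) for c in codes]
        elif m := SERVER_HELLO.search(line):
            chosen = SUITES.get(m.group(1), "unknown-" + m.group(1))
        elif m := ALERT.search(line):
            alerts.append((m.group(1), m.group(2).strip()))
    fatal = [desc for level, desc in alerts if level == "fatal"]
    if chosen and "protocol version" in fatal:
        verdict = (f"remote picked {chosen} from our offer, then sent a fatal "
                   "'protocol version' alert: the cipher lists overlap, so look at "
                   "the TLS versions allowed for outgoing connections")
    elif fatal:
        verdict = "handshake aborted: " + "; ".join(fatal)
    elif chosen:
        verdict = f"handshake reached server hello with {chosen}"
    else:
        verdict = "no server hello seen"
    return {"offered": offered, "chosen": chosen, "alerts": alerts, "verdict": verdict}


def usable_ciphers(local_cipher_string, remote_names):
    """Rough overlap check: honours explicit names and '!' exclusions in an OpenSSL
    cipher string and ignores aliases (kEDH+AESGCM, HIGH, RC4 ...). This is not
    OpenSSL's resolver; use `openssl ciphers -v '<string>'` for the exact expansion."""
    explicit, excluded = set(), set()
    for token in local_cipher_string.split(":"):
        if token.startswith("!"):
            excluded.add(token[1:])
        elif "-" in token and "+" not in token:  # looks like a concrete suite name
            explicit.add(token)

    def banned(name):
        return any(part in excluded for part in name.split("-"))

    return [n for n in remote_names if n in explicit and not banned(n)]


# Log lines copied from the first post (only the handshake-relevant ones).
SAMPLE_LOG = """\
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: >> SSL: client hello, remote 66.96.140.74:25, version TLS 1.3 (0304)
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: >> SSL: client hello, remote 66.96.140.74:25, 31 cipher suites: 130213031301c02cc030009fcca9cca8ccaac02bc02f009ec024c028006bc023c0270067c00ac0140039c009c0130033009d009c003d003c0035002f00ff
2020-11-05 17:04:01 -0700 16 Server SMTP-OUT:00000004: << SSL: server hello, remote 66.96.140.74:25, cipher suite 0039
2020-11-05 17:04:01 -0700 02 Server SMTP-OUT:00000004: SSL alert remote 66.96.140.74:25, undefined:fatal:protocol version
2020-11-05 17:04:01 -0700 02 Server SMTP-OUT:00000004: Unable to perform STARTTLS
"""
# Cipher string from the post above and the remote list from Ioan's reply.
AXIGEN_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)
REMOTE_CIPHERS = ["DHE-RSA-AES256-SHA", "AES256-SHA", "DHE-RSA-AES128-SHA",
                  "AES128-SHA", "RC4-SHA", "RC4-MD5"]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("remote chose:", result["chosen"])
    print("alerts:", result["alerts"])
    print("verdict:", result["verdict"])
    print("usable with remote:", usable_ciphers(AXIGEN_CIPHERS, REMOTE_CIPHERS))
```

Run on the thread's own data, the overlap comes out as DHE-RSA-AES256-SHA and DHE-RSA-AES128-SHA, so the cipher lists were never empty on either side; the server picked a suite and then rejected the handshake with a protocol-version alert, which points at the allowed TLS versions on the outgoing side rather than at RC4 or MD5.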

Hello,

OK, so you have enabled TLS 1.0, so now you should have a non-empty intersection between the ciphers supported by the Axigen SMTP-OUT service and the remote mail server.

Because you still have problems, I could bet the issue is that the DH parameter file is not set up, so some ciphers configured on the Axigen side that depend on DH could not be used.

Could you please check if you have the axigen_dh.pem file in the Axigen working dir (default location on Linux is /var/opt/axigen) so you can reference it in WebAdmin > Security & Filtering > Acceptance & Routing > Routing basic settings > Outgoing delivery settings > DH parameter file: axigen_dh.pem + Save configuration.

If there are still problems, please share a fresh set of SMTP-OUT logs for sending to that remote server so we can see what is now happening.

HTH,
Ioan


Thank you for that!!! While I enabled TLS 1.0 on my SMTP Receiving, I didn’t check it on my Connection Settings in the Basic Routing Settings. It shows as unchecked in the document, so I didn’t think about trying it. Once I understood that that’s what they’re looking for on the connection, I checked the box and was able to send them e-mail. I didn’t have to put in a DH parameter file.