TLS problem after migration to new server

Udo Baldewig - 04:44am, Aug 23 2021

Hello,
Since our MDaemon 21.0.2 was moved to a new server (WinSvr 2019), we have a problem with sending mails to some other servers (the connection is closed).
We use a Let's Encrypt cert and I created a new cert after starting MDaemon on the new server.
The option "SMTP server sends mail using STARTTLS when possible" is active.
When this option is disabled, all mails are sent without problem.

Any known problem about this? I never saw this on our old server.

Best Regards,
Udo Baldewig

Log:
[09514236] <-- 250-VI1EUR05FT044.mail.protection.outlook.com
[09514236] <-- 250-SIZE 49283072
[09514236] <-- 250-PIPELINING
[09514236] <-- 250-DSN
[09514236] <-- 250-ENHANCEDSTATUSCODES
[09514236] <-- 250-STARTTLS
[09514236] <-- 250-8BITMIME
[09514236] <-- 250-BINARYMIME
[09514236] <-- 250-CHUNKING
[09514236] <-- 250 SMTPUTF8
[09514236] --> STARTTLS
[09514236] <-- 220 2.0.0 SMTP server ready
[09514236] Socket connection closed by the other side (how rude!)
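
Added example (not part of the original post and not MDaemon code): a small triage script for session logs in the format shown above, separating sessions where the peer closed the socket after accepting STARTTLS from sessions where the SMTP dialogue resumed. The second session, the state names and the function names are constructed for illustration.

```python
import re

# Session 09514236 is taken from the log in the post; session 09514237 is
# constructed to show what a handshake that completes looks like.
SAMPLE_LOG = """\
[09514236] <-- 250-STARTTLS
[09514236] <-- 250 SMTPUTF8
[09514236] --> STARTTLS
[09514236] <-- 220 2.0.0 SMTP server ready
[09514236] Socket connection closed by the other side (how rude!)
[09514237] <-- 250-STARTTLS
[09514237] <-- 250 SMTPUTF8
[09514237] --> STARTTLS
[09514237] <-- 220 2.0.0 SMTP server ready
[09514237] --> EHLO mail.example.test
[09514237] <-- 250 SMTPUTF8
"""

# "[session] <-- text", "[session] --> text", or "[session] text" (local event)
LINE_RE = re.compile(r"^\[(?P<sid>\d+)\]\s+(?:(?P<dir><--|-->)\s+)?(?P<text>.*)$")

def classify_sessions(log_text):
    """Map each session id to how far its STARTTLS upgrade got."""
    states = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sid, direction, text = m.group("sid", "dir", "text")
        cur = states.setdefault(sid, "no-starttls")
        if direction == "-->" and text.strip().upper() == "STARTTLS":
            states[sid] = "starttls-sent"
        elif cur == "starttls-sent" and direction == "<--":
            # 220 means "go ahead"; any other reply is a refusal in plain SMTP
            states[sid] = "handshake-pending" if text.startswith("220") else "starttls-refused"
        elif cur == "handshake-pending":
            if direction is None and "closed" in text.lower():
                states[sid] = "closed-during-handshake"  # TLS negotiation never finished
            elif direction is not None:
                states[sid] = "tls-established"  # SMTP dialogue resumed inside TLS
    return states

def failed_handshakes(log_text):
    """Session ids where the peer dropped the socket right after '220' to STARTTLS."""
    return [s for s, st in classify_sessions(log_text).items() if st == "closed-during-handshake"]
```

A session in the closed-during-handshake state failed between the 220 reply and the first command inside TLS, which is where protocol version, cipher suite and certificate negotiation happen.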


Arron Caruth - Aug 26, 2021 7:20 am (#5 Total: 6)  

It's difficult to say why Office 365 is disconnecting without more info from their support team.

When trying to send to protection.outlook.com and an error occurs, is an event logged in the Windows Event Viewer for SChannel?  I'm guessing since there is no error logged, there will also not be an error in the event log, but it's worth a shot.

Does your backup MX use the same SSL configurations as the MDaemon server that is having the issues?  If not, I would suggest configuring SSL the same on the primary MDaemon server to see if it makes a difference.

You could try a packet capture of the network traffic, but since there is no error being logged, I'm afraid all it is going to show is Office 365 disconnecting.

--
Arron Caruth
Vice President of Product Development
o: 817-601-3222    e: Arron.Caruth@mdaemon.com

MDaemon Technologies
Simple Secure Email


On Thu, 26 Aug 2021 04:37:33 -0500, "lists-md-support@mdaemon.com (Udo Baldewig)" <lists-md-support@mdaemon.com> wrote:
Microsoft support said there are no problems with our IP numbers

I spent some additional time and found the problems and a solution
TLS and MTA-STS problems

e.g. on mails for hotmail.com I found in the logs:
 MTA-STS policy for hotmail.com found in cache
 * version: STSv1
 * mode: testing
 * mx: *.olc.protection.outlook.com
 * max_age: 604800

Solution
1.)
Problem does not happen on all domains working with protection.outlook.com
MTA-STS should be a problem

2.)
Adding *.protection.outlook.com to "STARTTLS White List" and disabling MTA-STS seems to fix the problem - I see no further disconnects

Now it works.


--MD-SUPPORT--------------------------------------------------------------
This list is for questions and discussion about MDAEMON. To unsubscribe 
from this mailing list send an email to md-support-unsubscribe@mdaemon.com .
--POWERED BY MDAEMON!-----------------------------------------------------

--------------------------------------------------------------------------
These forums are provided by MDaemon Technologies for user-to-user 
support and discussion.  MDaemon staff members may participate in the 
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical 
support please use the form here:
http://www.mdaemon.com/Support/RequestSupport/
--------------------------------------------------------------------------
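
Added example (not part of the thread and not MDaemon code): how a sending server evaluates the hotmail.com policy quoted in the message above according to RFC 8461, covering the single-label `mx` wildcard and the difference between `testing` and `enforce` on a TLS failure. The host `mx1.olc.protection.outlook.com`, the function names and the decision strings are constructed for illustration.

```python
# Policy fields as they appear in the log excerpt quoted above.
LOGGED_POLICY = """\
 * version: STSv1
 * mode: testing
 * mx: *.olc.protection.outlook.com
 * max_age: 604800
"""

def parse_policy(text):
    """Parse 'key: value' lines (optionally prefixed with '* '); 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        line = line.strip().lstrip("*").strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    policy["max_age"] = int(policy.get("max_age", 0))
    return policy

def mx_matches(host, pattern):
    """RFC 8461 matching: '*.' stands for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return host == pattern

def delivery_decision(policy, mx_host, tls_ok):
    """tls_ok: STARTTLS completed with a certificate valid for mx_host."""
    if policy.get("version") != "STSv1" or policy.get("mode") == "none":
        return "deliver"  # no usable policy: plain opportunistic TLS
    if tls_ok and any(mx_matches(mx_host, p) for p in policy["mx"]):
        return "deliver"
    # Validation failed: 'testing' still delivers (and reports via TLSRPT if
    # implemented); only 'enforce' withholds the message from this MX.
    return "deliver-and-report" if policy["mode"] == "testing" else "do-not-deliver"
```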


David Dougherty via md-support - Aug 26, 2021 8:24 am (#6 Total: 6)  


Your error screams Cipher mismatch (no common matches) to me.

 

You can try targeting a recipient’s domain that uses MS hosted email with: https://ssl-tools.net/mailservers  That might provide helpful information regarding which TLS versions – and hopefully which TLS Ciphers – MS is using in their production environment.  But it also might not work, in which case you are going to be doing a lot of trial and error.

 

I would go back in to IIS Crypto and under Schannel – for the Client Protocols only – I would turn TLS 1.0 and 1.1 back on, unless you have a very good reason not to.  Restricting the Client Protocols has in our experience negated too much legitimate traffic.

 

Also check the listings under Cipher Suites.  At a minimum all of the TLS_RSA_WITH_AES_* options should be checked.  And don’t use a custom template for this, as the cipher list has changed significantly between 2012R2 and 2019.

 

Dave

 

From: md-support@mdaemon.com <md-support@mdaemon.com> On Behalf Of Udo Baldewig (lists-md-support@mdaemon.com)
Sent: Thursday, August 26, 2021 1:08 AM
To: md-support@mdaemon.com
Subject: [md-support] TLS problem after migration to new server

 

Hello,

I've done the following steps:

Moved the entire MDaemon folder to the new server (W2008R2 to W2019).
Shut down the old server and set the identical IP on the new server.
Ran the MD21.0.2 installer and installed the service. All settings from the old server are available - looks really good - everyone can work.

Set up Protocols/Cipher Suites with the current version of iiscrypto.exe using "Best practice settings" and allowed only TLS 1.2.

It seems that we only have a problem with disconnected sessions after STARTTLS to ...mail.protection.outlook.com

[09592346] <-- 220 VE1EUR02FT039.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Thu, 26 Aug 2021 05:28:46 +0000
[09592346] --> EHLO csgmail.cad-schroer.de
[09592346] <-- 250-VE1EUR02FT039.mail.protection.outlook.com Hello [80.149.70.117]
[09592346] <-- 250-SIZE 49283072
[09592346] <-- 250-PIPELINING
[09592346] <-- 250-DSN
[09592346] <-- 250-ENHANCEDSTATUSCODES
[09592346] <-- 250-STARTTLS
[09592346] <-- 250-8BITMIME
[09592346] <-- 250-BINARYMIME
[09592346] <-- 250-CHUNKING
[09592346] <-- 250 SMTPUTF8
[09592346] --> STARTTLS
[09592346] <-- 220 2.0.0 SMTP server ready
[09592346] Socket connection closed by the other side (how rude!)

What could be the problem? I don't know.

Sending from our Backup MX (MD21.0.2/W2012R2) is always successful.
As a workaround I use "Send all email directly first, and then to smart hosts if there are problems" and use the Backup MX as smart host.

Thanks in advance
Udo Baldewig

Additionally I'm waiting for answer from the Microsoft support team

