Mailing List CGatePro@mail.stalker.com Message #105851
From: Bill Cole <cgp-2015@billmail.scconsult.com>
Subject: HEADS UP: If you're queueing to Office365 domains (was Re: Error: none of client TLS cipher methods is supported)
Date: Tue, 27 Oct 2015 12:38:46 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: MailMate (1.9.2r5141)

On 17 Sep 2015, at 11:45, Tom Rymes wrote:

> Can anyone indicate to me why one would NOT enable the "CBC Ciphers for Old TLS" setting?

Well, as I discovered yesterday, you might switch that off if you want to mysteriously deliver nothing to domains hosted by Microsoft.

There is definitely a CGP flaw here. Current OpenSSL will negotiate TLS 1.2,ECDHE_AES256_SHA384 with the *.mail.protection.outlook.com machines, but the garbage TLS library CGP is using needs a non-standard config to get TLSv1.0,ECDHE_AES256_SHA and without that setting just gets tossed out during negotiation. As far as I can tell from the 2014-2015 logs of a handful of test and production instances running 6.x versions, CGP never bothers trying to use TLSv1.1 or TLSv1.2 for SMTP client sessions.