Mailing List CGatePro@mail.stalker.com Message #105853
From: Mark J Strawcutter <mjstraw@iup.edu>
Subject: Re: HEADS UP: If you're queueing to Office365 domains (was Re: Error: none of client TLS cipher methods is supported)
Date: Wed, 28 Oct 2015 13:26:16 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
CGP 6.1.4

Oldest accepted = TLSv1.0
CBC Ciphers for old TLS NOT selected
Accept SSLv2 'hello' selected

no delivery problems to domains hosted by Microsoft (that I'm aware of)

Mark

On 10/28/2015 10:20 AM, Tom Rymes wrote:
> On 10/27/2015 12:38 PM, Bill Cole wrote:
>> On 17 Sep 2015, at 11:45, Tom Rymes wrote:
>>
>>> Can anyone indicate to me why one would NOT enable the "CBC Ciphers
>>> for Old TLS" setting?
>>
>> Well, as I discovered yesterday, you might switch that off if you want
>> to mysteriously deliver nothing to domains hosted by Microsoft.
>>
>> There is definitely a CGP flaw here. Current OpenSSL will negotiate
>> TLS 1.2,ECDHE_AES256_SHA384 with the *.mail.protection.outlook.com
>> machines, but the garbage TLS library CGP is using needs a
>> non-standard config to get TLSv1.0,ECDHE_AES256_SHA and without that
>> setting just gets tossed out during negotiation. As far as I can tell
>> from the 2014-2015 logs of a handful of test and production instances
>> running 6.x versions, CGP never bothers trying to use TLSv1.1 or
>> TLSv1.2 for SMTP client sessions.
>
> Bill: Are you saying that you run into problems when you have the option
> enabled, disabled, or no matter what you do?
>
> Tom
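
The negotiation failure described in Bill Cole's quoted message, modelled as an added example (not code from this thread, from CommuniGate Pro or from Microsoft). The suite table, the RC4 entry, the server's suite list and the client that stops at TLSv1.0 are assumptions constructed to match the two negotiated results he reports.

```python
# Added illustration; the suite table and both endpoints are constructed, not captured.
from dataclasses import dataclass

VERSIONS = ["TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest

# suite -> (oldest protocol version that can use it, bulk cipher mode)
SUITES = {
    "ECDHE_AES256_SHA384": ("TLSv1.2", "CBC"),  # SHA-2 MAC suites need TLS 1.2
    "ECDHE_AES256_SHA": ("TLSv1.0", "CBC"),
    "RSA_RC4_128_SHA": ("TLSv1.0", "STREAM"),   # assumed non-CBC fallback
}

@dataclass
class Endpoint:
    min_version: str
    max_version: str
    suites: list  # preference order

def client_offer(max_version, cbc_for_old_tls):
    """Build the client's offer; below TLS 1.2 the toggle decides whether CBC suites are sent."""
    top = VERSIONS.index(max_version)
    old = top < VERSIONS.index("TLSv1.2")
    offered = [name for name, (first, mode) in SUITES.items()
               if VERSIONS.index(first) <= top
               and (mode != "CBC" or not old or cbc_for_old_tls)]
    return Endpoint("TLSv1.0", max_version, offered)

def negotiate(client, server):
    """Return (version, suite), or raise ValueError naming why the handshake fails."""
    idx = VERSIONS.index
    top = min(idx(client.max_version), idx(server.max_version))
    if top < max(idx(client.min_version), idx(server.min_version)):
        raise ValueError("no common protocol version")
    for suite in server.suites:  # server preference wins
        if suite in client.suites and idx(SUITES[suite][0]) <= top:
            return VERSIONS[top], suite
    raise ValueError("no shared cipher at " + VERSIONS[top])

# Constructed server: TLS 1.0 to 1.2, CBC suites only, RC4 refused.
SERVER = Endpoint("TLSv1.0", "TLSv1.2", ["ECDHE_AES256_SHA384", "ECDHE_AES256_SHA"])

def outcome(max_version, cbc_for_old_tls):
    """Negotiated (version, suite) against SERVER, or the failure reason as a string."""
    try:
        return negotiate(client_offer(max_version, cbc_for_old_tls), SERVER)
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    for args in [("TLSv1.2", False), ("TLSv1.0", True), ("TLSv1.0", False)]:
        print(args, "->", outcome(*args))
```

In this model a client capped at TLSv1.0 with CBC suites withheld has only the stream cipher left to offer, so a server that refuses it has nothing to select.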
