Mailing List Message #105858
From: Bill Cole <>
Subject: Re: HEADS UP: If you're queueing to Office365 domains (was Re: Error: none of client TLS cipher methods is supported)
Date: Thu, 29 Oct 2015 23:34:29 -0400
To: CommuniGate Pro Discussions <>
X-Mailer: MailMate (1.9.2r5148)
On 28 Oct 2015, at 13:26, Mark J Strawcutter wrote:

> CGP 6.1.4
>
> Oldest accepted = TLSv1.0
> CBC Ciphers for old TLS NOT selected
> Accept SSLv2 'hello' selected
>
> no delivery problems to domains hosted by Microsoft (that I'm aware of)

Interesting. My working settings are identical to the above except "CBC Ciphers for old TLS" is enabled. Any command line TLS tweaks? (I've got no special command line options on my systems)

I had 100% abrupt disconnects during negotiation that started seconds after "CBC Ciphers for old TLS" was switched off and stopped immediately when it was switched back on. That host was 6.1.2 when the switch was made and 6.1.6 when it was corrected, less than a day total. The switch was an 'oops' in prep for that update: I misremembered the background of that setting and was checking the arcane TLS settings because the one report here of problems with 6.1.6 sounded to me like a TLS issue. So when it was functionally broken, it was exactly like your settings.

I wonder if it's a platform issue. The machine where I broke delivery by switching that off is FreeBSD 9.3. I have not tested that breakage on our test CGP systems, which are FreeBSD 8.3 and were upgraded ahead of that one (I'm a seasoned pro: I only break production boxes...) nor on our other production box which is still on 6.1.2 (upgrading for Halloween). I had assumed it was not a platform-specific issue because CGP brings along its own TLS implementation rather than using what the OS provides.

HOWEVER, the other issue that this led me to discover is visible across all instances going back over a year to 6.0.7: CGP *NEVER* has negotiated a TLSv1.1 or TLSv1.2 on an outbound connection on any of the 4 systems. On the order of a million outbound SMTP sessions using TLS, every one of them TLSv1.0 or (before we disabled it) SSLv3.0. That's a lesser immediate problem than undeliverable domains, but it is worrisome.
