Mailing List Message #105862
From: Technical Support <>
Subject: Re: HEADS UP: If you're queueing to Office365 domains (was Re: Error: none of client TLS cipher methods is supported)
Date: Sun, 1 Nov 2015 11:11:21 +0300
To: CommuniGate Pro Discussions <>

On 2015-10-30 06:34, Bill Cole wrote:
> On 28 Oct 2015, at 13:26, Mark J Strawcutter wrote:
>
>> CGP 6.1.4
>>
>> Oldest accepted = TLSv1.0
>> CBC Ciphers for old TLS NOT selected
>> Accept SSLv2 'hello' selected
>>
>> no delivery problems to domains hosted by Microsoft (that I'm aware of)
>
> Interesting. My working settings are identical to the above except "CBC
> Ciphers for old TLS" is enabled. Any command line TLS tweaks? (I've got
> no special command line options on my systems)
>
> I had 100% abrupt disconnects during negotiation that started seconds
> after "CBC Ciphers for old TLS" was switched off and stopped immediately
> when it was switched back on. That host was 6.1.2 when the switch was
> made and 6.1.6 when it was corrected, less than a day total. The switch
> was an 'oops' in prep for that update: I misremembered the background of
> that setting and was checking the arcane TLS settings because the one
> report here of problems with 6.1.6 sounded to me like a TLS issue. So
> when it was functionally broken, it was exactly like your settings.
>
> I wonder if it's a platform issue. The machine where I broke delivery by
> switching that off is FreeBSD 9.3. I have not tested that breakage on
> our test CGP systems, which are FreeBSD 8.3 and were upgraded ahead of
> that one (I'm a seasoned pro: I only break production boxes...) nor on
> our other production box which is still on 6.1.2 (upgrading for
> Halloween). I had assumed it was not a platform-specific issue because
> CGP brings along its own TLS implementation rather than using what the
> OS provides.
>
> HOWEVER, the other issue that this led me to discover is visible across
> all instances going back over a year to 6.0.7: CGP *NEVER* has
> negotiated a TLSv1.1 or TLSv1.2 on an outbound connection on any of the
> 4 systems. On the order of a million outbound SMTP sessions using TLS,
> every one of them TLSv1.0 or (before we disabled it) SSLv3.0. That's a
> lesser immediate problem than undeliverable domains, but it is worrisome.

TLS in outgoing SMTP sessions is constrained to version 1.0 because of potential problems negotiating 1.1 and up with older SSL/TLS implementations. If you are sure that negotiating 1.1 or 1.2 won't cause problems with remote servers, you can add --SMTPOutgoingTLSVersion 2 or --SMTPOutgoingTLSVersion 3 to the startup options list to allow negotiation of TLS 1.1 and 1.2, respectively.

Best regards,
Dmitry Akindinov.
When answering to letters sent to you by the staff, make
sure the original message you have received is included into your