Mailing List CGatePro@mail.stalker.com Message #106365
From: Ralf Zenklusen, BAR Informatik AG <r.zenklusen@barinformatik.ch>
Subject: AW: connection with smtp-in.sfr.fr is broken
Date: Wed, 22 Mar 2017 11:20:16 +0100
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro MAPI Connector 1.52.54.11/1.54.12.11
Hi Christoph
yes, true - an automatic "use plain if TLS fails" would be great.
To set this manually per domain, if problems arise, is time-consuming and a bad user experience.

That said, we have been using the "wherever possible (low security)" setting for a long time without many problems.
There are only a very few exceptions in the "Send Encrypted (SSL/TLS)" setting.

Well, maybe CommuniGate could add this to 6.2.

Regards
Ralf


-----Original Message-----
From: CommuniGate Pro Discussions [mailto:CGatePro@mail.stalker.com] On behalf of Christoph Roethlisberger
Sent: Wednesday, 22 March 2017 10:22
To: CommuniGate Pro Discussions
Subject: Re: connection with smtp-in.sfr.fr is broken

The problem with smtp-in.sfr.fr regarding TLS connections and CGPro is most likely the supported cipher suites on both sides that do not find a match...

smtp-in.sfr.fr currently supports TLS 1.2 connections (no SSLv3, TLS 1.0 or TLS 1.1) and high grade ECDHE cipher suites only.
While TLS 1.2 should not pose a problem for CGPro, the cipher suites most likely do:

######### STARTTLS via SMTP on smtp-in.sfr.fr:25 #########

Testing protocols (via openssl, SSLv2 via sockets)

  SSLv2      not offered (OK)
  SSLv3      not offered (OK)
  TLS 1      not offered
  TLS 1.1    not offered
  TLS 1.2    offered (OK)

Testing ~standard cipher lists

  Null Ciphers                 not offered (OK)
  Anonymous NULL Ciphers       not offered (OK)
  Anonymous DH Ciphers         not offered (OK)
  40 Bit encryption            not offered (OK)
  56 Bit encryption            not offered (OK)
  Export Ciphers (general)     not offered (OK)
  Low (<=64 Bit)               not offered (OK)
  DES Ciphers                  not offered (OK)
  Medium grade encryption      not offered (OK)
  Triple DES Ciphers           not offered (OK)
  High grade encryption        offered (OK)


Testing all 181 locally available ciphers against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits   Cipher Suite Name (RFC)
--------------------------------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
###########################################


The real problem with CGPro is that it does not support a fallback solution to plain text transmissions, in case of problems with the TLS connection.
That's why I don't recommend using the "wherever possible (low security)" option in CGPro, as this will try to use TLS for any server that proclaims STARTTLS in the HELO/EHLO.

We circumvented this problem long ago by using a Postfix based relay server for outbound emails....

regards
Christoph Röthlisberger
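As an added example (not from this thread, nor CommuniGate's or SFR's code), the following Go program reproduces the mismatch Christoph describes: an in-memory TLS 1.2 server limited to the ECDHE suites smtp-in.sfr.fr offers is tried from two hypothetical client cipher lists, one with static-RSA key exchange only and one with a single ECDHE suite added. The self-signed certificate, the host name `mx.example` and both client lists are constructed for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SfrSuites are the suites smtp-in.sfr.fr offered in the testssl.sh output above (xc028 omitted:
// Go's crypto/tls lacks it). The client lists are hypothetical: static-RSA only, and RSA plus one ECDHE.
var (
	SfrSuites = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256}
	LegacyClientSuites = []uint16{tls.TLS_RSA_WITH_AES_256_CBC_SHA, tls.TLS_RSA_WITH_AES_128_CBC_SHA}
	ModernClientSuites = []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}
)
// selfSignedCert builds a throwaway RSA certificate so the demo needs no network or files.
func selfSignedCert() tls.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "mx.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// Negotiate runs a TLS 1.2 handshake over an in-memory pipe between a server limited to serverSuites
// and a client limited to clientSuites, returning the negotiated suite name or the client-side error.
func Negotiate(serverSuites, clientSuites []uint16) (string, error) {
	srvConf := &tls.Config{Certificates: []tls.Certificate{selfSignedCert()}, CipherSuites: serverSuites,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12} // TLS 1.2 only, as on smtp-in.sfr.fr
	cliConf := &tls.Config{CipherSuites: clientSuites, InsecureSkipVerify: true} // demo cert is self-signed
	srvRaw, cliRaw := net.Pipe()
	go func() { tls.Server(srvRaw, srvConf).Handshake(); srvRaw.Close() }()
	cli := tls.Client(cliRaw, cliConf)
	defer cliRaw.Close()
	if err := cli.Handshake(); err != nil {
		return "", err // "remote error: tls: handshake failure" when no suite is shared
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}
func main() {
	_, err := Negotiate(SfrSuites, LegacyClientSuites)
	name, _ := Negotiate(SfrSuites, ModernClientSuites)
	fmt.Printf("client without ECDHE: %v\nclient with ECDHE: %s\n", err, name)
}
```

The error returned by Negotiate for the first client is the point at which a sending MTA would have to take the per-domain "fall back to plain" decision the thread asks for.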




