Mailing List CGatePro@mail.stalker.com Message #106414
From: Bill Cole <cgp-2015@billmail.scconsult.com>
Subject: Re: none of client TLS cipher methods is supported
Date: Wed, 17 May 2017 15:10:58 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: MailMate (2.0BETAr6082)
On 17 May 2017, at 4:34, Jona Tallieu (T & T nv) wrote:

> Dear,
>
> We are having problems with receiving mail from yahoo.com on a CGP 5.1.16 running on Linux (old version, I know…).
>
> We get the error:
> SMTPI-393710(sonic319-29.consmr.mail.ir2.yahoo.com) failed to accept a secure connection for ‘mail.ourserver.com’. Error Code=none of client TLS cipher methods is supported
>
> Any ideas?

CGP 5.1.x does not support any TLS version and ciphersuite which can rationally be considered "safe" in the modern world. There is an SSL/TLS quality scanner at https://www.ssllabs.com/index.html which you can use if your server has a listener on port 443 (https), and which will show all of the details of how CGP 5.1.16 TLS/SSL is unsafe.

You cannot fix this in CGP except by upgrading because CGP uses a proprietary security layer.

> When I do:
> openssl s_client -connect mail.ourserver.com:465 -showcerts
>
> I do get an error:
>
> CONNECTED(00000003)
> depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
>
> But I do not see a self signed cert in the CGP settings?

That's spurious. Every root CA certificate is self-signed, and if your openssl config (or command line arguments) doesn't include a trusted root cert or cert collection, you get this result.

> At the end I get:
>
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 4908 bytes and written 448 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : DES-CBC3-SHA

That cipher is only strong enough to prevent realtime passive snooping by random amateurs. That might be as strong as you practically need, but it is also a clue visible from the outside that there are probably worse weaknesses in the encryption layer and for CGP, there most certainly are.

> But maybe this is unrelated to the yahoo.com TLS cipher methods problem we are having?

The fact that you can't do anything stronger than DES-CBC3-SHA is why some mail systems (including Yahoo) won't send to you using encryption. In principle they should fall back to plain text after that failure, but I would not bet on that being done properly by Yahoo.

> Seems to be isolated to mails from yahoo. Any way to turn off TLS just for yahoo?

You can disable TLS outbound, but I don't think there's any way to be selective inbound.

> Any other ideas?

Stop exposing obsolete and inherently insecure software to the open Internet.

In principle it would be possible to wrap CGP with a modern TLS proxy layer for full-time TLS services (https, pops, imaps) and put a securable MTA in between it and the world for SMTP but that's a lot of work, possibly as much as switching to free alternatives.
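A small checker for the kind of s_client trailer quoted in this thread, added here as an example and not part of the thread or of CGP: it parses the negotiated protocol, cipher and secure-renegotiation flag and lists the reasons a modern peer such as Yahoo's MTAs would refuse the session. The sample output, the obsolete-protocol set and the weak-cipher marker list are my own assumptions.

```python
import re

# openssl s_client trailer, constructed to match the one quoted in the thread.
SAMPLE_OUTPUT = """\
SSL handshake has read 4908 bytes and written 448 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
"""

# Versions that modern mail peers no longer negotiate (assumed policy).
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Name fragments marking a suite as weak or broken (3DES, RC4, export, NULL, anon DH).
WEAK_CIPHER_MARKERS = ("DES", "RC4", "RC2", "NULL", "EXP", "MD5", "ANON", "ADH")

def parse_session(output):
    """Extract negotiated protocol, cipher and renegotiation flag from s_client output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    reneg = re.search(r"^Secure Renegotiation IS( NOT)? supported", output, re.M)
    return {
        "protocol": proto.group(1) if proto else None,
        "cipher": cipher.group(1) if cipher else None,
        "secure_renegotiation": reneg is not None and reneg.group(1) is None,
    }

def assess(session):
    """List the reasons a modern peer (such as Yahoo's MTAs) may refuse this TLS setup."""
    proto, cipher = session["protocol"], session["cipher"]
    if cipher in (None, "(NONE)", "0000"):
        return ["handshake did not complete: no cipher negotiated"]
    findings = []
    if proto in OBSOLETE_PROTOCOLS:
        findings.append(f"obsolete protocol {proto}; TLS 1.2 or later expected")
    if any(m in cipher.upper() for m in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher suite {cipher}")
    if "DHE" not in cipher:  # covers both DHE- and ECDHE- suites
        findings.append(f"{cipher} offers no forward secrecy")
    if not session["secure_renegotiation"]:
        findings.append("secure renegotiation (RFC 5746) not supported")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_session(SAMPLE_OUTPUT)):
        print("-", finding)
```

Pipe real output into it with `openssl s_client -connect host:465 < /dev/null` and a server that only gets the DES-CBC3-SHA-on-TLSv1 result will show all four findings.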