Mailing List CGatePro@mail.stalker.com Message #106554
From: Technical Support support@communigate.com <CGatePro@mail.stalker.com>
Subject: Re: TLS Issues since installing 6.1.17
Date: Fri, 1 Sep 2017 13:28:42 +0300
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
Hello,

On 2017-08-29 20:14 , Tom Rymes trymes@rymes.com wrote:
Now that I have posted to the list, I found this message from 2013. Can anyone confirm whether this is still recommended practice? I frankly am not sure what this setting is even controlling and what the downsides to disabling it might be:

http://lists.communigate.com/Lists/CGatePro/Message/104067.html

Also in WebAdmin -> Settings -> General -> Other -> TLS sessions disable "Abort on Wrong Client Certificate".

The problem is that the client certificates were processed incorrectly in older versions, making authentication via certificates impossible.

On the other hand, if you don't use authentication via certificates, select the empty field (no CA) in the domain's "Security -> Request Client Certificates -> Issued by" menu.

Tom

On 08/29/2017 12:58 PM, Tom Rymes trymes@rymes.com wrote:
All,

I have had two messages that I sent to myself from a gmail account bounce back due to a TLS issue since upgrading to 6.1.17 recently. The error I receive in the bounce notice is:

"Diagnostic-Code: smtp; TLS Negotiation failed: generic::failed_precondition: starttls error (0): protocol error"

I have also noticed a lot of these entries in the logs:
"00:03:19.492 3 SMTPI-012109(mail-pg0-f73.google.com) failed to accept a secure connection for DOMAIN(rymes.com). Error Code=wrong issuer for client TLS certificate"

Here is the entire transcript of that connection:

00:04:51.812 4 SMTPI-012119([209.85.223.179]:35366) [10.10.10.10]:25 <- [209.85.223.179]:35366 incoming connection(rymes.com)
00:05:11.986 5 SMTPI-012119([209.85.223.179]:35366) out: 220 rymes.com ESMTP CommuniGate Pro 6.1.17\r\n
00:05:12.023 5 SMTPI-012119([209.85.223.179]:35366) inp: EHLO mail-io0-f179.google.com
00:05:12.024 5 SMTPI-012119(mail-io0-f179.google.com) out: 250-rymes.com is pleased to meet you\r\n250-DSN\r\n250-SIZE\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN CRAM-MD5 DIGEST-MD5\r\n250-ETRN\r\n250-TURN\r\n250-ATRN\r\n250-NO-SOLICITING\r\n250-8BITMIME\r\n250-HELP\r\n250-PIPELINING\r\n250 EHLO\r\n
00:05:12.062 5 SMTPI-012119(mail-io0-f179.google.com) inp: STARTTLS
00:05:12.062 5 SMTPI-012119(mail-io0-f179.google.com) out: 220 please start a TLS connection\r\n
00:05:13.000 2 TLS-016266 created(TLSv1.2,ECDHE_AES128_SHA) for SMTPI-012119
00:05:13.385 2 TLS-016266 closed by SMTPI-012119
00:05:13.385 3 SMTPI-012119(mail-io0-f179.google.com) failed to accept a secure connection for DOMAIN(rymes.com). Error Code=wrong issuer for client TLS certificate
00:05:13.385 4 SMTPI-012119(mail-io0-f179.google.com) closing connection
00:05:13.385 4 SMTPI-012119(mail-io0-f179.google.com) releasing stream

Has anyone else seen this, and how should I proceed?

Tom


--
Best regards,
Dmitry Akindinov.
=======================================================================
When answering to letters sent to you by the tech.support staff, make
sure the original message you have received is included into your
reply.
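
An added example, not part of the original thread and not CommuniGate's own tooling: a small log scan that groups lines by SMTPI session and reports the sessions where an inbound STARTTLS handshake was rejected, along with the negotiated protocol and cipher and the error code. The sample lines are constructed in the format of the transcript above, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Line shape taken from the transcript above: time, level, component-id, optional (peer), message.
LINE = re.compile(r"^(\d\d:\d\d:\d\d\.\d{3}) (\d) ([A-Z]+-\d+)(?:\(([^)]*)\))? (.*)$")
TLS_CREATED = re.compile(r"^created\(([^,]+),([^)]+)\) for (SMTPI-\d+)$")
TLS_ERROR = re.compile(r"failed to accept a secure connection for DOMAIN\(([^)]*)\)\. Error Code=(.*)$")

# Constructed sample in the same format (documentation addresses, made-up host names).
SAMPLE = """\
00:05:12.062 5 SMTPI-000101(mx1.sender.example) inp: STARTTLS
00:05:13.000 2 TLS-000201 created(TLSv1.2,ECDHE_AES128_SHA) for SMTPI-000101
00:05:13.385 2 TLS-000201 closed by SMTPI-000101
00:05:13.385 3 SMTPI-000101(mx1.sender.example) failed to accept a secure connection for DOMAIN(example.org). Error Code=wrong issuer for client TLS certificate
00:06:01.100 5 SMTPI-000102([192.0.2.7]:40100) inp: STARTTLS
00:06:01.900 2 TLS-000202 created(TLSv1.2,ECDHE_AES128_SHA) for SMTPI-000102
00:06:02.300 5 SMTPI-000102([192.0.2.7]:40100) inp: EHLO mx2.sender.example
"""

def tls_failures(lines):
    """Return one record per SMTP session whose TLS handshake was rejected."""
    sessions = defaultdict(lambda: {"peer": None, "starttls": False, "tls": None, "error": None})
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the expected shape
        when, _level, comp, peer, msg = m.groups()
        if comp.startswith("TLS-"):
            created = TLS_CREATED.match(msg)
            if created:  # tie the TLS object back to the SMTP session it serves
                sessions[created.group(3)]["tls"] = created.group(1, 2)
            continue
        if not comp.startswith("SMTPI-"):
            continue
        s = sessions[comp]
        s["peer"] = peer or s["peer"]  # keeps the latest label (IP first, host name after EHLO)
        if msg == "inp: STARTTLS":
            s["starttls"] = True
        failed = TLS_ERROR.search(msg)
        if failed:
            s.update(domain=failed.group(1), error=failed.group(2), time=when)
    return [dict(session=sid, **s) for sid, s in sessions.items() if s["error"]]

if __name__ == "__main__":
    for rec in tls_failures(SAMPLE.splitlines()):
        print(rec["time"], rec["session"], rec["peer"], rec["tls"], "->", rec["error"])
```

A record with `tls` filled in and an `error` set means the protocol and cipher were agreed and the session was dropped afterwards, which separates certificate-policy rejections from cipher or protocol mismatches.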