Not receiving emails from VA.gov - TLS & AES ciphers?

(OP)
Hi,
I'm running Exchange Server 2003 on Windows 2003 R2 Enterprise with all patches with a current Thawte SSL certificate installed on my Default SMTP Virtual Server. We've been unable to receive emails from VA.gov addresses for the past 2 months. VA.gov users receive an NDR:

5.0.0 smtp; 5.4.7 - Delivery expired (message too old) [Outbound_Profile] "(336130315, 'error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number')" (delivery attempts: 52)

Based on my SMTP logs, I've found that they send email out using TLS, and using SSLScan, I found that they support the following ciphers:

Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA

Prefered Server Cipher(s):
TLSv1 256 bits AES256-SHA

Our server supports these ciphers:
Supported Server Cipher(s):
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5

Prefered Server Cipher(s):
TLSv1 128 bits RC4-MD5

Although we both support 3DES, I also installed hotfix kb948963 that adds AES128-SHA and AES256-SHA, and then rebooted the server. After doing so, my supported ciphers changed to:

Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5

Prefered Server Cipher(s):
TLSv1 128 bits AES128-SHA

However, I still can't receive email from them, and I also stopped receiving emails from other mail servers. I ran a Basic Receiver Test on checktls.com and found that it failed with the error:
checktls cannot proof e-mail address (reason: mail from rejected)
The cipher used was AES128-SHA

After disabling AES128 and AES256 via the registry, I re-ran the Basic Receiver Test, and then all tests passed. The cipher used was RC4-MD5.

I'm stumped, and would appreciate any new ideas.
Thank you.
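A diagnostic along the lines of what the OP did, added here as an example that is not part of the thread: it parses SSLScan-style output (constructed from the figures quoted above) to compute the suites both ends share, and includes a STARTTLS probe that reports what a given mail server actually negotiates. The hostname in the probe is a placeholder.

```python
import smtplib
import ssl

# Constructed SSLScan-style output, built from the figures quoted in the post.
VA_GOV_SCAN = """Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
"""
OUR_SCAN_BEFORE = """Supported Server Cipher(s):
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
"""
OUR_SCAN_AFTER = OUR_SCAN_BEFORE + "Accepted TLSv1 256 bits AES256-SHA\nAccepted TLSv1 128 bits AES128-SHA\n"


def parse_sslscan(text):
    """Return the set of cipher suite names SSLScan reported as 'Accepted'."""
    return {line.split()[-1] for line in text.splitlines() if line.startswith("Accepted ")}


def common_ciphers(scan_a, scan_b):
    """Cipher suites both ends accept; an empty set means no handshake is possible."""
    return parse_sslscan(scan_a) & parse_sslscan(scan_b)


def probe_starttls(host, port=25, cipher_list=None, timeout=15):
    """EHLO, then STARTTLS, optionally restricted to an OpenSSL cipher list.
    Returns (tls_version, negotiated_cipher). Certificate validation is off
    because the point is to see what the server negotiates, not to trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if cipher_list:
        # e.g. "AES128-SHA" or "DES-CBC3-SHA"; legacy suites may be
        # absent from the local OpenSSL build and then raise SSLError.
        ctx.set_ciphers(cipher_list)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host} does not advertise STARTTLS")
        smtp.starttls(context=ctx)
        return smtp.sock.version(), smtp.sock.cipher()[0]


if __name__ == "__main__":
    print("common before hotfix:", sorted(common_ciphers(VA_GOV_SCAN, OUR_SCAN_BEFORE)))
    print("common after hotfix: ", sorted(common_ciphers(VA_GOV_SCAN, OUR_SCAN_AFTER)))
    # Live probe against your own MX (placeholder host, replace before use):
    # print(probe_starttls("mail.example.invalid", cipher_list="AES128-SHA"))
```

Running the probe once per suite the remote end accepts shows which handshake the server really completes, which is the check the checktls result above only gives indirectly.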

RE: Not receiving emails from VA.gov - TLS & AES ciphers?

Interesting - EXACTLY the same problem at our end too - mail to the VA worked fine and then stopped working. Now I've added the AES ciphers and I have some mail problems. Very strange. Did you find out any more?

RE: Not receiving emails from VA.gov - TLS & AES ciphers?

(OP)
I couldn't get the AES or 3DES ciphers to work with our Exchange 2003 environment, so I ended up removing the SSL certificate altogether from our default SMTP virtual server. After that inbound emails started flowing from VA.gov addresses again.

Good luck!

RE: Not receiving emails from VA.gov - TLS & AES ciphers?

Same here - although that upset all of the people using SSL over SMTP to secure their email sending to our server. I added a second virtual server on a custom port with SSL enabled to make those people happy.

Interestingly enough, even with AES on, I could still get some messages - for some reason gmail messages wouldn't come through, but messages from facebook would come through.

Another thought: I did read somewhere that some govt organizations (notably DoD) will only accept a cert with a chain of trust from certain providers - verisign being one, digi-cert being another. I wonder if there might be a similar issue, although the error messages don't indicate this. Our cert was from starfield/godaddy. CheckTLS was happy with it, but perhaps va.gov is not?

RE: Not receiving emails from VA.gov - TLS & AES ciphers?

(OP)
Yup, I too created separate secure SMTP VS's with custom ports for our users.

I read on some forum that Exchange 2003's implementation of 3DES was flawed. I would guess that AES was never supported, and MS never bothered to issue a fix. Link

Haven't thought of using another CA.

We're looking at moving to MS's Office 365 cloud solution soon so I won't have to deal with these issues anymore.
