Not receiving emails from VA.gov - TLS & AES ciphers?
(OP)
Hi,
I'm running Exchange Server 2003 on Windows 2003 R2 Enterprise with all patches with a current Thawte SSL certificate installed on my Default SMTP Virtual Server. We've been unable to receive emails from VA.gov addresses for the past 2 months. VA.gov users receive an NDR:
5.0.0 smtp; 5.4.7 - Delivery expired (message too old) [Outbound_Profile] "(336130315, 'error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number')" (delivery attempts: 52)
Based on my SMTP logs, I've found that they send email out using TLS, and using SSLScan, I found that they support the following ciphers:
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Prefered Server Cipher(s):
TLSv1 256 bits AES256-SHA
Our server supports these ciphers:
Supported Server Cipher(s):
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Prefered Server Cipher(s):
TLSv1 128 bits RC4-MD5
Although we both support 3DES, I also installed hotfix kb948963 that adds AES128-SHA and AES256-SHA, and then rebooted the server. After doing so, my supported ciphers changed to:
Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Prefered Server Cipher(s):
TLSv1 128 bits AES128-SHA
However, I still can't receive email from them, and I also stopped receiving emails from other mail servers. I ran a Basic Receiver Test on checktls.com and found that it failed with error:
checktls cannot proof e-mail address (reason: mail from rejected)
The cipher used was AES128-SHA
After disabling AES128 and AES256 via the registry, I re-ran the Basic Receiver Test, and then all tests passed. The cipher used was RC4-MD5.
I'm stumped, and would appreciate any new ideas.
Thank you.
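Added example, not code from the thread: a small Python script that parses SSLScan listings in the shape quoted above, works out which suite a STARTTLS handshake between the two sides would settle on (sending MTA as TLS client, receiving MTA as TLS server), and carries a live helper that reports the negotiated version and suite the way checktls.com does. The embedded scan text is constructed from the post, and probe_starttls is an assumed helper, not part of any tool mentioned.

```python
import re
import smtplib
import ssl

# Constructed sample input shaped like the thread's SSLScan listings
# (the va.gov sender, and the Exchange 2003 receiver before KB948963).
VA_GOV_SCAN = """Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Prefered Server Cipher(s):
TLSv1 256 bits AES256-SHA"""

EXCHANGE_BEFORE = """Supported Server Cipher(s):
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5
Prefered Server Cipher(s):
TLSv1 128 bits RC4-MD5"""

CIPHER_LINE = re.compile(r"^(?:Accepted\s+)?(\S+)\s+(\d+) bits\s+(\S+)$")

def parse_sslscan(text):
    """Return (accepted suite names in listed order, preferred suite name)."""
    accepted, preferred, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("Cipher(s):"):  # section header; SSLScan spells it "Prefered"
            section = "pref" if line.startswith("Prefer") else "acc"
        elif (m := CIPHER_LINE.match(line)):
            if section == "acc":
                accepted.append(m.group(3))
            elif section == "pref":
                preferred = m.group(3)
    return accepted, preferred

def negotiate(client_scan, server_scan):
    """Suite the handshake settles on: the server's preferred suite if the client
    offers it, else the first server-accepted suite the client also has, else None."""
    offered = set(parse_sslscan(client_scan)[0])
    accepted, preferred = parse_sslscan(server_scan)
    if preferred in offered:
        return preferred
    return next((name for name in accepted if name in offered), None)

def probe_starttls(host, port=25):
    """Live check (assumed helper, not run offline): STARTTLS and report what was negotiated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # report, don't enforce
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.version(), smtp.sock.cipher()[0]
```

With the two listings from the post, the only common ground before the hotfix is DES-CBC3-SHA in either direction; a modern Python's default context may refuse TLSv1-only peers, so the live probe is a reporting aid, not a verdict on the older server.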
RE: Not receiving emails from VA.gov - TLS & AES ciphers?
Good luck!
RE: Not receiving emails from VA.gov - TLS & AES ciphers?
Interestingly enough, even with AES on, I could still get some messages - for some reason gmail messages wouldn't come through, but messages from facebook would come through.
Another thought: I did read somewhere that some govt organizations (notably DoD) will only accept a cert with a chain of trust from certain providers - verisign being one, digi-cert being another. I wonder if there might be a similar issue, although the error messages don't indicate this. Our cert was from starfield/godaddy. CheckTLS was happy with it, but perhaps va.gov is not?
RE: Not receiving emails from VA.gov - TLS & AES ciphers?
I read on some forum that Exchange 2003's implementation of 3DES was flawed. I would guess that AES was never supported, and MS never bothered to issue a fix. Link
Haven't thought of using another CA.
We're looking at moving to MS's Office 365 cloud solution soon so I won't have to deal with these issues anymore.
RE: Not receiving emails from VA.gov - TLS & AES ciphers?
Dave Shackelford
ThirdTier.net
TrainSignal.com