TLS handshake fails with outlook

Discussion forum for Enterprise Edition.
Post Reply
Sitepoint
Posts: 17
Joined: Wed Oct 26, 2011 1:47 pm

TLS handshake fails with outlook

Post by Sitepoint » Thu Jul 09, 2015 4:46 pm

Hi,

did anyone knows about the issue, that the TLS handshake failes with Microsoft Outlook Exchange Servers?

Deferred: 403 4.7.0 TLS handshake failed.

This error-message is returned to the sender. If I deactivate TLS, mails come through.

But my TLS seems to be alright. Test is here:
http://www.checktls.com/perl/TestReceiver.pl

Result:

Code: Select all

Checking tb@sitepoint.de
looking up MX hosts on domain "sitepoint.de"
mail.sitepoint.de (preference:10)
mail2.sitepoint.de (preference:15)
Trying TLS on mail.sitepoint.de[62.112.132.25] (10):
seconds		test stage and result
[000.106]		Connected to server
[000.214]	<--	220 mail.sitepoint.de ESMTP MailEnable Service, Version: 8.60--8.60 ready at 07/09/15 18:14:01
[000.214]		We are allowed to connect
[000.215]	-->	EHLO checktls.com
[000.320]	<--	250-mail.sitepoint.de [69.61.187.232], this server offers 7 extensions
250-AUTH NTLM LOGIN
250-SIZE 52428800
250-HELP
250-AUTH=LOGIN
250-STARTTLS
250-XSAVETOSENT
250 X-SAVETOSENT
[000.320]		We can use this server
[000.496]		TLS is an option on this server
[000.496]	-->	STARTTLS
[000.614]	<--	220 Ready to start TLS
[000.614]		STARTTLS command works on this server
[000.980]		Cipher in use: ECDHE-RSA-AES128-SHA
[000.980]		Connection converted to SSL
[001.000]		
Certificate 1 of 4 in chain:
subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.sitepoint.de
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA                                                                                                                                                                                                                                                                                                        
[001.016]		
Certificate 2 of 4 in chain:
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority                                                                                                                                                                                                                                                                                                          
[001.031]		
Certificate 3 of 4 in chain:
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root                                                                                                                                                                                                                                                                                                            
[001.047]		
Certificate 4 of 4 in chain:
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root                                                                                                                                                                                                                                                                                                              
[001.047]		Cert VALIDATED: ok
[001.047]		Cert Hostname VERIFIED (mail.sitepoint.de = mail.sitepoint.de)
[001.048]	~~>	EHLO checktls.com
[001.155]	<~~	250-mail.sitepoint.de [69.61.187.232], this server offers 6 extensions
250-AUTH NTLM LOGIN
250-SIZE 52428800
250-HELP
250-AUTH=LOGIN
250-XSAVETOSENT
250 X-SAVETOSENT
[001.156]		TLS successfully started on this server
[001.156]	~~>	MAIL FROM:<test@checktls.com>
[001.267]	<~~	250 Requested mail action okay, completed
[001.267]		Sender is OK
[001.963]	~~>	RCPT TO:<tb@sitepoint.de>
[002.190]	<~~	250 Requested mail action okay, completed
[002.190]		Recipient OK, E-mail address proofed
[002.191]	~~>	QUIT
[002.296]	<~~	221 Service closing TLS SSL transmission session
Trying TLS on mail2.sitepoint.de[62.112.132.26] (15):
seconds		test stage and result
[000.106]		Connected to server
[000.646]	<--	220 mail.sitepoint.de ESMTP MailEnable Service, Version: 8.60--8.60 ready at 07/09/15 18:14:04
[000.646]		We are allowed to connect
[000.646]	-->	EHLO checktls.com
[000.751]	<--	250-mail.sitepoint.de [69.61.187.232], this server offers 7 extensions
250-AUTH NTLM LOGIN
250-SIZE 52428800
250-HELP
250-AUTH=LOGIN
250-STARTTLS
250-XSAVETOSENT
250 X-SAVETOSENT
[000.752]		We can use this server
[000.752]		TLS is an option on this server
[001.345]	-->	STARTTLS
[001.459]	<--	220 Ready to start TLS
[001.459]		STARTTLS command works on this server
[001.806]		Cipher in use: ECDHE-RSA-AES128-SHA
[001.806]		Connection converted to SSL
[001.824]		
Certificate 1 of 4 in chain:
subject= /OU=Domain Control Validated/OU=PositiveSSL/CN=mail.sitepoint.de
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA                                                                                                                                                                                                                                                                                                                                                                  
[001.840]		
Certificate 2 of 4 in chain:
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
issuer= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority                                                                                                                                                                                                                                                                                                                                                                    
[001.855]		
Certificate 3 of 4 in chain:
subject= /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root                                                                                                                                                                                                                                                                                                                                                                      
[002.347]		
Certificate 4 of 4 in chain:
subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root                                                                                                                                                                                                                                                                                                                                                                        
[002.347]		Cert VALIDATED: ok
[002.348]		Cert Hostname DOES NOT VERIFY (mail2.sitepoint.de != mail.sitepoint.de)
[002.348]		So email is encrypted but the host is not verified
[002.950]	~~>	EHLO checktls.com
[003.059]	<~~	250-mail.sitepoint.de [69.61.187.232], this server offers 6 extensions
250-AUTH NTLM LOGIN
250-SIZE 52428800
250-HELP
250-AUTH=LOGIN
250-XSAVETOSENT
250 X-SAVETOSENT
[003.060]		TLS successfully started on this server
[003.060]	~~>	MAIL FROM:<test@checktls.com>
[003.169]	<~~	250 Requested mail action okay, completed
[003.169]		Sender is OK
[003.170]	~~>	RCPT TO:<tb@sitepoint.de>
[003.356]	<~~	250 Requested mail action okay, completed
[003.356]		Recipient OK, E-mail address proofed
[003.357]	~~>	QUIT
[003.830]	<~~	221 Service closing TLS SSL transmission session
Any idea? Can I write an event or something that, in case the handshake failes, I provide an alternative?


Anyone else has this kind of issue? Thank you for your support.


Best regards -


Tom

MailEnable-Ian
Site Admin
Posts: 9101
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: TLS handshake fails with outlook

Post by MailEnable-Ian » Fri Jul 17, 2015 2:09 am

Hi,

When I telnet to your server and check the advertised SMTP extensions I cannot see the STARTTLS extension being advertised. Therefore the first question is: Have you enabled SMTP inbound TLS under the SMTP "General" properties window? Have you also configured and set a valid SSL certificate within MailEnable?
Regards,

Ian Margarone
MailEnable Support

Sitepoint
Posts: 17
Joined: Wed Oct 26, 2011 1:47 pm

Re: TLS handshake fails with outlook

Post by Sitepoint » Fri Jul 17, 2015 7:44 am

I deactive Enable TLS, cause we didn't received mails from Office 365.
We use a valid SSL Certificate. You can check it out at mail.sitepoint.de (Port 993 e.g.).

The result of the connection when I enable TLS, I posted here.
When you want to telnet, I can turn it on for a short period of time.

Best regards -


Tom

Post Reply