TLS Negotiations and proper settings.
Question asked by Barbara Renowden - 7/26/2018 at 11:03 AM
Unanswered

Recently we have been having an issue with TLS negotiations from a few mail servers.

STARTTLS250-8BITMIME250 OK

[2018.07.22] 23:51:09 [50.198.160.177][1951716] cmd: STARTTLS

[2018.07.22] 23:51:09 [50.198.160.177][1951716] rsp: 220 Start TLS negotiation

[2018.07.22] 23:51:09 [50.198.160.177][1951716] rsp: 554 Security failure

[2018.07.22] 23:51:09 [50.198.160.177][1951716] Exception negotiating TLS session: The secure connection has failed due to an unsupported protocol such as TLS 1.0 or SSL 3.0. A call to SSPI failed, see inner exception..

[2018.07.22] 23:51:09 [50.198.160.177][1951716] disconnected at 7/22/2018 11:51:09 PM


I did a https://www.ssllabs.com/ check on this particular mail server, smtp.portlandia-servers.com, and it came back with an F rating.

The mail admin sent the email below to his client and myself.  So I guess I am asking: is requesting TLS negotiation a bad setting, as he says below, or is he totally off the mark?

By the way, we have been managing mail for almost 20 years and work extremely hard to make sure our mail servers have as much security and proper settings as possible.  If there is something that I have missed here please let me know, and thanks for any input.

Hi Alan,

It is a common misconception among inexperienced or new-to-the-business admins, particularly those who come from a Windows background and have no experience with Unix or anything outside of the Windows ecosphere, that TLS has something to do with mailserver-to-mailserver SMTP communication on the Internet.

TLS is only used when sending mail from a mail client to a mail server.  Its purpose is to protect the password used for authentication from client to server.  This is used because clients typically don’t have static IPs nor complete DNS records the way mailservers do.

Mailservers on the Internet do not encrypt mail from server to server because they do not use passwords between servers.

TLS is based on the concept of trust.  I can trust that your email client is legitimate because it is using a password that I assigned.  But Barbara cannot trust that my or ANY mailserver is legitimate because nothing prevents a spammer from going out there, running the latest TLS, and getting a DNS record set up that matches – then drowning her mailserver in spam.

Mailservers on the Internet do not trust each other because there is no way to guarantee that a random SMTP connection is coming from a legitimate host or not.  If Barbara thinks different I encourage her to patent her invention, as if it works she would be a millionaire.

This is why TLS between mailservers does absolutely nothing and it is why it’s not used.  RFC3207 makes it quite clear on this:

“…This document describes an extension to the SMTP (Simple Mail Transfer Protocol) service that allows an SMTP server AND CLIENT…”

This is NOT a server-to-server protocol.  Furthermore:

“…A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in…”

Also, it’s NOT secure NO MATTER WHAT version is in use:

“…It should be noted that SMTP is not an end-to-end mechanism.  Thus, if an SMTP client/server pair decide to add TLS privacy, they are not securing the transport from the originating mail user agent to the recipient….”

See https://tools.ietf.org/html/rfc3207

The problem is that she has misconfigured her mailserver.  It’s likely she has pressed some sort of Exchange server into use as an Internet mailserver.  These make very, very unsatisfactory servers because their defaults are completely wrong for the Internet, and unless the admin has a lot of experience in email they will be led down rabbithole after rabbithole.

It is likely that, seeing some sort of button or knob saying “security” with inadequate understanding of secure email, she has clicked it – and now has a false sense of security that she is “securing” email when in reality it is doing nothing other than causing problems.

I would recommend, for further education, that she go to the O’Reilly book on Sendmail and read it cover to cover.  That book is regarded as the standard handbook for email communication on the Internet and it has a lot about the protocol itself, not just the program that invented Internet email.

Ted


Barbara Renowden President / Co-Founder Centric Web, Inc. https://www.centricweb.com
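An added example for anyone triaging the same symptom (this is not code from the original post, from SmarterMail, or from either correspondent). The log excerpt above records the receiving server refusing the handshake because the peer offered only a protocol it no longer accepts (TLS 1.0 or SSL 3.0): the "220 Start TLS negotiation" is followed by "554 Security failure" and a disconnect. The script below parses SmarterMail-style log lines, using the five lines from the post plus one constructed session from the 203.0.113.0/24 documentation range that gets past the handshake, and counts STARTTLS attempts against negotiation failures per remote address so the senders that never complete a handshake stand out. It also carries a diagnostic probe that does the EHLO/STARTTLS exchange RFC 3207 describes against a given host under a minimum-version policy, to see what that peer actually negotiates; the probe needs network access, runs only when the file is executed directly, and its host and port arguments are assumptions.

```python
"""Triage failed STARTTLS negotiations in SmarterMail-style SMTP logs.

Added example for this thread; not code from the original post, from
SmarterMail, or from either correspondent.
"""
import re
import smtplib
import ssl
from collections import defaultdict

# Constructed sample: the five lines quoted in the post, plus one made-up
# session from the 203.0.113.0/24 documentation range that gets past the
# handshake (its EHLO after STARTTLS shows the TLS layer came up).
SAMPLE_LOG = """\
[2018.07.22] 23:51:09 [50.198.160.177][1951716] cmd: STARTTLS
[2018.07.22] 23:51:09 [50.198.160.177][1951716] rsp: 220 Start TLS negotiation
[2018.07.22] 23:51:09 [50.198.160.177][1951716] rsp: 554 Security failure
[2018.07.22] 23:51:09 [50.198.160.177][1951716] Exception negotiating TLS session: The secure connection has failed due to an unsupported protocol such as TLS 1.0 or SSL 3.0. A call to SSPI failed, see inner exception..
[2018.07.22] 23:51:09 [50.198.160.177][1951716] disconnected at 7/22/2018 11:51:09 PM
[2018.07.22] 23:52:40 [203.0.113.10][1951720] cmd: STARTTLS
[2018.07.22] 23:52:40 [203.0.113.10][1951720] rsp: 220 Start TLS negotiation
[2018.07.22] 23:52:41 [203.0.113.10][1951720] cmd: EHLO mx.example.net
"""

# Line shape: [date] time [remote-ip][session-id] message
LINE_RE = re.compile(
    r"^\[(?P<date>[\d.]+)\] (?P<time>[\d:]+) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] (?P<msg>.*)$"
)
TLS_EXC_PREFIX = "Exception negotiating TLS session: "


def parse_line(line):
    """Split one log line into its fields; None for lines in another shape."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def starttls_report(log_text):
    """Per remote address: STARTTLS commands seen, handshakes that threw, and
    the reason text the server logged for each failure."""
    report = defaultdict(lambda: {"attempts": 0, "failures": 0, "reasons": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        entry = report[rec["ip"]]
        if rec["msg"] == "cmd: STARTTLS":
            entry["attempts"] += 1
        elif rec["msg"].startswith(TLS_EXC_PREFIX):
            entry["failures"] += 1
            entry["reasons"].append(rec["msg"][len(TLS_EXC_PREFIX):])
    return dict(report)


def peers_failing_every_handshake(report):
    """Addresses whose every STARTTLS attempt failed: the senders to look at,
    typically peers offering only TLS 1.0/SSL 3.0 to a server refusing both."""
    return sorted(ip for ip, e in report.items()
                  if e["attempts"] and e["failures"] >= e["attempts"])


def probe_starttls(host, port=25, min_version=ssl.TLSVersion.TLSv1_2, timeout=10):
    """EHLO, then STARTTLS under a policy refusing anything older than min_version.
    Returns (protocol, cipher) on success, None if the peer does not advertise
    STARTTLS, and raises ssl.SSLError if the peer cannot meet the policy.
    Needs network access. Certificate checks are off on purpose: this is a
    protocol-version diagnostic, not a delivery path."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return None
        smtp.starttls(context=ctx)
        return smtp.sock.version(), smtp.sock.cipher()[0]


if __name__ == "__main__":
    import sys
    rep = starttls_report(SAMPLE_LOG)
    for ip, e in rep.items():
        print(f"{ip}: {e['attempts']} STARTTLS, {e['failures']} failed")
    print("failing every handshake:", peers_failing_every_handshake(rep))
    if len(sys.argv) > 1:  # e.g. python triage.py mx.example.net 25 (assumed names)
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(host, "negotiated:", probe_starttls(host, port))
```

Run against a real log file the report tells you which senders never get through the handshake; for those, the fix is on the sender's side (offering TLS 1.2) or a deliberate decision on yours about whether to keep refusing the old protocols. Running the probe against your own MX from outside shows what you are offering, which is the same thing the SSL Labs-style check grades.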
