STARTTLS
250-8BITMIME
250 OK
[2018.07.22] 23:51:09 [50.198.160.177][1951716] cmd: STARTTLS
[2018.07.22] 23:51:09 [50.198.160.177][1951716] rsp: 220 Start TLS negotiation
[2018.07.22] 23:51:09 [50.198.160.177][1951716] rsp: 554 Security failure
[2018.07.22] 23:51:09 [50.198.160.177][1951716] Exception negotiating TLS session: The secure connection has failed due to an unsupported protocol such as TLS 1.0 or SSL 3.0. A call to SSPI failed, see inner exception..
[2018.07.22] 23:51:09 [50.198.160.177][1951716] disconnected at 7/22/2018 11:51:09 PM
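As an added example that is not part of this thread: a small parser for log lines in the format shown above, grouping by session ID and flagging sessions where the server answered STARTTLS with "220" but the handshake then ended in "554 Security failure". The first session in the sample is copied from the excerpt; the second session (ID 1951720, IP 203.0.113.7) is constructed here for contrast and does not appear in the original log. The line layout is assumed to be exactly what the excerpt shows.

```python
import re
from collections import defaultdict

# Sample log. Session 1951716 is taken from the excerpt above; session 1951720
# is constructed for this example as a negotiation that did not fail.
SAMPLE_LOG = """\
[2018.07.22] 23:51:09 [50.198.160.177][1951716] cmd: STARTTLS
[2018.07.22] 23:51:09 [50.198.160.177][1951716] rsp: 220 Start TLS negotiation
[2018.07.22] 23:51:09 [50.198.160.177][1951716] rsp: 554 Security failure
[2018.07.22] 23:51:09 [50.198.160.177][1951716] Exception negotiating TLS session: The secure connection has failed due to an unsupported protocol such as TLS 1.0 or SSL 3.0. A call to SSPI failed, see inner exception..
[2018.07.22] 23:51:09 [50.198.160.177][1951716] disconnected at 7/22/2018 11:51:09 PM
[2018.07.22] 23:52:30 [203.0.113.7][1951720] cmd: STARTTLS
[2018.07.22] 23:52:30 [203.0.113.7][1951720] rsp: 220 Start TLS negotiation
[2018.07.22] 23:52:31 [203.0.113.7][1951720] cmd: EHLO mail.example.net
"""

# [date] time [client-ip][session-id] message  (layout assumed from the excerpt)
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] (?P<msg>.*)$"
)


def parse_log(text):
    """Group log lines by session ID; each entry is (client_ip, message)."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        sessions[m["session"]].append((m["ip"], m["msg"]))
    return sessions


def find_starttls_failures(text):
    """Return one finding per session whose STARTTLS negotiation ended in 554.

    A finding records the peer IP, the exception text (if logged) and a coarse
    reason: 'protocol-version' when the exception mentions an unsupported
    protocol, 'other' otherwise.
    """
    findings = []
    for session, events in parse_log(text).items():
        msgs = [msg for _, msg in events]
        if "cmd: STARTTLS" not in msgs:
            continue
        after_starttls = msgs[msgs.index("cmd: STARTTLS") + 1:]
        if not any(m.startswith("rsp: 554") for m in after_starttls):
            continue  # handshake did not fail with a 554 in this session
        exc = next(
            (m for m in after_starttls if m.startswith("Exception negotiating TLS session:")),
            "",
        )
        reason = "protocol-version" if "unsupported protocol" in exc else "other"
        findings.append({
            "session": session,
            "ip": events[0][0],
            "reason": reason,
            "exception": exc,
        })
    return findings


if __name__ == "__main__":
    for f in find_starttls_failures(SAMPLE_LOG):
        print(f"{f['session']} {f['ip']} {f['reason']}: {f['exception']}")
```

Run over a day's log, the output lists which peers keep failing the handshake after the server has already said 220; a "protocol-version" finding corresponds to the exception text in the excerpt, where one side only offers TLS 1.0 or SSL 3.0 and the other refuses them.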
Hi Alan,
It is a common misconception among inexperienced or new-to-the-business admins, particularly those who come from a Windows background and have no experience with Unix or anything outside of the Windows ecosphere, that TLS has something to do with mailserver-to-mailserver SMTP communication on the Internet.
TLS is only used when sending mail from a mail client to a mail server. Its purpose is to protect the password used for authentication from client to server. This is used because clients typically don't have static IPs nor complete DNS records the way mailservers do.
Mailservers on the Internet do not encrypt mail from server to server because they do not use passwords server-to-server.
TLS is based on the concept of trust. I can trust that your email client is legitimate because it is using a password that I assigned. But Barbara cannot trust that my or ANY mailserver is legitimate because nothing prevents a spammer from going out there, running the latest TLS, and getting a DNS record set up that matches – then drowning her mailserver in spam.
Mailservers on the Internet do not trust each other because there is no way to guarantee that a random SMTP connection is coming from a legitimate host or not. If Barbara thinks differently, I encourage her to patent her invention, as if it works she would be a millionaire.
This is why TLS between mailservers does absolutely nothing and it is why it's not used. RFC 3207 makes it quite clear on this:
“…This document describes an extension to the SMTP (Simple Mail Transfer Protocol) service that allows an SMTP server AND CLIENT…”
This is NOT a server-to-server protocol. Furthermore:
“…A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in…”
Also, it’s NOT secure NO MATTER WHAT version is in use:
“…It should be noted that SMTP is not an end-to-end mechanism. Thus, if an SMTP client/server pair decide to add TLS privacy, they are not securing the transport from the originating mail user agent to the recipient….”
See https://tools.ietf.org/html/rfc3207
The problem is that she has misconfigured her mailserver. It's likely she has pressed some sort of Exchange server into use as an Internet mailserver. These make very, very unsatisfactory servers because their defaults are completely wrong for the Internet, and unless the admin has a lot of experience in email they will be led down rabbit hole after rabbit hole.
It is likely that, seeing some sort of button or knob saying “security” with inadequate understanding of secure email, she has clicked it – and now has a false sense of security that she is “securing” email when in reality it is doing nothing other than causing problems.
I would recommend, for further education, that she go to the O’Reilly book on Sendmail and read it cover to cover. That book is regarded as the standard handbook for email communication on the Internet and it has a lot about the protocol itself, not just the program that invented Internet email.
Ted