Outgoing Gateway "Encryption" setting SM16 6885
Problem reported by Nicolas Fertig - November 12 at 11:24 PM
Submitted
Hi,

For more than a year, we've been using SM16 with all mails sent through an outgoing gateway.

We updated during the night from Sunday to Monday, from 6870 to 6885.

After the update, while checking the spool to see if everything was running well, we noticed that all outgoing mails were staying for at least 5 minutes in the "Waiting to deliver" state.
(It wasn't the case before the update).


After a good hour of investigating, we noticed that this corresponded to the first 5 minutes of the "retry" settings we've set in the spool general options.

Going through the logs showed that the issue was the TLS certificate of the outgoing gateway being rejected because it had been expired since 2012.

Grepping the logs for "is expired" shows:

[2018.11.12] 01:45:01 [93288] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:07 [41005] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:13 [41016] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:16 [41026] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:16 [41033] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:23 [41042] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:38 [41067] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:38 [41066] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:50 [41068] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:53 [41088] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:53 [41088] Certificate is expired as of 07.01.2012 06:53:26.
[Cropped a lot more]



So SM tries to send the mail, rejects the certificate and waits for the retry time, then tries to send the mail without TLS (and it goes through at this point).

All this seems logical, but the problem is that we've never used TLS with the outgoing gateway and in the configuration encryption is set to "None".


It looks like in the last update, even if encryption is set to None, SM tries to use TLS anyway if the gateway announces STARTTLS in its capabilities.

We had two ways of fixing this: disabling TLS completely on the gateway or installing a valid certificate. We opted for the 2nd option and it fixed it, no more outgoing mail stuck for 5 minutes in the "Waiting to deliver" state.

My question here is: why, since the latest update, is SM ignoring the fact that we set encryption to None in the outgoing gateway configuration?

Might this be related to this changelog entry:

Fixed: Errors in delivery and SMTP logs regarding certificate problems. (Logs now show certificate issues, if encountered).

I understand this should be only a logging change but we never had SM delaying outgoing delivery before the latest update because of a certificate problem.
Has some code changed about how it handles the "Encryption" setting in gateway configuration? Is it now ignored?

Thanks for reading
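
A small triage script for the log lines quoted in the post above, added here as an example and not part of the original post or of SmarterMail: it groups the "Certificate is expired" events by reported expiry value so a recurring bad gateway certificate stands out. It assumes the line layout shown in the post and treats the bracketed number as a session identifier, which the post does not confirm.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout as quoted in the post: [date] time [id] message
LINE_RE = re.compile(
    r"^\[(\d{4}\.\d{2}\.\d{2})\] (\d{2}:\d{2}:\d{2}) \[(\d+)\] "
    r"Certificate is expired as of (.+?)\.\s*$"
)

def summarize_expired_certs(lines):
    """Group 'Certificate is expired' events by the reported expiry value.

    The expiry value is kept as an opaque string because the log does not
    state its day/month order. The bracketed number is assumed to identify
    a delivery session.
    """
    groups = defaultdict(lambda: {"events": 0, "sessions": set(),
                                  "first_seen": None, "last_seen": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        day, clock, session, expiry = m.groups()
        seen = datetime.strptime(f"{day} {clock}", "%Y.%m.%d %H:%M:%S")
        g = groups[expiry]
        g["events"] += 1
        g["sessions"].add(session)
        g["first_seen"] = seen if g["first_seen"] is None else min(g["first_seen"], seen)
        g["last_seen"] = seen if g["last_seen"] is None else max(g["last_seen"], seen)
    return dict(groups)

# Constructed sample: three lines copied from the post plus one unrelated line.
SAMPLE = """\
[2018.11.12] 01:45:01 [93288] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:53 [41088] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:45:53 [41088] Certificate is expired as of 07.01.2012 06:53:26.
[2018.11.12] 01:46:00 [41090] Constructed unrelated line
""".splitlines()

if __name__ == "__main__":
    for expiry, g in summarize_expired_certs(SAMPLE).items():
        print(f"expired {expiry}: {g['events']} events, "
              f"{len(g['sessions'])} sessions, "
              f"{g['first_seen']} .. {g['last_seen']}")
```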

1 Reply

Nicolas Fertig Replied
By the way, I notice that inline images posted in our previous message aren't readable (too small) and you can't click on them to zoom, but copying the image and pasting it in Paint or any image editor shows it at its original size.
It would be nice to be able to zoom them without this trick.
