2
Unable to communicate with TLS 1.0 senders
Question asked by Douglas Foster - 3/18/2021 at 8:20 AM
Answered
I discovered that with TLS1.0 disabled, incoming connections from senders that can only do TLS1.0 are failing, as expected, but are not falling back to no encryption. Instead, the connection is dropped and reattempted, again with STARTTLS, and the failure repeats. Does anybody have a workaround other than re-enabling TLS 1.0 for incoming connections?

4 Replies

0
echoDreamz Replied
We disabled it too, but it caused massive problems. So back to enabled it is. We had issues outside of other mail servers, we had email clients that crapped themselves as well, it was a disaster.
0
Kyle Kerst Replied
Employee Post
Just commenting here with my test results for reference of other users.

I was able to complete further testing on this, and I am reaching out to outline my findings. First, I configured one of my test servers so that only TLS 1.0 was supported, then configured another test server (which is configured for TLS 1.2+ only) to relay mail to this test server for a particular domain. What I found during the SMTP session is that the initial attempt to deliver uses STARTTLS, fails, then the second attempt ignores the STARTTLS flag and transmits in the clear.

So this looks to be working as expected in my own testing at least! With that out of the way though, disabling TLS 1.0/1.1 will definitely lead to connectivity issues on older email clients and devices, so this is something you'll want to roll out with plenty of prep beforehand. Hope this helps!
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
2
Douglas Foster Replied
Marked As Answer
Kyle confirms that SmarterMail recovers gracefully to no-encryption if it is the submitting server. But my problem is servers submitting to my incoming gateway and not recovering gracefully. No workaround to bad code at the other end. I guess I will collect more data, then decide if I am wrong to miss that traffic.
1
echoDreamz Replied
That was our results as well. SM didn't seem to have issues, but some sending servers did, which resulted in tickets asking why email wasn't arriving. Ultimately, we have to leave it enabled; it caused way too many issues with old email clients as well as many mail servers.

It isn't just SM though; with our rSpamD gateways, if we disabled TLS 1.0 on Postfix, we have delivery issues.
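Douglas's plan above is to collect more data before deciding whether the lost traffic matters, and Kyle's test shows what a well-behaved sender does (STARTTLS fails, the retry goes in the clear). The script below is an added example written for this thread, not SmarterMail's or SmarterTools' code: it walks an inbound SMTP log and sorts remote senders into those that completed TLS, those that failed the handshake and then fell back to plaintext, and those that keep retrying STARTTLS and never deliver. The log layout, event names and sample lines are all constructed for the example; SmarterMail's real SMTP log format is not shown in the thread, so `parse_log` would need adapting to it.

```python
"""Inventory remote senders by STARTTLS outcome on an inbound gateway.

Added example for this thread, not SmarterMail's own code. Log format is a
hypothetical, constructed one:  "<date> <time> <remote-ip> <EVENT> [detail]"
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: three remote senders, several connections each.
#  198.51.100.7  fails the TLS handshake every time and never delivers
#  203.0.113.20  negotiates TLS 1.2 and delivers
#  192.0.2.55    fails once, reconnects without STARTTLS and delivers in clear
SAMPLE_LOG = """\
2021-03-18 08:01:02 198.51.100.7 CONNECT
2021-03-18 08:01:02 198.51.100.7 STARTTLS
2021-03-18 08:01:03 198.51.100.7 TLS_FAIL unsupported protocol version
2021-03-18 08:01:03 198.51.100.7 DISCONNECT
2021-03-18 08:02:30 203.0.113.20 CONNECT
2021-03-18 08:02:30 203.0.113.20 STARTTLS
2021-03-18 08:02:31 203.0.113.20 TLS_OK TLSv1.2
2021-03-18 08:02:32 203.0.113.20 DELIVERED <msg-a@example.net>
2021-03-18 08:02:32 203.0.113.20 DISCONNECT
2021-03-18 08:03:00 192.0.2.55 CONNECT
2021-03-18 08:03:00 192.0.2.55 STARTTLS
2021-03-18 08:03:01 192.0.2.55 TLS_FAIL unsupported protocol version
2021-03-18 08:03:01 192.0.2.55 DISCONNECT
2021-03-18 08:06:10 198.51.100.7 CONNECT
2021-03-18 08:06:10 198.51.100.7 STARTTLS
2021-03-18 08:06:11 198.51.100.7 TLS_FAIL unsupported protocol version
2021-03-18 08:06:11 198.51.100.7 DISCONNECT
2021-03-18 08:08:00 192.0.2.55 CONNECT
2021-03-18 08:08:02 192.0.2.55 DELIVERED <msg-b@example.org>
2021-03-18 08:08:02 192.0.2.55 DISCONNECT
"""

Record = Tuple[str, str, str]  # (remote_ip, event, detail)


def parse_log(text: str) -> List[Record]:
    """Split each log line into (remote_ip, event, detail); skip malformed lines."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split(None, 4)  # date, time, ip, event, optional detail
        if len(parts) < 4:
            continue
        _date, _time, ip, event = parts[:4]
        detail = parts[4] if len(parts) == 5 else ""
        records.append((ip, event, detail))
    return records


def summarize(records: List[Record]) -> Dict[str, Dict[str, int]]:
    """Count handshake outcomes and deliveries per remote IP.

    A delivery counts as 'delivered_tls' only if the *current* session
    (since its last CONNECT) completed a TLS handshake; otherwise it was
    sent in plaintext, i.e. the sender fell back after an earlier failure.
    """
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"tls_fail": 0, "tls_ok": 0, "delivered_tls": 0, "delivered_plain": 0}
    )
    tls_up: Dict[str, bool] = {}  # per-IP: is TLS active in the current session?
    for ip, event, _detail in records:
        s = stats[ip]
        if event == "CONNECT":
            tls_up[ip] = False
        elif event == "TLS_OK":
            s["tls_ok"] += 1
            tls_up[ip] = True
        elif event == "TLS_FAIL":
            s["tls_fail"] += 1
        elif event == "DELIVERED":
            if tls_up.get(ip):
                s["delivered_tls"] += 1
            else:
                s["delivered_plain"] += 1
    return dict(stats)


def classify(stats: Dict[str, Dict[str, int]]) -> Dict[str, str]:
    """Label each sender: 'stuck', 'fell-back' or 'ok'."""
    result: Dict[str, str] = {}
    for ip, s in stats.items():
        delivered = s["delivered_tls"] + s["delivered_plain"]
        if s["tls_fail"] and not delivered:
            result[ip] = "stuck"       # retries STARTTLS every time, never delivers
        elif s["tls_fail"] and s["delivered_plain"]:
            result[ip] = "fell-back"   # handshake failed, then delivered in clear
        else:
            result[ip] = "ok"
    return result


def stuck_senders(text: str, min_failures: int = 2) -> List[str]:
    """Remote IPs with at least min_failures handshake failures and no delivery."""
    stats = summarize(parse_log(text))
    return sorted(
        ip for ip, s in stats.items()
        if s["tls_fail"] >= min_failures
        and s["delivered_tls"] + s["delivered_plain"] == 0
    )


if __name__ == "__main__":
    for ip, label in sorted(classify(summarize(parse_log(SAMPLE_LOG))).items()):
        print(f"{ip:15} {label}")
    print("would be lost with TLS 1.0 off:", stuck_senders(SAMPLE_LOG))
```

The "stuck" list is the traffic Douglas would lose by leaving TLS 1.0 disabled; the "fell-back" list shows which peers behave the way Kyle's test did, and is also a reminder that opportunistic STARTTLS gives no confidentiality guarantee for those sessions, since the retry went in the clear.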