Can not locate setting "Enable TLS if supported by the remote server"
Problem reported by John Quest - 12/28/2023 at 2:56 PM
Submitted
Using build 8747, under Protocols, SMTP Out, there is no "Enable TLS if supported by the remote server" setting there.

I am experiencing a problem with sending to some domains that have an expired certificate and want to make sure that it is being bypassed correctly.

What I am seeing in the delivery log is this:

CMD: EHLO xxxxxxxx
RSP: blahblahblah
CMD: STARTTLS
RSP: 220 2.0.0 Ready to Start TLS
Certificate is expired as of 01/20/2023 3:59:59 PM. (Bypassed due to setting)
Attempt to ip, 'xxx.xxx.xxx.xxx' success: 'False'

It is acting like it is not bypassing per the setting "Bypass certificate validation checks" even though it is set to ENABLED.
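The log excerpt above can be checked mechanically rather than by eye. The following script is an added example, not part of the thread and not SmarterMail's own code; it parses constructed delivery-log lines in the same shape as the excerpt (hostnames and addresses are made up) and flags attempts where "(Bypassed due to setting)" was logged but the attempt still ended in success: 'False', which is exactly the mismatch described in the post.

```python
import re
from datetime import datetime

# Constructed sample delivery log modelled on the excerpt in the post.
# Attempt 1 reproduces the reported case (bypass logged, delivery fails);
# attempt 2 is a normal successful STARTTLS delivery for comparison.
SAMPLE_LOG = """\
CMD: EHLO mail.example.test
RSP: 250-remote.example.test Hello
CMD: STARTTLS
RSP: 220 2.0.0 Ready to Start TLS
Certificate is expired as of 01/20/2023 3:59:59 PM. (Bypassed due to setting)
Attempt to ip, '192.0.2.10' success: 'False'
CMD: EHLO mail.example.test
RSP: 250-other.example.test Hello
CMD: STARTTLS
RSP: 220 2.0.0 Ready to Start TLS
Attempt to ip, '192.0.2.20' success: 'True'
"""

# Expiry timestamp as written in the log: MM/DD/YYYY h:mm:ss AM/PM
EXPIRED_RE = re.compile(
    r"expired as of (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
)
ATTEMPT_RE = re.compile(r"^Attempt to ip, '([^']+)' success: '(True|False)'")
BYPASS_MARKER = "(Bypassed due to setting)"


def parse_delivery_log(text):
    """Split a delivery log into one record per delivery attempt.

    An attempt starts at 'CMD: EHLO' and ends at the 'Attempt to ip' line.
    Any line beginning with 'Certificate ' is treated as a certificate
    validation problem; the expiry date is parsed when present.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("CMD: EHLO"):
            current = {
                "ip": None,
                "starttls": False,
                "cert_problem": None,
                "cert_expired_on": None,
                "bypass_logged": False,
                "success": None,
            }
            records.append(current)
            continue
        if current is None:
            continue  # lines before the first EHLO are ignored
        if line == "CMD: STARTTLS":
            current["starttls"] = True
            continue
        if line.startswith("Certificate "):
            current["cert_problem"] = line
            current["bypass_logged"] = BYPASS_MARKER in line
            m = EXPIRED_RE.search(line)
            if m:
                current["cert_expired_on"] = datetime.strptime(
                    m.group(1), "%m/%d/%Y %I:%M:%S %p"
                )
            continue
        m = ATTEMPT_RE.match(line)
        if m:
            current["ip"] = m.group(1)
            current["success"] = m.group(2) == "True"
    return records


def find_inconsistent_bypasses(records):
    """Attempts where the log claims the certificate check was bypassed
    but delivery still failed: the behaviour reported in this thread."""
    return [r for r in records if r["bypass_logged"] and r["success"] is False]


if __name__ == "__main__":
    recs = parse_delivery_log(SAMPLE_LOG)
    for r in find_inconsistent_bypasses(recs):
        print(f"{r['ip']}: bypass logged but delivery failed "
              f"(cert expired {r['cert_expired_on']:%Y-%m-%d})")
```

Run it against a real delivery log by replacing SAMPLE_LOG with the file contents; any address it prints is a remote server whose certificate was flagged, the bypass setting was reported as active, and delivery still failed, which is the combination worth raising with support rather than silently retrying.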

7 Replies

Kyle Kerst Replied
Employee Post
Hi John! This setting was moved into the domain level with the implementation of SSL/SNI support from within SmarterMail. You'll find it in the domain's settings on the Options page in the Security card now. We also identified an issue with this bypass setting that will be resolved in our upcoming release so keep an eye out for that!
Kyle Kerst System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
John Quest Replied
Thanks, but sort of.

OK, so I found the setting and it was disabled. So if it is disabled, why is SmarterMail attempting to send with STARTTLS?
John Quest Replied
AND is on a gateway implementation.
John Quest Replied
OK, interesting observation. I had emails backing up in the "waiting to deliver" so I did some testing. This is what I found:

If "Enable TLS if supported by the remote server" is NOT ENABLED, attempting to send to an email server that has a certificate problem FAILS no matter what the SMTP OUT protocol setting "Bypass certificate validation checks" is set to. 

HOWEVER, if "Enable TLS if supported by the remote server" IS ENABLED, then IF "Bypass certificate validation checks" is set to ENABLED, then if the remote server does not have a valid certificate, such as an expired one, the email delivery continues per the bypass setting.
Ron Raley Replied
We learned today that TLS 1.3 is not supported by Windows Server 2019. The OS downgrades the connection to TLS 1.2.
echoDreamz Replied
Only Server 2022 and higher supports TLS 1.3 as you’ve found out.
Ron Raley Replied
With .NET 8 for SmarterMail plus TLS 1.3, I would think it is wise for us to migrate to Windows Server 2022.