1
Can't receive from Gmail users
Problem reported by David Short - 11/27/2024 at 8:11 AM
Submitted
When emails are sent from Gmail and/or Google hosted email servers, there is a new error that is appearing: 


We have not made any changes and the troubleshooting I did from my web searches resulted in unchecking TLS 1.0 as a protocol.  This started on Monday and I'm at a standstill with progressing on this.
TLS and SSL and related certificates seem to check out fine.

Any guidance would be greatly appreciated!

11 Replies

1
Tony Scholz Replied
Employee Post
Hello, 

I would recommend running IIS Crypto for best practices on your server to disable the old and outdated ciphers and TLS/SSL protocols. 


There is a best practice button or a PCI template you can use. You will also want to make sure that port 25 on your server has an SSL assigned to it. (Settings -> general -> bindings -> ports [tab]) in the web mail interface. 

Thank you
~Tony
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
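Added example (my own, not SmarterTools code) for checking the two things Tony lists: which protocols the port 25 binding still accepts, and whether a usable certificate is bound to it. SSL Labs only tests HTTPS on 443, so its grade says nothing about the SMTP binding; this script does what a sending MTA such as Gmail does, EHLO then STARTTLS on port 25, and reports what was negotiated. Host names are placeholders.

```python
"""Probe an SMTP listener's STARTTLS the way a sending MTA such as Gmail does.

Added example, not SmarterTools code. Host names are placeholders.
"""
import smtplib
import ssl
import sys


def _client_context(min_version, max_version=None):
    """Client context that completes the handshake even for an untrusted cert,
    because the goal is to see what the server presents, not to judge its chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = min_version
    if max_version is not None:
        ctx.maximum_version = max_version
    return ctx


def probe_starttls(host, port=25, ctx=None, helo="probe.example.invalid", timeout=10):
    """EHLO, STARTTLS, and report what was negotiated. Handshake failures are
    returned as data rather than raised, so a batch of MX hosts can be scanned."""
    ctx = ctx or _client_context(ssl.TLSVersion.TLSv1_2)
    s = smtplib.SMTP(host, port, local_hostname=helo, timeout=timeout)
    try:
        _code, banner = s.ehlo()
        if not s.has_extn("starttls"):
            return {"starttls_offered": False, "ehlo": banner.decode(errors="replace")}
        try:
            s.starttls(context=ctx)
        except (smtplib.SMTPException, ssl.SSLError, OSError) as exc:
            # A server that answers 220 and then writes a plaintext "554" into
            # the handshake surfaces here as an SSLError on the client side.
            return {"starttls_offered": True, "handshake_ok": False,
                    "error": f"{type(exc).__name__}: {exc}"}
        sock = s.sock
        return {"starttls_offered": True, "handshake_ok": True,
                "version": sock.version(), "cipher": sock.cipher()[0],
                "cert_der_len": len(sock.getpeercert(binary_form=True) or b"")}
    finally:
        s.close()


def accepts_legacy_tls10(host, port=25):
    """True if the listener still completes a TLS 1.0 handshake (the usual reason
    for an SSL Labs grade B). OpenSSL 3 refuses TLS 1.0 at its default security
    level, so SECLEVEL=0 is set for this probe only; if the local OpenSSL has
    TLS 1.0 compiled out entirely, the result is False regardless of the server."""
    try:
        ctx = _client_context(ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1)
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        return False
    return bool(probe_starttls(host, port, ctx=ctx).get("handshake_ok"))


def assess(result, legacy_tls10=False):
    """Turn probe output into the findings a mail admin acts on."""
    if not result.get("starttls_offered"):
        return ["STARTTLS not advertised: remote MTAs will fall back to plaintext or refuse"]
    if not result.get("handshake_ok"):
        return ["STARTTLS advertised but handshake failed (check the certificate bound "
                "to the SMTP port and its private key): " + result.get("error", "")]
    findings = []
    if result["version"] in ("TLSv1", "TLSv1.1"):
        findings.append(f"{result['version']} negotiated by default: disable legacy protocols and re-test")
    if result["cert_der_len"] == 0:
        findings.append("no certificate presented on STARTTLS")
    if legacy_tls10:
        findings.append("TLS 1.0 still accepted: disable it in the TLS bindings / IIS Crypto")
    return findings


if __name__ == "__main__":
    for host in sys.argv[1:] or ["mail.example.com"]:   # placeholder host
        r = probe_starttls(host)
        legacy = accepts_legacy_tls10(host) if r.get("handshake_ok") else False
        print(host, r, assess(r, legacy) or ["OK"])
```

Run it as `python probe.py mail.yourdomain.example` from outside your network; the probe deliberately skips chain validation so that a wrongly bound or expired certificate is still reported rather than hidden behind a verification error.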
1
Brian Bjerring-Jensen Replied
What build??
1
Brian Bjerring-Jensen Replied
1
David Short Replied
SmarterMail Enterprise 100.0.7879.30160 (Jul 28, 2021) is the build. I am open to changing/updating of course.

Tony, thanks for the IIS Crypto suggestion. I ran through a previous thread and followed the instructions to lock down the server itself with the proper supported protocols.  I have checked the SSL Labs site and everything is coming back letter B, because TLS 1.0 is supported on the server.  I have checked the default for the SmarterMail protocols and have verified certificates for domain and mail server, as well as verifying the PTR records.

Brian, thanks for the suggestion. I read that thread and it was very interesting!
0
David Short Replied
Additional:

0
David Short Replied
Just found this in the logs...


[2024.11.27] 08:47:50.162 [209.85.167.46][64824418] Country code: US
[2024.11.27] 08:47:50.287 [209.85.167.46][64824418] cmd: EHLO mail-lf1-f46.google.com
[2024.11.27] 08:47:50.287 [209.85.167.46][64824418] rsp: 250-mail.answercentrela.com Hello [209.85.167.46]
[2024.11.27] 250-SIZE 699050666
[2024.11.27] 250-AUTH LOGIN CRAM-MD5
[2024.11.27] 250-STARTTLS
[2024.11.27] 250-8BITMIME
[2024.11.27] 250-DSN
[2024.11.27] 250 OK
[2024.11.27] 08:47:50.412 [209.85.167.46][64824418] cmd: STARTTLS
[2024.11.27] 08:47:50.412 [209.85.167.46][64824418] rsp: 220 Start TLS negotiation
[2024.11.27] 08:47:50.537 [209.85.167.46][64824418] rsp: 554 Security failure
[2024.11.27] 08:47:50.537 [209.85.167.46][64824418] Exception negotiating TLS session: System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.
[2024.11.27]    at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
[2024.11.27]    at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
[2024.11.27]    at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
[2024.11.27]    at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
[2024.11.27]    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
[2024.11.27]    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
[2024.11.27]    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
[2024.11.27]    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
[2024.11.27]    at MailService.TcpServerLib.Common.PooledTcpItem.ConvertToSSL(db_system_binding_port setting, Log log, String sessionId)
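Added example (mine, not SmarterTools code) showing how to pull sessions like the one above out of the SMTP log automatically instead of eyeballing it: group lines by session id, keep sessions where STARTTLS was accepted with 220 and then either a 554 or an "Exception negotiating TLS session" followed, and report the remote IP, EHLO name and exception text. The sample log embeds the lines from this post plus one constructed healthy session (IP 198.51.100.7, mx.example.net) for contrast.

```python
"""Detect inbound sessions whose STARTTLS handshake failed, from SmarterMail SMTP logs.

Added example, not SmarterTools code. SAMPLE_LOG reuses the lines from the post
above; the 198.51.100.7 / mx.example.net session is constructed.
"""
import re
from collections import defaultdict

# "[date] time [remote-ip][session-id] message"; continuation lines (stack traces)
# lack the time and ip fields and are skipped on purpose.
LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] (?P<msg>.*)$")

EXC_PREFIX = "Exception negotiating TLS session: "

SAMPLE_LOG = """\
[2024.11.27] 08:47:50.162 [209.85.167.46][64824418] Country code: US
[2024.11.27] 08:47:50.287 [209.85.167.46][64824418] cmd: EHLO mail-lf1-f46.google.com
[2024.11.27] 08:47:50.287 [209.85.167.46][64824418] rsp: 250-mail.answercentrela.com Hello [209.85.167.46]250-SIZE 699050666250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2024.11.27] 08:47:50.412 [209.85.167.46][64824418] cmd: STARTTLS
[2024.11.27] 08:47:50.412 [209.85.167.46][64824418] rsp: 220 Start TLS negotiation
[2024.11.27] 08:47:50.537 [209.85.167.46][64824418] rsp: 554 Security failure
[2024.11.27] 08:47:50.537 [209.85.167.46][64824418] Exception negotiating TLS session: System.NotSupportedException: The server mode SSL must use a certificate with the associated private key.
[2024.11.27]    at System.Net.Security.SecureChannel.AcquireServerCredentials(Byte[]& thumbPrint)
[2024.11.27] 08:48:01.001 [198.51.100.7][64824419] cmd: EHLO mx.example.net
[2024.11.27] 08:48:01.002 [198.51.100.7][64824419] cmd: STARTTLS
[2024.11.27] 08:48:01.002 [198.51.100.7][64824419] rsp: 220 Start TLS negotiation
[2024.11.27] 08:48:01.150 [198.51.100.7][64824419] cmd: MAIL FROM:<alice@example.net>
"""


def sessions(lines):
    """Group parsed events by session id, preserving log order."""
    by_id = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            by_id[m["session"]].append(m.groupdict())
    return by_id


def classify(reason):
    """Map the .NET exception text to the action an admin should take."""
    if "must use a certificate with the associated private key" in reason:
        return "certificate bound to the SMTP port has no private key: bind a PFX that includes the key"
    return "see the exception text; check the certificate and protocol/cipher bindings"


def find_tls_failures(lines):
    """Return one record per session in which STARTTLS was issued and then failed."""
    found = []
    for sid, events in sessions(lines).items():
        msgs = [e["msg"] for e in events]
        if "cmd: STARTTLS" not in msgs:
            continue
        after = msgs[msgs.index("cmd: STARTTLS") + 1:]
        exc = next((m for m in after if m.startswith(EXC_PREFIX)), None)
        refused = any(m.startswith("rsp: 554") for m in after)
        if exc is None and not refused:
            continue                      # handshake went through
        reason = exc[len(EXC_PREFIX):] if exc else "554 after STARTTLS with no logged exception"
        helo = next((m[len("cmd: EHLO "):] for m in msgs if m.startswith("cmd: EHLO ")), None)
        first = events[0]
        found.append({"session": sid, "ip": first["ip"],
                      "when": f"{first['date']} {first['time']}",
                      "helo": helo, "reason": reason, "hint": classify(reason)})
    return found


if __name__ == "__main__":
    for hit in find_tls_failures(SAMPLE_LOG.splitlines()):
        print(f"{hit['when']} {hit['ip']} ({hit['helo']}) session {hit['session']}: "
              f"{hit['reason']}\n    -> {hit['hint']}")
```

Point it at a real log with `find_tls_failures(open(path, encoding="utf-8", errors="replace"))`; a sudden cluster of hits from google.com and outlook.com EHLO names after a quiet period is the signature of a broken binding rather than a misbehaving sender.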
0
David Short Replied
Marked As Resolution
Well, after seeing the log entries, I re-exported the server certificate and private key (I think this is the issue) to a PFX certificate instead of a CER certificate. I rebound the TLS protocol to this PFX file and the issue has been resolved.  Thanks so much to you guys who jumped in so quickly.

While you're here, do you think it's a good idea to upgrade the SmarterMail version to the latest release or?
0
Tony Scholz Replied
Employee Post
Glad you were able to get it working. In the newer builds we force you to use a PFX, but in the older ones you could choose not to. Have a great day!
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
0
Brian Bjerring-Jensen Replied

Despite this it fails after TLS negotiation.

0
David Short Replied
Brian are you having trouble with this still?
1
Brian Bjerring-Jensen Replied
Just solved it. I didn't update our TLSA record when I renewed our certificate. As soon as I did that, mails started flowing from Microsoft.

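Added example (mine, not part of the thread) for the stale-TLSA case Brian describes. Senders that validate DANE, as Microsoft 365 does for outbound mail, compute the TLSA digest from the certificate your port 25 presents and refuse to deliver if no published record matches. The script computes the TLSA rdata for a DER certificate, checks it against the records you publish, and shows why a renewal that keeps the same key survives a "3 1 1" (SPKI) record while a "3 0 1" (full certificate) record breaks on every renewal. The DER parser is a minimal one written for this example, and the certificates in it are constructed X.509-shaped stubs, not real signed certificates; for a real file use load_pem().

```python
"""Compute and verify DANE TLSA records for the certificate an MX presents.

Added example, not part of the thread. Certificates below are constructed
DER stubs with the X.509 field layout; load_pem() handles real ones.
"""
import hashlib
import ssl


def _der(tag, body):
    """Encode one DER TLV (used only to build the constructed sample certs)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _tlv(buf, pos):
    """Decode the TLV at pos: returns (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, whole_tlv_bytes) for each element inside a constructed value."""
    pos = start
    while pos < end:
        tag, _vs, ve = _tlv(buf, pos)
        yield tag, buf[pos:ve]
        pos = ve


def spki_der(cert_der):
    """Extract the DER SubjectPublicKeyInfo: Certificate -> tbsCertificate ->
    [version] serial signature issuer validity subject subjectPublicKeyInfo."""
    _, vs, ve = _tlv(cert_der, 0)
    _, tbs = next(_children(cert_der, vs, ve))
    _, tvs, tve = _tlv(tbs, 0)
    fields = [c for _, c in _children(tbs, tvs, tve)]
    if fields[0][0] == 0xA0:               # EXPLICIT [0] version is optional
        fields = fields[1:]
    return fields[5]


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA presentation format: usage selector matching-type hex-digest.
    usage 3 (DANE-EE) is the normal choice for an MX; usage 0/1 additionally
    need PKIX chain validation, which this function does not perform."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        digest = data
    elif mtype == 1:
        digest = hashlib.sha256(data).digest()
    elif mtype == 2:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {digest.hex()}"


def dane_matches(cert_der, published):
    """True if any published TLSA record (presentation format) matches cert_der."""
    for rec in published:
        u, s, m, digest = rec.split()
        if tlsa_rdata(cert_der, int(u), int(s), int(m)).split()[3] == digest.lower():
            return True
    return False


def load_pem(path):
    """DER bytes of the first certificate in a PEM file (e.g. the cert bound to port 25)."""
    with open(path, encoding="ascii") as f:
        return ssl.PEM_cert_to_DER_cert(f.read())


# --- constructed sample material (not real keys or certificates) ---
KEY_A = _der(0x30, b"algA") + _der(0x03, b"\x00keyA")   # stand-in SPKI contents
KEY_B = _der(0x30, b"algB") + _der(0x03, b"\x00keyB")


def fake_cert(spki_body, serial):
    """Constructed, X.509-shaped DER so the parser has the right field layout."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial) + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, spki_body))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    old = fake_cert(KEY_A, b"\x01")
    renewed_same_key = fake_cert(KEY_A, b"\x02")
    renewed_new_key = fake_cert(KEY_B, b"\x03")
    published = [tlsa_rdata(old)]                       # what DNS still says
    print("published:", published[0])
    print("renewed, same key, 3 1 1 matches:", dane_matches(renewed_same_key, published))
    print("renewed, new key,  3 1 1 matches:", dane_matches(renewed_new_key, published))
    print("record to publish for new key:", tlsa_rdata(renewed_new_key))
```

Compare the output with `dig +short TLSA _25._tcp.<your MX name>`; publish the new record before binding a renewed certificate with a new key, and keep the old record until the DNS TTL has passed so validating senders never see a window with no matching record.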