TLS 1.0 vs 1.2 for Outgoing Mail

TLS 1.0 vs 1.2 for Outgoing Mail

Postby EKjellquist » Thu Aug 30, 2018 8:16 pm

Support,

Going along with the vast majority of other sites that are updating to TLS 1.2, I upped the 'Outgoing Mail' minimum version from TLS 1.0 to 1.2 as I figured that would be fine for us at this point given that 1.3 is on the horizon. What I found over the last 3-4 weeks is that for ALL TLS outgoing connections, every single one of them fails as 'Connection closed, failed to start TLS' and then sends after 'Reconnection accepted'. If I put it back to 1.0, TLS appears fine.

I've had the other services (e.g. SMTP, POP3, IMAP, Webmail, etc) all on TLS 1.2 for over a year now with no issues; Some of these outgoing mails are going to big names like Google, CheckTLS.com, Outlook.com, etc all places that absolutely can handle TLS 1.2, but for some reason, AMS' outgoing mail always fails the TLS handshake with the setting of 1.2 or 1.1.

We're still on version 4.2.4, and I've tried to move Outgoing Mail to TLS 1.1 or 1.2 previously with the same results. I would expect a VERY small minority of receiving servers to not accept TLS 1.1 or 1.2, so is this a known issue at all? I can send debug log info in a PM, I'm a bit loathe to post it here; essentially, the outgoing TLS 1.1 or 1.2 handshake fails 100% of the time (no matter who the recipient is) and AMS asks for a re-connection, again with STARTTLS, but receiving servers always ignore it and just receive it in plaintext. When Outgoing Mail is set to TLS 1.0, the handshake completes fine 100% of the time, and the email payload is verified with an encrypted connection.
EKjellquist
 
Posts: 95
Joined: Tue Sep 09, 2014 10:40 pm

Re: TLS 1.0 vs 1.2 for Outgoing Mail

Postby Code Crafters » Fri Aug 31, 2018 10:59 pm

We use TLS 1.2 for our outgoing mails but with a single relay and have no problems connecting so I don’t think it’s a bug with outgoing mails not being able to connect using TLS 1.2.

We have all our services set to TLS 1.2 except for SMTP which is set to TLS 1.0 for compatibility with older mail servers sending to us.

We'll run some tests against the hosts you've emailed us to see if we can connect with TLS 1.1 / 1.2 from Ability and from other sources too in case there is a bug stopping these connections rather than the hosts just not supporting the newer versions.
Code Crafters
 
Posts: 942
Joined: Mon Sep 10, 2007 2:35 pm


Return to General

Who is online

Users browsing this forum: Google [Bot] and 8 guests

cron