Red_Nine (United Kingdom of Great Britain and Northern Ireland)

ASKER

Incoming TLS problems

I've got a bit of an odd problem with TLS email.

It works from some senders, but not others.

From one of the senders that's not working, I get EHLO, STARTTLS, STARTTLS, MAIL, RCPT then QUIT. No DATA. It just quits out.

The only NDR I've had sent to me showed a 4.4.2 error from Postfix: "Lost connection while sending MAIL FROM".

Other servers use TLS with no issues, and a check of the received mail's headers shows that the session was over a secure channel, so TLS is presumably working correctly there. Outbound TLS seems unaffected (We have two SMTP connectors on each server - one with specified domains that supports TLS and one without for the rest.)

My workaround has been to disable TLS every few hours for a short while to let retried mails in without TLS - this is definitely NOT a preferred solution! :)

The thing that's odd - it's affecting two SMTP servers (both Exchange 2003) in different offices. I could accept one server having a bad day or two, but two at the same time?

And it was working normally until recently! :s

The certificates have been renewed (they weren't too far away from expiry anyway) and CheckTLS.com and MXToolbox.com don't flag any problems when TLS is enabled. They didn't show any problems beforehand, either. There have been no significant changes to either SMTP server. Certainly nothing that would affect SMTP and TLS.

Diagnostics Logging for Exchange Transport is on maximum, but gives me nothing about these problems.

Has anyone seen a similar problem to this? Is it possible it's an ISP issue? The one thing both servers have in common is they're both on the same ISP.

Any help or insight would be welcome.

Thanks.
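As an added diagnostic example (not from the question or from any answer on this page): a small Python script that groups a simplified SMTP protocol log by session and flags sessions that issued STARTTLS but quit after RCPT without ever sending DATA, the pattern described in the question. The log lines, session ids and addresses are constructed for the example; the "session-id command" format is an assumption, not Exchange's real protocol-log layout.

```python
"""Flag SMTP sessions that negotiated STARTTLS but never reached DATA."""
from collections import defaultdict

# Constructed sample log: "<session-id> <SMTP command line>" (assumed format).
# s1 delivers over TLS, s2 shows the failure pattern from the question
# (double STARTTLS, MAIL, RCPT, QUIT, no DATA), s3 delivers without TLS.
SAMPLE_LOG = """\
s1 EHLO mail.example.net
s1 STARTTLS
s1 EHLO mail.example.net
s1 MAIL FROM:<a@example.net>
s1 RCPT TO:<b@example.org>
s1 DATA
s1 QUIT
s2 EHLO relay.example.fr
s2 STARTTLS
s2 STARTTLS
s2 MAIL FROM:<c@example.fr>
s2 RCPT TO:<b@example.org>
s2 QUIT
s3 EHLO plain.example.de
s3 MAIL FROM:<d@example.de>
s3 RCPT TO:<b@example.org>
s3 DATA
s3 QUIT
"""


def parse_sessions(log_text):
    """Return {session_id: [SMTP verbs in order]} from the log text."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        sid, _, rest = line.partition(" ")
        sessions[sid].append(rest.split(" ", 1)[0].upper())
    return dict(sessions)


def classify(verbs):
    """Label one session by how far it got and whether TLS was involved."""
    if "DATA" in verbs:
        return "delivered"
    if "RCPT" in verbs and "STARTTLS" in verbs:
        return "tls-abort"      # reached RCPT over TLS, then gave up: the question's pattern
    if "RCPT" in verbs:
        return "plain-abort"    # same abort, but TLS was never attempted
    return "incomplete"         # never got as far as RCPT


def analyse(log_text):
    """Per-session report; a second STARTTLS is noted because RFC 3207 forbids
    starting TLS again once a TLS session is already active."""
    return {
        sid: {"outcome": classify(verbs),
              "double_starttls": verbs.count("STARTTLS") > 1}
        for sid, verbs in parse_sessions(log_text).items()
    }
```

Run `analyse()` over a real protocol log converted to this shape; a cluster of "tls-abort" sessions from the same sending domains, with "delivered" sessions from everyone else, points at the sender or the path rather than at the listener's certificate.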
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)
Red_Nine

ASKER

Not really what I wanted to hear, but thanks for your input.

The problem occurs with AV and the various layers of anti-spam turned off (in some cases with the SMTP sinks removed, too). :s

On the firewall, the first thing I suspected was ESMTP inspection, but the Cisco bods assure me this is not the case. If it was on, why would only some TLS mail be stopped and not all of it?

For "never very good" Exchange 2003 has done just fine for the 6+ years I've been using TLS on it. :)  I planned on retiring both boxes this year anyway, but unless the ISP come back with an admission of buggering up a router or two and a promise to fix them, it looks like it's sleeves up and Edge Server install time a bit earlier.

"It also doesn't help that each MTA developer has a different interpretation of the RFCs"

Standards; there's either too bloody many of them, or if there's only one, no two organisations actually follow it the same way.
CubeOver

The certificates that you renewed - are they rooting in the same anchor (root CA) as before, with the same thumbprint?
Only logging on the sender side could help you further diagnose the issue.
It might be a case that your new certs are signed by a different root CA that is not trusted by some senders.
Red_Nine

ASKER

The certs are from the same CA, with the same Root and Chain certs. I've checked the current chain and root certs against what I have installed and they're the same. The certificate console doesn't report any problems. The external test for TLS confidence at CheckTLS.com doesn't return any problems.

"renewed" is probably the wrong term - "revoked and started again from scratch with new requests" is more accurate.

I might try a whole new cert from another CA. Any recommendations?

"Only logging on the sender side could help you further diagnose the issue."

I've requested help from our ISP in case it's a transport thing (the problem seems to be regional with France and Germany affected most) and also from the ISP of the main offender. But as I'm not a customer of theirs, they're not really being helpful; if I call them, they just go down the first-line cheat sheet for client issues. An email has requested an escalation to the backroom boys and some log excerpts, but I'm not holding my breath. (And I did provide them with an alternate email address!! :) )

The thing that makes me weep - the emails from Experts Exchange telling me of replies...

...are TLS encrypted. "over TLS secured channel with Microsoft SMTPSVC". :s
Red_Nine

ASKER

Mail from the affected senders started coming in correctly after deploying an Edge Transport Server.

However, one of the affected senders has confirmed a known issue at their end, so it's not all Exchange 2003's fault.