Solved

Incoming TLS problems

Posted on 2014-02-28
Last Modified: 2014-03-05
I've got a bit of an odd problem with TLS email.

It works from some senders, but not others.

From one of the senders that's not working, I get EHLO, STARTTLS, STARTTLS, MAIL, RCPT then QUIT. No DATA. It just quits out.

The only NDR I've had sent to me showed a 4.4.2 error from Postfix. "Lost connection while sending MAIL FROM".

Other servers use TLS with no issues, and a check of the received mail's headers shows that the session was over a secure channel, so TLS is presumably working correctly there. Outbound TLS seems unaffected (We have two SMTP connectors on each server - one with specified domains that supports TLS and one without for the rest.)

My workaround has been to disable TLS every few hours for a short while to let retried mails in without TLS - this is definitely NOT a preferred solution! :)

The thing that's odd - it's affecting two SMTP servers (both Exchange 2003) in different offices. I could accept one server having a bad day or two, but two at the same time?

And it was working normally until recently! :s

The certificates have been renewed (they weren't too far away from expiry anyway) and CheckTLS.com and MXToolbox.com don't flag any problems when TLS is enabled. They didn't show any problems beforehand, either. There have been no significant changes to either SMTP server. Certainly nothing that would affect SMTP and TLS.

Diagnostics Logging for Exchange Transport is on maximum, but gives me nothing about these problems.

Has anyone seen a similar problem to this? Is it possible it's an ISP issue? The one thing both servers have in common is they're both on the same ISP.

Any help or insight would be welcome.

Thanks.
Question by: Red_Nine
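An added illustration, not code from this thread: a small Python checker that takes a per-session SMTP command trace (the sample below is constructed; it does not reproduce the real Exchange or Postfix log format) and flags sessions that issue STARTTLS twice, skip the fresh EHLO that must follow a TLS handshake, or send MAIL/RCPT and then quit without DATA, which is the sequence quoted in the question.

```python
"""Flag SMTP sessions matching the failing pattern in the question (added example)."""
from collections import defaultdict

# Constructed per-session verb trace, not a real Exchange or Postfix log:
# each line is "<session-id> <verb>" in the order the receiving server saw it.
SAMPLE_TRACE = """\
s1 EHLO
s1 STARTTLS
s1 STARTTLS
s1 MAIL
s1 RCPT
s1 QUIT
s2 EHLO
s2 STARTTLS
s2 EHLO
s2 MAIL
s2 RCPT
s2 DATA
s2 QUIT
"""


def parse_trace(text):
    """Group each session's verbs, preserving order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            sessions[parts[0]].append(parts[1].strip().upper())
    return dict(sessions)


def session_findings(verbs):
    """Return the anomalies in one session's verb sequence."""
    findings = []
    if verbs.count("STARTTLS") > 1:
        findings.append("starttls_repeated")
    if "STARTTLS" in verbs:
        # RFC 3207: after the TLS handshake the client must start over with EHLO.
        last = max(i for i, v in enumerate(verbs) if v == "STARTTLS")
        if verbs[last + 1:last + 2] != ["EHLO"]:
            findings.append("no_ehlo_after_starttls")
    if "MAIL" in verbs and "DATA" not in verbs:
        findings.append("abandoned_after_envelope")  # envelope sent, no DATA
    return findings


def analyse_trace(text):
    """Map every session id in the trace to its list of findings."""
    return {sid: session_findings(v) for sid, v in parse_trace(text).items()}
```

Run over a real trace, sessions with all three findings are the ones to raise with the sending side, since only the sender's log shows why it gave up after RCPT.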
Accepted Solution by: Simon Butler (Sembee), earned 500 total points
ID: 39897316
TLS on Exchange 2003 was never very good; the problems you are seeing are not unusual.
Therefore an upgrade of Exchange would be your best option - it is a lot more reliable in the later versions of Exchange.

I have also seen problems with TLS caused by AV software, anti-spam and firewalls. It also doesn't help that each MTA developer has a different interpretation of the RFCs so SMTP is different on every server. The world has moved on and Exchange 2003 is based on technology that is over 12 years old, anything more modern will struggle to communicate.

Not the answer you are looking for, I know, but sometimes an upgrade is the only thing you can do. Exchange 2003 is EOL and well past its sell-by date.

Simon.
Author Comment by: Red_Nine
ID: 39897380
Not really what I wanted to hear, but thanks for your input.

The problem occurs with AV and the various layers of anti-spam turned off (in some cases with the SMTP sinks removed, too). :s

On the firewall, the first thing I suspected was ESMTP inspection, but the Cisco bods assure me this is not the case. If it was on, why would only some TLS mail be stopped and not all of it?

For "never very good" Exchange 2003 has done just fine for the 6+ years I've been using TLS on it. :)  I planned on retiring both boxes this year anyway, but unless the ISP come back with an admission of buggering up a router or two and a promise to fix them, it looks like it's sleeves up and Edge Server install time a bit earlier.

"It also doesn't help that each MTA developer has a different interpretation of the RFCs"

Standards; there's either too bloody many of them, or if there's only one, no two organisations actually follow it the same way.
Expert Comment by: CubeOver
ID: 39899177
The certificates that you renewed - are they rooting in the same anchor (root CA) as before, with the same thumbprint?
Only logging on the sender side could help you further diagnose the issue.
It might be a case that your new certs are signed by a different root CA that is not trusted by some senders.
Author Comment by: Red_Nine
ID: 39899252
The certs are from the same CA, with the same Root and Chain certs. I've checked the current chain and root certs against what I have installed and they're the same. The certificate console doesn't report any problems. The external test for TLS confidence at CheckTLS.com doesn't return any problems.

"renewed" is probably the wrong term - "revoked and started again from scratch with new requests" is more accurate.

I might try a whole new cert from another CA. Any recommendations?

"Only logging on the sender side could help you further diagnose the issue."

I've requested help from our ISP in case it's a transport thing (the problem seems to be regional with France and Germany affected most) and also from the ISP of the main offender. But as I'm not a customer of theirs, they're not really being helpful; if I call them, they just go down the first-line cheat sheet for client issues. An email has requested an escalation to the backroom boys and some log excerpts, but I'm not holding my breath. (And I did provide them with an alternate email address!! :) )

The thing that makes me weep - the emails from Experts Exchange telling me of replies...

...are TLS encrypted. "over TLS secured channel with Microsoft SMTPSVC". :s
Author Closing Comment by: Red_Nine
ID: 39908572
Mail from the affected senders started coming in correctly after deploying an Edge Transport Server.

However, one of the affected senders has confirmed a known issue at their end, so it's not all Exchange 2003's fault.