Solved

Incoming TLS problems

Posted on 2014-02-28
5
725 Views
Last Modified: 2014-03-05
I've got a bit of an odd problem with TLS email.

It works from some senders, but not others.

From one of the senders that's not working, I get EHLO, STARTTLS, STARTTLS, MAIL, RCPT, then QUIT. No DATA. It just quits out.

The only NDR I've had sent to me showed a 4.4.2 error from Postfix: "Lost connection while sending MAIL FROM".

Other servers use TLS with no issues, and a check of the received mail's headers shows that the session was over a secure channel, so TLS is presumably working correctly there. Outbound TLS seems unaffected (we have two SMTP connectors on each server: one with specified domains that supports TLS and one without for the rest).

My workaround has been to disable TLS every few hours for a short while to let retried mails in without TLS - this is definitely NOT a preferred solution! :)

The thing that's odd - it's affecting two SMTP servers (both Exchange 2003) in different offices. I could accept one server having a bad day or two, but two at the same time?

And it was working normally until recently! :s

The certificates have been renewed (they weren't too far away from expiry anyway) and CheckTLS.com and MXToolbox.com don't flag any problems when TLS is enabled. They didn't show any problems beforehand, either. There have been no significant changes to either SMTP server. Certainly nothing that would affect SMTP and TLS.

Diagnostics Logging for Exchange Transport is on maximum, but gives me nothing about these problems.

Has anyone seen a similar problem to this? Is it possible it's an ISP issue? The one thing both servers have in common is they're both on the same ISP.

Any help or insight would be welcome.

Thanks.
Question by: Red_Nine
5 Comments
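The command sequence the question describes (EHLO, STARTTLS, STARTTLS, MAIL, RCPT, QUIT with no DATA) is easy to spot if the transport log is reduced to one command per line. The following analyser is an added example, not code from the thread or from Exchange; it assumes a constructed log format of `<session-id> <timestamp> <SMTP command>` (real Exchange 2003 protocol logging would need its own field mapping) and flags sessions that negotiated STARTTLS but quit before DATA, reporting how many STARTTLS commands were seen and the last command before QUIT.

```python
"""Classify SMTP sessions from a command-per-line protocol log.

Added example for the thread above; not part of the original post.
Assumed (constructed) log format: "<session-id> <timestamp> <SMTP command ...>".
"""
from dataclasses import dataclass, field

# Constructed sample log, not captured from the poster's servers.
# Session A mirrors the symptom in the question: STARTTLS twice, MAIL, RCPT,
# then QUIT without DATA.  Session B is a healthy STARTTLS session and
# session C is a plaintext session that never issued STARTTLS.
SAMPLE_LOG = """\
A 2014-02-28T10:00:01 EHLO mail.sender.example
A 2014-02-28T10:00:01 STARTTLS
A 2014-02-28T10:00:02 STARTTLS
A 2014-02-28T10:00:03 MAIL FROM:<user@sender.example>
A 2014-02-28T10:00:03 RCPT TO:<user@ourdomain.example>
A 2014-02-28T10:00:04 QUIT
B 2014-02-28T10:05:00 EHLO mx.other.example
B 2014-02-28T10:05:00 STARTTLS
B 2014-02-28T10:05:01 MAIL FROM:<a@other.example>
B 2014-02-28T10:05:01 RCPT TO:<b@ourdomain.example>
B 2014-02-28T10:05:02 DATA
B 2014-02-28T10:05:03 QUIT
C 2014-02-28T10:10:00 HELO legacy.example
C 2014-02-28T10:10:00 MAIL FROM:<x@legacy.example>
C 2014-02-28T10:10:01 RCPT TO:<y@ourdomain.example>
C 2014-02-28T10:10:01 DATA
C 2014-02-28T10:10:02 QUIT
"""


@dataclass
class Session:
    session_id: str
    verbs: list = field(default_factory=list)  # SMTP verbs in the order seen

    @property
    def starttls_count(self):
        return self.verbs.count("STARTTLS")

    @property
    def reached_data(self):
        return "DATA" in self.verbs

    def last_before_quit(self):
        """Verb immediately preceding QUIT (or the final verb if no QUIT)."""
        if "QUIT" in self.verbs:
            idx = self.verbs.index("QUIT")
            return self.verbs[idx - 1] if idx > 0 else None
        return self.verbs[-1] if self.verbs else None

    def classify(self):
        """'tls-abort-before-data' is the pattern described in the question."""
        if self.starttls_count and not self.reached_data:
            return "tls-abort-before-data"
        if self.starttls_count:
            return "tls-ok"
        return "plaintext"


def parse_log(text):
    """Group log lines into Session objects keyed by session id."""
    sessions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, _timestamp, command = line.split(" ", 2)
        verb = command.split()[0].upper().rstrip(":")  # "MAIL FROM:<..>" -> "MAIL"
        sessions.setdefault(sid, Session(sid)).verbs.append(verb)
    return sessions


def suspicious_sessions(text):
    """Return details for every session that used STARTTLS but never sent DATA."""
    report = {}
    for sid, session in parse_log(text).items():
        if session.classify() == "tls-abort-before-data":
            report[sid] = {
                "starttls_count": session.starttls_count,
                "last_before_quit": session.last_before_quit(),
            }
    return report


if __name__ == "__main__":
    for sid, info in suspicious_sessions(SAMPLE_LOG).items():
        print(f"session {sid}: STARTTLS x{info['starttls_count']}, "
              f"quit after {info['last_before_quit']}, no DATA")
```

Run against a whole day's log and group the flagged sessions by sending host: if every abort comes from a handful of senders (or, as the poster noticed, from one region), that points at the sender side or the path rather than the receiving server, which is exactly the distinction the thread is trying to draw.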
Accepted Solution by: Simon Butler (Sembee), LVL 63 (earned 500 total points), ID: 39897316
TLS on Exchange 2003 was never very good, the problems you are seeing are not unusual.
Therefore an upgrade of Exchange would be your best option - it is a lot more reliable in the later versions of Exchange.

I have also seen problems with TLS caused by AV software, anti-spam and firewalls. It also doesn't help that each MTA developer has a different interpretation of the RFCs, so SMTP is different on every server. The world has moved on and Exchange 2003 is based on technology that is over 12 years old; anything more modern will struggle to communicate.

Not the answer you are looking for, I know, but sometimes an upgrade is the only thing you can do. Exchange 2003 is EOL and well past its sell-by date.

Simon.
Author Comment by: Red_Nine, LVL 1, ID: 39897380
Not really what I wanted to hear, but thanks for your input.

The problem occurs with AV and the various layers of anti-spam turned off (in some cases with the SMTP sinks removed, too). :s

On the firewall, the first thing I suspected was ESMTP inspection, but the Cisco bods assure me this is not the case. If it was on, why would only some TLS mail be stopped and not all of it?

For "never very good" Exchange 2003 has done just fine for the 6+ years I've been using TLS on it. :)  I planned on retiring both boxes this year anyway, but unless the ISP come back with an admission of buggering up a router or two and a promise to fix them, it looks like it's sleeves up and Edge Server install time a bit earlier.

"It also doesn't help that each MTA developer has a different interpretation of the RFCs"

Standards; there's either too bloody many of them, or if there's only one, no two organisations actually follow it the same way.
Expert Comment by: CubeOver, LVL 2, ID: 39899177
The certificates that you renewed - are they rooting in the same anchor (root CA) as before, with the same thumbprint?
Only logging on the sender side could help you further diagnose the issue.
It might be a case that your new certs are signed by a different root CA that is not trusted by some senders.
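One concrete way to answer the thumbprint question above from the outside is to open a STARTTLS session the way a sending MTA would and hash the certificate the server actually presents. The script below is an added example, not code from the thread; `thumbprint` and `matches_expected` are pure helpers, while `fetch_starttls_cert` needs network access to the host you pass in (the hostname and expected thumbprint on the command line are placeholders you supply). It reports the leaf certificate's thumbprint, which is what the Windows certificate console displays, so it can be compared with the value on the renewed certificate.

```python
"""Fetch the certificate a mail server presents after STARTTLS and compare its
thumbprint with an expected value.

Added example for the thread above; not part of the original post.
Assumes Python 3.6+ (ssl.PROTOCOL_TLS_CLIENT) and standard library only.
"""
import hashlib
import smtplib
import ssl


def thumbprint(der_bytes, algorithm="sha1"):
    """Return the digest of a DER certificate as colon-separated upper-case hex,
    the layout the Windows certificate console uses for its SHA-1 thumbprint."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _hex_only(value):
    """Keep only hex digits so 'AB:CD', 'ab cd' and 'abcd' compare equal."""
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def matches_expected(der_bytes, expected, algorithm="sha1"):
    """True if the certificate's thumbprint equals `expected`, ignoring
    separators, whitespace and case, since different tools format it differently."""
    return _hex_only(thumbprint(der_bytes, algorithm)) == _hex_only(expected)


def fetch_starttls_cert(host, port=25, timeout=15):
    """EHLO, STARTTLS and return the server's leaf certificate in DER form.

    Chain verification is deliberately disabled: this is a diagnostic to see
    WHAT the server presents even when the chain is broken, not a mail client,
    so the result must be compared against a known-good thumbprint by the caller.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError(f"{host}:{port} did not advertise STARTTLS")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207 requires a fresh EHLO after the handshake
        return smtp.sock.getpeercert(binary_form=True)


if __name__ == "__main__":
    import sys
    # Placeholder arguments: your own MX hostname and the thumbprint shown in
    # the certificate console for the certificate you installed.
    host, expected = sys.argv[1], sys.argv[2]
    der = fetch_starttls_cert(host)
    print("presented:", thumbprint(der))
    print("matches expected:", matches_expected(der, expected))
```

Running it from a host outside your network confirms that the certificate reaching remote senders is the one you installed. Comparing the root and intermediates would need the full presented chain, which the standard-library socket does not expose in older Python versions, so this example stops at the leaf.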
Author Comment by: Red_Nine, LVL 1, ID: 39899252
The certs are from the same CA, with the same Root and Chain certs. I've checked the current chain and root certs against what I have installed and they're the same. The certificate console doesn't report any problems. The external test for TLS confidence at CheckTLS.com doesn't return any problems.

"renewed" is probably the wrong term - "revoked and started again from scratch with new requests" is more accurate.

I might try a whole new cert from another CA. Any recommendations?

"Only logging on the sender side could help you further diagnose the issue."

I've requested help from our ISP in case it's a transport thing (the problem seems to be regional with France and Germany affected most) and also from the ISP of the main offender. But as I'm not a customer of theirs, they're not really being helpful; if I call them, they just go down the first-line cheat sheet for client issues. An email has requested an escalation to the backroom boys and some log excerpts, but I'm not holding my breath. (And I did provide them with an alternate email address!! :) )

The thing that makes me weep - the emails from Experts Exchange telling me of replies...

...are TLS encrypted. "over TLS secured channel with Microsoft SMTPSVC". :s
Author Closing Comment by: Red_Nine, LVL 1, ID: 39908572
Mail from the affected senders started coming in correctly after deploying an Edge Transport Server.

However, one of the affected senders has confirmed a known issue at their end, so it's not all Exchange 2003's fault.