Exchange Server 2003 and RC4 cipher

This is way over my head. I have a feeling I need to add some other cipher to our Exchange Server 2003 because this customer implemented something called ProofPoint in their mail system. This is the email their support staff sent to us. Can someone translate into English?

Current status: When connecting to the MX record (hostname and IP address) for yourcompany.com, I'm still only seeing the RC4-MD5 Cipher being offered in the TLS Handshake. No other Ciphers (of higher strength) are being supported currently when connecting to their domain.
Next steps: Reach back out to the Admins at Yourcompany.com to ensure that they've re-keyed the SSL certificate for a higher cipher AND have applied this new certificate to their SMTP Server and services.
Action plan: TBD
Owner: Gordon at Physicians Health Plan of Northern Indiana.
Next update: Within two business days of your next reply.

I see your text messages in the logs and I'm still showing Input/Output error messages when connecting to the host and attempting to establish TLS. As the RC4 cipher has been disabled, we cannot use this cipher for negotiating TLS.

Per your recent update, you spoke with the admins who mentioned they had re-keyed the SSL Certificates, but it was unclear if they've actually updated the certificate for their SMTP Server or services on their end. When I'm connecting directly to their MX record on Port 25 (SMTP), only the RC4 cipher is offered during the negotiation. When trying to manually override this option and using a stronger, supported cipher, the connection fails since the receiving server cannot negotiate with a higher cipher (AES128-SHA).

I would ask that you reconnect with the System Admins at yourcompany and confirm that they've re-keyed their SSL certificate, added the certificate to their SMTP Server (or MX hosts) and have assigned the certificate to the SMTP Services for such hosts so connecting hosts can establish a cipher that is greater than the non-supported RC4 cipher that is currently being offered.
Asked by LockDown32 (Owner)

Amit Kumar commented:
You are using Exchange 2003 with Windows Server 2003; by default, weak ciphers are enabled on Windows Server 2003. Nowadays people have migrated to newer Exchange versions, but I'm not sure why you are still on Exchange 2003. FYI, MS support for Exchange 2003 ended in 2014.

There is a workaround, but I'm not sure whether it will work for you, as I am not sure what will happen to the Exchange service after restricting ciphers.

IIS Crypto is a tool built by some techies to restrict weak ciphers at the OS level, so your web services will stop using weak ciphers. Article for this. This tool will help you to restrict ciphers, but you might need to install one more hotfix from MX to support these ciphers. Please install it first.

This article will help you to understand applying certificates on Exchange services.
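
The check the support e-mail describes (connect to the MX host on port 25, start TLS, and see which cipher is negotiated) can be repeated after any cipher change on the server. The script below is an added example, not part of the original thread; the helper names `probe` and `assess`, the weak-token list and the host name `mail.example.com` are assumptions made for illustration.

```python
import smtplib
import ssl

WEAK_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP")  # substrings of weak OpenSSL suite names

def probe(host, cipher, port=25, timeout=10):
    """Offer one cipher suite over SMTP STARTTLS; return the negotiated suite
    name, or a 'failed: ...' string when the handshake cannot complete."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # testing cipher support, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1    # legacy servers may stop at TLS 1.0
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    except (ssl.SSLError, ValueError):
        # Many current OpenSSL builds ship without RC4 or TLS 1.0 at all.
        return "failed: local OpenSSL cannot offer " + cipher
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            return smtp.sock.cipher()[0]
    except (OSError, smtplib.SMTPException) as exc:
        return "failed: %s" % exc

def assess(results):
    """results maps offered cipher -> probe() output. Returns (verdict, suites)."""
    accepted = sorted(r for r in results.values() if not r.startswith("failed:"))
    strong = [r for r in accepted if not any(t in r for t in WEAK_TOKENS)]
    if not accepted:
        return ("no TLS", [])
    if not strong:
        return ("weak only", accepted)
    return ("ok", strong)

# Constructed sample mirroring the support e-mail: RC4-MD5 accepted, AES128-SHA refused.
SAMPLE = {"RC4-MD5": "RC4-MD5", "AES128-SHA": "failed: handshake failure"}

if __name__ == "__main__":
    print(assess(SAMPLE))
    host = "mail.example.com"  # placeholder: replace with your own MX host
    live = {c: probe(host, c) for c in ("RC4-MD5", "AES128-SHA")}
    print(live, assess(live))
```

A verdict of "weak only" corresponds to the situation in the e-mail; once the server accepts AES128-SHA, the verdict becomes "ok".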
