This is way over my head. I have a feeling I need to add some other cipher to our Exchange Server 2003 because this customer implemented something called ProofPoint in their mail system. This is the email their support staff sent to us. Can someone translate it into English:
Current status: When connecting to the MX record (hostname and IP address) for yourcompany.com, I'm still only seeing the RC4-MD5 Cipher being offered in the TLS Handshake. No other Ciphers (of higher strength) are being supported currently when connecting to their domain.
Next steps: Reach back out to the Admins at Yourcompany.com to ensure that they've re-keyed the SSL certificate for a higher cipher AND have applied this new certificate to their SMTP Server and services.
Action plan: TBD
Owner: Gordon at Physicians Health Plan of Northern Indiana.
Next update: Within two business days of your next reply.
I see your text messages in the logs and I'm still showing Input/Output error messages when connecting to the host and attempting to establish TLS. As the RC4 cipher has been disabled, we cannot use this cipher for negotiating TLS.
Per your recent update, you spoke with the admins who mentioned they had re-keyed the SSL Certificates, but it was unclear if they've actually updated the certificate for their SMTP Server or services on their end. When I'm connecting directly to their MX record on Port 25 (SMTP), only the RC4 cipher is offered during the negotiation. When trying to manually override this option and using a stronger, supported cipher, the connection fails since the receiving server cannot negotiate with a higher cipher (AES128-SHA).
I would ask that you reconnect with the System Admins at yourcompany and confirm that they've re-keyed their SSL certificate, added the certificate to their SMTP Server (or MX hosts) and have assigned the certificate to the SMTP Services for such hosts so connecting hosts can establish a cipher that is greater than the non-supported RC4 cipher that is currently being offered.
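The check the support email describes (connect to the MX host on port 25, issue STARTTLS, and see which cipher can be negotiated) can be reproduced by the server's own admins with the sketch below. It is an added example, not part of the original post or the vendor's tooling; the weak-cipher marker list, the function names and the sample results are assumptions made for illustration.

```python
import smtplib
import ssl

UNAVAILABLE = "unavailable-locally"           # local OpenSSL build cannot offer this cipher
WEAK_MARKERS = ("RC4", "MD5", "NULL", "EXP")  # assumption: substrings treated as weak

def is_weak(cipher_name):
    return any(m in cipher_name.upper() for m in WEAK_MARKERS)

def probe_starttls(host, cipher, port=25, timeout=10):
    """Offer exactly one cipher over SMTP STARTTLS. Returns the negotiated
    cipher name, None if the handshake fails, or UNAVAILABLE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # diagnostic only: we inspect the cipher,
    ctx.verify_mode = ssl.CERT_NONE   # not the certificate chain
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3 suites
    try:
        ctx.set_ciphers(cipher)
    except ssl.SSLError:
        return UNAVAILABLE            # e.g. RC4 is compiled out of modern OpenSSL
    smtp = smtplib.SMTP(host, port, timeout=timeout)
    try:
        smtp.ehlo()
        smtp.starttls(context=ctx)    # raises if STARTTLS is not advertised
        return smtp.sock.cipher()[0]
    except (ssl.SSLError, ConnectionError):
        return None                   # no shared cipher, or the peer dropped the session
    finally:
        smtp.close()

def verdict(results):
    """results maps each offered cipher to what probe_starttls() returned."""
    negotiated = sorted({c for c in results.values() if c not in (None, UNAVAILABLE)})
    if not negotiated:
        return "no TLS session with any tested cipher"
    if all(is_weak(c) for c in negotiated):
        return "only weak ciphers accepted: " + ", ".join(negotiated)
    strong = [c for c in negotiated if not is_weak(c)]
    return "strong cipher accepted: " + ", ".join(strong)

if __name__ == "__main__":
    # Constructed results mirroring the email: RC4-MD5 negotiates, AES128-SHA fails.
    sample = {"RC4-MD5": "RC4-MD5", "AES128-SHA": None}
    print(verdict(sample))
    # Against your own MX host (placeholder name):
    # {c: probe_starttls("mx.example.test", c) for c in ("RC4-MD5", "AES128-SHA")}
```

A probing client built on a current OpenSSL usually returns `UNAVAILABLE` for `RC4-MD5`, which is the sender-side situation the email describes: a client with RC4 disabled and a server that accepts nothing else have no cipher in common.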