exchange TLS INSECURE

I'm working on an issue I have with a vendor. They are unable to communicate with our Exchange server. The following message was sent to us:


"A Purchase Order sent to this email address has failed because a "secure delivery could not be established".
If it is a valid email address, please make sure that your company whitelists all emails from the @domaint.com domain so Purchase Orders can flow without failures. Also, please make sure that your email can handle TLS encrypted emails. Our ordering system utilizes TLS encryption."

I went to ssllabs.com and got the following results:

 ________________________________________
 https://www.ssllabs.com

Configuration

Protocols
TLS 1.3      No
TLS 1.2      Yes
TLS 1.1      Yes
TLS 1.0      Yes
SSL 3      No
SSL 2      No
For TLS 1.3 tests, we currently support draft version 28.



Certificate #1: RSA 2048 bits (SHA1withRSA)

Server Key and Certificate #1
Subject      remote.domain.com
Fingerprint SHA256: 242108f159834deXX
Pin SHA256: gJb0SUQGT9xdgAUkLtUabTUHxx
Common names      remote.domain.com
Alternative names      remote.domain.com exchange.domain.local AutoDiscover.domain.local AutoDiscover.domain.com mge.local domain.com
Serial Number      505976e8d2dacd9445086axxx
Valid from      Thu, 09 Jul 2015 21:01:06 UTC
Valid until      Thu, 09 Jul 2020 21:01:06 UTC (expires in 1 year and 10 months)
Key      RSA 2048 bits (e 65537)
Weak key (Debian)      No
Issuer      remote.domain.com   Self-signed
Signature algorithm      SHA1withRSA   INSECURE
Extended Validation      No
Certificate Transparency      No
OCSP Must Staple      No
Revocation information      None
DNS CAA      No (more info)
Trusted      No   NOT TRUSTED
Mozilla  Apple  Android  Java  Windows

___________________________________________________

Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp384r1 (eq. 7680 bits RSA)   FS      256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp384r1 (eq. 7680 bits RSA)   FS      128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp384r1 (eq. 7680 bits RSA)   FS      256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH secp256r1 (eq. 3072 bits RSA)   FS      128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK      256
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)   WEAK      112
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK      128
TLS_RSA_WITH_RC4_128_SHA (0x5)   INSECURE      128
TLS_RSA_WITH_RC4_128_MD5 (0x4)   INSECURE
jcl64213 Asked:
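The ssllabs.com scan above is of HTTPS on port 443, while the vendor's failure is on SMTP delivery, so the SMTP endpoint needs its own look. What follows is an added example, not part of the original post or any answer in the thread: a PowerShell probe that speaks EHLO/STARTTLS to port 25 and reports the negotiated protocol, cipher and certificate for each TLS version, including whether the certificate chain validates. A self-signed SHA-1 certificate like the one in the scan fails validation for any sender that requires verified rather than opportunistic TLS. The host name remote.domain.com and the EHLO name are placeholders.

```powershell
# Added example, not part of the original post: probe an SMTP endpoint over
# STARTTLS with .NET's SslStream, the way a sending MTA sees it. Host name and
# EHLO name are placeholders (assumptions), not values from the thread.

function Read-SmtpReply {
    param([Parameter(Mandatory)][System.IO.StreamReader]$Reader)
    # Replies can span several lines; continuation lines carry '-' after the code.
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 25,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls12',
        [string]$HeloName = 'tlsprobe.example.invalid'   # assumed probe identity
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $raw    = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($raw, [System.Text.Encoding]::ASCII)
        $writer = New-Object System.IO.StreamWriter($raw, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = Read-SmtpReply $reader
        if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner -join ' ')" }
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = Read-SmtpReply $reader
        if (-not ($ehlo -match '^250[ -]STARTTLS')) {
            throw "STARTTLS not advertised: $($ehlo -join ' | ')"
        }
        $writer.WriteLine('STARTTLS')
        $go = Read-SmtpReply $reader
        if ($go[-1] -notmatch '^220') { throw "STARTTLS refused: $($go -join ' ')" }
        # The server sends nothing after its 220 until the client starts the
        # handshake, so the StreamReader buffer holds no TLS bytes at this point.

        # Accept any certificate so the handshake completes, but keep the
        # validation result: a self-signed certificate shows up as a chain error.
        $script:ProbeChainErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $cert, $chain, $errors)
            $script:ProbeChainErrors = $errors
            return $true
        }
        $tls = New-Object System.Net.Security.SslStream($raw, $false, $callback)
        $tls.AuthenticateAsClient($Server, $null, $Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)

        [pscustomobject]@{
            Server       = "${Server}:$Port"
            Requested    = $Protocol
            Negotiated   = $tls.SslProtocol
            Cipher       = "$($tls.CipherAlgorithm)/$($tls.CipherStrength)"
            KeyExchange  = $tls.KeyExchangeAlgorithm
            Hash         = $tls.HashAlgorithm
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)   # good enough for a leaf cert
            SigAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            NotAfter     = $cert.NotAfter
            ChainErrors  = $script:ProbeChainErrors
        }
    } finally {
        $client.Close()
    }
}

# Try each version separately; a failed handshake means the server (or the
# SCHANNEL policy of the machine running the probe) refuses that version.
$target = 'remote.domain.com'   # placeholder: use the MX host for your domain
$results = foreach ($p in 'Tls', 'Tls11', 'Tls12') {
    try { Test-SmtpStartTls -Server $target -Protocol $p }
    catch { [pscustomobject]@{ Server = $target; Requested = $p; Negotiated = 'failed'; Error = $_.Exception.Message } }
}
$results | Format-List
```

Run it from a machine outside the perimeter against the host your MX record points at, not the Exchange server's internal name; if a gateway sits in front of Exchange, that is what the vendor actually connects to. ChainErrors of RemoteCertificateChainErrors with a self-signed issuer is the result a strict sender would reject.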

Jose Gabriel Ortega Castro (CEO Faru Bonon IT - EE Solution Expert) commented:
I would make sure it all works behind TLS 1.2 by running this script:

https://gallery.technet.microsoft.com/scriptcenter/Solve-SWEET32-Birthday-d2df9cf1

The script is used to solve the Sweet32 and TLS 1.0 problems for PCI compliance.

jcl64213 (Author) commented:
Having a really hard time running that script.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Disabling TLS 1.0 + TLS 1.1 in your SSL config file is usually sufficient to clear this error, as...

TLS 1.0 + TLS 1.1 are both deprecated by most companies, because both protocol levels have security problems.

btan (Exec Consultant) commented:
If Windows, you can disable TLS 1.0, but sometimes it may also require modifying the affected application component of your web server.

At OS level, via this registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server

More details: How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services
https://support.microsoft.com/en-us/kb/187498#LetMeFixItMyselfAlways

Can try out the IISCrypto tool to do the job, in addition to other tweaks like favoring Forward Secrecy (ECDHE) ciphers.
https://www.nartac.com/Products/IISCrypto/
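As an added example (not btan's, Microsoft's or the Solve-SWEET32 script's code), the same registry changes expressed as PowerShell functions with an audit view: the SCHANNEL Protocols keys named above for TLS 1.0/1.1/1.2 on both the Server and Client side, the Ciphers keys for the RC4 and 3DES suites flagged in the scan, and the .NET SystemDefaultTlsVersions/SchUseStrongCrypto values that Microsoft's Exchange TLS guidance asks for so that Exchange's managed code follows the OS protocol defaults. The cipher key names are the standard Windows SCHANNEL names; the rest is plain registry writes.

```powershell
# Added example, not from this thread or from Microsoft: switch TLS 1.0/1.1 off
# and TLS 1.2 on in SCHANNEL, disable the RC4 and 3DES ciphers, and make .NET
# honour the OS defaults. Run elevated on the Exchange server; reboot to apply.
# Only do this on a CU that supports TLS 1.2 and after checking partner usage.

$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Name,
        [Parameter(Mandatory)][bool]$Enabled
    )
    $on = if ($Enabled) { 1 } else { 0 }
    foreach ($side in 'Server', 'Client') {
        $key = "$ProtocolRoot\$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the version off; DisabledByDefault=1 also keeps it
        # out of the set an application gets when it asks for "system default".
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value $on -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value (1 - $on) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    # Audit view: a value that is not present means the OS default applies.
    foreach ($name in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Server', 'Client') {
            $key = "$ProtocolRoot\$name\$side"
            $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = if ($p -and $p.PSObject.Properties['Enabled']) { $p.Enabled } else { 'OS default' }
                DisabledByDefault = if ($p -and $p.PSObject.Properties['DisabledByDefault']) { $p.DisabledByDefault } else { 'OS default' }
            }
        }
    }
}

function Disable-SchannelCipher {
    param([Parameter(Mandatory)][string[]]$CipherName)
    # Cipher key names such as 'RC4 128/128' contain '/', which the PowerShell
    # registry provider would treat as a path separator; use the .NET API instead.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey(
        'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers')
    foreach ($name in $CipherName) {
        $k = $ciphers.CreateSubKey($name)
        $k.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $k.Close()
    }
    $ciphers.Close()
}

function Set-DotNetStrongCrypto {
    # .NET 4.x and 3.5 (2.0 runtime), 64- and 32-bit views: follow the SCHANNEL
    # defaults instead of hard-coding TLS 1.0, and prefer strong crypto.
    $keys = foreach ($ver in 'v4.0.30319', 'v2.0.50727') {
        "HKLM:\SOFTWARE\Microsoft\.NETFramework\$ver"
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\$ver"
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($v in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
            New-ItemProperty -Path $key -Name $v -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize          # state before the change
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true
Set-SchannelProtocol -Name 'TLS 1.0' -Enabled $false
Set-SchannelProtocol -Name 'TLS 1.1' -Enabled $false
Disable-SchannelCipher -CipherName 'RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168'
Set-DotNetStrongCrypto
Get-SchannelProtocolState | Format-Table -AutoSize          # state after; reboot to apply
```

Disabling the Client side of TLS 1.0/1.1 changes what the server can negotiate outbound as well (SMTP send, and any other outbound connection the box makes), so check partner usage before running the last three Set-/Disable- calls.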
Sunil Chauhan (Lead Administrator) commented:
Before you jump to running this script, I would like to know a few things:

  1. What email gateway are you using?
  2. Did you analyze the NDR they received?
  3. Did you check the rejection logs from your email gateway?

Note: External applications will not hit your Exchange server directly; you are supposed to have an email gateway like Microsoft Edge server, Cisco IronPort, Proofpoint etc., and by default most email gateways use opportunistic TLS. You can also enforce TLS from your gateway settings for a specific domain.
btan (Exec Consultant) commented:
Also, in support of TLS 1.2, if that is the basis for your partner's Exchange connection:

>>Exchange Server 2016
Install Cumulative Update (CU) 8 in production for TLS 1.2 support and be ready to upgrade to CU9 after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).

>>Exchange Server 2013
Install CU19 in production for TLS 1.2 support and be ready to upgrade to CU20 after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the newest version of .NET and associated patches supported by your CU (currently 4.7.1).

>>Exchange Server 2010
Install SP3 RU19 in production today for TLS 1.2 support and be ready to upgrade to SP3 RU20 in production after its release if you need to disable TLS 1.0 and TLS 1.1.
Install the latest version of .NET 3.5.1 and patches.
https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/

Many protocols used in Exchange Server are HTTP based, and therefore traverse the IIS processes on the Exchange server. MAPI/HTTP, Outlook Anywhere, Exchange Web Services, Exchange ActiveSync, REST, OWA & EAC, Offline Address Book downloads, and Autodiscover are examples of HTTP based protocols used by Exchange Server.

SMTP Logs in Exchange 2010 through Exchange 2016 will contain the encryption protocol and other encryption related information used during the exchange of email between two systems.

When the server is the SMTP receiving system, the following strings exist in the log depending on the version of TLS used.

TLS protocol SP_PROT_TLS1_0_SERVER
TLS protocol SP_PROT_TLS1_1_SERVER
TLS protocol SP_PROT_TLS1_2_SERVER

When the server is the SMTP sending system, the following strings exist in the log depending on the version of TLS used.

TLS protocol SP_PROT-TLS1_0_CLIENT
TLS protocol SP_PROT-TLS1_1_CLIENT
TLS protocol SP_PROT-TLS1_2_CLIENT

Deploy the latest releases for Exchange 2010, Exchange 2013, and Exchange 2016 released in March 2018. These releases are the first to support turning off TLS 1.0 and TLS 1.1.

https://blogs.technet.microsoft.com/exchange/2018/05/23/exchange-server-tls-guidance-part-3-turning-off-tls-1-01-1/
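To find out which partners would be affected before turning TLS 1.0/1.1 off, the log strings above can be mined from the SMTP protocol logs. The following PowerShell is an added example, not part of the Microsoft guidance or of any post in this thread. The log excerpt embedded in it is constructed for the example and laid out like the Exchange protocol-log CSV (a '#Fields:' header followed by one row per event, with the TLS details in the 'context' column); the default log path in the trailing comment is an assumption for Exchange 2013/2016.

```powershell
# Added example, not from the Microsoft guidance or from any post here: report
# which remote hosts negotiated which TLS version with this server, inbound
# (SP_PROT_TLS1_x_SERVER) and outbound (SP_PROT-TLS1_x_CLIENT), so that TLS 1.0
# and 1.1 can be switched off without breaking a partner.

# Constructed sample (receive and send rows merged into one input for brevity).
$SampleLog = @'
#Software: Microsoft Exchange Server
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2018-09-05T08:12:01.101Z,EXCH01\Default Frontend EXCH01,08D6121C3B3D0001,7,10.0.0.5:25,203.0.113.10:51234,*,,TLS protocol SP_PROT_TLS1_2_SERVER negotiated cipher algorithm CALG_AES_256 hash algorithm CALG_SHA_384 key exchange algorithm CALG_ECDH_EPHEM
2018-09-05T08:13:44.209Z,EXCH01\Default Frontend EXCH01,08D6121C3B3D0002,7,10.0.0.5:25,198.51.100.7:40012,*,,TLS protocol SP_PROT_TLS1_0_SERVER negotiated cipher algorithm CALG_3DES hash algorithm CALG_SHA1 key exchange algorithm CALG_RSA_KEYX
2018-09-05T08:15:02.550Z,EXCH01\Default Frontend EXCH01,08D6121C3B3D0003,7,10.0.0.5:25,198.51.100.7:40018,*,,TLS protocol SP_PROT_TLS1_0_SERVER negotiated cipher algorithm CALG_3DES hash algorithm CALG_SHA1 key exchange algorithm CALG_RSA_KEYX
2018-09-05T08:16:10.004Z,EXCH01\Default Frontend EXCH01,08D6121C3B3D0004,3,10.0.0.5:25,192.0.2.44:33001,>,220 2.0.0 SMTP server ready,
2018-09-05T08:20:30.777Z,EXCH01\Outbound to Internet,08D6121C3B3D0005,6,10.0.0.5:49211,192.0.2.200:25,*,,TLS protocol SP_PROT-TLS1_1_CLIENT negotiated cipher algorithm CALG_AES_128 hash algorithm CALG_SHA_256 key exchange algorithm CALG_ECDH_EPHEM
'@

function Get-SmtpTlsUsage {
    param([Parameter(Mandatory)][string[]]$LogLines)

    # Turn the log into objects using the column names from the '#Fields:' line.
    $fields = $null
    $rows = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ','; continue }
        if (-not $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $line | ConvertFrom-Csv -Header $fields
    }

    # Both spellings occur in the guidance quoted above (underscore for SERVER,
    # hyphen for CLIENT); match either separator to be safe.
    $pattern = 'TLS protocol SP_PROT[-_]TLS1_(\d)_(SERVER|CLIENT)'
    $events = foreach ($r in $rows) {
        $m = [regex]::Match([string]$r.context, $pattern)
        if (-not $m.Success) { continue }
        [pscustomobject]@{
            RemoteHost = $r.'remote-endpoint' -replace ':\d+$', ''   # strip the port
            Direction  = if ($m.Groups[2].Value -eq 'SERVER') { 'inbound' } else { 'outbound' }
            TlsVersion = "TLS 1.$($m.Groups[1].Value)"
            Connector  = $r.'connector-id'
        }
    }

    $events | Group-Object RemoteHost, Direction, TlsVersion | ForEach-Object {
        [pscustomobject]@{
            RemoteHost = $_.Group[0].RemoteHost
            Direction  = $_.Group[0].Direction
            TlsVersion = $_.Group[0].TlsVersion
            Sessions   = $_.Count
            # Anything below TLS 1.2 stops working once 1.0/1.1 are disabled.
            AtRisk     = $_.Group[0].TlsVersion -ne 'TLS 1.2'
        }
    } | Sort-Object AtRisk, Sessions -Descending
}

# On the constructed sample: 198.51.100.7 (inbound, TLS 1.0, 2 sessions) and
# 192.0.2.200 (outbound, TLS 1.1) are flagged; 203.0.113.10 on TLS 1.2 is not.
Get-SmtpTlsUsage -LogLines ($SampleLog -split "`r?`n") | Format-Table -AutoSize

# Real logs (assumed default Exchange 2013/2016 path; protocol logging must be
# enabled on the connector, e.g. Set-ReceiveConnector ... -ProtocolLoggingLevel Verbose):
# $logs = Get-Content 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\*.log'
# Get-SmtpTlsUsage -LogLines $logs | Where-Object AtRisk | Format-Table -AutoSize
```

Feed it the SmtpSend logs as well to see which outbound partners still negotiate below TLS 1.2; those are the ones that break when the Client side of TLS 1.0/1.1 is disabled on the server.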
Jose Gabriel Ortega Castro (CEO Faru Bonon IT - EE Solution Expert) commented:
Omg why?

Open a PowerShell console as administrator,
like this:
https://www.youtube.com/watch?v=tY29YFgxo1k

Then go to the script download location (for example the Downloads folder within your profile):

Set-ExecutionPolicy Unrestricted   # then accept the message by pressing Y and Enter
cd $env:USERPROFILE\Downloads      # the folder the script was saved to
# and just run the script
.\Solve-Sweet32.ps1
# optional: set the policy back
Set-ExecutionPolicy RemoteSigned   # then accept the message by pressing Y and Enter


and that's it.
btan (Exec Consultant) commented:
For author advice
btan (Exec Consultant) commented:
No further input received. For consideration.