Messaging Gateway

  • 1.  SMG 10.6-5 TLS-Problem

    Posted Jan 12, 2016 06:53 AM

    We upgraded SMG (on ESX) to the newest version 10.6-5 and now we have problems receiving TLS mails from a few customers. They receive a TLS handshake error.

    We have had TLS active in SMG for two years (with SSLv3 disabled), and all worked fine until we did the upgrade. Now we noticed that the problem correlates with the "Disable SSL v3" setting in SMG. When we deactivate this setting (so enabling SSL v3) the problem is solved. But this is not an acceptable solution.

    You can reproduce this behavior by testing your own SMG 10.6-5 with the TLS test on https://de.ssl-tools.net/mailservers. When SSL v3 is disabled, you will get a handshake error and the test fails. When SSL v3 is enabled, the test result is ok, but you will receive a warning that the weak protocol SSL v3 is active... Great!

    Any ideas, or the same problem somewhere? Thanks...



  • 2.  RE: SMG 10.6-5 TLS-Problem

    Posted Jan 13, 2016 04:03 AM

    Hi,

    Have you seen https://support.symantec.com/en_US/article.TECH233869.html ?

    That's based on incidents I had to open after upgrading our CC and scanners.

    Currently activated ciphers are documented at https://support.symantec.com/en_US/article.TECH156249.html or take a look at /data/mta/etc/ecelerity.conf

    But the bad news, this file is not editable by customers ...

    The only solution is to wait for an upcoming update.


    Thomas



  • 3.  RE: SMG 10.6-5 TLS-Problem

    Posted Jan 13, 2016 04:55 AM

    Just forgot:

    This issue is mainly caused by Microsoft admins who do not know how to configure ciphers on W2K8 and W2K12 - by default the ciphers got updated in October 2015 (https://technet.microsoft.com/library/security/3042058).

    Ok, Symantec should just enable the customer to edit their cipher list.

    It's that simple!

    Thomas



  • 4.  RE: SMG 10.6-5 TLS-Problem

    Posted Jan 13, 2016 05:00 AM

    Hi Thomas,

    Thank you, I've seen the article, but I thought this only affects outgoing STARTTLS requests. Therefore, I have enabled TLS 1.2 on my Exchange server to avoid delivery problems from SMG to Exchange...

    Ok, I will wait for the next update and hope for an early solution!



  • 5.  RE: SMG 10.6-5 TLS-Problem

    Posted Jan 13, 2016 05:08 AM

    Overlapping posts :)



  • 6.  RE: SMG 10.6-5 TLS-Problem

    Posted Jan 13, 2016 07:39 AM

    Hi,

    The cipher suites, the list of ciphers which can be used, are presented by the client, which in either case is the server sending a mail.

    In case of outbound (shortened to the relevant parts): SMG sends ehlo, receives 250 ..., SMG sends STARTTLS, receives 220 OK, SMG sends "Client Hello" including minimum encryption version and cipher suites. After that the receiving server is sending an IP packet with the selected cipher suite and a packet with the certificate (should include the chain).

    In case of inbound: a server somewhere on the internet (Iserver from here on) is sending a mail, and the recipient is hosted behind SMG. Iserver sends ehlo, SMG sends 250, Iserver sends STARTTLS, SMG sends 220 OK, Iserver sends "Client Hello" including cipher suites. SMG picks one of the offered suites (first match between offered and locally allowed, priority by number offered) and sends the installed public key of the certificate.

    As you can see, the activated ciphers on SMG apply to inbound and outbound.


    Thomas
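
The server-side step described above, as an added illustration that is not code from the thread or from SMG: a minimal ClientHello parser plus the "first match between offered and allowed" selection rule, run against constructed ClientHello bytes (not captured traffic). Note that the version field in a ClientHello is the highest version the client supports, so a server that has disabled SSLv3 fails the handshake when that field is 0x0300; the suite ids and names are IANA values, and the `min_version` / `server_preference` knobs are assumptions for the demo, not SMG settings.

```python
import struct

# IANA cipher suite ids used in the constructed sample.
SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}

def build_client_hello(version, suites):
    """Construct a minimal ClientHello record (sample input, not captured traffic)."""
    body = struct.pack("!H", version) + bytes(32)            # client_version (highest supported) + random
    body += b"\x00"                                          # empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                      # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs  # record type 22, legacy record version

def parse_client_hello(data):
    """Return (client_version, [offered cipher suite ids]) from a raw ClientHello record."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                                  # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", data, pos)[0]; pos += 2
    pos += 32                                                # skip random
    pos += 1 + data[pos]                                     # skip session_id
    n = struct.unpack_from("!H", data, pos)[0]; pos += 2
    suites = [struct.unpack_from("!H", data, pos + i)[0] for i in range(0, n, 2)]
    return version, suites

def select_suite(offered, allowed, server_preference=False):
    """First match between offered and allowed; walk the client's list (default) or the server's."""
    first, second = (allowed, offered) if server_preference else (offered, allowed)
    return next((s for s in first if s in second), None)

def negotiate(data, allowed, min_version=0x0301, server_preference=False):
    """Simulate the receiving server: reject too-old clients, then pick a shared suite."""
    version, offered = parse_client_hello(data)
    if version < min_version:                                # e.g. SSLv3-only client vs "Disable SSL v3"
        return "handshake failure: client offers %s below minimum" % VERSIONS.get(version, hex(version))
    chosen = select_suite(offered, allowed, server_preference)
    if chosen is None:
        return "handshake failure: no shared cipher suite"
    return SUITES.get(chosen, hex(chosen))
```

Feeding it a ClientHello whose only suite is one the server no longer allows reproduces the "no shared cipher suite" failure, which is what the changed cipher list in the upgraded version looks like from the sender's side.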



  • 7.  RE: SMG 10.6-5 TLS-Problem
    Best Answer

    Posted Jan 21, 2016 05:41 AM

    Hi,

    All my TLS problems are solved with version 10.6.0-7!

    Thanks to all members and Symantec.