Email Security.cloud


Sometimes no STARTTLS from mail1.bemta2?.messagelabs.com

  • 1.  Sometimes no STARTTLS from mail1.bemta2?.messagelabs.com

    Posted Jul 20, 2018 08:43 AM

    We receive approx. 15 k e-mails per day on our mailserver (Ubuntu 16.04, Postfix) with mandatory TLS encryption (smtpd_tls_security_level = encrypt). Mandatory TLS works great against spam.

    Our problem:

    mail1.bemta2?.messagelabs.com connects to our MX mailgw.gkd-el.de. Most times the mails can be transferred (142 last week). But a few times the messagelabs.com-server connects and after 5 seconds it disconnects without sending everything (5 times last week).

    Jul  9 12:48:52 mailgw postfix/smtpd[8133]: connect from mail1.bemta24.messagelabs.com[67.219.250.4]
    Jul  9 12:48:57 mailgw postfix/smtpd[8133]: disconnect from mail1.bemta24.messagelabs.com[67.219.250.4] ehlo=1 mail=0/1 quit=1 commands=2/3

    Jul 10 10:30:56 mailgw postfix/smtpd[6396]: connect from mail1.bemta25.messagelabs.com[195.245.230.66]
    Jul 10 10:31:01 mailgw postfix/smtpd[6396]: disconnect from mail1.bemta25.messagelabs.com[195.245.230.66] ehlo=1 mail=0/1 quit=1 commands=2/3

    Jul 10 16:28:11 mailgw postfix/smtpd[14337]: connect from mail1.bemta25.messagelabs.com[195.245.230.4]
    Jul 10 16:28:16 mailgw postfix/smtpd[14337]: disconnect from mail1.bemta25.messagelabs.com[195.245.230.4] ehlo=1 mail=0/1 quit=1 commands=2/3

    Jul 11 09:29:12 mailgw postfix/smtpd[32442]: connect from mail1.bemta23.messagelabs.com[67.219.246.1]
    Jul 11 09:29:17 mailgw postfix/smtpd[32442]: disconnect from mail1.bemta23.messagelabs.com[67.219.246.1] ehlo=1 mail=0/1 quit=1 commands=2/3

    Jul 11 14:24:41 mailgw postfix/smtpd[16417]: connect from mail1.bemta25.messagelabs.com[195.245.230.131]
    Jul 11 14:24:46 mailgw postfix/smtpd[16417]: disconnect from mail1.bemta25.messagelabs.com[195.245.230.131] ehlo=1 mail=0/1 quit=1 commands=2/3

    Other mailservers with STARTTLS can send 100 % of their mails; without STARTTLS they disconnect in 0 - 1 seconds and can't send anything. Only the servers from messagelabs.com disconnect after 5 seconds.

    As a workaround we blocked the messagelabs.com IP-ranges (https://support.symantec.com/en_US/article.INFO4532.html) on our primary MX mailgw.gkd-el.de and installed a secondary MX filter.gkd-el.de, only visible for the messagelabs.com IP-ranges and some other (ssl-tools.com, checktls.com, ...).

    Why do the messagelabs.com mail servers sometimes not use STARTTLS? A problem at messagelabs.com?

     

    Regards

    Karl
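
Added example, not part of the original post: a Python scan of Postfix smtpd logs for the pattern shown above, where a client issues MAIL without a `starttls` counter and has it refused (`mail=0/1`), paired with its connect line to get the session length. The first two sessions are copied from the post; the third session (`mx.example.org`, `192.0.2.10`) and the year 2018 for the timestamps are assumptions added for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# First two sessions are copied from the post; the third is constructed
# (hypothetical host, documentation IP) to show a session that used STARTTLS.
SAMPLE_LOG = """\
Jul  9 12:48:52 mailgw postfix/smtpd[8133]: connect from mail1.bemta24.messagelabs.com[67.219.250.4]
Jul  9 12:48:57 mailgw postfix/smtpd[8133]: disconnect from mail1.bemta24.messagelabs.com[67.219.250.4] ehlo=1 mail=0/1 quit=1 commands=2/3
Jul 10 10:30:56 mailgw postfix/smtpd[6396]: connect from mail1.bemta25.messagelabs.com[195.245.230.66]
Jul 10 10:31:01 mailgw postfix/smtpd[6396]: disconnect from mail1.bemta25.messagelabs.com[195.245.230.66] ehlo=1 mail=0/1 quit=1 commands=2/3
Jul 10 10:32:10 mailgw postfix/smtpd[6396]: connect from mx.example.org[192.0.2.10]
Jul 10 10:32:11 mailgw postfix/smtpd[6396]: disconnect from mx.example.org[192.0.2.10] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[(\d+)\]: "
                  r"(connect|disconnect) from (\S+?)\[([^\]]+)\](.*)$")
STAT = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def plaintext_mail_attempts(log_text, year=2018):
    """Return (host, ip, seconds) for sessions that sent MAIL without STARTTLS."""
    opened, hits = {}, []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, pid, event, host, ip, rest = m.groups()
        # Syslog timestamps carry no year; the year is an assumption.
        when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
        if event == "connect":
            opened[pid] = when
            continue
        # Counters are "name=accepted" or "name=accepted/total".
        stats = {n: (int(ok), int(tot or ok)) for n, ok, tot in STAT.findall(rest)}
        mail_ok, mail_total = stats.get("mail", (0, 0))
        start = opened.pop(pid, None)
        if "starttls" not in stats and mail_total > 0 and mail_ok == 0:
            secs = int((when - start).total_seconds()) if start else None
            hits.append((host, ip, secs))
    return hits

def summarize(hits):
    """Count refused plaintext attempts per client hostname."""
    return Counter(host for host, _, _ in hits)

if __name__ == "__main__":
    for host, ip, secs in plaintext_mail_attempts(SAMPLE_LOG):
        print(f"{host} [{ip}] sent MAIL without STARTTLS, session lasted {secs}s")
```

The match is a heuristic: a refused MAIL with no `starttls` counter is what a mandatory-TLS server logs for a plaintext attempt, but other rejections before STARTTLS would look the same.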



  • 2.  RE: Sometimes no STARTTLS from mail1.bemta2?.messagelabs.com

    Posted Jul 24, 2018 08:55 AM

    The firewall-rules to deny the Symantec IP-ranges were deleted today, because there was no reaction from the side of Symantec. Now we have two MX-Server:

     

    mailgw.gkd-el.de   Mandatory TLS

    filter.gkd-el.de       Opportunistic TLS