Crazy Domains SMTP SSL Negotiation Fail

0

I'm in a bit of a cat-and-mouse scenario regarding SMTP not working on certain software at multiple sites on multiple computers. The email provider says it's a software issue and the software says it's an email provider issue.

What I've tested:

  • Routing SMTP traffic through a different ISP interface at each site, which results in the same outcome.
  • Used the full SMTP server cp-wc67.per01.ds.network and the IP of that server as the sending server, with no luck.
  • I've got a PowerShell script to test SMTP which works at every site with no issue, using the same credentials and servers.

The software company, I know, uses TLS v1 unless the libraries are available for SSL, in which case it will use SSL.

This is the error from the third-party vendor:

Am I correct in saying that if the mail server responds with a TLS go-ahead then the mail server is working correctly and it's the software company's problem?

This is the UPDATED Wireshark extract:

SQLTemp

Posted 2020-01-07T08:26:21.593

Reputation: 1 473

TLSv1 can potentially downgrade to SSLv3. Your extract doesn't show an actual error happening. What it does show is that there is an SSL session trying to be started after the SMTP session has been established. Depending on the software, an explicit SSL connection can be helpful. Though, as the software sends STARTTLS itself, it should be capable of doing so. – Seth – 2020-01-07T08:33:50.590

Please show a Wireshark capture of the whole TCP connection. Trying to filter via smtp will discard all SSL/TLS negotiation packets (since they are, after all, not SMTP). – user1686 – 2020-01-07T08:57:07.060

@user1686 Can do. Do you need any Wireshark tabs open? – SQLTemp – 2020-01-07T10:18:46.143

There are a lot of online testers that allow you to check the SSL/TLS availability and potential errors on SMTP servers. Have you checked what result you get using those test tools for the SMTP server in question? If some of them show errors, you have something to confront the email provider with. – Robert – 2020-01-07T12:41:28.547

@SQLTemp: The "Client Hello" and the following "Alert" might give hints regarding the problem. (It's most commonly a mismatch between what the client can offer, and what the server requires. For example, client lacking TLSv1.2 support...) – user1686 – 2020-01-07T14:52:00.180

Answers

2

The server you access supports TLS 1.2:

$ openssl s_client -connect 103.226.222.98:587 -starttls smtp
...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

It does not support anything less though, i.e. no TLS 1.0:

$ openssl s_client -connect 103.226.222.98:587 -starttls smtp -tls1
...
... sslv3 alert handshake failure: ... SSL alert number 40
...
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000

According to the image you show from Wireshark your mail client connects with TLSv1, i.e. TLS 1.0. Since it does not connect with TLS 1.2 it will fail. This means you need to fix your (unknown) mail client or get another one with support for TLS 1.2.

Steffen Ullrich

Posted 2020-01-07T08:26:21.593

Reputation: 3 897

Or, if the mail client uses the SSL/TLS implementation from Windows (Schannel), you may need to configure/update your Windows version to allow TLS 1.2. – Robert – 2020-01-08T13:48:35.633
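The answer's two openssl s_client runs (one default, one pinned to -tls1) are the check that settles this kind of dispute: does the server finish a handshake at the version the client offers, or abort with an alert? The script below is an added example, not code from the thread or from either vendor. It does the same probe in Python: read the 220 greeting, send EHLO, confirm STARTTLS is advertised, send STARTTLS, then handshake with the client pinned to a single TLS version and report the outcome. The port 587, the 10 second timeout and the EHLO name "probe.example" are assumptions; the host is taken from the command line, and the sample reply lines in the offline self-check are constructed.

```python
"""Probe which TLS versions an SMTP server accepts after STARTTLS.

Added example, not code from the thread. Mirrors what the answer does with
`openssl s_client -starttls smtp [-tls1]`: EHLO, check STARTTLS is offered,
send STARTTLS, then handshake pinned to one TLS version and report whether
the server completed it or aborted with an alert (the answer's "handshake
failure ... alert number 40").
"""
import socket
import ssl
import sys

DEFAULT_PORT = 587   # assumption: submission port, as in the answer
TIMEOUT = 10         # assumption: seconds


def complete_reply(buf):
    """Return the lines of a full SMTP reply in `buf`, or None if more bytes
    are needed. Continuation lines read '250-X'; the last line of a reply has
    a space after the code ('250 X'), so the reply ends at the first such line."""
    lines = buf.decode("ascii", "replace").split("\r\n")
    for i, line in enumerate(lines[:-1]):      # lines[-1] is an unterminated tail
        if len(line) >= 4 and line[3] == " ":
            return lines[: i + 1]
    return None


def read_reply(sock):
    """Read one (possibly multi-line) SMTP reply from a connected socket."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        lines = complete_reply(buf)
        if lines is not None:
            return lines


def parse_ehlo(lines):
    """Return (reply code, set of advertised extension keywords) from an EHLO
    reply. The first line carries the server name, the rest the extensions."""
    code = lines[0][:3]
    exts = {line[4:].split(" ", 1)[0].upper() for line in lines[1:] if len(line) > 4}
    return code, exts


def classify_ssl_error(err):
    """Map the text of an ssl.SSLError to a short verdict (pure function, so
    it can be checked without a network)."""
    text = str(err).lower()
    if "alert number 40" in text or "handshake failure" in text:
        return "server_rejected_version"   # what the answer saw with -tls1
    if "alert number 70" in text or "protocol version" in text:
        return "server_rejected_version"   # newer servers send this alert instead
    if "no protocols available" in text or "unsupported protocol" in text:
        return "client_refuses_version"    # the local TLS library will not offer it
    return "handshake_error"


def probe_starttls(host, port=DEFAULT_PORT, version=None, timeout=TIMEOUT):
    """EHLO/STARTTLS, then handshake pinned to `version` (an ssl.TLSVersion,
    or None for the library default). Returns a dict with a 'verdict' key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # we test negotiation, not the cert chain
    if version is not None:
        ctx.minimum_version = version
        ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if read_reply(sock)[0][:3] != "220":
                return {"verdict": "no_smtp_greeting"}
            sock.sendall(b"EHLO probe.example\r\n")   # assumption: EHLO name
            code, exts = parse_ehlo(read_reply(sock))
            if code != "250" or "STARTTLS" not in exts:
                return {"verdict": "starttls_not_offered", "extensions": sorted(exts)}
            sock.sendall(b"STARTTLS\r\n")
            if read_reply(sock)[0][:3] != "220":
                return {"verdict": "starttls_refused"}
            try:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result = {"verdict": "ok", "protocol": tls.version(),
                              "cipher": tls.cipher()[0]}
                    tls.sendall(b"QUIT\r\n")
                    return result
            except ssl.SSLError as err:
                return {"verdict": classify_ssl_error(err), "detail": str(err)}
    except OSError as err:                 # DNS failure, refused, timeout
        return {"verdict": "connect_error", "detail": str(err)}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"usage: {sys.argv[0]} <smtp-host> [port]")
        # Offline self-check on the alert text quoted in the answer.
        print(classify_ssl_error("sslv3 alert handshake failure: SSL alert number 40"))
        sys.exit(0)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    for name, ver in [("TLS 1.0", ssl.TLSVersion.TLSv1),
                      ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
                      ("TLS 1.2", ssl.TLSVersion.TLSv1_2)]:
        print(name, probe_starttls(host, port, ver))
```

A "server_rejected_version" verdict for TLS 1.0 next to an "ok" verdict for TLS 1.2 reproduces the answer's finding and points at the client. A "client_refuses_version" verdict is also informative: a current OpenSSL build declines to offer TLS 1.0 at all, which is the same situation Robert's comment describes for a Schannel-based client on an unpatched Windows, just on the other side of the policy line. Certificate verification is deliberately switched off because the question is about version negotiation, not chain validity; a production mail client should of course verify.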