TLS fails on outgoing mail

I want to implement DKIM with the SMG. So I try to get the outbound mails to go through the SMG. But when I do that I get a TLS error on the GWIA:

19:59:41 84FC DMN: MSG 3194551 Attempting to connect to <smg ip>
19:59:41 84FC DMN: MSG 3194551 Connected to [smg ip] (smg ip)
19:59:41 84FC DMN: MSG 3194551 SMTP STARTTLS failure (8922)
19:59:42 84FC DMN: MSG 3194551 Send Failure: 500 Command out of sequence

On the SMG I see this:

STARTTLS
[139985231525632] 2019-11-14 20:00:01 (SMTP)<3545> [g->c] 220 Ready to start TLS
[139985231525632] 2019-11-14 20:00:01 (SMTP)<3545> TLS negotiation failed: SSL: (-1) accept fail protocol error : error:00000001:lib(0):func(0):reason(1) : undefined reason
[139985231525632] 2019-11-14 20:00:02 (SMTP)<3545> [c->g] EHLO mail.meerdaneen.nl
[139985231525632] 2019-11-14 20:00:02 (SMTP)<3545> [g->c] 500 Command out of sequence
[139985231525632] 2019-11-14 20:00:02 (SMTP)<3545> [c->g] HELO mail.meerdaneen.nl
[139985231525632] 2019-11-14 20:00:02 (SMTP)<3545> [g->c] 500 Command out of sequence
[139985231525632] 2019-11-14 20:00:02 (SMTP)<3545> [c->g] Receive Error: SOCKET: Peer disconnected during data receive
[139985231525632] 2019-11-14 20:00:02 (SMTP)<3545> Processing complete for connection from 10.0.0.211
[139985231525632] 2019-11-14 20:00:02 (SMTP)<3545> SMTP client connection finished processing (client count 0)

 

Can anyone help me with this? What can be the reason for this TLS failure?

  • I have seen this with some mailers lately. For whatever reason they fail the certificate check and you get:

    SMTP STARTTLS failure (8922)

    Thing is that some handle this in a sensible manner, i.e.:

    SMTP STARTTLS failure, continuing non encrypted

    Why they barf I do not know, but do you have a self-signed certificate?

  • Yes, I did not have an official certificate on both the GWIA and the SMG.

    I now have. Both on the GWIA, the HTTPS interface of the SMG and on the SSL settings of the SMG.

    The previous error has gone. But now I get this on the GWIA:

    15:51:05 FC66 MSG 3202762 Response: 250 Sender accepted
    15:51:05 FC66 MSG 3202762 Detected error on SMTP command
    15:51:05 FC66 MSG 3202762 Command: RCPT TO:<xxxxxx@gmail.com>
    15:51:05 FC66 MSG 3202762 Response: 450 Requested mail action not taken
    15:51:05 FC66 MSG 3202762 Command: DATA
    15:51:05 FC66 MSG 3202762 Response: 221 Service closing transmission channel
    15:51:05 FC66 MSG 3202762 Detected error on SMTP command
    15:51:05 FC66 MSG 3202762 Command: Data...
    15:51:05 FC66 MSG 3202762 Response: 450 Host down (gwavahost.mydomain.nl)

    -------------------------

    The SMG smtp interface says:

    [139804985509632] 2019-12-05 15:48:18 (SMTP)<15> [g->s] MAIL FROM:<xxxxxx@meerdaneen.nl>
    [139804985509632] 2019-12-05 15:48:18 (SMTP)<15> [s->g] 250 2.1.0 OK y12si8768989pfe.138 - gsmtp
    [139804985509632] 2019-12-05 15:48:18 (SMTP)<15> [g->s] RCPT TO:<xxxxxxx@gmail.com>
    [139804958209792] 2019-12-05 15:48:59 (SMTP)<16> [s->g] Receive Error: SOCKET: Connection timeout during read operation
    [139804958209792] 2019-12-05 15:48:59 (SRVS)<16> Computed SMTP host alt2.gmail-smtp-in.l.google.com
    [139804958209792] 2019-12-05 15:48:59 (SRVS)<16> Connecting to SMTP host at alt2.gmail-smtp-in.l.google.com
    [139804958209792] 2019-12-05 15:48:59 (SRVS)<16> Connection established with SMTP host alt2.gmail-smtp-in.l.google.com [108.177.97.26] [108.177.97.26] <fd:13>
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [s->g] 220 mx.google.com ESMTP z4si43908pjp.34 - gsmtp
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [g->s] EHLO mail.meerdaneen.nl
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [s->g] 250-mx.google.com at your service, [95.211.113.198]
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [s->g] 250-SIZE 157286400
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [s->g] 250-8BITMIME
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [s->g] 250-STARTTLS
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [s->g] 250-ENHANCEDSTATUSCODES
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [s->g] 250-PIPELINING
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [s->g] 250-CHUNKING
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [s->g] 250 SMTPUTF8
    [139804958209792] 2019-12-05 15:49:00 (SMTP)<16> [g->s] MAIL FROM:<xxxxxxx@meerdaneen.nl>
    [139804985509632] 2019-12-05 15:49:18 (SMTP)<15> [s->g] Receive Error: SOCKET: Connection timeout during read operation
    [139804985509632] 2019-12-05 15:49:18 (SMTP)<15> [g->c] 450 Requested mail action not taken

    I tried to raise the connection time-out on the SMG from 15 to 25. But no result....

  • If you entered a TLS certificate, at times it may not be accepted because the cipher list you are using is not matching up / accepted. You could try to use the cipher list used in this TID for reference:

    https://support.microfocus.com/kb/doc.php?id=7024569

    Regards,

    Georg
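
Added example, not part of the thread or of any poster's reply: a small Python parser for the SMG SMTP log format shown above. It groups lines by connection id and flags the two conditions visible in the posted logs: a failed STARTTLS handshake followed by a rejected plaintext command, and an upstream read timeout with the seconds waited. Reading g, c and s as gateway, client and upstream server is an assumption inferred from the posted lines; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the SMG logs posted in this thread.
SAMPLE = """\
[139985231525632] 2019-11-14 20:00:01 (SMTP)<3545> [g->c] 220 Ready to start TLS
[139985231525632] 2019-11-14 20:00:01 (SMTP)<3545> TLS negotiation failed: SSL: (-1) accept fail protocol error : error:00000001:lib(0):func(0):reason(1) : undefined reason
[139985231525632] 2019-11-14 20:00:02 (SMTP)<3545> [c->g] EHLO mail.meerdaneen.nl
[139985231525632] 2019-11-14 20:00:02 (SMTP)<3545> [g->c] 500 Command out of sequence
[139804985509632] 2019-12-05 15:48:18 (SMTP)<15> [g->s] RCPT TO:<xxxxxxx@gmail.com>
[139804985509632] 2019-12-05 15:49:18 (SMTP)<15> [s->g] Receive Error: SOCKET: Connection timeout during read operation
[139804985509632] 2019-12-05 15:49:18 (SMTP)<15> [g->c] 450 Requested mail action not taken
"""

# [thread] date time (component)<connection> [optional from->to] message
LINE = re.compile(r"^\[\d+\] (\S+ \S+) \((\w+)\)<(\d+)> (?:\[(\w)->(\w)\] )?(.*)$")

def parse(text):
    """Group events by connection id: {conn: [(time, direction, message)]}."""
    conns = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that are not in the SMG format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        direction = f"{m.group(4)}->{m.group(5)}" if m.group(4) else None
        conns[m.group(3)].append((ts, direction, m.group(6)))
    return conns

def findings(text):
    """Return (connection, finding, seconds_waited_or_None) tuples."""
    out = []
    for conn, events in parse(text).items():
        tls_failed, last_sent = False, None
        for ts, direction, msg in events:
            if msg.startswith("TLS negotiation failed"):
                tls_failed = True
                out.append((conn, "tls_handshake_failed", None))
            elif tls_failed and direction == "g->c" and msg.startswith("500 "):
                # Client carried on in plaintext after the handshake broke.
                out.append((conn, "plaintext_command_rejected_after_failed_tls", None))
                tls_failed = False
            elif direction == "g->s":  # assumption: gateway to upstream server
                last_sent = (ts, msg.split()[0])
            elif "Connection timeout during read" in msg and last_sent:
                wait = int((ts - last_sent[0]).total_seconds())
                out.append((conn, f"upstream_timeout_after_{last_sent[1]}", wait))
    return out
```

Calling `findings()` on a full log file's text gives one tuple per event, which makes it easy to see whether a delivery failure started at the TLS handshake or at the upstream hop.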