Cannot send mail to certain recipients. SMTP STARTTLS failure (8922)

1 Likes

Symptoms

Cannot mail certain recipients. The sender sees this in the GW Client:

 

 

 

The reason given for the delay: 420 TCP write error

 

 

 

The following is shown in the GWIA log:

 

 

 

07:11:54 2323 DMN: MSG 2815270 Attempting to connect to mail12.surftown.se 07:11:54 2323 DMN: MSG 2815270 Connected to [212.97.132.52] (mail12.surftown.se) 07:11:54 2323 DMN: MSG 2815270 SMTP STARTTLS failure (8922) 07:11:55 2323 DMN: MSG 2815270 SMTP session ended: [212.97.132.52] (mail12.surftown.se)

 

 

 

 

Diagnosis

The best way to troubleshoot this would be to get a packet trace. On the GWIA server:

 

 

 

tcpdump -i any -s 0 -w /root/surftown.cap host 212.97.132.52

 

 

 

This will capture data just for that ip. Note that you cannot filter on a single IP if the recipient has multiple ones.

Open the packet trace in Wireshark. Look at the client and server hellos:

Client Hello. That is you:

clipboard_image_0.png

You are indicating that you support TLS up to 1.2. Ideally the receiving mailserver should use that version, but instead:
 
clipboard_image_2.png
Here the receiving mailserver uses TLS 1.0 and that protocol is regarded as unsecure and was deprecated in June 2018. GW 18.2 will not talk to him.

Solution

Ask the admin of the receiving mailserver to upgrade to a supported version of SSL

Labels:

How To-Best Practice
Comment List
Anonymous
Parents
  • Massimo,

    Laura turned this over to me.  In checking with engineering, as they are the ones that made the decision, here is what I have gotten back.

    We discussed the fact that GWIA does not fallback to unencrypted transfer.  We did not want to ever use TLS 1.0 without the admin explicitly "dumbing down" their system.  The fallback to unencrypted transfer could be argued, but we never recommend allowing unencrypted.

    So if you still believe that GWIA should fallback, please enter an enhancement request and let Mike decide if this is a decision he wants to reverse.

    Pam

Comment
  • Massimo,

    Laura turned this over to me.  In checking with engineering, as they are the ones that made the decision, here is what I have gotten back.

    We discussed the fact that GWIA does not fallback to unencrypted transfer.  We did not want to ever use TLS 1.0 without the admin explicitly "dumbing down" their system.  The fallback to unencrypted transfer could be argued, but we never recommend allowing unencrypted.

    So if you still believe that GWIA should fallback, please enter an enhancement request and let Mike decide if this is a decision he wants to reverse.

    Pam

Children
No Data
Related Discussions
Recommended