ABach

GWIA unable to send TLS Encrypted mail

Hi all,
This is for one of my customers I support.

Their v2014 R2 GWIA has: Agent Settings, SMTP, SSL [Enabled] but all mail from them comes (TLS Not Encrypted). Does not matter who the recipient is (other GW, GMAIL, Rogers/Yahoo all tested)
If we put SSL as (Required) then no mail goes out!

We started with a self-signed cert, then let GWAdmin Console generate one, and at the advice of MF Support purchased a REAL certificate and nothing improves.

Normally the Generate Certificate button in GWAdmin console is all that's needed to get this going, but no luck.

This weekend, we patched everything in sight and are now at: OES 2015 SP1, SLES 11.4, GW 14.2.2, still no luck.

The GWIA logs just show:
Connected To server: [recipient server IP]
Transferred

It is missing the happy line: "SMTP upgraded to a secure connection"

This is my first of dozen(s) of GWIA's I've worked with where I can't get TLS to work.

Any ideas?

Does anyone think it could be SSL issues on the SLES box?
Eg. Broken OpenSSL
(in which case, be aware that this is clustered and we *have* tried moving the GWIA resource to another identically built and patched NODE with no change).
Knowledge Partner

Re: GWIA unable to send TLS Encrypted mail

abach wrote:

> The GWIA logs just show:
> Connected To server: [recipient server IP]
> Transferred
>
> It is *missing* the happy line: "SMTP upgraded to a secure connection"
>
> This is my first of dozen(s) of GWIA's I've worked with where I can't
> get TLS to work.
>
> Any ideas?


Try to set the GWIA logging to "verbose" or even "diagnostic" and then
check the log for additional information. If necessary, you can use
Wireshark to capture packets and see exactly what is happening on the
wire.

While the sending SMTP server can offer a secure connection, it's up to
the receiving SMTP server to request it.

--
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
ABach

Re: GWIA unable to send TLS Encrypted mail

Verbose and Diagnostic logs didn't show anything when we tried last week.

Packet capture may be our only hope unless something else turns up. Support said they had no issues (!) when they recreated our system.

Andreas
Knowledge Partner

Re: GWIA unable to send TLS Encrypted mail

abach wrote:

> Normally the Generate Certificate button in GWAdmin console is all
> that's needed to get this going, but no luck.


At this point, maybe it's time to start checking some things we just
take for granted like:
- Do the links in the GWIA configuration actually point to the cert/key
files?
- Are the cert/key files in the correct format?
- Are the file permissions correct to allow GWIA access to them?

--
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada
ABach

Re: GWIA unable to send TLS Encrypted mail

All good points Kevin

I should have mentioned that in Agent Settings, HTTP, I turned on SSL (ENABLED).
When I browse to GWIA:9850 it presents the right and happy certificate in my web browser.

Andreas
Knowledge Partner

Re: GWIA unable to send TLS Encrypted mail

On 15.05.2017 at 23:06, abach wrote:
>
> Hi all,
> This is for one of my customers I support.
>
> Their v2014 R2 GWIA has: Agent Settings, SMTP, SSL [Enabled] but all
> mail from them comes (TLS Not Encrypted). Does not matter who the
> recipient is (other GW, GMAIL, Rogers/Yahoo all tested)
> If we put SSL as (Required) then no mail goes out!



Telnet to that GWIA on port 25, and type "EHLO test.com".

Does the GWIA reply (among others) with "250 STARTTLS"?

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
ABach

Re: GWIA unable to send TLS Encrypted mail

Inbound to the GWIA works. There is 250 STARTTLS in the handshake. 🙂

However, when going out we just discovered things are amiss.

When we telnet on port 25 FROM the GWIA box to an outside host instead of:
220 host.example.com GroupWise Internet Agent 14.2.2 Copyright (c) 1993-2017 Micro Focus All rights reserved. Ready

We get:
220 **********************************************

WTF!??

Then on EHLO example.com we see:
250 XXXXXXXA

Again, Whaaaat??

Mail is not set to go via a relay host, so it looks like something in their firewall or ISP is messing things up. A transparent SMTP proxy perhaps?
Calls are being made as I write! I will post here when the mystery is solved.

Andreas
Knowledge Partner
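An added example (not from the thread or from GroupWise) that performs the EHLO check Massimo describes and flags the two symptoms Andreas reports above: a 220 banner replaced by a run of asterisks, and an EHLO reply that no longer advertises STARTTLS. The host names and the two sample transcripts are constructed for illustration.

```python
import re
import socket
from dataclasses import dataclass

@dataclass
class SmtpProbeResult:
    extensions: list        # EHLO keywords the server advertised
    offers_starttls: bool   # True when STARTTLS is among them
    banner_masked: bool     # True when the 220 greeting text is only asterisks

def parse_ehlo_reply(reply: str) -> list:
    """Return EHLO extension keywords from a (possibly multi-line) 250 reply."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    keywords = []
    for i, line in enumerate(lines):
        if not re.match(r"250[ -]", line):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i > 0:  # the first 250 line carries the server's domain, not an extension
            keywords.append(line[4:].split()[0].upper())
    return keywords

def assess(banner: str, ehlo_reply: str) -> SmtpProbeResult:
    """Judge a banner/EHLO pair: is STARTTLS offered, has the banner been masked?"""
    extensions = parse_ehlo_reply(ehlo_reply)
    text = banner[4:].strip() if banner.startswith("220") else ""
    masked = bool(text) and set(text) == {"*"}
    return SmtpProbeResult(extensions, "STARTTLS" in extensions, masked)

def probe(host: str, port: int = 25, timeout: float = 10.0) -> SmtpProbeResult:
    """Live check from the sending host: read the banner, send EHLO, assess."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rb")
        banner = f.readline().decode(errors="replace").rstrip("\r\n")
        sock.sendall(b"EHLO probe.example\r\n")  # hypothetical client name
        lines = []
        while True:  # a multi-line reply uses "250-" until the final "250 " line
            line = f.readline().decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":
                break
        sock.sendall(b"QUIT\r\n")
    return assess(banner, "\r\n".join(lines))

# Constructed sample transcripts modelled on the thread, not real captures.
HEALTHY_BANNER = "220 host.example.com GroupWise Internet Agent 14.2.2 Ready"
HEALTHY_EHLO = "250-host.example.com\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME"
MASKED_BANNER = "220 " + "*" * 46
MASKED_EHLO = "250 XXXXXXXA"  # the real extension list, STARTTLS included, is gone
```

Running `probe()` against a receiving server from the GWIA host and from a host outside the firewall, then comparing the two results, separates a server that never offers STARTTLS from a path that strips it.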

Re: GWIA unable to send TLS Encrypted mail

On 17.05.2017 at 17:14, abach wrote:
>
> Inbound to the GWIA works. There is 250 STARTTLS in the handshake. 🙂
>
> However, when going out we just discovered things are amiss.
>
> When we telnet on port 25 FROM the GWIA box to an outside host instead
> of:
> 220 host.example.com GroupWise Internet Agent 14.2.2 Copyright (c)
> 1993-2017 Micro Focus All rights reserved. Ready
>
> We get:
> 220 **********************************************
>
> WTF!??
>
> Then on EHLO example.com we see:
> 250 XXXXXXXA
>
> Again, Whaaaat??
>
> Mail is not set to go via a relay host, so it looks like something in
> their firewall or ISP is messing things up. A transparent SMTP proxy
> perhaps?


That's certainly what it looks like.

> Calls are being made as I write! I will post here when the mystery is
> solved.


Please do!

CU,
--
Massimo Rosen
Micro Focus Knowledge Partner
No emails please!
http://www.cfc-it.de
ABach

Re: GWIA unable to send TLS Encrypted mail

IT'S NOW WORKING!

<Grrr>
Their firewall had an enabled feature called: SMTP Inspection
Sort of like stateful firewall smtp rules

It turned off/corrupted lots of handshaking commands including TLS.

Here's a similar situation:
https://supportforums.cisco.com/discussion/11216731/asa-esmtp-inspection-stopping-outbound-mail

Right now we turned off SMTP inspection and everything works! It may be possible to turn it on again but with: "no inspect esmtp" as an option.

Thanks all for your patience and assistance.

Andreas
Knowledge Partner

Re: GWIA unable to send TLS Encrypted mail

abach wrote:

> Their firewall had an enabled feature called: SMTP Inspection


I haven't heard of that one before.

It would seem that GWIA would never have seen the response to encrypt
the out bound stream and therefore *never* have sent encrypted email
unless the router configuration was changed some time after GroupWise
had been installed and running.

We appreciate your posting the resolution to your issue.

--
Kevin Boyle - Knowledge Partner - Calgary, Alberta, Canada

Knowledge Partner

Re: GWIA unable to send TLS Encrypted mail

In article <abach.7ynq8o@no-mx.forums.microfocus.com>, Abach wrote:
> Their firewall had an enabled feature called: SMTP Inspection
> Sort of like stateful firewall smtp rules
>
> It turned off/corrupted lots of handshaking commands including TLS.
>
> Here's a similar situation:
> https://supportforums.cisco.com/discussion/11216731/asa-esmtp-inspection-stopping-outbound-mail
>
> Right now we turned off SMTP inspection and everything works! It may be
> possible to turn it on again but with: "no inspect esmtp" as an option.


I've hit this before as well. Usually at the other end of the connection in the earlier
days (Postini era) of turning on TLS. You'd think this wouldn't be a problem anymore, that
it would be fixed on those firewalls. Perhaps worth finding out how current (or not) the
code is on that firewall.


Andy of
http://KonecnyConsulting.ca in Toronto
Knowledge Partner