TLS failing on email from Outlook

  • 7024569
  • 17-Apr-2020
  • 24-Mar-2021

Environment

GWAVA (Secure Messaging Gateway) 7

Situation

Getting an error of "TLS negotiation failed" on email from outlook.com or outlook.de. TLS works fine on email from other domains.

Resolution

The SSL cipher list is a default list and can be changed to meet certain needs. If TLS is failing on messages from Outlook, change the cipher list. See below:

Note: This configuration is compatible with a number of very old clients and should be used only as a last resort. Take a hard look at your infrastructure needs before using this configuration; it is intended for special use cases only. If possible, use this configuration only for the endpoints that require it, segregating it from other traffic.

1) Log in to the SMG System Admin UI.

2) Under Module Management | Interfaces | SMTP Interface Manager | SMTP Interface | SSL | SSL cipher list, save a copy of the current contents of this field in case you need to revert, then replace it with the following:

ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA

3) Save changes.

Messages from Outlook should now negotiate TLS successfully.

Note: Default cipher list: EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4

The cipher string configured in the admin UI replaces the default string. The entire string is passed as-is to the OpenSSL layer. Per the OpenSSL documentation:

The order of the ciphers in the string is the order in which OpenSSL will try them when negotiating a connection.

To ensure the strongest ciphers possible are used, place them in the string ahead of any allowed weaker ciphers.
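Because SMG hands the field contents to OpenSSL unchanged, the string can be checked before it is pasted into the admin UI. The following Python example is added here and is not part of this article or of SMG: it passes the step 2 cipher string to the local OpenSSL library through Python's ssl module, lists the ciphers it resolves to in the order OpenSSL will try them, and checks the ordering rule above (forward-secret AEAD ciphers ahead of anything weaker). It assumes a Python build linked against OpenSSL 1.1.1 or later; the classification by cipher name is the example's own heuristic, not something OpenSSL or SMG reports.

```python
import ssl

# Cipher string from step 2 of the article, exactly as entered in the SMG
# "SSL cipher list" field (space-separated; OpenSSL also accepts ':' and ',').
ARTICLE_CIPHER_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 "
    "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 "
    "ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 "
    "DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 "
    "ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 "
    "ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA "
    "ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 "
    "ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA "
    "DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 "
    "AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 "
    "AES128-SHA AES256-SHA DES-CBC3-SHA"
)


def expand_cipher_list(cipher_string):
    """Hand the string to OpenSSL unchanged (as SMG does) and return the
    ordered cipher names it resolves to for TLS 1.2 and below.
    Raises ssl.SSLError if OpenSSL cannot select a single cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # OpenSSL 1.1.1+ always lists the TLS 1.3 suites as well; they are not
    # governed by this string, so they are left out of the result.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def validate_cipher_string(cipher_string):
    """Return (True, resolved names) or (False, OpenSSL's error text)."""
    try:
        return True, expand_cipher_list(cipher_string)
    except ssl.SSLError as exc:
        return False, str(exc)


def classify(name):
    """Heuristic classification of an OpenSSL cipher name (assumption of this
    example): ECDHE/DHE key exchange gives forward secrecy, GCM and
    ChaCha20-Poly1305 are AEAD, and 3DES/RC4/MD5/NULL/export are legacy."""
    return {
        "forward_secrecy": name.startswith(("ECDHE-", "DHE-")),
        "aead": "-GCM-" in name or "CHACHA20-POLY1305" in name,
        "legacy": any(tag in name for tag in ("DES-CBC3", "RC4", "MD5", "NULL", "EXP")),
    }


def audit_order(names):
    """Apply the ordering rule from the article: because OpenSSL tries ciphers
    in the order given, every strong (forward-secret AEAD) cipher should come
    before every weak one (no forward secrecy, or a legacy algorithm)."""
    strong_positions, weak_positions, legacy_names = [], [], []
    for index, name in enumerate(names):
        props = classify(name)
        if props["forward_secrecy"] and props["aead"]:
            strong_positions.append(index)
        if not props["forward_secrecy"] or props["legacy"]:
            weak_positions.append(index)
        if props["legacy"]:
            legacy_names.append(name)
    return {
        "total": len(names),
        "strong": len(strong_positions),
        "weak": len(weak_positions),
        "legacy_names": legacy_names,
        "strong_first": (not strong_positions or not weak_positions
                         or max(strong_positions) < min(weak_positions)),
    }


if __name__ == "__main__":
    ok, result = validate_cipher_string(ARTICLE_CIPHER_LIST)
    if not ok:
        print("OpenSSL rejected the string:", result)
    else:
        for name in result:
            print(f"{name:32s} {classify(name)}")
        print(audit_order(result))
```

Running the script prints the resolved list in negotiation order followed by a summary; for the article's string the summary shows nine forward-secret AEAD ciphers at the head of the list, seven ciphers without forward secrecy at the tail, and DES-CBC3-SHA as the only legacy algorithm, which is the reason the article treats this list as a last resort. Names that the local OpenSSL build does not support (for example 3DES on builds that disable it) are silently dropped rather than rejected, so comparing the resolved list against what was typed is also a quick way to spot a misspelled cipher name.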