Not receiving emails from VA.gov - TLS & AES ciphers? 1

[tunten35]

Hi,
I'm running Exchange Server 2003 on Windows 2003 R2 Enterprise with all patches with a current Thawte SSL certificate installed on my Default SMTP Virtual Server. We've been unable to receive emails from VA.gov addresses for the past 2 months. VA.gov users receive an NDR:

5.0.0 smtp; 5.4.7 - Delivery expired (message too old) [Outbound_Profile] "(336130315, 'error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number')" (delivery attempts: 52)

Based on my SMTP logs, I've found that they send email out using TLS, and using SSLScan, I found that they support the following ciphers:

Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA

Prefered Server Cipher(s):
TLSv1 256 bits AES256-SHA

Our server supports these ciphers:
Supported Server Cipher(s):
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5

Prefered Server Cipher(s):
TLSv1 128 bits RC4-MD5

Although we both support 3DES, I also installed hotfix kb948963 that adds AES128-SHA and AES256-SHA, and then rebooted the server. After doing so, my supported ciphers change to:

Supported Server Cipher(s):
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA
Accepted TLSv1 128 bits RC4-SHA
Accepted TLSv1 128 bits RC4-MD5

Prefered Server Cipher(s):
TLSv1 128 bits AES128-SHA

However, I still can't receive email from them, and I also stop receiving emails from other mail servers. I ran a Basic Receiver Test on checktls.com and found that it failed with error:
checktls cannot proof e-mail address (reason: mail from rejected)
The cipher used was AES128-SHA

After disabling AES128 and AES256 via the registry, I re-ran the Basic Receiver Test, and then all tests passed. The cipher used was RC4-MD5.

I'm stumped, and would appreciate any new ideas.
Thank you.

 

[cshughes]

Interesting - EXACTLY the same problem at our end too - mail to the VA worked fine and then stopped working. Now I've added the AES ciphers and I have some mail problems. Very strange. Did you find out any more?

 

[tunten35]

I couldn't get the AES or 3DES ciphers to work with our Exchange 2003 environment, so I ended up removing the SSL certificate altogether from our default SMTP virtual server. After that inbound emails started flowing from VA.gov addresses again.

Good luck!

 

[cshughes]

Same here - although that upset all of the people using SSL over SMTP to secure their email sending to our server. I added a second virtual server on a custom port with SSL enabled to make those people happy.

Interestingly enough, even with AES on, I could still get some messages - for some reason gmail messages wouldn't come through, but messages from facebook would come through.

Another thought: I did read somewhere that some govt organizations (notably DoD) will only accept a cert with a chain of trust from certain providers - verisign being one, digi-cert being another. I wonder if there might be a similar issue, although the error messages don't indicate this. Our cert was from starfield/godaddy. CheckTLS was happy with it, but perhaps va.gov is not?

 

[tunten35]

Yup, I too created separate secure SMTP VS's with custom ports for our users.

I read on some forum that Exchange 2003's implementation of 3DES was flawed. I would guess that AES was never supported, and MS never bothered to issue a fix. Link

Haven't thought of using another CA.

We're looking at moving to MS's Office 365 cloud solution soon so I won't have to deal with these issues anymore.

 

[ShackDaddy]

You'll have a new raft of issues.

Dave Shackelford
ThirdTier.net
TrainSignal.com