Failed to connect to SMTP host serverdomain.ext. SMTPClient: SSL handshake error 1C7Ah

Mindwatering Incorporated

Author: Tripp W Black

Created: 01/26 at 05:48 PM


Category:
Domino Server Issues Troubleshooting
Mail Routing

Issue:
Servers are failing in the TLS handshake for outgoing SMTP. The following debug settings have been added:
DEBUG_SSL_ALL=3
SSL_TRACE_KEYFILEREAD=1
DEBUG_SLL_HANDSHAKE=2

The following is observed when the negotiation begins:
[1...0] 01/26/2024 05:40:32 PM [1...0] SMTPClient: SSL handshake error: 1C7Ah
[1...0] 01/26/2024 05:40:32 PM Router: No messages transferred to TARGETDOMAIN.COM (host MX1.TARGETDOMAIN.COM) via SMTP: SSL IO error. Remote session no longer responding.

According to the sending Domino server, the failure is in the TLS negotiation.
According to the receiving Postfix server, it fails either in the TLS negotiation or at the end of the DATA section, where the Domino SMTPClient never sends the terminating "." that commits the message.

We noticed the Domino server was still offering old TLS ciphers that had been removed from the "best" list about 6 months ago.

We performed:
a. Admin client --> Configuration (tab) --> Server (left twistie) --> All Server Documents (view option)
b. Highlighted server document, clicked Edit Server button.
c. Remove the "deprecated" (less secure) ciphers:
Note:
The list is not visible while Internet Sites are in use, so you have to temporarily disable that setting, update the list, and re-enable it, as below.
- Basics (tab) --> Load Internet configurations from Server\Internet Sites documents (field) from Enabled to Disabled.
- View (top menu) --> Refresh (or F9)
- Ports (tab) --> Internet Ports (sub-tab) --> Under the TLS settings (heading) --> TLS ciphers (field) --> Modify (button)
- - Uncheck any ciphers in the lower deprecated section. Click OK to save any changes in the dialog to the document.
- Basics (tab) --> Load Internet configurations from Server\Internet Sites documents (field) back to Enabled.
- View (top menu) --> Refresh (or F9)
- Click Save & Close button

d. In the Domino console:
> tell router update config

e. Waited for mail to route again.
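An added check for both halves of this fix (my own example, not Mindwatering's or HCL's code): classify a cipher list the way the deprecated section of the TLS ciphers dialog splits it, and after `tell router update config`, confirm that a STARTTLS session to the target MX negotiates TLS 1.2 or later with a modern suite. The cipher names, the weak-suite heuristics and the sample list are assumptions, not values taken from a server document.

```python
import re
import smtplib
import ssl

# Name fragments that mark a suite as deprecated. The fragments follow OpenSSL-style
# suite names and the list itself is my assumption, not HCL's deprecated list.
WEAK_MARKERS = ("NULL", "EXP", "ADH", "AECDH", "RC4", "RC2", "DES", "MD5", "IDEA")

# Constructed sample, not copied from a Domino server document.
SAMPLE_CIPHERS = [
    "TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA", "AES256-SHA", "ECDHE-RSA-DES-CBC3-SHA", "RC4-SHA",
]


def classify_ciphers(names):
    """Split suite names into (keep, drop); drop maps each rejected suite to a reason."""
    keep, drop = [], {}
    for name in names:
        upper = name.upper()
        hit = next((m for m in WEAK_MARKERS if m in upper), None)
        if hit:
            drop[name] = f"contains {hit}"
        elif not upper.startswith(("ECDHE-", "DHE-", "TLS_")):
            drop[name] = "static RSA key exchange, no forward secrecy"
        elif "-SHA" in upper and not re.search(r"SHA(256|384)", upper):
            drop[name] = "SHA-1 MAC"
        else:
            keep.append(name)
    return keep, drop


def probe_starttls(host, port=25, timeout=10):
    """Open an SMTP session and STARTTLS with a TLS 1.2+ only context, like a
    hardened sender would; report the negotiated protocol and suite, or the error."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return {"ok": False, "error": "STARTTLS not advertised"}
            smtp.starttls(context=ctx)
            return {"ok": True, "protocol": smtp.sock.version(), "cipher": smtp.sock.cipher()[0]}
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "error": str(exc)}
```

Run `classify_ciphers()` on the names shown in the TLS ciphers dialog, then `probe_starttls("MX1.TARGETDOMAIN.COM")` once mail routes again; a handshake failure comes back as the `error` string rather than an exception.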

Note:
This error was VERY similar to the one seen when the outgoing TLS key file name is incorrect; both produce the same "SSL handshake error: 1C7Ah" message.
The difference was the next line: in this case the reason given is an SSL IO error.

The server document now has an Outgoing Keyring field on the Internet Ports tab. The field help says to make sure the .kyr extension is included.
However, with later 12.0.x releases, which can bypass the .kyr keyring files in favor of the Certificate Store (TLS credentials referenced by name), the same domain entry in CertStore.nsf can be used here as well.
Server document --> Ports --> Internet Ports --> Outgoing TLS Key file name
