Encryption too weak...

spepin001
Level 1

Hi,

 

For a few days now, one of our partners hasn't been able to send us any mail.

Senders receive back this error: Remote Server returned '< #5.7.0 SMTP; 503 5.7.0 encryption too weak 0 less than 128>'

I checked my settings on my IronPort server, but I didn't find what's wrong. I tried to put them into a Mail Flow Policy to force TLS, but nothing changed.

I ran the tail command on the CLI; I can see their SMTP server opening a session, but closing it immediately. I imagine that when they try to open a TLS channel, they fail and close it!

At this point, I don't know if the issue is on my side or on my partner's side...

Has someone already had this sort of issue?

Thanks for your reply.

 

Sylvain

4 Replies

You need to change your cipher string.

Under System Administration/SSL Configuration, you should try something like this:

MEDIUM:HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:@STRENGTH

This means: include the "Medium" strength ciphers and the "High" strength ciphers, NOT the Null ciphers, NOT the MD5 ciphers, NOT the DSS ciphers, NOT the "Export" strength ciphers, then sort them by strength.

Reference here: https://www.openssl.org/docs/man1.1.0/apps/ciphers.html

Your side and their side will work down your respective lists until you find one that matches...




Thanks Ken,

 

When I enter SSLConfig, for the outbound side, the prompt asks me to select the SSL method:

1. TLS v1.0
2. TLS v1.1
3. TLS v1.2
4. SSL v2
5. SSL v3

By default, #5 looks to be the active option? Must I select another method?

As far as I can see, the cipher string enabled at this moment is: [RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT]

Does it look correct to you?

I'm a complete newbie about TLS & ciphers; to be honest, I'm afraid to change these settings, as I'm not sure I'd be able to get back to the right settings if I broke what is working fine for most cases, except one...

Thank you

Sylvain

To be more secure, but still be able to get mail out, uncheck 4 and 5...

SSL2 and 3 are badly broken.

And your cipher string is very weak too...

I would go with the one I posted earlier... the RC4s are pretty weak too.

At the VERY VERY least, add :@STRENGTH to the end of your string so that the stronger ciphers get tried first.
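Ken's two replies above recommend a new cipher string and, at minimum, an `@STRENGTH` suffix. The script below is an added example, not code from this thread or from Cisco: it expands both the string found on the appliance and the recommended one with Python's `ssl` module, which hands the string to the same OpenSSL cipher-string parser that `openssl ciphers -v` uses, and then reports the properties the partner's "encryption too weak ... less than 128" rejection cares about. It assumes a local OpenSSL build comparable to the one on the ESA; which suites actually appear depends on that build (RC4 is usually not compiled in on current OpenSSL, and on builds that still ship 3DES, MEDIUM pulls in DES-CBC3-SHA, which OpenSSL rates at 112 bits and the audit lists under `below_minimum`).

```python
"""Expand and audit OpenSSL cipher strings (added example, not Cisco code).

Python's ssl module wraps OpenSSL, so SSLContext.set_ciphers() applies the
same MEDIUM/HIGH/!aNULL/@STRENGTH rules that the ESA's sslconfig hands to
its bundled OpenSSL. The two strings below are copied from the thread.
"""
import ssl

# Cipher string the poster found active on the appliance.
WEAK = "RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT"
# Cipher string recommended in the first reply.
RECOMMENDED = "MEDIUM:HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:@STRENGTH"


def expand(cipher_string):
    """Return the suites OpenSSL selects for cipher_string, in negotiation
    order, as (name, protocol, strength_bits, fields) tuples; fields holds
    the Kx=/Au=/Enc=/Mac= parts of the `openssl ciphers -v` description."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    suites = []
    for c in ctx.get_ciphers():
        # description looks like:
        # "AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1"
        fields = dict(tok.split("=", 1)
                      for tok in c["description"].split() if "=" in tok)
        suites.append((c["name"], c["protocol"], c["strength_bits"], fields))
    return suites


def audit(cipher_string, minimum_bits=128):
    """Summarise the weaknesses a partner rejecting '< 128' would object to."""
    suites = expand(cipher_string)
    # OpenSSL always places the TLS 1.3 suites first, independent of
    # @STRENGTH, so judge the ordering on the TLS 1.2-and-below list only.
    legacy_bits = [bits for _, proto, bits, _ in suites if proto != "TLSv1.3"]
    return {
        "count": len(suites),
        "first": suites[0][0] if suites else None,
        "below_minimum": [n for n, _, bits, _ in suites if bits < minimum_bits],
        "rc4": [n for n, _, _, f in suites if f.get("Enc", "").startswith("RC4")],
        "md5": [n for n, _, _, f in suites if f.get("Mac") == "MD5"],
        "anonymous": [n for n, _, _, f in suites if f.get("Au") == "None"],
        "sorted_by_strength": all(a >= b for a, b in zip(legacy_bits, legacy_bits[1:])),
    }


if __name__ == "__main__":
    for label, s in (("appliance", WEAK), ("recommended", RECOMMENDED)):
        try:
            report = audit(s)
        except ssl.SSLError as err:
            print(f"{label}: OpenSSL rejected the string: {err}")
            continue
        print(f"{label}: {s}")
        for key, value in report.items():
            print(f"  {key}: {value}")
```

Running it side by side shows what `@STRENGTH` changes: with the appliance's string, whatever OpenSSL happens to list first is offered first, while with the recommended string the TLS 1.2 list is in strictly non-increasing key-strength order, and the RC4, MD5 and anonymous lists come back empty. Anything printed under `below_minimum` is a suite the partner in this thread would still refuse.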




I applied your advice; I'm monitoring it, and together with my external partner we'll run some tests to validate whether it's OK... or not!

 

Thanks