No TLS for Ironport Cloud?

Bob Fayne · ‎03-05-2014

We have been seeing some strange TLS errors for messages going to domains with MX Records in the *.iphmx.com domain recently. Whois says it belongs to "Cloud Email Security - Cisco Systems" so it would appear to be part of the Ironport Cloud Service. Some of the partner domains I ran tlsverify against came back with this:

Certificate verification failed: self signed certificate in certificate chain.

I decided to try and help out so I sent a note to the ARIN contacts for the IP network and then I got this in response:

Delivery is delayed to these recipients or distribution lists:

bit-bucket@printers.ironport.com

Subject: TLS errors for iphmx.com

This message has not yet been delivered. Microsoft Exchange will continue to try delivering the message on your behalf.

Nice. Makes me glad we stuck with physical appliances.

Anyhoo...has anyone else seen unusual TLS errors to MX Records in iphmx.com?

...Bit-Bucket Bob

David Miller · ‎03-06-2014

Not saying this is the answer, but when Cisco provision a cloud email security system for a customer they provide self signed certs for all SSL/TLS protected transactions including TLS. One of the actions the customer has to perform is to replace those self signed certs with CA signed certs (if they wish). It may be that the domains you are looking at are trials or POCs and they haven't got round to providing signed certs, or they may have decided not to have CA signed TLS certs. It is perfectly valid to use self-signed certs, with the risk that if the "other end" requires signed certs then emails will be bounced or sent over unencrypted channels, according to policy.

paulconsulting · ‎09-11-2015

Looking through communications records for the past twelve weeks, I found that a number of iphmx.com servers are communicating using the RC4 cipher. These emails might as well not even be encrypted.