
TLS none

ccna_security
Level 3

Dear all. I have configured the ESA to use TLS preferred. When Gmail sends me email I can see TLS successfully established. But when I send email to some domain, it is written as "successfully accepted TLS protocol TLSv1 cipher AES128-SHA None". What is the meaning of None? I looked at the TLS Connection status and observed that the TLS connection with that domain was 100 percent successful (for outgoing). I don't understand the log "successfully accepted TLS protocol TLSv1 cipher AES128-SHA None".

 

Incoming connection (ICID 2335715) has sender_group: RELAYLIST, sender_ip: 1.1.1.1 and sbrs: not enabled

Protocol SMTP interface Internal (IP 2.2.2.2) on incoming connection (ICID 2335715) from sender IP 1.1.1.1. Reverse DNS host None verified no.

(ICID 2335715) RELAY sender group RELAYLIST match 1.1.1.1  SBRS not enabled sender IP 1.1.1.1 country not enabled

Message 2120596 Sender Domain: test.com

Start message 2120596 on incoming connection (ICID 2335715).

Message 2120596 enqueued on incoming connection (ICID 2335715) from test@test.com

Message 2120596 direction: outgoing

Message 2120596 on incoming connection (ICID 2335715) added recipient (example@example.com).

Message 2120596 contains message ID header '<1b0c87a2-f4be-4904-@test.com>'.

Message 2120596 original subject on injection: ***test

Message 2120596 (1315684 bytes) from test@test.com ready.

Message 2120596 has sender_group: RELAYLIST, sender_ip: 1.1.1.1 and sbrs: None

Message 2120596 matched per-recipient policy DEFAULT for outbound mail policies.

Message 2120596 scanned by Anti-Virus engine Sophos. Interim verdict: CLEAN

Message 2120596 scanned by Anti-Virus engine. Final verdict: Negative

Message 2120596 is not signed. No domain key profile matches test@test.com

Message 2120596 successfully signed. DKIM DOMAINKEY matched test@test.com

Message 2120596 queued for delivery.

SMTP delivery connection (DCID 1128369) opened from Cisco IronPort interface 10.10.10.10 to IP address 5.5.5.5 on port 25.

Delivery connection (DCID 1128369) successfully accepted TLS protocol TLSv1 cipher AES128-SHA None.

(DCID 1128369) Delivery started for message 2120596 to example@example.com

(DCID 1128369) Message 2120596 bounce verification rewriting sender test@test.com to Unknown.

(DCID 189753) Message 2120596 to test@test.com delayed. Reason: 4.1.0 - Unknown address error 0 []

Message 2120596 to test@test.com pending until Wed Dec 25 04:27:48 2019 as per bounce profile Default.


marc.luescherFRE
Spotlight

Hi there,

 

I just checked our mail logs and while we have many log entries, none of them show "None" as result code.

 

Thu Sep 26 11:42:49 2019 Info: DCID 36957373 TLS success protocol TLSv1 cipher AES128-SHA
Thu Sep 26 13:44:26 2019 Info: DCID 36963274 TLS success protocol TLSv1 cipher AES128-SHA
Thu Sep 26 14:34:13 2019 Info: DCID 36965606 TLS success protocol TLSv1 cipher AES128-SHA
Fri Sep 27 10:31:18 2019 Info: DCID 36988190 TLS success protocol TLSv1 cipher AES128-SHA

 

I think the best way forward would be if you could post the SMTP conversation log entry for this mail exchange either here or via a private message so I can help you.

 

-Marc

 

ppreenja
Cisco Employee

Hi Ccns90,

Could you please share the SSL settings configured for Inbound and Outbound Connection on your ESA?

System Administration-->SSL Configuration --> Inbound/Outbound SMTP

Cheers,
Pratham

Hello Pratham

 

Thanks for your reply. Please see the SSL configuration you asked for.

11.JPG

Hi,

Thank you for sharing the details. However, I'm unable to see the complete details of SSL Ciphers to use option in the given screenshot. Could you please share the same as well?

Cheers,
Pratham

Dear Pratham, please see below.

This is for the outbound SSL configuration:

SSL Cipher(s) to use: ECDH+aRSA:ECDH+ECDSA:DHE+DSS+AES:AES128:AES256:!SRP:!AESGCM+DH+aRSA:!AESGCM+RSA:!aNULL:!eNULL:-IDEA:-aNULL:-EXPORT

Use www.checktls.com/TestReceiver
enter email address for destination domain
select CertDetail

What appears in the brackets, as below?
Certificate 1 of 3 in chain: Cert VALIDATED: ok
Cert Hostname VERIFIED ( ... )

Rather than None - you can get things like subjectAltName:dNSName=<hostname>

Hello Paul, really sorry for the late reply.

I entered our company's domain and the result is shown below.

MX Server | Pref | Answer | Connect | HELO | TLS | Cert | Secure | From
mail.mycompany.com [x.x.x.x.x.x] | 5 | OK (157ms) | OK (2,718ms) | OK (156ms) | OK (153ms) | OK (395ms) | OK (155ms) | OK (154ms)
Average | | 100% | 100% | 100% | 100% | 100% | 100% | 100%

 

Please let me tell you the issue once more. When, for example, Gmail sends us email there is no problem with regard to TLS. It shows successfully. But when we send email from our domain to Gmail, TLS also shows successful, but at the end of the TLS informational message "None" is shown.

As you are sending the email, you should enter the destination domain in checktls.com.
Going back to the start, there is no problem here, just understanding the additional information printed in the TLS output line.

What I find strange is that I see subjectAltName:dNSName=<hostname> even though that domain is not using any TLS Verify option.
I don't see anything for gmail.com (but could be a version issue).

Probably best to ask TAC for a clear definition of what goes in there, if this is related to the Destination Controls
No Verify
Verify
Verify Hosted Domain
and noting that even when I'm using No Verify, I still see output for a couple of domains out of 1000s - you will probably find something similar.


Gmail inbound
Incoming connection (ICID 123456) successfully accepted TLS protocol TLSv1.2 cipher AES128-GCM-SHA256.
Gmail Outbound
Delivery connection (DCID 123456) successfully accepted TLS protocol TLSv1.2 cipher AES128-GCM-SHA256 .

Thank you so much Paul. I will open the case.
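To see how often the trailing field discussed in this thread appears, and on which connections, the TLS lines can be pulled out of a mail log and grouped. The following is an added example, not part of the original posts and not Cisco code; the function names, the hostname `mail.example.com` and DCID 777 are constructed, and the reading of the trailer follows the replies above rather than vendor documentation.

```python
import re
from collections import Counter

# Covers the TLS line shapes quoted in this thread (delivery, incoming, and the
# shorter "TLS success" form). Anything after the cipher is kept as a trailer.
TLS_LINE = re.compile(
    r"\(?(?P<kind>DCID|ICID) (?P<conn_id>\d+)\)? "
    r"(?:successfully accepted TLS|TLS success) "
    r"protocol (?P<protocol>\S+) cipher (?P<cipher>[^\s.]+)(?P<tail>.*)$"
)
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 are deprecated by RFC 8996

def parse_tls_line(line):
    """Return a dict for one TLS log line, or None if the line is not one."""
    m = TLS_LINE.search(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Drop the sentence-ending period; what is left is the field the thread asks about.
    trailer = rec.pop("tail").strip().rstrip(".").strip()
    rec["trailer"] = trailer
    # Assumption (from the replies, not vendor documentation): the trailer holds
    # peer-certificate identity text; the literal word None means nothing was recorded.
    rec["trailer_kind"] = ("absent" if not trailer
                           else "none" if trailer == "None" else "identity")
    rec["connection"] = "delivery" if rec["kind"] == "DCID" else "incoming"
    rec["legacy_protocol"] = rec["protocol"] in LEGACY
    return rec

def summarize(lines):
    """Count (connection, protocol, trailer_kind) over all TLS lines in a log."""
    recs = [r for r in map(parse_tls_line, lines) if r]
    return Counter((r["connection"], r["protocol"], r["trailer_kind"]) for r in recs)

# Constructed sample: four lines copied from the posts above, one constructed
# line with a hostname trailer (placeholder host), and one non-TLS line.
SAMPLE = [
    "Delivery connection (DCID 1128369) successfully accepted TLS protocol TLSv1 cipher AES128-SHA None.",
    "Thu Sep 26 11:42:49 2019 Info: DCID 36957373 TLS success protocol TLSv1 cipher AES128-SHA",
    "Incoming connection (ICID 123456) successfully accepted TLS protocol TLSv1.2 cipher AES128-GCM-SHA256.",
    "Delivery connection (DCID 123456) successfully accepted TLS protocol TLSv1.2 cipher AES128-GCM-SHA256 .",
    "Delivery connection (DCID 777) successfully accepted TLS protocol TLSv1.2 cipher AES128-GCM-SHA256 subjectAltName:dNSName=mail.example.com.",
    "Message 2120596 queued for delivery.",
]

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE).items()):
        print(key, count)
```

Grouping by protocol alongside the trailer also surfaces delivery connections that still negotiate TLSv1, such as DCID 1128369 in the original post.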
