
TLS negotiation failed  


(@t-sha)
New Member
Joined: 4 months ago
Posts: 2
July 9, 2020 09:51

Hello everyone,

since migrating to Exchange 2019 we have had problems sending e-mails to a few domains (we have noticed 3 so far). The e-mails stay in the mailbox queue for up to 24 hours, but can then be delivered at some point. I have enabled logging on the connector; the following entries regarding the 3 domains can be found there.

mail3.**************.de is us. Do you have any idea? Thanks in advance :-)

 

2020-07-07T08:08:12.194Z,Internet,08D81E******,2,**.**.**.**:44280,**.**.**.**:25,+,, 
2020-07-07T08:08:12.210Z,Internet,08D81E******,3,**.**.**.**:44280,**.**.**.**:25,<,220 mail5.*********.com ESMTP ready.,
2020-07-07T08:08:12.210Z,Internet,08D81E******,4,**.**.**.**:44280,**.**.**.**:25,>,EHLO mail3.********.de,
2020-07-07T08:08:12.224Z,Internet,08D81E******,5,**.**.**.**:44280,**.**.**.**:25,<,250 mail5.*********.com Hello mail3.*******.de [80.**********] SIZE 34603008 8BITMIME PIPELINING STARTTLS HELP,
2020-07-07T08:08:12.224Z,Internet,08D81E******,6,**.**.**.**:44280,**.**.**.**:25,>,STARTTLS,
2020-07-07T08:08:12.247Z,Internet,08D81E******,7,**.**.**.**:44280,**.**.**.**:25,<,220 TLS go ahead,
2020-07-07T08:08:12.247Z,Internet,08D81E******,8,**.**.**.**:44280,**.**.**.**:25,*," CN=mail3.***********.de, OU=COMODO SSL, OU=**************, OU=Domain Control Validated CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB ************** ****************** 2019-09-20T02:00:00.000Z 2020-10-19T01:59:59.000Z mail3.*************.de;www.mail3.*****************.de",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-07-07T08:08:12.265Z,Internet,08D81E******,9,**.**.**.**:44280,**.**.**.**:25,*,,TLS negotiation failed with error IllegalMessage
2020-07-07T08:08:12.265Z,Internet,08D81E******,10,**.**.**.**:44280,**.**.**.**:25,-,,Local

2020-07-07T08:17:18.036Z,Internet,08D81E******,2,**.**.**.**:47782,**.**.**.**:25,+,,
2020-07-07T08:17:18.047Z,Internet,08D81E******,3,**.**.**.**:47782,**.**.**.**:25,<,220 mx1.**********.de,
2020-07-07T08:17:18.049Z,Internet,08D81E******,4,**.**.**.**:47782,**.**.**.**:25,>,EHLO mail3.***********.de,
2020-07-07T08:17:18.063Z,Internet,08D81E******,5,**.**.**.**:47782,**.**.**.**:25,<,"250 mx1.***********.de Hello mail3.***********.de [80.***********], pleased to meet you SIZE 100000000 STARTTLS PIPELINING 8BITMIME HELP",
2020-07-07T08:17:18.063Z,Internet,08D81E******,6,**.**.**.**:47782,**.**.**.**:25,>,STARTTLS,
2020-07-07T08:17:18.079Z,Internet,08D81E******,7,**.**.**.**:47782,**.**.**.**:25,<,220 Ready to start TLS,
2020-07-07T08:17:18.079Z,Internet,08D81E******,8,**.**.**.**:47782,**.**.**.**:25,*," CN=mail3.************.de, OU=COMODO SSL, OU=*************, OU=Domain Control Validated CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB ******************** *********************** 2019-09-20T02:00:00.000Z 2020-10-19T01:59:59.000Z mail3.***********.de;www.mail3.**************.de",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-07-07T08:17:18.327Z,Internet,08D81E******,9,**.**.**.**:47782,**.**.**.**:25,*,,TLS negotiation failed with error BadBindings
2020-07-07T08:17:18.327Z,Internet,08D81E******,10,**.**.**.**:47782,**.**.**.**:25,-,,Local


2020-07-07T08:27:01.076Z,Internet,08D81E******,2,**.**.**.**:51551,**.**.**.**:25,+,,
2020-07-07T08:27:01.102Z,Internet,08D81E******,3,**.**.**.**:51551,**.**.**.**:25,<,220 mail.*************.de ESMTP ready.,
2020-07-07T08:27:01.102Z,Internet,08D81E******,4,**.**.**.**:51551,**.**.**.**:25,>,EHLO mail3.*************.de,
2020-07-07T08:27:01.127Z,Internet,08D81E******,5,**.**.**.**:51551,**.**.**.**:25,<,250 mail.*************.de Hello mail3.************.de [80.**************] SIZE 16777216 8BITMIME PIPELINING AUTH PLAIN LOGIN STARTTLS HELP,
2020-07-07T08:27:01.127Z,Internet,08D81E******,6,**.**.**.**:51551,**.**.**.**:25,>,STARTTLS,
2020-07-07T08:27:01.155Z,Internet,08D81E******,7,**.**.**.**:51551,**.**.**.**:25,<,220 TLS go ahead,
2020-07-07T08:27:01.155Z,Internet,08D81E******,8,**.**.**.**:51551,**.**.**.**:25,*," CN=mail3.************.de, OU=COMODO SSL, OU=****************, OU=Domain Control Validated CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater Manchester, C=GB ********************** ******************** 2019-09-20T02:00:00.000Z 2020-10-19T01:59:59.000Z mail3.***************.de;www.mail3.***************.de",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-07-07T08:27:01.184Z,Internet,08D81E******,9,**.**.**.**:51551,**.**.**.**:25,*,,TLS negotiation failed with error IllegalMessage
2020-07-07T08:27:01.184Z,Internet,08D81E******,10,**.**.**.**:51551,**.**.**.**,-,,Local

Monthy
(@monthy)
Trusted Member
Joined: 1 year ago
Posts: 96
July 15, 2020 09:03

Hi, it looks like you are using a wildcard for SMTP.

For the SMTP stack, try not using a wildcard cert, but a SAN or just a simple cert for the FQDN. It seems to me that some of the recipients have a problem with it.

Regards,
Monthy

I come from a time when rain still came out of a cloud!


(@t-sha)
New Member
Joined: 4 months ago
Posts: 2
July 23, 2020 10:08

Hi Monthy, thank you very much for the reply.

We use a simple certificate for the FQDN mail3.***********.de

The other side has now also analyzed its log and has the following error in its log:

2020-07-15 08:02:18 TLS error on connection from mail3.************.de [80.***.***.***]:51192 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher

We have an Exchange 2019 CU6 in use; with the default settings it no longer sends with SSL3 but with TLS 1.2, doesn't it, or am I misinformed here?

Thanks and regards

Tim


(@stefan-eppendorf)
Trusted Member
Joined: 1 year ago
Posts: 50
September 22, 2020 16:12

Hello Tim,

I have exactly the same error with two different domains so far. Here is my log:

#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: SMTP Send Protocol Log
#Date: 2020-09-22T13:22:51.714Z
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context

Message 1

2020-09-22T13:22:50.233Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,0,,**********:25,*,SendRoutingHeaders,Set Session Permissions
2020-09-22T13:22:50.233Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,1,,**********:25,*,,attempting to connect
2020-09-22T13:22:50.254Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,2,192.168.16.100:12639,**********:25,+,,
2020-09-22T13:22:52.448Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,3,192.168.16.100:12639,**********:25,<,220 root01.**********.eu ESMTP,
2020-09-22T13:22:52.448Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,4,192.168.16.100:12639,**********:25,>,EHLO access.**********.de,
2020-09-22T13:22:52.499Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,5,192.168.16.100:12639,**********:25,<,250 root01.**********.eu AUTH=LOGIN CRAM-MD5 PLAIN AUTH LOGIN CRAM-MD5 PLAIN STARTTLS PIPELINING 8BITMIME,
2020-09-22T13:22:52.499Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,6,192.168.16.100:12639,**********:25,>,STARTTLS,
2020-09-22T13:22:52.519Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,7,192.168.16.100:12639,**********:25,<,220 Proceed.,
2020-09-22T13:22:52.526Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,8,192.168.16.100:12639,**********:25,*, CN=access.**********.de CN=access.**********.de 5CC567377BF2D5AE4EF9D33354281013 1B6DAEE420DBA654EBA08457E63BF1048756C5BB 2020-08-26T16:19:31.000Z 2025-08-26T16:19:31.000Z access.**********.de;outlook.**********.de;AutoDiscover.access.**********.de;AutoDiscover.**********.com;AutoDiscover.access.**********.com;AutoDiscover.**********.local;AutoDiscover.**********.de;**********.com;access.**********.com;**********.local;**********.de;ex-srv.**********.local;ex-srv,Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-09-22T13:22:53.020Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,9,192.168.16.100:12639,**********:25,*,,TLS negotiation failed with error IllegalMessage
2020-09-22T13:22:53.021Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2C,10,192.168.16.100:12639,**********:25,-,,Local

Message 2

2020-09-22T13:22:53.021Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2E,0,,[**********]:25,*,SendRoutingHeaders,Set Session Permissions
2020-09-22T13:22:53.021Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2E,1,,[**********]:25,*,,attempting to connect
2020-09-22T13:22:53.021Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C2E,2,,[**********]:25,*,,"Failed to connect. Winsock error code: 10051, Win32 error code: 10051, Destination domain: **********.de, Error Message: Ein Socketvorgang bezog sich auf ein nicht verfügbares Netzwerk [**********]:25."
2020-09-22T13:23:22.073Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,0,,**********:25,*,SendRoutingHeaders,Set Session Permissions
2020-09-22T13:23:22.073Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,1,,**********:25,*,,attempting to connect
2020-09-22T13:23:22.094Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,2,192.168.16.100:12795,**********:25,+,,
2020-09-22T13:23:24.628Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,3,192.168.16.100:12795,**********:25,<,220 mx.**********.de ESMTP ready.,
2020-09-22T13:23:24.628Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,4,192.168.16.100:12795,**********:25,>,EHLO access.**********.de,
2020-09-22T13:23:24.650Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,5,192.168.16.100:12795,**********:25,<,250 mx.**********.de Hello access.**********.de [**********] SIZE 52428800 8BITMIME PIPELINING STARTTLS HELP,
2020-09-22T13:23:24.650Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,6,192.168.16.100:12795,**********:25,>,STARTTLS,
2020-09-22T13:23:24.678Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,7,192.168.16.100:12795,**********:25,<,220 TLS go ahead,
2020-09-22T13:23:24.678Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,8,192.168.16.100:12795,**********:25,*, CN=access.**********.de CN=access.**********.de 5CC567377BF2D5AE4EF9D33354281013 1B6DAEE420DBA654EBA08457E63BF1048756C5BB 2020-08-26T16:19:31.000Z 2025-08-26T16:19:31.000Z access.**********.de;outlook.**********.de;AutoDiscover.access.**********.de;AutoDiscover.**********.com;AutoDiscover.access.**********.com;AutoDiscover.**********.local;AutoDiscover.**********.de;**********.com;access.**********.com;**********.local;**********.de;ex-srv.**********.local;ex-srv,Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2020-09-22T13:23:24.701Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,9,192.168.16.100:12795,**********:25,*,,TLS negotiation failed with error IllegalMessage
2020-09-22T13:23:24.701Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,10,192.168.16.100:12795,**********:25,-,,Local

Retried delivery attempt of message 2

2020-09-22T13:23:24.702Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,0,,**********:25,*,SendRoutingHeaders,Set Session Permissions
2020-09-22T13:23:24.702Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,1,,**********:25,*,,attempting to connect
2020-09-22T13:23:24.723Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,2,192.168.16.100:12805,**********:25,+,,
2020-09-22T13:23:24.745Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,3,192.168.16.100:12805,**********:25,<,220 mx.**********.de ESMTP ready.,
2020-09-22T13:23:24.745Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,4,192.168.16.100:12805,**********:25,>,EHLO access.**********.de,
2020-09-22T13:23:24.766Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,5,192.168.16.100:12805,**********:25,<,250 mx.**********.de Hello access.**********.de [**********] SIZE 52428800 8BITMIME PIPELINING STARTTLS HELP,
2020-09-22T13:23:24.766Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,6,192.168.16.100:12805,**********:25,*,,sending message with RecordId 29076928593941 and InternetMessageId <d63de7cd-1cb2-4c03-892b-7d1a4adf9260@EX-SRV.**********.local>
2020-09-22T13:23:24.766Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,7,192.168.16.100:12805,**********:25,>,MAIL FROM:<> SIZE=36221,
2020-09-22T13:23:24.766Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,8,192.168.16.100:12805,**********:25,>,RCPT TO:<prvs=05340466bf=tobias.g**********@**********.de>,
2020-09-22T13:23:24.828Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,9,192.168.16.100:12805,**********:25,<,250 OK,
2020-09-22T13:23:24.828Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,10,192.168.16.100:12805,**********:25,<,250 Accepted,
2020-09-22T13:23:24.828Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,11,192.168.16.100:12805,**********:25,>,DATA,
2020-09-22T13:23:24.850Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,12,192.168.16.100:12805,**********:25,<,"354 Enter message, ending with ""."" on a line by itself",
2020-09-22T13:23:25.054Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,13,192.168.16.100:12805,**********:25,<,250 OK id=1kKiGS-0008WR-2i,
2020-09-22T13:23:25.056Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,14,192.168.16.100:12805,**********:25,>,QUIT,
2020-09-22T13:23:25.077Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,15,192.168.16.100:12805,**********:25,<,221 mx.**********.de closing connection,
2020-09-22T13:23:25.078Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,16,192.168.16.100:12805,**********:25,-,,Local

 

What I noticed is that STARTTLS was used in every failed delivery attempt and that it failed.

2020-09-22T13:23:24.628Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,4,192.168.16.100:12795,**********:25,>,EHLO access.**********.de,
2020-09-22T13:23:24.650Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,5,192.168.16.100:12795,**********:25,<,250 mx.**********.de Hello access.**********.de [**********] SIZE 52428800 8BITMIME PIPELINING STARTTLS HELP,
2020-09-22T13:23:24.650Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,6,192.168.16.100:12795,**********:25,>,STARTTLS,
2020-09-22T13:23:24.678Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C31,7,192.168.16.100:12795,**********:25,<,220 TLS go ahead,

 

This line is missing in the successful delivery attempt

 

2020-09-22T13:23:24.745Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,4,192.168.16.100:12805,**********:25,>,EHLO access.**********.de,
2020-09-22T13:23:24.766Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,5,192.168.16.100:12805,**********:25,<,250 mx.**********.de Hello access.**********.de [**********] SIZE 52428800 8BITMIME PIPELINING STARTTLS HELP,
2020-09-22T13:23:24.766Z,SMTP-EXCHANGE-SRV,08D84B66D62D0C32,6,192.168.16.100:12805,**********:25,*,,sending message with RecordId 29076928593941 and InternetMessageId <d63de7cd-1cb2-4c03-892b-7d1a4adf9260@EX-SRV.**********.local>

Regards, Stefan
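
The pattern in the logs above (STARTTLS fails, then a retry to the same server is delivered without STARTTLS although the server still advertises it) can be checked across a whole send protocol log. This is an added example, not part of the thread: the field order is taken from the `#Fields` header quoted above, while the sample lines, addresses, session ids and verdict names are constructed.

```python
import csv
import re

FIELDS = ("date-time,connector-id,session-id,sequence-number,"
          "local-endpoint,remote-endpoint,event,data,context").split(",")
TLS_ERR = re.compile(r"TLS negotiation failed with error (\w+)")

# Constructed sample in the thread's log format; hosts and ids are placeholders.
SAMPLE_LOG = """\
2020-09-22T13:23:24.650Z,OUT,S1,5,192.0.2.10:12795,198.51.100.5:25,<,250 mx.example.net Hello mail.example.org SIZE 52428800 STARTTLS HELP,
2020-09-22T13:23:24.650Z,OUT,S1,6,192.0.2.10:12795,198.51.100.5:25,>,STARTTLS,
2020-09-22T13:23:24.701Z,OUT,S1,9,192.0.2.10:12795,198.51.100.5:25,*,,TLS negotiation failed with error IllegalMessage
2020-09-22T13:23:24.766Z,OUT,S2,5,192.0.2.10:12805,198.51.100.5:25,<,250 mx.example.net Hello mail.example.org SIZE 52428800 STARTTLS HELP,
2020-09-22T13:23:24.766Z,OUT,S2,7,192.0.2.10:12805,198.51.100.5:25,>,MAIL FROM:<> SIZE=36221,
2020-09-22T13:24:01.063Z,OUT,S3,5,192.0.2.10:12900,203.0.113.7:25,<,"250 mx1.example.com Hello mail.example.org, pleased to meet you STARTTLS",
2020-09-22T13:24:01.063Z,OUT,S3,6,192.0.2.10:12900,203.0.113.7:25,>,STARTTLS,
2020-09-22T13:24:01.327Z,OUT,S3,9,192.0.2.10:12900,203.0.113.7:25,*,,TLS negotiation failed with error BadBindings
"""

def classify_sessions(text):
    """Return {session-id: (remote host, verdict)} in log order."""
    state = {}
    lines = (l for l in text.splitlines() if l.strip() and not l.startswith("#"))
    for row in csv.reader(lines):
        if len(row) != len(FIELDS):
            continue  # truncated or foreign line
        r = dict(zip(FIELDS, row))
        s = state.setdefault(r["session-id"], {"remote": r["remote-endpoint"]})
        data, err = r["data"].strip().upper(), TLS_ERR.search(r["context"])
        if r["event"] == "<" and re.match(r"250.*\bSTARTTLS\b", data):
            s["offered"] = True   # server advertised STARTTLS in its EHLO reply
        elif r["event"] == ">" and data == "STARTTLS":
            s["started"] = True
        elif r["event"] == ">" and data.startswith("MAIL FROM"):
            s["mail"] = True
        if err:
            s["error"] = err.group(1)
    out, failed = {}, set()
    for sid, s in state.items():
        host = s["remote"].rsplit(":", 1)[0]
        if "error" in s:
            verdict = "tls_failed:" + s["error"]
            failed.add(host)
        elif "mail" in s and "offered" in s and "started" not in s:
            # STARTTLS was offered, yet the message went out without it
            verdict = "cleartext_after_tls_failure" if host in failed else "cleartext"
        else:
            verdict = "tls" if "mail" in s and "started" in s else "no_delivery"
        out[sid] = (host, verdict)
    return out
```
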

