
When does TLS apply for the emailgtw?


Article ID: 227333


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Our emailgtw probe 2.84 is using smtp.office365.com through a dedicated office connector.

However the 'InBound Messages Report' for that connector shows that in the last 7 days 100 messages using that connector did not use TLS.

Is that a case of MS reporting incorrectly?

The logs for emailgtw show a starttls and the smtp_auth completes but according to the 'InBound Messages Report' the connection is not TLS.

To make matters more confusing, the SMTP auth clients report shows 361 messages sent: 15% by TLS 1.0 and 85% by TLS 1.2.

We would like to know what the process is for when the emailgtw does or does not use TLS, and whether it is 1.0 or 1.2, when the probe is configured for TLS.

Environment

Release : 20.3

Component : UIM - EMAILGTW

Cause

https://techcommunity.microsoft.com/t5/exchange-team-blog/new-opt-in-endpoint-available-for-smtp-auth-clients-still/ba-p/2659652

New submission error speedbump to be introduced
We are fully aware that many customers will not have noticed the multiple Message Center posts and blog posts, and are not aware of clients or devices that are still using TLS1.0 to submit messages. With this in mind, starting in September 2021, we will reject a small percentage of connections that use TLS1.0 for SMTP AUTH. Clients should retry as with any other temporary errors that can occur during submission. Over time we will increase the percentage of rejected connections, causing delays in sending that more and more customers should notice. The error will be:

421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls.

Resolution

The probe uses the standard SMTP library, which in turn uses smtp_authentication. It tries the higher TLS version, TLS 1.2, first; if that fails at the target server, the probe then uses TLS 1.0.

emailgtw 2.90 is available at support.nimsoft.com under the Beta section. 
Enable the probe to support the SMTP server using TLS 1.2. This support is added only in IM GUI as a beta release.

Additional Information

The emailgtw log may contain entries like these:

Oct 29 03:03:53:135 emailgtw: (mm_login) getting username and password for host [xx.xx.xx.xx]
Oct 29 03:03:53:135 emailgtw: (mm_login) no match: smtp.office365.com:587 != [xx.xx.x.1xxx] ([40)
Oct 29 03:03:53:135 emailgtw: mm_login - unable to match server names, using user defined for first server - [email protected]
Oct 29 03:03:53:135 emailgtw: <suppressed>
Oct 29 03:03:53:147 emailgtw: 334 UGF
Oct 29 03:03:53:147 emailgtw: <suppressed>
Oct 29 03:03:53:311 emailgtw: 421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls. 
Oct 29 03:03:53:311 emailgtw: %Retrying LOGIN authentication after 421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client 
Oct 29 03:03:53:311 emailgtw: AUTH LOGIN
Oct 29 03:03:53:311 emailgtw: [Winsock cleanup]
Oct 29 03:03:53:311 emailgtw: ?Can not authenticate to SMTP server: 421 SMTP connection broken (reply)
Oct 29 03:03:53:311 emailgtw: (send_it) smtp_auth failed
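
Because Microsoft rejects only a percentage of TLS 1.0 submissions and raises that percentage over time, it helps to measure how many emailgtw submission attempts hit the 4.7.66 reply. The following script is an added example, not Broadcom or probe code; the log lines in it are constructed in the format shown above, the function name summarize is hypothetical, and it assumes that each "(mm_login) getting username" line opens a new submission attempt.

```python
import re
from collections import Counter

# Constructed sample in the emailgtw log format shown on this page (not real data).
SAMPLE_LOG = """\
Oct 29 03:03:53:135 emailgtw: (mm_login) getting username and password for host [xx.xx.xx.xx]
Oct 29 03:03:53:147 emailgtw: 334 UGF
Oct 29 03:03:53:311 emailgtw: 421 4.7.66 TLS 1.0 and 1.1 are not supported. Please upgrade/update your client to support TLS 1.2.
Oct 29 03:03:53:311 emailgtw: %Retrying LOGIN authentication after 421 4.7.66 TLS 1.0 and 1.1 are not supported.
Oct 29 03:03:53:311 emailgtw: ?Can not authenticate to SMTP server: 421 SMTP connection broken (reply)
Oct 29 03:03:53:311 emailgtw: (send_it) smtp_auth failed
Oct 29 03:08:53:120 emailgtw: (mm_login) getting username and password for host [xx.xx.xx.xx]
Oct 29 03:08:53:140 emailgtw: 334 UGF
Oct 29 03:13:53:101 emailgtw: (mm_login) getting username and password for host [xx.xx.xx.xx]
Oct 29 03:13:53:290 emailgtw: 421 4.7.66 TLS 1.0 and 1.1 are not supported.
Oct 29 03:13:53:291 emailgtw: (send_it) smtp_auth failed
"""

# Group 1 is "Mon DD HH" (hour bucket), group 2 is the message after "emailgtw: ".
LINE = re.compile(r"^(\w{3} +\d+ \d\d):\d\d:\d\d:\d+ emailgtw: (.*)$")
# Matches the server reply itself, not the probe's "%Retrying ... after 421" echo.
TLS_REJECT = re.compile(r"^421 4\.7\.66\b")

def summarize(log_text):
    """Count submission attempts and those rejected for negotiating TLS 1.0/1.1."""
    attempts = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not emailgtw log entries
        hour, msg = m.groups()
        # Assumption: this line marks the start of a new submission attempt.
        if msg.startswith("(mm_login) getting username") or not attempts:
            attempts.append({"hour": hour, "tls_rejected": False, "auth_failed": False})
        cur = attempts[-1]
        if TLS_REJECT.match(msg):
            cur["tls_rejected"] = True
        elif msg.startswith("(send_it) smtp_auth failed"):
            cur["auth_failed"] = True
    rejected = [a for a in attempts if a["tls_rejected"]]
    return {
        "attempts": len(attempts),
        "tls_rejected": len(rejected),
        "failed_after_reject": sum(a["auth_failed"] for a in rejected),
        "reject_rate": len(rejected) / len(attempts) if attempts else 0.0,
        "rejects_by_hour": dict(Counter(a["hour"] for a in rejected)),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A reject rate that rises between runs on the same probe indicates that submissions are still falling back to TLS 1.0 and that alarm e-mails are being dropped at smtp_auth.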