
UTM SMTP TLS1.2 enabled - SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol - No NDR to sender

Hi all,

as I can barely find any information on this:

We have set TLS v1.2 as the minimum requirement for SMTP communications (Email Protection -> SMTP -> Advanced -> TLS Settings). After having a look at the logfiles, there are many connections that have been refused due to this setting (SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol), which is generally OK for security purposes. But there are also some clients that are obviously still using older protocols, so those emails are also refused. We have assumed that anyone in this case would get an NDR, but this does not seem to be the case (in our configuration?). We are aware that we can exclude those client domains, but first of all you (and the client) have to know about it without digging in the logs. This is the case we have now: client mail got lost without either side knowing about it.

So the question is: is this the standard behavior, or is there a way to enforce an NDR?

System: UTM 9.705-3 / Exchange 2019

Kind regards

Dennis



  • Hi Harsh,

    thanks for that.

    Dennis

  • FormerMember in reply to DPotenberg

    Hi,

    Did you configure any policy to drop the connection with legacy TLS? Selecting TLS version v1.2 in the SMTP > Advanced > TLS settings will drop the first connection from the sender server if it's using legacy TLS, but then it'll fall back to plaintext, and you should see the second connection with no TLS in the logs.

    However, whether or not there's a policy to drop the connection with legacy TLS, UTM won't send an NDR. Normally the connecting server sends the NDR for connection-level drops.

    Thanks,

  • Hi Harsh,

    which policy do you mean, and where can it be configured to drop legacy TLS? I just had a look at the configuration in general and I only found IPS and Advanced Threat Protection where I can configure "drop". All of them are activated.

    Dennis
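The thread leaves the admin with the problem Dennis describes: the only way to know which senders failed the TLS 1.2 handshake, and whether they then fell back to plaintext or simply never arrived, is to read the SMTP log. The script below is an added example (not Sophos code and not from anyone in this thread) that does that triage over log lines. The log layout is an assumption loosely modelled on Exim-style logging: a "TLS error on connection from host [ip]" line for the refused handshake and a "<= sender H=host [ip] P=esmtp|esmtps" line for an accepted message. The sample lines, hosts and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log lines. The field layout is an assumption loosely
# modelled on Exim-style SMTP logging, not copied from a real UTM.
SAMPLE_LOG = """\
2024-01-10 09:12:01 exim-in[4011]: TLS error on connection from mail.oldsender.example [192.0.2.10] (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2024-01-10 09:12:02 exim-in[4012]: 1rNxYz-0001aB-Cd <= alice@oldsender.example H=mail.oldsender.example [192.0.2.10] P=esmtp S=2311
2024-01-10 09:15:44 exim-in[4020]: TLS error on connection from legacy.partner.example [198.51.100.7] (SSL_accept): error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2024-01-10 09:20:10 exim-in[4031]: 1rNxZq-0001bC-De <= bob@modern.example H=mx.modern.example [203.0.113.5] P=esmtps X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 S=4410
"""

# Refused handshake: the sender offered a protocol below the configured minimum.
TLS_ERROR_RE = re.compile(
    r"TLS error on connection from (?P<host>\S+) \[(?P<ip>[^\]]+)\]"
    r".*SSL23_GET_CLIENT_HELLO:unknown protocol"
)
# Accepted message: P=esmtp means plaintext, P=esmtps means TLS was negotiated.
RECEIVED_RE = re.compile(
    r"<= (?P<sender>\S+) H=(?P<host>\S+) \[(?P<ip>[^\]]+)\] P=(?P<proto>\S+)"
)


def triage(log_text):
    """Return, per sender IP that failed the TLS handshake, what happened next.

    A host that later delivered with P=esmtp fell back to plaintext (mail
    arrived, but unencrypted). A host with no later delivery silently lost
    its mail: the UTM sends no NDR for a connection-level drop, so only the
    sending MTA can bounce it to its user.
    """
    failed = defaultdict(list)     # ip -> hostnames seen in handshake errors
    delivered = defaultdict(list)  # ip -> [(sender, proto), ...]
    for line in log_text.splitlines():
        m = TLS_ERROR_RE.search(line)
        if m:
            failed[m["ip"]].append(m["host"])
            continue
        m = RECEIVED_RE.search(line)
        if m:
            delivered[m["ip"]].append((m["sender"], m["proto"]))

    report = {}
    for ip, hosts in failed.items():
        plaintext = [s for s, p in delivered.get(ip, []) if p == "esmtp"]
        fell_back = bool(plaintext)
        report[ip] = {
            "host": hosts[0],
            "failures": len(hosts),
            "fell_back_to_plaintext": fell_back,
            "plaintext_senders": plaintext,
            "status": ("fell back to plaintext; contact sender about TLS 1.2"
                       if fell_back else
                       "no retry seen; mail lost unless sender MTA bounces it"),
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(f"{ip} ({info['host']}): {info['failures']} handshake failure(s); "
              f"{info['status']}")
```

Run it against the real SMTP log instead of SAMPLE_LOG to get the list of legacy senders to contact (or to add to a TLS exception) before their mail goes missing, rather than finding out from the other side.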