TLS error on Sophos appliance (TLS 1.3)

Hi,

We're running the latest stable build of KumoMTA, version kumod 2024.09.02-c5476b89, and sometimes have issues with a destination domain that sits behind a Sophos cloud appliance:

The destination domain is: verbraucherzentrale.nrw

which points to mx-01-eu-central-1.prod.hydra.sophos.com. and mx-02-eu-central-1.prod.hydra.sophos.com.

During transfer we get the following 550 error from their MTA:
XGEMAIL_0006 Command rejected : The rejection of the message occurred due to a mismatch in TLS versions between the configured TLS version is Preferred TLS 1.3 for the recipient: xxx@verbraucherzentrale.nrw and the sender: news.vzbv.de TLS version is not available

The funny thing is that sometimes it works and sometimes it doesn't. No other email has been delivered to this destination domain from the same sending IP, and there was no TLS error to this domain before that might explain this error.

The only setting that is "coded" in the shaping.toml is that I require TLS:
["verbraucherzentrale.nrw"]
enable_tls = "Required"

Do you have any idea, as this only happens randomly?

A TLS probe works during testing without any issue (some OpenSSL and Rust TLS tests).

Aah, a lovely intermittent issue.

If you examine the logs, is it always the same remote host at Sophos?

It could be that they have one node that didn’t get updated to TLS 1.3 properly.

I don't know. Does KumoMTA provide this info in the logs? :grinning_face_with_smiling_eyes: I can grep one for sure.

I tested the TLS probe against some IPs

and it worked.

Maybe I missed one.

Let me quickly check it:

CONNECTED(00000003)
40D70262D27F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 225 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
15:28:33 root@mta01[PROD]:/opt/kumomta/sbin  openssl s_client -tls1_3 -connect 52.28.102.252:25
CONNECTED(00000003)
40A756B0807F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 225 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Not sure if this test is valid.

Both MX records point to those two IPs.

Ok, but are the errors in the logs only for one of the IPs? Or does it occur across both?

They might have an LB with a broken node behind it.

You have two practical options here really:

  1. Consider setting tls_prefer_openssl (see the KumoMTA docs), which gives you a different, more broadly compatible cipher suite that might work better here.

  2. Relax from requiring TLS with this broken site.

As they only allow TLS 1.3, relaxing will not work :slightly_smiling_face: I had enable_tls set to OpportunisticInsecure in the beginning.

I can give it a try with OpenSSL.

Where does the error message that you shared come from? It doesn't look like anything from KumoMTA.

It looks to me like it might be some downstream service trying to relay somewhere else.