Mail app TLS communication with Server 2008 R2 (with Exchange 2010 installed)

    Question

  • My question is about an encryption algorithm mismatch in the communication between the Mail app on Windows 10 Edu. and the client-configured Receive connector of Exchange 2010 on Server 2008 R2, which makes it impossible to send mail from the Mail app integrated in Windows 10.


    Configuration:

    1) Mail app: user account (Exchange mailbox, AD integrated) configured for "Internet mail" with IMAP (receive) and SMTP (send); incoming and outgoing servers are the same, set to my server host plus the required ports.

    2) Exchange 2010: Client Receive connector configured on port 587 with TLS and Exchange Users.

    3) Server 2008 R2: Schannel supports only TLS 1.0, TLS 1.1 and TLS 1.2; support for SSL 3.0, SSL 2.0 and SSL 1.0 is disabled.

    Ciphers: only 3DES and AES are supported; support for DES, RC2 and RC4 is disabled.

    Log on server:

    TETRA-SERVER\Client TETRA-SERVER,0,local(IP):587,remote(IP):59755,+,,
    TETRA-SERVER\Client TETRA-SERVER,1,local(IP):587,remote(IP):59755,*,None,Set Session Permissions
    TETRA-SERVER\Client TETRA-SERVER,2,local(IP):587,remote(IP):59755,>,"220 tetra-server.mydomainname.net Microsoft ESMTP MAIL Service ready at Tue, 19 Dec 2017 14:12:27 +0200",
    TETRA-SERVER\Client TETRA-SERVER,3,local(IP):587,remote(IP):59755,<,EHLO [IPv6:::ffff:192.168.0.13],
    TETRA-SERVER\Client TETRA-SERVER,4,local(IP):587,remote(IP):59755,>,250-tetra-server.mydomainname.net Hello [remote(IP)],
    TETRA-SERVER\Client TETRA-SERVER,5,local(IP):587,remote(IP):59755,>,250-SIZE 104857600,
    TETRA-SERVER\Client TETRA-SERVER,6,local(IP):587,remote(IP):59755,>,250-PIPELINING,
    TETRA-SERVER\Client TETRA-SERVER,7,local(IP):587,remote(IP):59755,>,250-DSN,
    TETRA-SERVER\Client TETRA-SERVER,8,local(IP):587,remote(IP):59755,>,250-ENHANCEDSTATUSCODES,
    TETRA-SERVER\Client TETRA-SERVER,9,local(IP):587,remote(IP):59755,>,250-STARTTLS,
    TETRA-SERVER\Client TETRA-SERVER,10,local(IP):587,remote(IP):59755,>,250-X-ANONYMOUSTLS,
    TETRA-SERVER\Client TETRA-SERVER,11,local(IP):587,remote(IP):59755,>,250-AUTH GSSAPI NTLM,
    TETRA-SERVER\Client TETRA-SERVER,12,local(IP):587,remote(IP):59755,>,250-X-EXPS GSSAPI NTLM,
    TETRA-SERVER\Client TETRA-SERVER,13,local(IP):587,remote(IP):59755,>,250-8BITMIME,
    TETRA-SERVER\Client TETRA-SERVER,14,local(IP):587,remote(IP):59755,>,250-BINARYMIME,
    TETRA-SERVER\Client TETRA-SERVER,15,local(IP):587,remote(IP):59755,>,250-CHUNKING,
    TETRA-SERVER\Client TETRA-SERVER,16,local(IP):587,remote(IP):59755,>,250-XEXCH50,
    TETRA-SERVER\Client TETRA-SERVER,17,local(IP):587,remote(IP):59755,>,250-XRDST,
    TETRA-SERVER\Client TETRA-SERVER,18,local(IP):587,remote(IP):59755,>,250 XSHADOW,
    TETRA-SERVER\Client TETRA-SERVER,19,local(IP):587,remote(IP):59755,<,STARTTLS,
    TETRA-SERVER\Client TETRA-SERVER,20,local(IP):587,remote(IP):59755,>,220 2.0.0 SMTP server ready,
    TETRA-SERVER\Client TETRA-SERVER,21,local(IP):587,remote(IP):59755,*,,Sending certificate
    TETRA-SERVER\Client TETRA-SERVER,22,local(IP):587,remote(IP):59755,*,"CN=mydomainname.net, OU=Headquarter, O=mydomainname, L=City, S=City, C=CNTR",Certificate subject
    TETRA-SERVER\Client TETRA-SERVER,23,local(IP):587,remote(IP):59755,*,"CN=mydomainname Corp. Root Trust CA, DC=mydomainname, DC=net",Certificate issuer name
    TETRA-SERVER\Client TETRA-SERVER,24,local(IP):587,remote(IP):59755,*,618E55FE000100000046,Certificate serial number
    TETRA-SERVER\Client TETRA-SERVER,25,local(IP):587,remote(IP):59755,*,B1F253220F9591E89C96979B1EBAB2C0D5ABC3FD,Certificate thumbprint
    TETRA-SERVER\Client TETRA-SERVER,26,local(IP):587,remote(IP):59755,*,mydomainname.net;www.mydomainname.net;tetra-server.mydomainname.net,Certificate alternate names
    TETRA-SERVER\Client TETRA-SERVER,27,local(IP):587,remote(IP):59755,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
    TETRA-SERVER\Client TETRA-SERVER,28,local(IP):587,remote(IP):59755,-,,Remote
    TETRA-SERVER\Client TETRA-SERVER,0,local(IP):587,remote(IP):59756,+,,
    TETRA-SERVER\Client TETRA-SERVER,1,local(IP):587,remote(IP):59756,*,None,Set Session Permissions
    TETRA-SERVER\Client TETRA-SERVER,2,local(IP):587,remote(IP):59756,>,"220 tetra-server.mydomainname.net Microsoft ESMTP MAIL Service ready at Tue, 19 Dec 2017 14:12:27 +0200",
    TETRA-SERVER\Client TETRA-SERVER,3,local(IP):587,remote(IP):59756,<,EHLO [IPv6:::ffff:192.168.0.13],
    TETRA-SERVER\Client TETRA-SERVER,4,local(IP):587,remote(IP):59756,>,250-tetra-server.mydomainname.net Hello [remote(IP)],
    TETRA-SERVER\Client TETRA-SERVER,5,local(IP):587,remote(IP):59756,>,250-SIZE 104857600,
    TETRA-SERVER\Client TETRA-SERVER,6,local(IP):587,remote(IP):59756,>,250-PIPELINING,
    TETRA-SERVER\Client TETRA-SERVER,7,local(IP):587,remote(IP):59756,>,250-DSN,
    TETRA-SERVER\Client TETRA-SERVER,8,local(IP):587,remote(IP):59756,>,250-ENHANCEDSTATUSCODES,
    TETRA-SERVER\Client TETRA-SERVER,9,local(IP):587,remote(IP):59756,>,250-STARTTLS,
    TETRA-SERVER\Client TETRA-SERVER,10,local(IP):587,remote(IP):59756,>,250-X-ANONYMOUSTLS,
    TETRA-SERVER\Client TETRA-SERVER,11,local(IP):587,remote(IP):59756,>,250-AUTH GSSAPI NTLM,
    TETRA-SERVER\Client TETRA-SERVER,12,local(IP):587,remote(IP):59756,>,250-X-EXPS GSSAPI NTLM,
    TETRA-SERVER\Client TETRA-SERVER,13,local(IP):587,remote(IP):59756,>,250-8BITMIME,
    TETRA-SERVER\Client TETRA-SERVER,14,local(IP):587,remote(IP):59756,>,250-BINARYMIME,
    TETRA-SERVER\Client TETRA-SERVER,15,local(IP):587,remote(IP):59756,>,250-CHUNKING,
    TETRA-SERVER\Client TETRA-SERVER,16,local(IP):587,remote(IP):59756,>,250-XEXCH50,
    TETRA-SERVER\Client TETRA-SERVER,17,local(IP):587,remote(IP):59756,>,250-XRDST,
    TETRA-SERVER\Client TETRA-SERVER,18,local(IP):587,remote(IP):59756,>,250 XSHADOW,
    TETRA-SERVER\Client TETRA-SERVER,19,local(IP):587,remote(IP):59756,<,STARTTLS,
    TETRA-SERVER\Client TETRA-SERVER,20,local(IP):587,remote(IP):59756,>,220 2.0.0 SMTP server ready,
    TETRA-SERVER\Client TETRA-SERVER,21,local(IP):587,remote(IP):59756,*,,Sending certificate
    TETRA-SERVER\Client TETRA-SERVER,22,local(IP):587,remote(IP):59756,*,"CN=mydomainname.net, OU=Headquarter, O=mydomainname, L=City, S=City, C=CNTR",Certificate subject
    TETRA-SERVER\Client TETRA-SERVER,23,local(IP):587,remote(IP):59756,*,"CN=mydomainname Corp. Root Trust CA, DC=mydomainname, DC=net",Certificate issuer name
    TETRA-SERVER\Client TETRA-SERVER,24,local(IP):587,remote(IP):59756,*,618E55FE000100000046,Certificate serial number
    TETRA-SERVER\Client TETRA-SERVER,25,local(IP):587,remote(IP):59756,*,B1F253220F9591E89C96979B1EBAB2C0D5ABC3FD,Certificate thumbprint
    TETRA-SERVER\Client TETRA-SERVER,26,local(IP):587,remote(IP):59756,*,mydomainname.net;www.mydomainname.net;tetra-server.mydomainname.net,Certificate alternate names
    TETRA-SERVER\Client TETRA-SERVER,27,local(IP):587,remote(IP):59756,*,,TLS negotiation failed with error AlgorithmMismatch
    TETRA-SERVER\Client TETRA-SERVER,28,local(IP):587,remote(IP):59756,-,,Local

    This log keeps repeating on the server and the outgoing mail is stuck in the outbox in the Mail app.

    I want to say that in Windows 7 with the Outlook application I did not have this problem (same Schannel and cipher configuration on the server).

    How can I configure the Mail app in Windows 10 to use TLS 1.0/1.1 or 1.2 for outgoing communication, because it obviously currently supports only SSL, which I disabled on my server?


    Tuesday, December 19, 2017 3:19 PM
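The Receive connector log above is easier to read session by session. The parser below is an added example for this thread, not code from the poster or from Microsoft: it walks the protocol log, groups lines into sessions by remote endpoint, records whether STARTTLS was issued, what the TLS negotiation line reports (protocol, cipher, MAC and key exchange, or the failure reason), how many commands arrived inside the TLS session, and which side closed the connection, then counts the outcomes. The embedded sample is constructed from the two sessions in the question; the local address 192.168.0.10 is an assumed placeholder for the redacted local(IP), and the column layout assumed is exactly the one visible in the excerpt (a complete RECV log also carries date-time and session-id columns in front, which drop_leading_columns=2 skips).

```python
"""Per-session STARTTLS outcomes from an Exchange 2010 Receive connector
protocol log. Added example for this thread, not the poster's or
Microsoft's code. Columns assumed: connector-id, sequence-number,
local-endpoint, remote-endpoint, event, data, context."""
import csv
import io
import re
from collections import Counter

SUCCESS_RE = re.compile(
    r"TLS protocol (?P<protocol>\S+) negotiation succeeded using bulk encryption "
    r"algorithm (?P<cipher>\S+) with strength (?P<cipher_bits>\d+) bits, MAC hash "
    r"algorithm (?P<mac>\S+) with strength (?P<mac_bits>\d+) bits and key exchange "
    r"algorithm (?P<kex>\S+) with strength (?P<kex_bits>\d+) bits")
FAILURE_RE = re.compile(r"TLS negotiation failed with error (?P<error>\S+)")

# Constructed sample: the two sessions from the question, abbreviated.
# 192.168.0.10 is an assumed placeholder for the redacted local(IP).
SAMPLE_LOG = r"""
TETRA-SERVER\Client TETRA-SERVER,0,192.168.0.10:587,192.168.0.13:59755,+,,
TETRA-SERVER\Client TETRA-SERVER,1,192.168.0.10:587,192.168.0.13:59755,*,None,Set Session Permissions
TETRA-SERVER\Client TETRA-SERVER,2,192.168.0.10:587,192.168.0.13:59755,>,"220 tetra-server.mydomainname.net Microsoft ESMTP MAIL Service ready at Tue, 19 Dec 2017 14:12:27 +0200",
TETRA-SERVER\Client TETRA-SERVER,3,192.168.0.10:587,192.168.0.13:59755,<,EHLO [IPv6:::ffff:192.168.0.13],
TETRA-SERVER\Client TETRA-SERVER,4,192.168.0.10:587,192.168.0.13:59755,>,250-STARTTLS,
TETRA-SERVER\Client TETRA-SERVER,5,192.168.0.10:587,192.168.0.13:59755,<,STARTTLS,
TETRA-SERVER\Client TETRA-SERVER,6,192.168.0.10:587,192.168.0.13:59755,>,220 2.0.0 SMTP server ready,
TETRA-SERVER\Client TETRA-SERVER,7,192.168.0.10:587,192.168.0.13:59755,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
TETRA-SERVER\Client TETRA-SERVER,8,192.168.0.10:587,192.168.0.13:59755,-,,Remote
TETRA-SERVER\Client TETRA-SERVER,0,192.168.0.10:587,192.168.0.13:59756,+,,
TETRA-SERVER\Client TETRA-SERVER,1,192.168.0.10:587,192.168.0.13:59756,<,EHLO [IPv6:::ffff:192.168.0.13],
TETRA-SERVER\Client TETRA-SERVER,2,192.168.0.10:587,192.168.0.13:59756,<,STARTTLS,
TETRA-SERVER\Client TETRA-SERVER,3,192.168.0.10:587,192.168.0.13:59756,>,220 2.0.0 SMTP server ready,
TETRA-SERVER\Client TETRA-SERVER,4,192.168.0.10:587,192.168.0.13:59756,*,,TLS negotiation failed with error AlgorithmMismatch
TETRA-SERVER\Client TETRA-SERVER,5,192.168.0.10:587,192.168.0.13:59756,-,,Local
""".strip()


def new_session(connector, local, remote):
    return {"connector": connector, "local": local, "remote": remote,
            "starttls_requested": False, "tls": None, "protocol": None,
            "cipher": None, "mac": None, "kex": None, "error": None,
            "post_tls_commands": 0, "closed_by": None}


def parse_sessions(log_text, drop_leading_columns=0):
    """One dict per SMTP session, in the order the sessions were opened."""
    sessions, open_by_remote = [], {}
    for row in csv.reader(io.StringIO(log_text)):
        if not row or row[0].startswith("#"):      # RECV logs begin with #Fields: etc.
            continue
        row = row[drop_leading_columns:]
        if len(row) < 7:
            continue
        connector, _seq, local, remote, event, data, context = row[:7]
        sess = open_by_remote.get(remote)
        if event == "+" or sess is None:            # connect, or excerpt without one
            sess = new_session(connector, local, remote)
            sessions.append(sess)
            open_by_remote[remote] = sess
            if event == "+":
                continue
        text = f"{data} {context}"
        if event == "<":                            # command received from the client
            if data.upper().startswith("STARTTLS"):
                sess["starttls_requested"] = True
            elif sess["tls"] == "succeeded":
                sess["post_tls_commands"] += 1      # second EHLO, AUTH, MAIL FROM ...
        elif event == "*":                          # informational line from the connector
            m = SUCCESS_RE.search(text)
            if m:
                sess["tls"] = "succeeded"
                sess.update(protocol=m["protocol"], cipher=m["cipher"],
                            mac=m["mac"], kex=m["kex"])
            else:
                m = FAILURE_RE.search(text)
                if m:
                    sess["tls"] = "failed"
                    sess["error"] = m["error"]
        elif event == "-":                          # disconnect; context names the closing side
            sess["closed_by"] = context
            open_by_remote.pop(remote, None)
    return sessions


def summarise(sessions):
    """Count outcome labels across sessions."""
    labels = Counter()
    for s in sessions:
        if s["tls"] == "succeeded":
            label = f"ok {s['protocol']} {s['cipher']}/{s['mac']}/{s['kex']}"
            if s["post_tls_commands"] == 0 and s["closed_by"] == "Remote":
                label += ", client dropped right after handshake"
        elif s["tls"] == "failed":
            label = f"failed {s['error']}"
        elif s["starttls_requested"]:
            label = "STARTTLS issued, no negotiation result logged"
        else:
            label = "no STARTTLS"
        labels[label] += 1
    return dict(labels)


if __name__ == "__main__":
    for label, n in summarise(parse_sessions(SAMPLE_LOG)).items():
        print(f"{n:4}  {label}")
```

On a real log file call parse_sessions(open(path).read(), drop_leading_columns=2). The label "client dropped right after handshake" marks what the first session in the excerpt shows from the server's side: Schannel logged a successful TLS 1.2 negotiation, no command arrived inside the TLS session, and the remote side closed. The second session is the other shape: Schannel itself reported AlgorithmMismatch and the server closed locally.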

All replies

  • Hi,

    Since this issue is more related to exchange, I will move this thread into exchange forum so that you would get more efficient support.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, December 20, 2017 7:57 AM
  • Hi,

    We could disable the “Require SSL for incoming email” setting under the advanced account settings; it will skip the SSL behavior and the Mail app will instead negotiate TLS directly. But it may be unsafe to do that. So is it possible to enable SSL from the server side?

    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped.
    If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Thursday, December 21, 2017 8:33 AM
    Moderator
  • Hi

    The problem is not with the incoming mail (IMAP) connection; the Mail app synchronizes with Exchange (for incoming mail) without any problem.

    The problem is in the communication with the Exchange SMTP Receive connector, for outgoing mail.

    I tested the scenario of disabling the option "Require SSL for outgoing email"; the result is that the Mail app sends the outgoing message but without issuing the "STARTTLS" command (it does not initiate any encryption of the communication), and because my "Client" Receive connector is configured to communicate on port 587 only with TLS, it responds: 530 5.7.0 Must issue a STARTTLS command first

    And by the way, I enabled SSL 3.0 in Schannel on the server to test, and the result is actually very much the same, except that the encryption negotiation downgrades to SSL 3.0 successfully this time (no "TLS negotiation failed with error AlgorithmMismatch" message), but again the communication stops there and nothing else happens.

    So any clue...???

    Here is the server log for reference (with SSL 3.0 enabled on the server):

    1,local (IP):587,remote (IP):63578,*,None,Set Session Permissions
    2,local (IP):587,remote (IP):63578,>,"220 tetra-server.mydomainname.net Microsoft ESMTP MAIL Service ready at Thu, 21 Dec 2017 14:01:17 +0200",
    3,local (IP):587,remote (IP):63578,<,EHLO [IPv6:::ffff:192.168.0.13],
    4,local (IP):587,remote (IP):63578,>,250-tetra-server.mydomainname.net Hello [remote (IP)],
    5,local (IP):587,remote (IP):63578,>,250-SIZE 104857600,
    6,local (IP):587,remote (IP):63578,>,250-PIPELINING,
    7,local (IP):587,remote (IP):63578,>,250-DSN,
    8,local (IP):587,remote (IP):63578,>,250-ENHANCEDSTATUSCODES,
    9,local (IP):587,remote (IP):63578,>,250-STARTTLS,
    10,local (IP):587,remote (IP):63578,>,250-X-ANONYMOUSTLS,
    11,local (IP):587,remote (IP):63578,>,250-AUTH GSSAPI NTLM,
    12,local (IP):587,remote (IP):63578,>,250-X-EXPS GSSAPI NTLM,
    13,local (IP):587,remote (IP):63578,>,250-8BITMIME,
    14,local (IP):587,remote (IP):63578,>,250-BINARYMIME,
    15,local (IP):587,remote (IP):63578,>,250-CHUNKING,
    16,local (IP):587,remote (IP):63578,>,250-XEXCH50,
    17,local (IP):587,remote (IP):63578,>,250-XRDST,
    18,local (IP):587,remote (IP):63578,>,250 XSHADOW,
    19,local (IP):587,remote (IP):63578,<,STARTTLS,
    20,local (IP):587,remote (IP):63578,>,220 2.0.0 SMTP server ready,
    21,local (IP):587,remote (IP):63578,*,,Sending certificate
    22,local (IP):587,remote (IP):63578,*,"CN=mydomainname.net, OU=Headquarter, O=mydomainname, L=City, S=City, C=CNTR",Certificate subject
    23,local (IP):587,remote (IP):63578,*,"CN=mydomainname Corp. Root Trust CA, DC=mydomainname, DC=net",Certificate issuer name
    24,local (IP):587,remote (IP):63578,*,618E55FE000100000046,Certificate serial number
    25,local (IP):587,remote (IP):63578,*,B1F253220F9591E89C96979B1EBAB2C0D5ABC3FD,Certificate thumbprint
    26,local (IP):587,remote (IP):63578,*,mydomainname.net;www.mydomainname.net;tetra-server.mydomainname.net,Certificate alternate names
    27,local (IP):587,remote (IP):63578,*,,"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 384 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
    28,local (IP):587,remote (IP):63578,-,,Remote
    0,local (IP):587,remote (IP):63579,+,,
    1,local (IP):587,remote (IP):63579,*,None,Set Session Permissions
    2,local (IP):587,remote (IP):63579,>,"220 tetra-server.mydomainname.net Microsoft ESMTP MAIL Service ready at Thu, 21 Dec 2017 14:01:17 +0200",
    3,local (IP):587,remote (IP):63579,<,EHLO [IPv6:::ffff:192.168.0.13],
    4,local (IP):587,remote (IP):63579,>,250-tetra-server.mydomainname.net Hello [remote (IP)],
    5,local (IP):587,remote (IP):63579,>,250-SIZE 104857600,
    6,local (IP):587,remote (IP):63579,>,250-PIPELINING,
    7,local (IP):587,remote (IP):63579,>,250-DSN,
    8,local (IP):587,remote (IP):63579,>,250-ENHANCEDSTATUSCODES,
    9,local (IP):587,remote (IP):63579,>,250-STARTTLS,
    10,local (IP):587,remote (IP):63579,>,250-X-ANONYMOUSTLS,
    11,local (IP):587,remote (IP):63579,>,250-AUTH GSSAPI NTLM,
    12,local (IP):587,remote (IP):63579,>,250-X-EXPS GSSAPI NTLM,
    13,local (IP):587,remote (IP):63579,>,250-8BITMIME,
    14,local (IP):587,remote (IP):63579,>,250-BINARYMIME,
    15,local (IP):587,remote (IP):63579,>,250-CHUNKING,
    16,local (IP):587,remote (IP):63579,>,250-XEXCH50,
    17,local (IP):587,remote (IP):63579,>,250-XRDST,
    18,local (IP):587,remote (IP):63579,>,250 XSHADOW,
    19,local (IP):587,remote (IP):63579,<,STARTTLS,
    20,local (IP):587,remote (IP):63579,>,220 2.0.0 SMTP server ready,
    21,local (IP):587,remote (IP):63579,*,,Sending certificate
    22,local (IP):587,remote (IP):63579,*,"CN=mydomainname.net, OU=Headquarter, O=mydomainname, L=City, S=City, C=CNTR",Certificate subject
    23,local (IP):587,remote (IP):63579,*,"CN=mydomainname Corp. Root Trust CA, DC=mydomainname, DC=net",Certificate issuer name
    24,local (IP):587,remote (IP):63579,*,618E55FE000100000046,Certificate serial number
    25,local (IP):587,remote (IP):63579,*,B1F253220F9591E89C96979B1EBAB2C0D5ABC3FD,Certificate thumbprint
    26,local (IP):587,remote (IP):63579,*,mydomainname.net;www.mydomainname.net;tetra-server.mydomainname.net,Certificate alternate names
    27,local (IP):587,remote (IP):63579,*,,"TLS protocol SP_PROT_SSL3_SERVER negotiation succeeded using bulk encryption algorithm CALG_3DES with strength 168 bits, MAC hash algorithm CALG_SHA1 with strength 160 bits and key exchange algorithm CALG_RSA_KEYX with strength 2048 bits"
    28,local (IP):587,remote (IP):63579,-,,Remote

    Thursday, December 21, 2017 12:16 PM
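To check the server side independently of the Mail app, here is a small STARTTLS probe, added as an example and not part of the original thread or of any Microsoft tool. It uses only the Python standard library (smtplib, ssl): for each TLS version it connects to the submission port, sends EHLO, confirms STARTTLS is advertised, negotiates with the client pinned to that single version, then sends EHLO again inside the TLS session (the step at which the logs above show the client disconnecting instead) and reports the version and cipher suite that were agreed. Host, port and the optional CA file are command-line assumptions; the defaults reuse the tetra-server.mydomainname.net name and port 587 from the thread. Certificate verification is disabled when no CA file is given, which is acceptable for a one-off diagnostic only. Current OpenSSL builds refuse TLS 1.0/1.1 and 3DES at their default security level, so the probe lowers it; SSL 3.0 is normally compiled out entirely, so the SSL 3.0 negotiation in the second log cannot be reproduced with this probe.

```python
"""STARTTLS probe for an SMTP submission connector, one pinned TLS version
per attempt. Added example for this thread; not the poster's code and not a
Microsoft tool. Host, port and CA file are assumptions taken from the
command line; the defaults follow the names used in the thread."""
import re
import smtplib
import ssl
import sys

VERSIONS = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
}
CODE_PREFIX = re.compile(r"^\d{3}[ -]")


def build_context(version, cafile=None):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    if cafile:
        # e.g. the private root CA that issued the connector certificate
        ctx.load_verify_locations(cafile)
    else:
        # Diagnostic only: observe what the server negotiates even when the
        # chain is not trusted here. A real mail client must never do this.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        # Allow the probe to offer TLS 1.0/1.1 and 3DES, which current
        # OpenSSL refuses at its default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # TLS library does not understand @SECLEVEL; keep its defaults
    return ctx


def ehlo_extensions(ehlo_message):
    """Keywords advertised in an EHLO reply. Accepts the bytes smtplib
    returns (reply codes already stripped) or raw '250-...' lines copied
    from a protocol log."""
    if isinstance(ehlo_message, bytes):
        ehlo_message = ehlo_message.decode("ascii", "replace")
    keywords = set()
    for line in ehlo_message.splitlines()[1:]:      # first line is the greeting
        words = CODE_PREFIX.sub("", line).split()
        if words:
            keywords.add(words[0].upper())
    return keywords


def probe(host, port, version_name, cafile=None, timeout=10):
    """Return (outcome, detail) for one pinned-version STARTTLS attempt."""
    ctx = build_context(VERSIONS[version_name], cafile)
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            if "STARTTLS" not in ehlo_extensions(msg):
                return "no-starttls", f"EHLO -> {code}"
            smtp.starttls(context=ctx)
            tls = smtp.sock                             # now an ssl.SSLSocket
            suite, _proto, bits = tls.cipher()
            # EHLO again inside TLS: the point at which the logs in this
            # thread show the client disconnecting instead.
            code, _ = smtp.ehlo()
            return "negotiated", f"{tls.version()} {suite} ({bits} bits); EHLO over TLS -> {code}"
    except smtplib.SMTPServerDisconnected as e:
        return "dropped", str(e)
    except ssl.SSLError as e:
        return "handshake-failed", str(e)
    except (OSError, smtplib.SMTPException) as e:
        return "connect-failed", str(e)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "tetra-server.mydomainname.net"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    for name in VERSIONS:
        outcome, detail = probe(host, port, name, cafile)
        print(f"{name:7} {outcome:17} {detail}")
```

Run it as python probe_starttls.py tetra-server.mydomainname.net 587 root-ca.pem (the file name is an assumption). A "negotiated" result for TLS 1.2 with an AES suite corresponds to the successful negotiation lines in the logs; "handshake-failed" for TLS 1.0 or 1.1 means either the connector or the probe's own TLS library refused that version, so compare against the server's Schannel settings before drawing a conclusion. The ...:465:1 form used later in the thread is implicit TLS on port 465, not STARTTLS, and is outside what this probe speaks.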
  • Hi,

    I know that your issue is that SMTP stopped working on port 587 with the Win 10 Mail app. In order to isolate whether this issue is related to the Win 10 Mail app, could you please test if this issue persists with the Outlook client?

    Please test with servername.com:587:1 in the Win 10 Mail app.

    If the issue persists, please install the latest updates for Windows and Exchange Server, then delete and re-add the accounts you have previously set up. Please test if it works.

    Regards,

    Manu Meng



    Tuesday, December 26, 2017 9:14 AM
    Moderator
  • I don't have Outlook; I don't have a license :) no 300 USD for a license right now, maybe after Christmas.

    I made the following tests:

    Test 1 :

    Changed the Exchange "Receive connector" to listen on port 465; in the Mail app configuration for the outgoing server: servername.domainname.tld:465:1

    Result: worked for a day and then stopped; again the communication stops after the TLS negotiation (no matter whether SSL 3.0 is enabled or disabled on the server). Currently not working!


    Test 2 :

    In Outlook Live (OWA) I configured an SMTP account (only for sending mail); outgoing server: servername.domainname.tld:465:1

    (Additionally) I had to enable "Basic authentication" (after TLS) in my "Receive connector" (currently listening on port 465).

    Result: worked without any problem; I can send emails (in TLS/Schannel) with the Outlook Live web client via my Exchange SMTP-configured account.

    So the problem is definitely in the Mail app or even in Windows 10 (I enabled firewall logging (verbose); no log file is created at all).

    Any help will be appreciated, thank you.

    P.S. My server (Srv. 2008 R2) and my PC (Win 10 Edu.) are up to date!!!
    Tuesday, December 26, 2017 3:29 PM