DCE email via office 365 using TLS1.2

This comment was originally posted on DCIM Support by Garry Priestland on 2018-10-09

Those settings seem to relate only to how the DCE server itself is accessed and not how the email is sent from  the server.

We disabled all but TLS1.2 on the settings you show in the image...

(CID:134681347)

This comment was originally posted on DCIM Support by Steven Marchetti on 2018-10-09

Thanks, That's what I 1/2 expected but just to be clear, you changed those settings and it's still trying to reach out via email with 1.0? Do you have packet captures or logs showing this so I can properly escalate to engineering?

(CID:134681370)

This comment was originally posted on DCIM Support by Garry Priestland on 2018-10-09

Exactly that.  I will ask the IT chap for the information that shows it is TLS1.0 tomorrow.

(CID:134681377)

This comment was originally posted on DCIM Support by Garry Priestland on 2018-10-11

The MS 365 Admin centre shows the following...

I also have a slight more detailed log for 2 more emails but would rather not put them on a public forum.

Regards

(CID:134682296)

This comment was originally posted on DCIM Support by Steven Marchetti on 2018-10-11

Thanks Garry,

I'd already sent this to engineering but glad to get your screenshot...I attached it to the issue that I raised.

Problem I see is that since we can apparently not change it using the functionality that I mentioned (I assume you changed that setting before sending that e-mail) it will likely require an update of some sort. Assuming they take action, I can't promise this will be done by December. This could cause issues for you and the rest of the customers that use the SSL functionality in e-mail. I've raised that point to engineering as well.

Thanks,

Steve.

(CID:134682424)

This comment was originally posted on DCIM Support by Garry Priestland on 2018-10-11

OK thanks for the response.

(CID:134682621)

This comment was originally posted on DCIM Support by Joshua Ellis on 2018-10-11

Hello Garry,  is the customers server configured to require 1.2 as of now, or does the server still allow for 1.0?  Our understanding is that DCE should negotiate the protocol, so if the server is only allowing 1.2 then DCE should use 1.2, if 1.0 is allowed then DCE would use 1.0.  We're going to try and test this ourselves to confirm but would be interested to know if the customers SMTP server currently allows for TLS 1.0, which may be why DCE is sending using 1.0.

(CID:134682658)

This comment was originally posted on DCIM Support by Joshua Ellis on 2018-10-24

Hello Garry,  could you confirm if the customers email server is set for TLS 1.2 and DCE is still trying 1.0 but then not trying 1.1 or 1.2?  Our understanding is that DCE should work at 1.0 but if blocked will try 1.1, if blocked will try 1.2.  Please confirm if this is the case. 

(CID:134688990)

This comment was originally posted on DCIM Support by Garry Priestland on 2018-10-25

Hi - the email service is provided by Microsoft (Office 365) and is currently supporting TLS1.0.  MS advised that at the end of this month TLS1.0/1.1 will not be supported any more.

We don't seem to be able to choose to use TLS1.2 by default so cannot test the theory you propose.  I was trying to make sure that we don't have multiple customers who have email that does not work at the end of the month, but I don't have the resources to test it.

Based on what you are saying it should not be a problem.

I hope not...

(CID:134689335)

This comment was originally posted on DCIM Support by Joshua Ellis on 2018-10-25

Hello Garry,  correct, we believe that this should not be a problem but were hoping you could confirm this. We were trying to confirm this internally but wanted to see if actual external customers could confirm as well, since field data would be very helpful in this case.

Thanks.

(CID:134689593)

This comment was originally posted on DCIM Support by Steven Marchetti on 2018-11-28

Hi Garry,

Are you OK with Josh's comments? Is it working OK for you?

Steve

(CID:137105215)