Welcome to the mailbox.org user forum!
 

TLS encryption disabled, but emails still fail to send due to lack of recipient TLS support

4782205 shared this problem 2 years ago

Hello


I have had an email fail to send with the following error:


  Diagnostic-Code: X-Postfix; TLS is required, but was not offered by host

I have verified that the encrypted sending option is disabled and I am not using my @secure.mailbox.org address, but to no avail.




Please advise

Comments (3)

1

Please can you write to the support (support@mailbox.org) giving the e-mail address of the receiver and the exact time and date of your attempt.

Maybe it belongs to configuration issues on the receiver's side.

1

I have sent a support email separately. I have also verified that the recipient server does NOT support TLS and requested they address this.

1

Very comprehensive response from Mailbox support - very informative so I post a slightly edited version below:


The server did not send the email because of a rule that forbids it from reducing the security level that was reached once during the last successful connection. It keeps the mail server from performing a 'downgrade', which means that the email will be transmitted unencrypted. This rule is necessary for the enforcement of encryption when we announce an encrypted transmission.


In your case, that is caused by a previous successful connection when a secure SSL-encrypted connection could be established.


The decision on what kind of parameters are considered safe when using email is made by the IETF and is updated from time to time. In the meantime since the mentioned secure connection, a parameter that was used before ('cipher') was declared 'unsafe'. We have removed this parameter from our configuration while the receiving host still uses it (they might have a good reason that we do not know). Because of this, the connection was considered 'unsafe'.


I have deleted the information in the database about the old secure connection, so the emails that you send to this domain can be received unencrypted without further notice. This also means that all emails sent from us to this domain may remain unencrypted until the receiving mail server is configured safely again.


Just for your information:

Connection to mail.sahd.ax 24th of May, 00:14:32 encrypted using TLSv1 using cipher AES256-SHA (256/256 bits)


IETF statement on Internet Best Practice:

https://tools.ietf.org/html/rfc7525
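
The no-downgrade rule described in the support reply above can be modelled as follows. This is an added example, not mailbox.org's code or configuration; the history store, function names, cipher list, reason strings and EHLO replies are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sender policy: ciphers the sending server still allows (assumption).
ALLOWED_CIPHERS = {"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"}

# Constructed EHLO replies from a recipient server.
EHLO_WITH_TLS = "250-mx.example.org\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-mx.example.org\r\n250-SIZE 10240000\r\n250 8BITMIME"

@dataclass
class TlsHistory:
    """Hypothetical store of recipient domains that accepted TLS before."""
    seen_tls: set = field(default_factory=set)

def offers_starttls(ehlo_reply):
    """True if a 250 line of the EHLO reply advertises the STARTTLS keyword."""
    for line in ehlo_reply.splitlines():
        if line.startswith("250") and line[3:4] in ("-", " "):
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":
                return True
    return False

def decide(domain, ehlo_reply, remote_ciphers, history):
    """Return (action, reason) for one delivery attempt to `domain`."""
    if not offers_starttls(ehlo_reply):
        tls_ok, reason = False, "STARTTLS not offered"
    elif not ALLOWED_CIPHERS & set(remote_ciphers):
        tls_ok, reason = False, "no cipher in common with sender policy"
    else:
        tls_ok, reason = True, "TLS negotiated"
    if tls_ok:
        history.seen_tls.add(domain)      # remember the level reached
        return "send-encrypted", reason
    if domain in history.seen_tls:        # encrypted once: refuse the downgrade
        return "defer", reason
    return "send-plaintext", reason       # never encrypted: opportunistic fallback

def clear_history(domain, history):
    """What support did in the thread: forget the earlier encrypted connection."""
    history.seen_tls.discard(domain)
```

A domain with no recorded TLS connection falls back to plaintext, while the same EHLO reply from a domain with a recorded one yields `defer` until `clear_history` is called.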