« IBM and Apple focus on the Enterprise | Main| Have you been targeted by Fraud emails? »

Poodle + Domino SSL = Mail Problems

Tags:
0
If  you use Domino today, you effectively cannot use SSL for email (SMTP) until the promised IBM fix is available. Here is why: The fix vendors applied that patched the POODLE vulnerability broke communications with Domino servers that use SSL. These patched servers will start a secure (SSL) SMTP session but will not fall back to plain text. This means messages queued up in mail.box for sending outbound, or mail queued up at the sender that will not be received by you.


The best non-technical explanation that I can give is that the STARTTLS command that the two SMTP servers use to negotiate a secure connections cannot agree on a protocol and the negotiation fails, so the message transfer fails.


Vendors like ProofPoint (pphosted.com) would not fall back to plain text no matter what my Domino settings were. And I tried 10 different combinations. Once a session started with SSL, Domino offers (before the promised fix) no acceptable fallback path, so the session ends without a successful mail transfer.


The only option that works before the IBM fix is released is to disable SSL for Inbound and Outbound messages.

In summary, messages transfers that start out as plain text will be transferred. Messages that start out as secure will not be transferred.

This is suboptimal (like having a leg cut off is suboptimal) but messages will flow.





Tip:  We like to use this service called http://www.kloth.net/services/dig.php to check MX records for problems with message transfer:

A picture named M2




Comments

Gravatar Image1 - I received an email that asked about using this in notes.ini: RouterFallbackNonTLS=1 does that allow smtp traffic with the servers you are having a problem with? My response was that I was hopeful that this would work, but for some reason, the ProofPoint servers would not fall back. I tried this several times in several combinations. My only conclusion is that once TLS (SSL) starts, it will could not find an acceptable fallback protocol....

Post A Comment

:-D:-o:-p:-x:-(:-):-\:angry::cool::cry::emb::grin::huh::laugh::lips::rolleyes:;-)

Lotusphere

LinkedIn

View Frank Paolino's profile on LinkedIn

Tags

Frank Paolino