[OffTopic] Mail problem from CCS?

[hmmpic]

Mail problem from CCS?

Anyone having random problem receiving some mail from CCS?
CCS sometime use old protocol like TLS1.0 & TLS1.1 and SSLv2 and SSLv3. Today most mail-servers will reject tease for security.
https://www.tbs-certificates.co.uk/FAQ/en/protocoles-obsoletes.html

1) Anyone having random problem receiving mail from CCS?

2) Anyone having a header from there mail received from CCS?

The log entry when CCS was rejected look like this (They use SSLv2 or SSLv3 not secure and rejected):
SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

When there are no problem there header look like this (xxx is where i have removed information): Received: from [192.168.100.xxx] (helo=MARK) by xxx.ccsinfo.com with esmtp

[temtronic]

No problems for me, just got one the other day.
I use Mozilla Thunderbird as my email program, WIN7ultimate.

[Ttelmah]

'Most servers', most certainly do not reject SS (as a generic term)..
You can usually tell you server to reject unvalidated SSL connections,
but this is a setting that you can adjust.
SSL as a term, usually generically includes all the updated layers below
this.
TLS1.0, definitely would be a problem. Things are moving now to TLS1.3,
and if the mail comes in through an Office365 based portal, these won't
accept TLS1.0 (or 1.1) transactions now.
So the SSL error might be an error that the protocol 'below' this is one
that is not supported. Though your error message seems to suggest
that the older SSL protocol is what is being used.
Who are you talking to at CCS?. The programmers and people there all
seem to use their own mail clients. Sounds as if you may be talking to
somebody who has not updated their settings.
Must admit if they are using a main server that still validates using one of
original SSL protocols, that is 'scarey'...
Thinking about it most of the servers use Unix based code, and this would
be updated as standard. The lower SSL layers were deprecated years
ago. Now the server at your end, and the server at CCS, will use the
'highest' protocol that both support, and is supported all the way between
them. Wonder if you are routing through some intermediate that is
blocking the higher protocols?.
Had no problems 'generically' with stuff from CCS.

[hmmpic]

Problem is random, some mail are sent without encryption these mail are received ok, but some are sent with old SSLv2 or SSLv3 and they fail.

I have informed CCS about there mail server and old protocol, but no reply...

In Denmark most mail servers only accept no encryption or use TLS1.2 and some also support TLS1.3. Problem is when someone use old mail servers there worked some years back, and is not updated for years...

All this because the pointer bug in 5.105:-)

[hmmpic]

When mail are received the header named Received have "esmtp" can you maybe check some mail from CCS and see if you have some encryption esmtps in the Received line...
The Received must be read from the button and up. Find some where you see a CCS public ip address like 98.100.x.x

This is one mail from ebay:
mxphxxxx.ebay.com ([66.211.xxx.xxx]:51459)
by serverxxx.xxx.dk with esmtps (TLS1.2) tls TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

This is from CCS:
Received: from xxxx.ccsinfo.com ([98.100.xxx.xxx]:35753)
by serverxx.xxx.dk with esmtp

[Ttelmah]

I'd actually suspect it is one of the international gateway systems that is
not accepting the higher level security. Would explain the randomness.
If it was CCS's server, it'd happen all the time. What is happening is
that when the negotiation takes place between the mail at your end
and the CCS server if it happens to go through a gateway that refuses
the higher security, then both ends turn down to a lower level....
I had this years ago, and used to force a default global router to be used.

[hmmpic]

This explain a lot: (version=TLS1 cipher=AES128-SHA bits=128/128 )
Received : from mail2.ccsinfo.com (mail2.ccsinfo.com. [98.100.152.38]) by mx.google.com with ESMTPS for xxx@gmail.com (version=TLS1 cipher=AES128-SHA bits=128/128 );

So many years ago this was used, totally old (1999).
https://endoflife.software/protocols/encryption/tls

About one month ago CCS was sending with ESMTP. But now they use ESMTPS with (version=TLS1 cipher=AES128-SHA bits=128/128).

It's only a matter of time before others experience the same problem. CCS wont listen at all about this.

[jeremiah]

[hmmpic]

YES they are informed about the issue! But they don't care

[Ttelmah]

As I have already pointed out, I don't think the issue is with them.
Key to understand is that when you talk to eBay, they have a server
close to where you are. However when you talk to CCS, you are going
through one or more international gateway servers.

Now when such a mail connection is established, the servers at each end
say what security they support, and the link propagates through each
gateway, with it either accepting or rejecting the particular security levels.
The link gets established with the highest security _that is supported by
every link in the connection_. It only takes one of the gateway servers
to be rejecting a higher level for the security to turn down.

Now the reason I don't think the issue is with CCS, is I have emails back
from May, that are using a higher security level than you are showing.
I think the issue is with the gateways being used. The reason it has
switched up a month ago, may well be that there was an update to
one of the gateways.

I have seen exactly this with a gateway in the Azores that was used
for a lot of the UK links a while back.

[hmmpic]

hmmm, when i see this:
Received : from mail2.ccsinfo.com (mail2.ccsinfo.com. [98.100.152.38]) by mx.google.com with ESMTPS for xxx@gmail.com (version=TLS1 cipher=AES128-SHA bits=128/128 );

Is is because the sender use TLS1...

I have mail years back from CCS and all sent as ESMTP. About 14 days back they start to be rejected by our hosted mailserver, this is when they use ESMTPS and TLS1.

To do a long story short, in DK a lot of hosts only support TLS1.2, and up. That's the case.

If you have any mail received from CCS showing they use any security please post the "Received" line.

[newguy]

[hmmpic]

Sorry but the line you show can be a wrong one. You need to understand the header "Received". Please find the one in most top there have CCS public IP and display and show it all.

What i see is:

The Exim used by CCS is so old. Exim 4.69 is from late 2007.

CCS to their outgoing SMTP server:
Received: from [192.168.100.111] (helo=MARK) by mail2.ccsinfo.com with esmtp (Exim 4.69) (envelope-from <support@ccsinfo.com>)

Google receive is from (CCS) outgoing SMTP server:
Received: from mail2.ccsinfo.com (mail2.ccsinfo.com. [98.100.152.38]) by mx.google.com with ESMTPS for <xxx@gmail.com> (version=TLS1 cipher=AES128-SHA bits=128/128);

Our mail server receiver the mail from google as it is forwarded from my account at google til my local mail....:
Received: from mail-io1-f51.google.com ([209.85.166.51]:38699) by server.xxx.dk with esmtps (TLS1.2) tls TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)

As you see Google and CCS's deal with the low TLS1, maybe because CCS won't accept any higher.

[jeremiah]

[hmmpic]

Sent 3 nice mail no response at all. And they have my Gmail addr😉 Really think they won't do anything before they have bigger problems🤔

Maybe someone can post some correct Received line, just to compare...