View previous topic :: View next topic |
Author |
Message |
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
[OffTopic] Mail problem from CCS? |
Posted: Tue Nov 02, 2021 1:12 pm |
|
|
Mail problem from CCS?
Anyone having random problem receiving some mail from CCS?
CCS sometime use old protocol like TLS1.0 & TLS1.1 and SSLv2 and SSLv3. Today most mail-servers will reject tease for security.
https://www.tbs-certificates.co.uk/FAQ/en/protocoles-obsoletes.html
1) Anyone having random problem receiving mail from CCS?
2) Anyone having a header from there mail received from CCS?
The log entry when CCS was rejected look like this (They use SSLv2 or SSLv3 not secure and rejected):
SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
When there are no problem there header look like this (xxx is where i have removed information): Received: from [192.168.100.xxx] (helo=MARK) by xxx.ccsinfo.com with esmtp
Last edited by hmmpic on Wed Nov 03, 2021 12:47 am; edited 1 time in total |
|
|
temtronic
Joined: 01 Jul 2010 Posts: 9226 Location: Greensville,Ontario
|
|
Posted: Tue Nov 02, 2021 1:44 pm |
|
|
No problems for me, just got one the other day.
I use Mozilla Thunderbird as my email program, WIN7ultimate. |
|
|
Ttelmah
Joined: 11 Mar 2010 Posts: 19515
|
|
Posted: Tue Nov 02, 2021 11:50 pm |
|
|
'Most servers', most certainly do not reject SS (as a generic term)..
You can usually tell you server to reject unvalidated SSL connections,
but this is a setting that you can adjust.
SSL as a term, usually generically includes all the updated layers below
this.
TLS1.0, definitely would be a problem. Things are moving now to TLS1.3,
and if the mail comes in through an Office365 based portal, these won't
accept TLS1.0 (or 1.1) transactions now.
So the SSL error might be an error that the protocol 'below' this is one
that is not supported. Though your error message seems to suggest
that the older SSL protocol is what is being used.
Who are you talking to at CCS?. The programmers and people there all
seem to use their own mail clients. Sounds as if you may be talking to
somebody who has not updated their settings.
Must admit if they are using a main server that still validates using one of
original SSL protocols, that is 'scarey'...
Thinking about it most of the servers use Unix based code, and this would
be updated as standard. The lower SSL layers were deprecated years
ago. Now the server at your end, and the server at CCS, will use the
'highest' protocol that both support, and is supported all the way between
them. Wonder if you are routing through some intermediate that is
blocking the higher protocols?.
Had no problems 'generically' with stuff from CCS. |
|
|
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
|
Posted: Wed Nov 03, 2021 3:40 am |
|
|
Problem is random, some mail are sent without encryption these mail are received ok, but some are sent with old SSLv2 or SSLv3 and they fail.
I have informed CCS about there mail server and old protocol, but no reply...
In Denmark most mail servers only accept no encryption or use TLS1.2 and some also support TLS1.3. Problem is when someone use old mail servers there worked some years back, and is not updated for years...
All this because the pointer bug in 5.105:-) |
|
|
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
|
Posted: Wed Nov 03, 2021 5:00 am |
|
|
When mail are received the header named Received have "esmtp" can you maybe check some mail from CCS and see if you have some encryption esmtps in the Received line...
The Received must be read from the button and up. Find some where you see a CCS public ip address like 98.100.x.x
This is one mail from ebay:
mxphxxxx.ebay.com ([66.211.xxx.xxx]:51459)
by serverxxx.xxx.dk with esmtps (TLS1.2) tls TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
This is from CCS:
Received: from xxxx.ccsinfo.com ([98.100.xxx.xxx]:35753)
by serverxx.xxx.dk with esmtp |
|
|
Ttelmah
Joined: 11 Mar 2010 Posts: 19515
|
|
Posted: Wed Nov 03, 2021 7:38 am |
|
|
I'd actually suspect it is one of the international gateway systems that is
not accepting the higher level security. Would explain the randomness.
If it was CCS's server, it'd happen all the time. What is happening is
that when the negotiation takes place between the mail at your end
and the CCS server if it happens to go through a gateway that refuses
the higher security, then both ends turn down to a lower level....
I had this years ago, and used to force a default global router to be used. |
|
|
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
|
Posted: Fri Nov 12, 2021 4:33 am |
|
|
This explain a lot: (version=TLS1 cipher=AES128-SHA bits=128/128 )
Received : from mail2.ccsinfo.com (mail2.ccsinfo.com. [98.100.152.38]) by mx.google.com with ESMTPS for xxx@gmail.com (version=TLS1 cipher=AES128-SHA bits=128/128 );
So many years ago this was used, totally old (1999).
https://endoflife.software/protocols/encryption/tls
About one month ago CCS was sending with ESMTP. But now they use ESMTPS with (version=TLS1 cipher=AES128-SHA bits=128/128).
It's only a matter of time before others experience the same problem. CCS wont listen at all about this. |
|
|
jeremiah
Joined: 20 Jul 2010 Posts: 1349
|
|
Posted: Fri Nov 12, 2021 3:53 pm |
|
|
hmmpic wrote: | This explain a lot: (version=TLS1 cipher=AES128-SHA bits=128/128 )
Received : from mail2.ccsinfo.com (mail2.ccsinfo.com. [98.100.152.38]) by mx.google.com with ESMTPS for xxx@gmail.com (version=TLS1 cipher=AES128-SHA bits=128/128 );
So many years ago this was used, totally old (1999).
https://endoflife.software/protocols/encryption/tls
About one month ago CCS was sending with ESMTP. But now they use ESMTPS with (version=TLS1 cipher=AES128-SHA bits=128/128).
It's only a matter of time before others experience the same problem. CCS won't listen at all about this. |
Did you call them and chat with them about it? |
|
|
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
|
Posted: Sat Nov 13, 2021 4:28 am |
|
|
YES they are informed about the issue! But they don't care |
|
|
Ttelmah
Joined: 11 Mar 2010 Posts: 19515
|
|
Posted: Sat Nov 13, 2021 7:38 am |
|
|
As I have already pointed out, I don't think the issue is with them.
Key to understand is that when you talk to eBay, they have a server
close to where you are. However when you talk to CCS, you are going
through one or more international gateway servers.
Now when such a mail connection is established, the servers at each end
say what security they support, and the link propagates through each
gateway, with it either accepting or rejecting the particular security levels.
The link gets established with the highest security _that is supported by
every link in the connection_. It only takes one of the gateway servers
to be rejecting a higher level for the security to turn down.
Now the reason I don't think the issue is with CCS, is I have emails back
from May, that are using a higher security level than you are showing.
I think the issue is with the gateways being used. The reason it has
switched up a month ago, may well be that there was an update to
one of the gateways.
I have seen exactly this with a gateway in the Azores that was used
for a lot of the UK links a while back. |
|
|
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
|
Posted: Sat Nov 13, 2021 8:56 am |
|
|
hmmm, when i see this:
Received : from mail2.ccsinfo.com (mail2.ccsinfo.com. [98.100.152.38]) by mx.google.com with ESMTPS for xxx@gmail.com (version=TLS1 cipher=AES128-SHA bits=128/128 );
Is is because the sender use TLS1...
I have mail years back from CCS and all sent as ESMTP. About 14 days back they start to be rejected by our hosted mailserver, this is when they use ESMTPS and TLS1.
To do a long story short, in DK a lot of hosts only support TLS1.2, and up. That's the case.
If you have any mail received from CCS showing they use any security please post the "Received" line. |
|
|
newguy
Joined: 24 Jun 2004 Posts: 1908
|
|
Posted: Sat Nov 13, 2021 9:50 am |
|
|
Code: | Received: from ...
(...:...:...:...::...) by ...
(...:...:....:...::...) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) |
This is from an email I received from CCS back in mid September. |
|
|
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
|
Posted: Sat Nov 13, 2021 10:16 am |
|
|
Sorry but the line you show can be a wrong one. You need to understand the header "Received". Please find the one in most top there have CCS public IP and display and show it all.
What i see is:
The Exim used by CCS is so old. Exim 4.69 is from late 2007.
CCS to their outgoing SMTP server:
Received: from [192.168.100.111] (helo=MARK) by mail2.ccsinfo.com with esmtp (Exim 4.69) (envelope-from <support@ccsinfo.com>)
Google receive is from (CCS) outgoing SMTP server:
Received: from mail2.ccsinfo.com (mail2.ccsinfo.com. [98.100.152.38]) by mx.google.com with ESMTPS for <xxx@gmail.com> (version=TLS1 cipher=AES128-SHA bits=128/128);
Our mail server receiver the mail from google as it is forwarded from my account at google til my local mail....:
Received: from mail-io1-f51.google.com ([209.85.166.51]:38699) by server.xxx.dk with esmtps (TLS1.2) tls TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)
As you see Google and CCS's deal with the low TLS1, maybe because CCS won't accept any higher. |
|
|
jeremiah
Joined: 20 Jul 2010 Posts: 1349
|
|
Posted: Sat Nov 13, 2021 9:25 pm |
|
|
hmmpic wrote: | YES they are informed about the issue! But they don't care |
They said they refuse to fix it or that they didn't believe it was a problem? or some other response? I'm curious what their thinking is. |
|
|
hmmpic
Joined: 09 Mar 2010 Posts: 314 Location: Denmark
|
|
Posted: Sun Nov 14, 2021 10:10 am |
|
|
Sent 3 nice mail no response at all. And they have my Gmail addr😉 Really think they won't do anything before they have bigger problems🤔
Maybe someone can post some correct Received line, just to compare... |
|
|
|