Support queries shared: MDaemon SSL errors – Windows XP and Server 2003

It’s a bit of a niche technical one this but as I’ve had several reports of it recently I wanted to share this one with you in case it helps.

If you’re an MDaemon customer you may have started to see the following errors in the SMTP (Out) logs when trying to send email to some specific external hosts…

“SSL negotiation failed*,*error code 0x80090326”

What this boils down to is an issue where MDaemon and the remote SMTP server cannot find a common set of SSL ciphers that they both have available to use.

Why would this start to happen on my server?

Due to the higher security of the AES cipher, some email servers are now starting to only accept SSL sessions using it, and therefore only advertise those ciphers at the start of an SSL session.

MDaemon uses the Microsoft Schannel library for its SSL/TLS support and so can only use the SSL Ciphers provided by that library. Microsoft added support for AES ciphers in Windows Vista but earlier Windows Operating systems like Windows XP and Server 2003 do not include them.

Microsoft have created a hotfix that adds AES Cipher support which has been confirmed to fix the issue specifically for Server 2003. 

Unfortunately no equivalent fix exists for Windows XP or SBS 2003  

Due to the end of life of XP and Exchange 2003 (included in SBS 2003) I think it is very unlikely there will be one in the future.

Workaround

For the unsupported Windows operating systems the work around is to not use SSL Negotiation for the specific domains that fail.

This can be done buy first finding the recipients domain MX Records and discovering any valid mail hosts that may be used for there domain.

The easiest way we have found to do find these  is by using the excellent MXToolbox website

Simply enter the domain of the recipient and make a note of any MX record ‘Hostnames’ that are returned. for example…

We have noticed that a large majority of the examples we have seen are all using the ‘1&1’ mail servers, while this is very common they are not the only examples we have seen so you may still need to look for other examples and add them as well.

Once you know the mail hostnames these can be added to the MDaemon SSL White list which can be found under…

Security -> Security Settings -> SSL & TLS -> STARTTLS White List.

You can see in this example I have added the two 1&1 mail hosts.

Any new SMTP Sessions to those specific hosts will now not use SSL and so should not trigger the error.

Its worth noting that this error should not happen on Windows Vista or newer Operating systems, unless the AES ciphers have been turned off in the registry, which is possible but unlikely.
Subscribe to blog highlights mail

4 thoughts on “Support queries shared: MDaemon SSL errors – Windows XP and Server 2003

  1. Why on earth would anyone not accept email using RC4 or DES and then go ahead and accept the same email over an insecure connection without STARTTLS? What is good for web servers is not good for mail servers!

Let us know what you think....

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s