Hi Lukas, thanks for your analysis. I'll have to think about it a bit. I guess TLS 1.3 won't come in the near future as MS seemed to have it implemented for all protocols but SMTP which is absolutely "logical" - NOT. 😉
regards Norbert

-----Original Message-----
From: Lukas Tribus <[email protected]>
Sent: Thursday, 23 October 2025 13:28
To: Fehlauer, Norbert <[email protected]>
Cc: mailop <[email protected]>
Subject: Re: [mailop] Changes at Cisco ESA for outbound TLS ciphers?

On Thu, 23 Oct 2025 at 12:07, Fehlauer, Norbert via mailop <[email protected]> wrote:
>
> Hi,
>
> just after writing this question it came to my mind that it might be our ECC
> certificate.

You do not support TLSv1.3, just TLSv1.2. You only have an ECC certificate, not an RSA certificate. Therefore, you only support TLSv1.2 with just the following 4 ciphers:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256

This is because in TLSv1.2 an ECC certificate restricts the available ciphers to ECDSA ciphers.

This is a pretty limited configuration; it's not a surprise you have some compatibility issues.

You should upgrade to support TLSv1.3 as well as TLSv1.2 and downgrade from ECC to an RSA 2048-bit certificate for compatibility in the TLSv1.2 space.

If we take a look at what Office 365 supports, first of all they support TLSv1.3 and only use RSA certificates. The supported TLSv1.2 ciphers are:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA

I know this kind of argument is frowned upon, but you can have the luxury of not having to troubleshoot TLS problems on your email setup at all if you just make sure you support the same ciphers as Gmail and O365.

You can use testssl.sh for example to troubleshoot this.

Lukas
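The TLSv1.2 rule Lukas describes, that the certificate's key type decides which cipher suites a server can offer at all, can be checked offline against the two lists quoted in the thread. This is an added example, not code from the thread or from Cisco; the prefix-to-key-type mapping is a simplification that covers the suites named above, and the second scenario assumes a server holding both an ECDSA and an RSA certificate.

```python
# Model the TLSv1.2 constraint from the thread: a suite is only offerable if
# the server holds a certificate of the key type the suite authenticates with.
# Cipher names are OpenSSL-style, exactly as quoted in the thread.

# The four suites the ECC-only Cisco ESA offers (from the thread).
ECC_ONLY_SERVER = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-ECDSA-AES128-SHA256",
]

# Office 365's TLSv1.2 list (from the thread); every one authenticates with RSA.
O365_TLS12 = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256",
    "AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA",
]

def auth_key_type(cipher: str) -> str:
    """Certificate key type a TLSv1.2 suite authenticates the server with."""
    if cipher.startswith("ECDHE-ECDSA-"):
        return "ECDSA"
    if cipher.startswith(("ECDHE-RSA-", "DHE-RSA-")):
        return "RSA"
    if cipher.startswith("AES"):
        # No kex/auth prefix means static RSA key exchange: needs an RSA cert too.
        return "RSA"
    return "UNKNOWN"

def offerable(ciphers, cert_key_types):
    """Suites a server can actually negotiate given the cert key types it holds."""
    return [c for c in ciphers if auth_key_type(c) in cert_key_types]

def mutual_tls12(server_ciphers, server_cert_types, peer_ciphers):
    """Suites both sides can use; an empty list means no TLSv1.2 handshake."""
    peer = set(peer_ciphers)
    return [c for c in offerable(server_ciphers, server_cert_types) if c in peer]

if __name__ == "__main__":
    # ECC-only server against O365: nothing in common, the failure seen in the thread.
    print(mutual_tls12(ECC_ONLY_SERVER, {"ECDSA"}, O365_TLS12))  # []
    # Hypothetical fix: add an RSA certificate plus the matching ECDHE-RSA suites.
    dual = ECC_ONLY_SERVER + [c.replace("ECDSA", "RSA") for c in ECC_ONLY_SERVER]
    print(mutual_tls12(dual, {"ECDSA", "RSA"}, O365_TLS12))  # the 4 ECDHE-RSA suites
```

TLSv1.3 is not modelled here because its suites are independent of the certificate key type, which is why enabling it sidesteps the problem.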
mailop mailing list: [email protected] https://list.mailop.org/listinfo/mailop
