This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Dec 21, 2014, 12:27 PM
1 Posts

Incoming SSMTP (TLS) mails from PayPal and some others are not accepted

  • Category: Mail
  • Platform: Windows
  • Release: 9.0.1
  • Role: Administrator
  • Tags: TLS SSMTP Paypal incoming Mails
  • Replies: 2

HoHoHo... and Happy Christmas... (Or something like that!) :)


Hello all,
I have a small problem and I hope somebody can help me.

After migration to Domino 9.0.1 FP 2 HF 2 (391) (and also with HF1) I have the problem that some mails are not accepted by the Domino systems.
It seems that the Domino server has a problem with TLS mails. From some recipients we don't get e-mails (a good example is the notification e-mail from PayPal).

Telnet'ing into port 25 on the server, issuing the STARTTLS command, enabling certain SSL debug options, etc. All of this is nice.
Also, the test on http://www.checktls.com/perl/TestReceiver.pl?FULL looks good.

The debug Log shows me:

[109C:000C-BAD8] 20.12.2014 17:31:31,76 SMTP CITask StateMachine> Sent 106 bytes to 173.0.84.228
[109C:000C-174E0] 20.12.2014 17:31:31   SMTP Server: mx3.slc.paypal.com (173.0.84.228) connected
[109C:000C-BAD8] 20.12.2014 17:31:31,92 SMTP CITask StateMachine> Received 23 bytes from 173.0.84.228
[109C:000C-174E0] 20.12.2014 17:31:31,93 SMTP CITask StateMachine> Sent 111 bytes to 173.0.84.228
[109C:000C-174E0] 20.12.2014 17:31:32,09 SMTP CITask StateMachine> Received 8 bytes from 173.0.84.228
[109C:000C-BAD8] 20.12.2014 17:31:32,09 SMTP CITask StateMachine> Sent 24 bytes to 173.0.84.228
[109C:000C-BAD8] 20.12.2014 17:31:32,09 ReadKeyfile> Recovering password from stash file
[109C:000C-BAD8] 20.12.2014 17:31:32,09 ReadKeyfile> Password is xxx
[109C:000C-BAD8] 20.12.2014 17:31:32,09 ReadKeyfile> Reading keyfile C:\Daten\Domino\keyfile.kyr
[109C:000C-BAD8] 20.12.2014 17:31:32,09 ReadKeyfile> Looking for trusted roots
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Found trusted roots
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Exit status = 0
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Recovering password from stash file
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Password is xxx
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Reading keyfile C:\Daten\Domino\keyfile.kyr
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Looking for cert chain
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Got cert chain
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Exit status = 0
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Recovering password from stash file
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Password is xxx
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Reading keyfile C:\Daten\Domino\keyfile.kyr
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Looking for private key
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Decoding keys
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Keys decoded
[109C:000C-BAD8] 20.12.2014 17:31:32,11 ReadKeyfile> Exit status = 0
[109C:000C-BAD8] 20.12.2014 17:31:32   SMTP Server: mx3.slc.paypal.com (173.0.84.228) disconnected. 0 message[s] received

I tried several things, but nothing works.

The Domino 32 Bit Version is installed on a Windows 2008 R2 System.
Also TrendMicro ScanMail for Domino is installed with an exception on "paypal.com". No result.

Also, the Domino system is configured to block e-mails if the DNS is not valid. (But on this it seems that all this is okay.)

I also tried the following entries in the notes.ini:
SMTPNonStandardMIMETermination=1
SMTPNonStandardLineTermination=1
Because I found a similar entry in another forum. But also without any success.

It seems to me that the connection is going well, but then... I don't know... The sending server doesn't want to send e-mails any more....

For a hint or something like that I would be very thankful.
Thanks in advance!

Dec 30, 2014, 6:04 PM
46 Posts
Same here

I'm having a similar issue, but after upgrading to FP2 IF3.

 

This is the SMTP log from the mail server that can't reach ours

 

12:05:17.466 RX: <220 mail.xxxx.com ESMTP Service (IBM Domino Release 9.0.1FP2 HF590) ready at Tue, 23 Dec 2014 15:05:12 -0200>
12:05:17.466 TX: <EHLO mailrelay3.xxxx.com>
12:05:17.638 RX: <250-mail.xxxx.com Hello mailrelay3.xxxxx.com ([x.x.x.x]), pleased to meet you>
12:05:17.638 RX: <250-TLS>
12:05:17.638 RX: <250-HELP>
12:05:17.638 RX: <250-AUTH LOGIN>
12:05:17.638 RX: <250-STARTTLS>
12:05:17.638 RX: <250-SIZE>
12:05:17.638 RX: <250 PIPELINING>
12:05:17.638 TX: <STARTTLS>
12:05:17.825 RX: <220 Ready to start TLS>
12:05:17.997 Thread exiting for B5499a0c80000.000000000001.000a.mml after 4188 millisecs
12:05:17.997 Route xxxx.com (MX) - * temporarily unreachable will retry for xxxx@xxxx.com

 

So far, there's just this one case that can't reach our server

Dec 31, 2014, 12:35 AM
57 Posts
Re. Incoming SSMTP (TLS) Mails from PayPal and some other will not accept

See this thread, starting with the third post from "Ronald Hoppe".  Read the entire thing.  I believe this is what you're experiencing.

http://www-10.lotus.com/ldd/ndseforum.nsf/xpTopicThread.xsp?documentId=E614F339E975A7A485257D860064343A

If this is the same problem you are experiencing, then there might not be a solution right now.  I opened a PMR with IBM about it.  The conclusion was that this problem occurs when SMTP servers try to connect to Domino using SSLv2 handshake protocol. The latest version of Domino fix packs and interim patches removes all SSLv2 functionality, even though removing it from the handshake is NOT required by current RFC.  Only not negotiating actual connections via SSLv2 is prohibited.

IBM's position, as I understand it, is that it is the sender's mail server that needs to be updated to stop trying to do SSLv2 handshakes.  However, we are having problems with some sending organizations -- such as Twitter -- over which I have no influence.  Trying to get them to change is like trying to get the government to change.  I also have a couple of large clients who could no longer send us mail, and their attitude is that we're the problem because they don't have trouble sending to anybody else.

So, to "fix" the problem I had to disable inbound encryption for SMTP until, if ever, all sending organizations stop using SSLv2 handshakes.
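
The handshake difference described in the last reply can be confirmed from a packet capture of a failing session. The following is an added example, not part of the original thread and not IBM's code: it classifies the first bytes a sending server transmits after "220 Ready to start TLS" as an SSLv2-format ClientHello or an SSLv3/TLS record, and reports the highest protocol version offered. The function names and the sample bytes are constructed for illustration.

```python
import struct

VERSIONS = {(2, 0): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Classify the first bytes a client sends after '220 Ready to start TLS'."""
    if len(data) < 11:
        return {"format": "unknown", "reason": "too short"}
    # SSLv2 framing: 2-byte length with the high bit set, then msg_type 1.
    if data[0] & 0x80 and data[2] == 0x01:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBHHH", data[3:11])
        # Body = type(1) + version(2) + three lengths(6) + variable fields.
        if rec_len == 9 + cs_len + sid_len + ch_len and cs_len % 3 == 0:
            return {"format": "sslv2-hello",
                    "offers": VERSIONS.get((major, minor), "unknown"),
                    "cipher_specs": cs_len // 3}
        return {"format": "unknown", "reason": "inconsistent SSLv2 lengths"}
    # SSLv3/TLS framing: record type 0x16 (handshake), handshake type 1.
    if data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"format": "tls-record",
                "offers": VERSIONS.get((data[9], data[10]), "unknown")}
    return {"format": "unknown", "reason": "not a ClientHello"}

def build_v2_hello(version, cipher_specs: bytes, challenge: bytes) -> bytes:
    """Constructed sample: SSLv2-format hello with an empty session id."""
    body = struct.pack("!BBBHHH", 1, version[0], version[1],
                       len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body

def build_tls_hello(version) -> bytes:
    """Constructed sample: minimal record-format ClientHello, one cipher suite."""
    body = bytes(version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    # Old-style sender: SSLv2 framing, but offering TLS 1.0 inside it.
    legacy = build_v2_hello((3, 1), b"\x00\x00\x2f\x00\x00\x0a", bytes(16))
    print(classify_client_hello(legacy))
    # Current-style sender: plain TLS record carrying the ClientHello.
    print(classify_client_hello(build_tls_hello((3, 3))))
```

A result of "sslv2-hello" with "offers" set to TLS 1.0 or later means the sender uses only the old framing for its first message while asking for a TLS session, which is the case the reply distinguishes from negotiating an actual SSLv2 connection.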

