
Outlook 2003 fails to use SSL


Alan W. Rateliff II

Jul 8, 2004, 4:27:09 AM
I found a response to the message
c54b1044.04032...@posting.google.com "Outlook
2003 fails to use SSL". I, too, am having similar issues
with two different Outlook 2003 clients (two different
computers, both running Windows XP Pro) trying to send
mail through Sendmail 8.13.0 with OpenSSL 0.9.7d. I have
included a relevant excerpt from my OPMLog.log.

2004.07.08 04:02:07 <<<< Logging Started (level is LTF_TRACE) >>>>
2004.07.08 04:02:07 al...@rateliff.net: Synch operation started (flags = 00000001)
2004.07.08 04:02:07 al...@rateliff.net: UploadItems: 1 messages to send
2004.07.08 04:02:07 SMTP (secure.rateliff.net): Begin execution
2004.07.08 04:02:07 SMTP (secure.rateliff.net): Port: 925, Secure: SSL, SPA: no
2004.07.08 04:02:07 SMTP (secure.rateliff.net): Finding host
2004.07.08 04:02:07 SMTP (secure.rateliff.net): Securing connection
2004.07.08 04:02:12 SMTP (secure.rateliff.net): Disconnected from host
2004.07.08 04:03:12 SMTP (secure.rateliff.net): End execution
2004.07.08 04:03:12 al...@rateliff.net: ReportStatus: RSF_COMPLETED, hr = 0x800ccc7d
2004.07.08 04:03:12 al...@rateliff.net: Synch operation completed

Note that the port is 925, however this fails on ports 465
and 25 as well on BOTH clients.

Considering my network structure, this might at first
glance appear to be the MTU issue with the LinkSys routers
referenced in another KBA. However, I have determined
that the problem exists behind several different routers
with varying MTU settings, on both cable and ADSL
connections. In recent testing, the computer was unable
to send when connected DIRECTLY to the Internet on the
same network as the server.

Build information on one of the problem clients:
11.5608.5703

I noticed when looking at the "About Outlook" window that
it shows a cipher strength of 128 bits. My SSL
certificate is 256 bits. I'm not familiar enough with the
inner workings of SSL encrypted email to determine if this
is a potential problem.

--
Alan W. Rateliff, II

neo [mvp outlook]

Jul 8, 2004, 8:39:28 AM
Does Sendmail/OpenSSL support the TLS command set?

"Alan W. Rateliff II" <li...@rateliff.net> wrote in message
news:28c0901c464c5$5c640450$a501...@phx.gbl...

Alan W. Rateliff II

Jul 8, 2004, 10:46:41 AM

>-----Original Message-----
>Does Sendmail/OpenSSL support the TLS command set?

Yes:

220 mx1.rateliff.net ESMTP Sendmail 8.13.0/8.13.0; Thu, 8 Jul 2004 10:44:55 -0400 (EDT); Message delivery to this system implies acceptance of policies at http://info.rateliff.net/mailpolicy.php
ehlo dsl
250-mx1.rateliff.net Hello [REMOVED], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15728640
250-DSN
250-AUTH LOGIN
250-STARTTLS
250-DELIVERBY
250 HELP

neo [mvp outlook]

Jul 8, 2004, 1:59:17 PM
I don't think Outlook is going to play well when moving outside port 25.
(Still testing and checking with someone in Microsoft.)

Outside of that, I did find one post last year that a configuration change
would need to be made to Sendmail and recompile in order to support Outlook
when moving outside of port 25.

"Alan W. Rateliff II" <li...@rateliff.net> wrote in message

news:29b6101c464fa$618f2830$a301...@phx.gbl...

Alan W. Rateliff III

Jul 9, 2004, 2:33:48 AM

>-----Original Message-----
>I don't think Outlook is going to play well when moving outside port 25.
>(Still testing and checking with someone in Microsoft.)

I have also heard that Outlook doesn't like STARTTLS on
anything but port 25. Outlook Express didn't (seem) to
have that limitation, and I don't recall running into this
problem with Outlook until fairly recently.

>Outside of that, I did find one post last year that a configuration change
>would need to be made to Sendmail and recompile in order to support Outlook
>when moving outside of port 25.

I have seen some sites which indicate that a DAEMON_OPTION
setting of M=s on port 465 (smtps) would create a daemon
which begins SSL immediately. (I've tried this to no
avail, and from the Sendmail op guide it appears that
the "s" switch simply _offers_ STARTTLS on that daemon,
versus "S" which suppresses STARTTLS.) I haven't found
anything outside of that, so I would appreciate any
information you turn up.

I'm going to wind up posting to the sendmail group as well
to see what I can turn up there. I was hoping the fix was
with Outlook, forcing it to play nice on other ports than
25 ;)

Alan W. Rateliff II

Jul 9, 2004, 3:01:41 AM
>>Outside of that, I did find one post last year that a configuration change
>>would need to be made to Sendmail and recompile in order to support Outlook
>>when moving outside of port 25.
>
>I have seen some sites which indicate that a DAEMON_OPTION
>setting of M=s on port 465 (smtps) would create a daemon
>which begins SSL immediately. (I've tried this to no
>avail, and from the Sendmail op guide it appears that
>the "s" switch simply _offers_ STARTTLS on that daemon,
>versus "S" which suppresses STARTTLS.) I haven't found
>anything outside of that, so I would appreciate any
>information you turn up.

Found in comp.mail.sendmail, posted by Ken Murchison, with
Message-ID: <cmu-nntpd-14391-1063971985-
0...@eagle.oceana.com> (groups.google.com keyword search
of "outlook sendmail starttls"):

** BEGIN QUOTE **

Rabellino Sergio wrote:
> FiLH wrote:
>
>>
>> Always dealing with Outlook problems I have now the following problem
>> I have configured sendmail so that it asks for auth but only after
>> starttls has been issued. The configuration works fine with Mozilla.
>>
>> When I try with outlook express of course it does not work.
>> I have setup the account so that it does not use secure password, but
>> needs authentication, and in the advanced tab I check use SSL.
>>
>> When I look at the tcp session it seems that outlook directly starts
>> sending encrypted data.
>> Is there a point that I am missing somewhere ?
>>
>> f.g.
>>
> There are some tricks to get outlook work with SSL enabled.
>
> I've installed an MSA port on port 587, with auth only enabled. Then
> installed an SSL wrapper on port 465 that talks directly SSL, without
> STARTTLS features, like sslwrap or ssltunnel.

FYI, Sendmail can do this for you, using a feature that I added back in
8.10 (IIRC). Recompile Sendmail using -D_FFR_SMTP_SSL and then add
something like this to sendmail.mc:

DAEMON_OPTIONS(`Port=465, Name=SSA, M=Es')dnl # SSL MSA

The 's' flag tells it to start SSL immediately.

** END QUOTE **

I have done this by adding the -D_FFR_SMTP_SSL switch to
my devtools/Site/siteconfig.m4 file, which now contains:

APPENDDEF(`confENVDEF', `-DSASL -DSTARTTLS -DHASURANDOMDEV -D_FFR_SMTP_SSL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl -lssl -lcrypto')
APPENDDEF(`conf_sendmail_INCDIRS',`-I/usr/local/ssl/include')
APPENDDEF(`conf_sendmail_LIBDIRS',`-L/usr/local/ssl/lib')

(-lsasl is there for AUTH transport)


Added this line to my sendmail.mc file:

DAEMON_OPTIONS(`port=465, Name=MTASSL, M=aEs')dnl


(a=require AUTH, E=disable ETRN, s=start SSL)

et voila! So far over a dozen test messages have gone
through without a problem. I will monitor this thread for
another couple of days. Thanks for the nudge!
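
To check which of the two behaviours discussed in this thread a given port has (a plaintext 220 banner that then offers STARTTLS, or a daemon that expects the SSL handshake as soon as the client connects), the port can be probed. This is an added example, not part of any post in the thread; `probe`, `read_reply`, `fake_server` and the `mx.example` replies are names and sample data constructed for illustration.

```python
import socket
import threading

def read_reply(sock):
    """Read one SMTP reply; its last line has a space (not '-') after the code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf.decode("ascii", "replace").splitlines()
        buf += chunk
        lines = buf.decode("ascii", "replace").splitlines()
        if buf.endswith(b"\r\n") and lines[-1][3:4] in (" ", ""):
            return lines

def probe(host, port, timeout=2.0):
    """Classify a port as 'starttls', 'plaintext-only', 'silent' or 'not-smtp'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            greeting = read_reply(s)
        except socket.timeout:
            # No 220 banner before the client speaks: consistent with an SSL-first daemon
            return "silent"
        if not greeting or not greeting[0].startswith("220"):
            return "not-smtp"
        s.sendall(b"EHLO probe.example\r\n")
        ehlo = read_reply(s)
        s.sendall(b"QUIT\r\n")
    keywords = {l[4:].split()[0].upper() for l in ehlo[1:] if l[4:].strip()}
    return "starttls" if "STARTTLS" in keywords else "plaintext-only"

def fake_server(ehlo_reply):
    """Constructed loopback listener for the demo; None means never send a banner."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            if ehlo_reply is not None:
                conn.sendall(b"220 mx.example ESMTP\r\n")
                conn.recv(1024)            # client's EHLO
                conn.sendall(ehlo_reply)
            conn.recv(1024)                # QUIT, or EOF when the probe gives up
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":  # silent listener stands in for an SSL-first port
    print(probe("127.0.0.1", fake_server(None), timeout=0.5))  # silent
```

A "silent" result only says that no banner arrived within the timeout; an unresponsive host looks the same, so confirm with a TLS-capable client before drawing conclusions.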

neo [mvp outlook]

Jul 9, 2004, 9:25:26 AM
Unfortunately there is no fix and MS staff are somewhat confused because
Outlook is supposed to fall back to TLS when the SSL bind fails. Of course
Outlook 2003 never falls back. In any event, I'm happy to read that you
were able to get around this by addressing it from the server side.

"Alan W. Rateliff III" <li...@rateliff.net> wrote in message
news:2a2f401c4657e$b12d7ed0$a301...@phx.gbl...

Alan W. Rateliff II

Jul 9, 2004, 12:43:16 PM

>-----Original Message-----
>Unfortunately there is no fix and MS staff are somewhat confused because
>Outlook is supposed to fall back to TLS when the SSL bind fails. Of course
>Outlook 2003 never falls back. In any event, I'm happy to read that you
>were able to get around this by addressing it from the server side.
>

And it will confuse them even more to know that maybe 1 in
every 30 attempts the mail actually _did_ go through via
STARTTLS. That's what was happening with me, and why I
spent so much time investigating MTU and routing issues.

Does MS actually monitor these groups?

neo [mvp outlook]

Jul 9, 2004, 1:29:20 PM
They do and I'm trying to work with the PSS lead over the Outlook MVPs to
see if this issue has been reported since as you say, it works on the rare
occasion. What gets me is the "test" button works. Let Outlook run and it
fails most of the time, but when it decides to fall back, it works until
Outlook is restarted. :/

/neo

ps - above applies of course to anything not on port 25. Port 25 works
perfect every time when dealing with TLS. Personally I think we are dealing
with legacy code that was written to support ssmtp (port 465) and the
internal logic is, if not on port 25 do the SSL bind and that be it. FWIW,
Outlook Express also appears to be bitten by the same logic. Therefore the
problem might be deeper than just OE/Outlook, but somewhere in the core of
the operating system itself.

"Alan W. Rateliff II" <li...@rateliff.net> wrote in message
news:2a0be01c465d3$d577ce80$a401...@phx.gbl...
