Score:-2

Upgrade SMTP Server on Ubuntu Linux 18.04 to support TLS 1.2

Client has an intranet hosted with Apache on Ubuntu 18.04.

When I update an employee's information through it, an email is sent, but it fails showing the following error: SMTP Error: 421 4.7.66 TLS 1.0 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls.

It also shows some CakePHP errors, not sure if they could be related.

This makes me think it has nothing to do with the server, since the site is hosted on a Linux machine and I'm being redirected to a Microsoft page, but I could be wrong. Therefore, what does it mean by client? The Windows devices I'm using to access the page should already be configured to be able to use TLS 1.2. Does it mean the Office 365 account that sends the email?

I don't have access to the Office 365 portal so I'd have to contact the client to try out possible solutions if that's the case.

Things I've tried:

  1. Only having TLS 1.2 enabled in inetcpl.cpl in the Windows PC accessing the page.
  2. Defining SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 in /etc/apache2/mods-enabled/ssl.conf in the server.
Steffen Ullrich
This is your server trying to deliver a mail to a Microsoft server - likely because the recipient is using Microsoft 365 for their mails or Exchange Online. The problem is that the mail client (CakePHP) does not speak TLS 1.2. This has nothing to do with the configuration of the web server you are showing - which is relevant for communication with a web client (browser only). It is a problem of the CakePHP backend/code you use to deliver the mails.
Nico Nico Pizza
@SteffenUllrich I'm guessing this error is now appearing because Office 365 started enforcing TLS 1.2? If so, I can try unchecking the TLS option from the account that sends the emails on the Office 365 panel.
Score:2

(this started off as a comment but was getting a bit long)

Why are you talking about upgrading your server? The error message clearly states the issue is with your SMTP CLIENT. The error message you have posted here even tells you that the SMTP client is part of Cake. However, according to the official documentation ( https://book.cakephp.org/4/en/core-libraries/email.html#configuring-transports ) there is no way to change the TLS version Cake uses.

IMHO this is a significant oversight on the part of the Cake developers and should be reported as a bug, not a feature request.

Note that Cake doesn't actually implement the SSL/TLS encryption - that is handled by OpenSSL - but currently you need to go through Cake to use this.

yourcode -> cake -> openssl -> internet -> SMTP server

Meanwhile, you need to either write your own transport mechanism from scratch, use a different mail sending library, or use an SMTP relay.

Steffen Ullrich
"there is no way to change the TLS version Cake uses. .... IMHO this is a significant oversight on the part of the Cake developers and should be reported as a bug" - I agree that the code is broken, but not in this way. You cannot specify a specific TLS version with the browser either. The way TLS works is to use the best version both client and server support. The problem seems to be instead that CakePHP, at least in older versions, uses STREAM_CRYPTO_METHOD_TLS_CLIENT, which seems to mean TLS 1.0 only :(
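The following PHP script is an added example, not code from this thread or from CakePHP. Run on the web server, it performs the STARTTLS exchange by hand and prints the TLS version negotiated for two crypto-method constants, which shows whether that PHP build reaches TLS 1.2 with the constant named above. The host name, port and EHLO name are assumptions, and what each constant covers depends on the PHP version.

```php
<?php
// Added diagnostic example, not CakePHP code.
const SMTP_HOST = 'smtp.office365.com'; // assumption: endpoint not named on the page
const SMTP_PORT = 587;                  // assumption: STARTTLS submission port

/** Read one SMTP reply, following "250-..." continuation lines. */
function smtpRead($fp): string
{
    $reply = '';
    while (($line = fgets($fp, 515)) !== false) {
        $reply .= $line;
        if (strlen($line) < 4 || $line[3] === ' ') {
            break; // "NNN " marks the last line of a reply
        }
    }
    return $reply;
}

/** EHLO + STARTTLS, then a TLS handshake limited to $cryptoMethod. */
function probeStartTls(string $host, int $port, int $cryptoMethod): string
{
    $fp = @stream_socket_client("tcp://$host:$port", $errno, $errstr, 10);
    if ($fp === false) {
        return "connect failed: $errstr";
    }
    stream_set_timeout($fp, 10);
    smtpRead($fp);                           // 220 greeting
    fwrite($fp, "EHLO probe.example\r\n");   // hypothetical client name
    smtpRead($fp);
    fwrite($fp, "STARTTLS\r\n");
    $reply = smtpRead($fp);
    if (strncmp($reply, '220', 3) !== 0) {
        fclose($fp);
        return 'STARTTLS refused: ' . trim($reply);
    }
    $ok = @stream_socket_enable_crypto($fp, true, $cryptoMethod);
    $meta = stream_get_meta_data($fp);
    fclose($fp);
    return $ok === true
        ? 'negotiated ' . ($meta['crypto']['protocol'] ?? 'unknown')
        : 'handshake failed';
}

$methods = [
    'STREAM_CRYPTO_METHOD_TLS_CLIENT'     => STREAM_CRYPTO_METHOD_TLS_CLIENT,
    'STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
];
foreach ($methods as $name => $mask) {
    printf("%-38s %s\n", $name, probeStartTls(SMTP_HOST, SMTP_PORT, $mask));
}
```

A first line reading `negotiated TLSv1` confirms the diagnosis in the comment above; `negotiated TLSv1.2` on both lines means the PHP build is fine and the limit lies in the mail library's own code.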