SMTP security - 'None' doesn't appear to work
We're on the 5.6.1 appliance, which we updated from a previous version yesterday. Things are working fine. We've also made changes to our SMTP service: we are migrating from Exch2013 to 2019, and are currently moving all SMTP connections to the new servers, which requires a port change.
When we point Nagios to the new 2019 servers, we're seeing "TLS negotiation failed with error AlgorithmMismatch" in the Exchange logs. So, for testing, in the Nagios XI email settings we set Security to 'none', click Update Settings, and then 'Send a test email'. Nagios fails and we're seeing the same TLS failure.
It looks like Nagios is not honoring the 'none' setting.
We do appear to have an issue with the new Exch2019 servers as well (AlgorithmMismatch on *some* devices), which I understand is out of scope for Nagios support, but if we point Nagios to the Exch2013 servers then TLS works. Point it to the 2019 servers, and it'll fail.
Manually using telnet to send email works without TLS, but when we send the 'STARTTLS' command, the next 'MAIL FROM: ...' command results in us being kicked from the session with the same AlgorithmMismatch error in the Exchange logs.
Is there anything I can do with Nagios to get things working or diagnose this further?
The SMTP certificate is a public GlobalSign one, so it should be working.
The Nagios XI appliance and HPE MFP scanners both exhibit this issue. Our Graylog (also a Linux OS) and various other SMTP services work fine with Exch2019 with the same settings.
benjaminsmith
Re: SMTP security - 'None' doesn't appear to work
Hi @veehexx,
veehexx wrote: Is there anything I can do with Nagios to get things working or diagnose this further?
We use the PHPMailer library for SMTP. To help troubleshoot the connection issues, turn the debug level up to 4 in PHPMailer and share a screenshot of the errors.
Also, enable logging of mail sent in the Nagios XI Email Settings (Admin > System Config > Email Settings).
See: PHPMailer - Troubleshooting Using Debug Logging
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Re: SMTP security - 'None' doesn't appear to work
Using TLS:
2019-05-16 10:50:14 Connection: opening to ex1.DOMAIN.NET:25, timeout=300, options=array ()
2019-05-16 10:50:14 Connection: opened
2019-05-16 10:50:14 SMTP -> get_lines(): $data is ""
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "220 ex1.DOMAIN.NET Microsoft ESMTP MAIL Service ready at Thu, 16 May 2019 11:50:14 +0100"
2019-05-16 10:50:14 SERVER -> CLIENT: 220 ex1.DOMAIN.NET Microsoft ESMTP MAIL Service ready at Thu, 16 May 2019 11:50:14 +0100
2019-05-16 10:50:14 CLIENT -> SERVER: EHLO nagiosxi.DOMAIN.NET
2019-05-16 10:50:14 SMTP -> get_lines(): $data is ""
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-ex1.DOMAIN.NET Hello [10.227.243.160]"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-SIZE 37748736"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-PIPELINING"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-DSN"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-ENHANCEDSTATUSCODES"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-STARTTLS"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-X-ANONYMOUSTLS"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-AUTH NTLM"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-X-EXPS GSSAPI NTLM"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-8BITMIME"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM250-8BITMIME"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-BINARYMIME"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM250-8BITMIME250-BINARYMIME"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-CHUNKING"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM250-8BITMIME250-BINARYMIME250-CHUNKING"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250-SMTPUTF8"
2019-05-16 10:50:14 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM250-8BITMIME250-BINARYMIME250-CHUNKING250-SMTPUTF8"
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "250 XRDST"
2019-05-16 10:50:14 SERVER -> CLIENT: 250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM250-8BITMIME250-BINARYMIME250-CHUNKING250-SMTPUTF8250 XRDST
2019-05-16 10:50:14 CLIENT -> SERVER: STARTTLS
2019-05-16 10:50:14 SMTP -> get_lines(): $data is ""
2019-05-16 10:50:14 SMTP -> get_lines(): $str is "220 2.0.0 SMTP server ready"
2019-05-16 10:50:14 SERVER -> CLIENT: 220 2.0.0 SMTP server ready
SMTP Error: Could not connect to SMTP host.
2019-05-16 10:50:14 SMTP NOTICE: EOF caught while checking if connected
2019-05-16 10:50:14 Connection: closed
SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/ ... leshooting
Test Email Settings
A test email was sent to [email protected]
----
Mailer said: [05-16-2019 11:50:14] SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/ ... leshooting (method=smtp;host=ex1.DOMAIN.NET;port=25;security=tls), Referer: admin/testemail.php
An error occurred sending a test email!
None security:
2019-05-16 10:51:28 Connection: opening to ex1.DOMAIN.NET:25, timeout=300, options=array ()
2019-05-16 10:51:28 Connection: opened
2019-05-16 10:51:28 SMTP -> get_lines(): $data is ""
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "220 ex1.DOMAIN.NET Microsoft ESMTP MAIL Service ready at Thu, 16 May 2019 11:51:28 +0100"
2019-05-16 10:51:28 SERVER -> CLIENT: 220 ex1.DOMAIN.NET Microsoft ESMTP MAIL Service ready at Thu, 16 May 2019 11:51:28 +0100
2019-05-16 10:51:28 CLIENT -> SERVER: EHLO nagiosxi.DOMAIN.NET
2019-05-16 10:51:28 SMTP -> get_lines(): $data is ""
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-ex1.DOMAIN.NET Hello [10.227.243.160]"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-SIZE 37748736"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-PIPELINING"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-DSN"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-ENHANCEDSTATUSCODES"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-STARTTLS"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-X-ANONYMOUSTLS"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-AUTH NTLM"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-X-EXPS GSSAPI NTLM"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-8BITMIME"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM250-8BITMIME"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-BINARYMIME"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM250-8BITMIME250-BINARYMIME"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-CHUNKING"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM250-8BITMIME250-BINARYMIME250-CHUNKING"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250-SMTPUTF8"
2019-05-16 10:51:28 SMTP -> get_lines(): $data is "250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM250-8BITMIME250-BINARYMIME250-CHUNKING250-SMTPUTF8"
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "250 XRDST"
2019-05-16 10:51:28 SERVER -> CLIENT: 250-ex1.DOMAIN.NET Hello [10.227.243.160]250-SIZE 37748736250-PIPELINING250-DSN250-ENHANCEDSTATUSCODES250-STARTTLS250-X-ANONYMOUSTLS250-AUTH NTLM250-X-EXPS GSSAPI NTLM250-8BITMIME250-BINARYMIME250-CHUNKING250-SMTPUTF8250 XRDST
2019-05-16 10:51:28 CLIENT -> SERVER: STARTTLS
2019-05-16 10:51:28 SMTP -> get_lines(): $data is ""
2019-05-16 10:51:28 SMTP -> get_lines(): $str is "220 2.0.0 SMTP server ready"
2019-05-16 10:51:28 SERVER -> CLIENT: 220 2.0.0 SMTP server ready
SMTP Error: Could not connect to SMTP host.
2019-05-16 10:51:28 SMTP NOTICE: EOF caught while checking if connected
2019-05-16 10:51:28 Connection: closed
SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/ ... leshooting
Test Email Settings
A test email was sent to [email protected]
----
Mailer said: [05-16-2019 11:51:28] SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/ ... leshooting (method=smtp;host=ex1.DOMAIN.NET;port=25;security=none), Referer: admin/testemail.php
An error occurred sending a test email!
Ideally we want to be using TLS. We haven't changed the Exch2019 TLS 1.2 config and ciphers, so that should be in its fresh-install state. From what I've discovered online, the 'AlgorithmMismatch' is down to incorrect ciphers, where Nagios does not have an applicable one with Exch2019. I'm not 100% on that yet, but the signs are leading me toward that path.
And the Exchange transport log from the SMTP session in the 2nd quote above:
2019-05-16T10:51:28.196Z,EX1\Default Frontend EX1 (:25),08D6D928B20DB4C3,0,EXTERNAL_IP:25,10.227.243.160:43574,+,,
2019-05-16T10:51:28.196Z,EX1\Default Frontend EX1 (:25),08D6D928B20DB4C3,1,EXTERNAL_IP:25,10.227.243.160:43574,>,"220 ex1.DOMAIN.net Microsoft ESMTP MAIL Service ready at Thu, 16 May 2019 11:51:28 +0100",
2019-05-16T10:51:28.197Z,EX1\Default Frontend EX1 (:25),08D6D928B20DB4C3,2,EXTERNAL_IP:25,10.227.243.160:43574,<,EHLO nagiosxi.DOMAIN.net,
2019-05-16T10:51:28.197Z,EX1\Default Frontend EX1 (:25),08D6D928B20DB4C3,3,EXTERNAL_IP:25,10.227.243.160:43574,>,250 ex1.DOMAIN.net Hello [10.227.243.160] SIZE 37748736 PIPELINING DSN ENHANCEDSTATUSCODES STARTTLS X-ANONYMOUSTLS AUTH NTLM X-EXPS GSSAPI NTLM 8BITMIME BINARYMIME CHUNKING SMTPUTF8 XRDST,
2019-05-16T10:51:28.198Z,EX1\Default Frontend EX1 (:25),08D6D928B20DB4C3,4,EXTERNAL_IP:25,10.227.243.160:43574,<,STARTTLS,
2019-05-16T10:51:28.198Z,EX1\Default Frontend EX1 (:25),08D6D928B20DB4C3,5,EXTERNAL_IP:25,10.227.243.160:43574,>,220 2.0.0 SMTP server ready,
2019-05-16T10:51:28.199Z,EX1\Default Frontend EX1 (:25),08D6D928B20DB4C3,6,EXTERNAL_IP:25,10.227.243.160:43574,*," CN=*.DOMAIN.net, O=..., OU=..., L=..., S=..., C=GB CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign nv-sa, C=BE 769C76E665DD554279C2A0CF 319012571280C81CB5FB1A3476B1A994356BA62B 2017-04-24T09:37:06.000Z 2019-08-25T13:31:04.000Z *.DOMAIN.net;autodiscover.DOMAIN.net;mail.DOMAIN.net;owa.DOMAIN.net;DOMAIN.net",Sending certificate Subject Issuer name Serial number Thumbprint Not before Not after Subject alternate names
2019-05-16T10:51:28.200Z,EX1\Default Frontend EX1 (:25),08D6D928B20DB4C3,7,EXTERNAL_IP:25,10.227.243.160:43574,*,,TLS negotiation failed with error AlgorithmMismatch
2019-05-16T10:51:28.200Z,EX1\Default Frontend EX1 (:25),08D6D928B20DB4C3,8,EXTERNAL_IP:25,10.227.243.160:43574,-,,Local
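Both debug logs above run identically up to the server's "220 2.0.0 SMTP server ready" and then hit EOF, with security=tls and with security=none alike. The part that explains the 'none' result is PHPMailer's SMTPAutoTLS property: it defaults to true, and after EHLO the library issues STARTTLS whenever the server advertises it, regardless of what SMTPSecure is set to. The Python below is an added example and is not Nagios XI or PHPMailer code; it replays that decision against a scripted stand-in for the Exchange front end whose replies are constructed from the EHLO banner in the log, with the TLS handshake outcome as a knob so both the failing and the working paths can be seen. Whether the Nagios XI email settings expose SMTPAutoTLS is not shown in this thread, so the auto_tls=False path is an assumption about the client, not a documented setting.

```python
"""Why a client configured with Security 'none' still issues STARTTLS.

Added example, not Nagios XI or PHPMailer code. PHPMailer's SMTPAutoTLS (true
by default) upgrades to STARTTLS whenever EHLO advertises it, whatever
SMTPSecure says. The scripted server's replies are constructed from the EHLO
banner in the debug log above; its TLS handshake outcome is a knob.
"""
import re
from dataclasses import dataclass

EHLO_REPLY = (  # constructed from the 250 reply in the PHPMailer debug output
    "250-ex1.DOMAIN.NET Hello [10.227.243.160]\r\n250-SIZE 37748736\r\n"
    "250-PIPELINING\r\n250-DSN\r\n250-ENHANCEDSTATUSCODES\r\n250-STARTTLS\r\n"
    "250-X-ANONYMOUSTLS\r\n250-AUTH NTLM\r\n250-X-EXPS GSSAPI NTLM\r\n"
    "250-8BITMIME\r\n250-BINARYMIME\r\n250-CHUNKING\r\n250-SMTPUTF8\r\n250 XRDST\r\n")


@dataclass
class MailerConfig:
    secure: str = ""       # PHPMailer SMTPSecure: "" (none), "tls" (STARTTLS) or "ssl"
    auto_tls: bool = True  # PHPMailer SMTPAutoTLS; true is the library default


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {EXTENSION: parameters}."""
    exts = {}
    for i, line in enumerate(reply.splitlines()):
        m = re.match(r"250[- ](.*)$", line)
        if not m:
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if i:  # line 0 is the greeting, not an extension
            name, _, params = m.group(1).partition(" ")
            exts[name.upper()] = params
    return exts


def wants_starttls(cfg: MailerConfig, exts: dict) -> bool:
    """The client-side STARTTLS decision PHPMailer makes after EHLO."""
    if cfg.secure == "ssl":
        return False                                # implicit TLS: already encrypted
    if cfg.secure == "tls":
        return True                                 # STARTTLS explicitly requested
    return cfg.auto_tls and "STARTTLS" in exts      # opportunistic upgrade


class ScriptedExchange:
    """Stand-in for the Exchange front-end transport (constructed, not real)."""

    def __init__(self, tls_handshake_ok: bool):
        self.tls_handshake_ok = tls_handshake_ok
        self.tls = False

    def reply(self, cmd: str):
        if cmd.startswith("EHLO "):
            return EHLO_REPLY
        if cmd == "STARTTLS":
            return "220 2.0.0 SMTP server ready\r\n"
        if cmd == "<TLS ClientHello>":
            if not self.tls_handshake_ok:   # AlgorithmMismatch: logged server-side, socket dropped
                return None
            self.tls = True
            return "<TLS handshake complete>"
        if cmd.startswith("MAIL FROM:"):
            return "250 2.1.0 Sender OK\r\n"
        return "500 5.5.1 Command unrecognized\r\n"


def run_session(cfg: MailerConfig, server: ScriptedExchange, sender="nagios@example.net"):
    """Drive the client decision; return (transcript, outcome) in debug-log style."""
    transcript = []

    def send(cmd):
        transcript.append(f"CLIENT -> SERVER: {cmd}")
        rsp = server.reply(cmd)
        shown = rsp.replace("\r\n", " ").strip() if rsp else "<EOF>"
        transcript.append(f"SERVER -> CLIENT: {shown}")
        return rsp

    exts = parse_ehlo(send("EHLO nagiosxi.DOMAIN.NET"))
    if wants_starttls(cfg, exts):
        send("STARTTLS")
        if send("<TLS ClientHello>") is None:
            return transcript, "SMTP connect() failed: EOF during TLS handshake"
    send(f"MAIL FROM:<{sender}>")
    return transcript, "sent " + ("over TLS" if server.tls else "in clear text")


if __name__ == "__main__":
    for cfg in (MailerConfig(secure="tls"), MailerConfig(secure=""),
                MailerConfig(secure="", auto_tls=False)):
        _, outcome = run_session(cfg, ScriptedExchange(tls_handshake_ok=False))
        print(f"security={cfg.secure or 'none'} auto_tls={cfg.auto_tls}: {outcome}")
```

Run stand-alone it prints the three outcomes against a server whose handshake fails: both the tls and the none configurations stop at the ClientHello, and only the auto_tls=False run gets as far as MAIL FROM. Turning auto-TLS off is a diagnostic step rather than a fix, since it sends the alert mail in clear text; the fix is a client stack that can negotiate a suite and protocol version the server still offers.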
Re: SMTP security - 'None' doesn't appear to work
veehexx wrote: Manually using telnet to send email works without TLS, but when we send the 'STARTTLS' command, the next 'MAIL FROM: ...' command results in us being kicked from the session with the same AlgorithmMismatch error in the Exchange logs
That's really the only thing that needs to be said to point us in the right direction. This is likely one of two things, in my opinion:
1. Exchange 2019 has newer encryption algorithms/ciphers and the current packages that you are using on your Linux box don't support the new encryption standards; that's why you experience the same thing with both telnet AND PHPMailer.
Even the versions of PHP, OpenSSL, and PHPMailer would likely need to support it.
You'd need to figure out what the encryption protocols are set to (I'd enable logging on the Exchange server for the connection to debug the SSL/encryption exchange, then look in the Exchange logs and see what it says).
2. You have an IPS/firewall or another blocking/threat-prevention security device that is interrupting the communication as it negotiates everything it can to try to connect (one of them may be picked up as a threat and blocked by network- or host-level IPS software, if you have any installed in the path or on either system). I've personally seen that occur before with NRPE when it used to allow weak ciphers.
3. Are you sure the old server's certificate and the new server's certificate are signed by the same CA? If it's a local CA (internal to your company) it may need to be looked into, especially the CA certificate's encryption algorithm. I remember finding out that there is a newer alternative signature format that MS allows you to select which, while it's more secure, WILL NOT work with OpenLDAP (at least a couple of years ago it didn't support the RSAPSS2 alt sig format and they needed to regen the CA's signing cert in the old format). I haven't seen that any other time in 3-ish years here.
Do this as well:
Code:
yum install tcpdump   # run this if you need to
tcpdump -s 0 -i eth0 -w /tmp/xiex19dump.pcap
Then test again both ways, with telnet AND with XI; after you're done testing, hit CTRL-C on the tcpdump and send us the resulting /tmp/xiex19dump.pcap file.
Let us know the exact address of the Exchange 2019 server and the XI server as well if it hasn't been included yet.
Let us know the results.
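What the capture above will hand you is the client's ClientHello, and that is where the client's half of an AlgorithmMismatch lives: Schannel reports that same error whether the two sides share no protocol version or no cipher suite, so the version field matters as much as the suite list. The Python below is an added example, not from the thread or from any Nagios or Exchange tool. It assembles a ClientHello from a constructed offer (the suite list stands in for an older client and is an assumption, not the Nagios box's real offer), parses it back out of the TLS record with only the standard library, and checks it against the Exchange 2019 figures SSLLabs reports later in the thread. To pull the real ClientHello out of the pcap, tshark (Wireshark 3.x field names) prints the same values with `-Y 'tls.handshake.type == 1' -T fields -e tls.handshake.version -e tls.handshake.ciphersuite`.

```python
"""Read the version and offered cipher suites out of a TLS ClientHello record.

Added example, not thread or Nagios/Exchange code. OLD_CLIENT_SUITES is a
constructed assumption standing in for an older client; the EXCH2019 values
are the SSLLabs figures posted later in the thread (TLS 1.2 only, four suites).
"""
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
EXCH2019_VERSIONS = {0x0303}                           # SSLLabs: TLS 1.2 only
EXCH2019_SUITES = {0xC030, 0xC02F, 0xC028, 0xC027}     # the four suites it lists
# Assumed older-client offer: TLS 1.0 as its highest version, SHA-1 suites only.
OLD_CLIENT_SUITES = [0xC014, 0xC013, 0x0035, 0x002F, 0x000A]


def build_client_hello(version: int, suites: list) -> bytes:
    """Assemble a minimal TLS record carrying a ClientHello (no extensions)."""
    body = struct.pack("!H", version)              # client_version = highest supported
    body += bytes(32)                              # random, zeroed for the sample
    body += b"\x00"                                # session_id: empty
    body += struct.pack("!H", 2 * len(suites))     # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                            # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Versions (as ints) and offered suite IDs from a record holding a ClientHello."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or len(hs) != rec_len or hs[:1] != b"\x01":
        raise ValueError("not a complete TLS handshake record with a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    client_ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                           # skip session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if pos + n > len(body) or n % 2:
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    return {"record_version": rec_ver, "client_version": client_ver, "suites": suites}


def version_name(v: int) -> str:
    return VERSION_NAMES.get(v, hex(v))


def common_suites(offered: list, server: set) -> list:
    """Suites the server could select, in the client's preference order."""
    return [s for s in offered if s in server]


def why_rejected(hello: dict, server_versions: set, server_suites: set):
    """None if the server can negotiate, else the reason Schannel folds into
    AlgorithmMismatch. Pre-1.3 semantics: client_version is the client's maximum,
    so the server needs a version at or below it."""
    if not [v for v in server_versions if v <= hello["client_version"]]:
        return "no common protocol version"
    if not common_suites(hello["suites"], server_suites):
        return "no common cipher suite"
    return None


if __name__ == "__main__":
    hello = parse_client_hello(build_client_hello(0x0301, OLD_CLIENT_SUITES))
    print(version_name(hello["client_version"]), [hex(s) for s in hello["suites"]])
    print("Exchange 2019 verdict:", why_rejected(hello, EXCH2019_VERSIONS, EXCH2019_SUITES))
```

Against a TLS 1.2-only server the constructed TLS 1.0 offer is rejected on version before the suite list is even consulted; a TLS 1.2 offer carrying only SHA-1 CBC suites gets the second reason. Both show up server-side as the same AlgorithmMismatch line, which is why the capture is needed to tell them apart.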
Re: SMTP security - 'None' doesn't appear to work
ssax wrote: 1. Exchange 2019 has newer encryption algorithms/ciphers and the current packages that you are using on your Linux box don't support the new encryption standards; that's why you experience the same thing with both telnet AND PHPMailer.
Even the versions of PHP, OpenSSL, and PHPMailer would likely need to support it.
You'd need to figure out what the encryption protocols are set to (I'd enable logging on the Exchange server for the connection to debug the SSL/encryption exchange, then look in the Exchange logs and see what it says).
I haven't found a way to discover the protocols via the Exchange logs yet. The Reddit Exchange subforum suggests tcpdump to discover this info. SSLLabs.com is showing TLS 1.2 only, with the following 4 ciphers for the Exch2019 server:
Code:
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
Code:
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
# TLS 1.1 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
# TLS 1.0 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
ssax wrote: 2. You have an IPS/firewall or another blocking/threat-prevention security device that is interrupting the communication as it negotiates everything it can to try to connect (one of them may be picked up as a threat and blocked by network- or host-level IPS software, if you have any installed in the path or on either system). I've personally seen that occur before with NRPE when it used to allow weak ciphers.
No IPS system, and the firewall only restricts IPs and/or ports.
ssax wrote: 3. Are you sure the old server's certificate and the new server's certificate are signed by the same CA? If it's a local CA (internal to your company) it may need to be looked into, especially the CA certificate's encryption algorithm. I remember finding out that there is a newer alternative signature format that MS allows you to select which, while it's more secure, WILL NOT work with OpenLDAP (at least a couple of years ago it didn't support the RSAPSS2 alt sig format and they needed to regen the CA's signing cert in the old format). I haven't seen that any other time in 3-ish years here.
Exact same certificate between servers - it's a wildcard one. I do know GlobalSign are intending to sign new issues with a new intermediate cert later this month (https://support.globalsign.com/customer ... rtificates). We're currently using 'GlobalSign Organization Validation CA - SHA256 - G2' until August '19, when we'll need to renew.
ssax wrote: Do this as well:
Code:
yum install tcpdump   # run this if you need to
tcpdump -s 0 -i eth0 -w /tmp/xiex19dump.pcap
Then test again both ways, with telnet AND with XI; after you're done testing, hit CTRL-C on the tcpdump and send us the resulting /tmp/xiex19dump.pcap file.
Let us know the exact address of the Exchange 2019 server and the XI server as well if it hasn't been included yet.
Let us know the results.
Due to the potentially sensitive content of the tcpdump, I've PM'd you the details, ssax, along with the IPs.
xiex19dump-nagios.pcap = test email from the Nagios XI UI
xiex19dump-telnet.pcap = command-line telnet on the Nagios XI VM via SSH.
Not sure if I mentioned it, but we're now on 5.6.2 and were upgraded shortly after my first post. Today's tests ran on 5.6.2.
Re: SMTP security - 'None' doesn't appear to work
It looks like there are some hints in the Exchange logs with protocol ciphers.
Where Nagios fails with 'AlgorithmMismatch', our Barracuda spam filter succeeds with:
"TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 with strength 0 bits and key exchange algorithm CALG_ECDH_EPHEM with strength 384 bits"
It looks like this would match what SSLLabs.com reports as the most preferred Exch2019 TLS 1.2 cipher, 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)'.
Logs with Nagios & Exch2013:
"TLS protocol SP_PROT_TLS1_0_SERVER negotiation succeeded using bulk encryption algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA1 with strength 160 bits and key exchange algorithm CALG_ECDHE with strength 384 bits"
So that would match the 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)' TLS 1.0 cipher?
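The two Schannel lines quoted above can be turned into IANA suite names mechanically, which is the comparison the post is doing by eye. The Python below is an added example, not from the thread or from any Exchange or Nagios tool: it parses the "negotiation succeeded" line into protocol, bulk cipher, MAC and key exchange, builds the suite name, and looks that name up in the SSLLabs listings posted earlier (the Exch2013 listing abridged to its TLS 1.0 section). Two assumptions are baked into the mapping and marked in the code: the server certificate is RSA, so an ECDH key exchange means an ECDHE_RSA suite, and Schannel's "0 bits" MAC strength is taken as the AEAD (GCM) marker, the same reading the post relies on. The probe_starttls function mirrors what the sslscan and openssl s_client runs later in the thread do with a pinned protocol floor, using Python's smtplib and ssl; it needs network access and is not exercised offline, and its host and port arguments are placeholders.

```python
"""Map a Schannel 'negotiation succeeded' line to a cipher suite name and check
it against an SSLLabs-style listing.

Added example, not thread, Exchange or Nagios code. Log lines are the two quoted
above; listings are the ones posted earlier (Exch2013 abridged to TLS 1.0).
Assumptions: RSA server certificate (ECDH key exchange => ECDHE_RSA suite) and
Schannel's '0 bits' MAC strength meaning an AEAD (GCM) suite.
"""
import re
import smtplib
import ssl

BARRACUDA_EXCH2019 = (
    "TLS protocol SP_PROT_TLS1_2_SERVER negotiation succeeded using bulk encryption "
    "algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA_384 "
    "with strength 0 bits and key exchange algorithm CALG_ECDH_EPHEM with strength 384 bits")
NAGIOS_EXCH2013 = (
    "TLS protocol SP_PROT_TLS1_0_SERVER negotiation succeeded using bulk encryption "
    "algorithm CALG_AES_256 with strength 256 bits, MAC hash algorithm CALG_SHA1 "
    "with strength 160 bits and key exchange algorithm CALG_ECDHE with strength 384 bits")
SSLLABS_EXCH2019 = """
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
"""
SSLLABS_EXCH2013 = """
# TLS 1.0 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
"""

SCHANNEL_RE = re.compile(
    r"SP_PROT_(?P<proto>TLS1_\d)_SERVER.*?bulk encryption algorithm (?P<bulk>CALG_\w+?) with"
    r".*?MAC hash algorithm (?P<mac>CALG_\w+?) with strength (?P<macbits>\d+) bits"
    r".*?key exchange algorithm (?P<kex>CALG_\w+?) with")
BULK = {"CALG_AES_256": "AES_256", "CALG_AES_128": "AES_128", "CALG_3DES": "3DES_EDE"}
HASH = {"CALG_SHA1": "SHA", "CALG_SHA_256": "SHA256", "CALG_SHA_384": "SHA384"}
KEX = {"CALG_ECDH_EPHEM": "ECDHE_RSA", "CALG_ECDHE": "ECDHE_RSA", "CALG_RSA_KEYX": "RSA"}


def schannel_to_suite(line: str):
    """(protocol, IANA suite name) from a Schannel negotiation-succeeded log line."""
    m = SCHANNEL_RE.search(line)
    if not m:
        raise ValueError("not a Schannel negotiation line")
    proto = "TLS " + m["proto"][3:].replace("_", ".")     # TLS1_2 -> "TLS 1.2"
    mode = "GCM" if m["macbits"] == "0" else "CBC"       # 0-bit MAC = AEAD (assumption)
    return proto, f"TLS_{KEX[m['kex']]}_WITH_{BULK[m['bulk']]}_{mode}_{HASH[m['mac']]}"


def parse_ssllabs(text: str) -> dict:
    """{'TLS 1.2': [(name, id), ...], ...} from a pasted SSLLabs suite listing."""
    listing, proto = {}, None
    for line in text.splitlines():
        head = re.match(r"#\s*((?:TLS|SSL) \d(?:\.\d)?)", line)
        suite = re.match(r"(TLS_\w+)\s*\((0x[0-9a-fA-F]+)", line)
        if head:
            proto = head.group(1)
            listing[proto] = []
        elif suite and proto:
            listing[proto].append((suite.group(1), int(suite.group(2), 16)))
    return listing


def protocols_offering(listing: dict, suite_name: str) -> list:
    """Protocol versions under which the server lists the given suite."""
    return [p for p, suites in listing.items() if any(n == suite_name for n, _ in suites)]


def probe_starttls(host: str, port: int = 25, minimum=ssl.TLSVersion.TLSv1_2, ciphers=None):
    """Live check (needs network, not run offline): pin a protocol floor and optionally
    an OpenSSL cipher string, then report what STARTTLS negotiates or why it failed."""
    ctx = ssl.create_default_context()   # verifies chain and hostname, as an MTA should
    ctx.minimum_version = minimum
    if ciphers:
        ctx.set_ciphers(ciphers)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return "server does not advertise STARTTLS"
        try:
            smtp.starttls(context=ctx)
        except OSError as exc:           # alert or dropped socket: the AlgorithmMismatch side
            return f"handshake failed: {getattr(exc, 'reason', exc)}"
        name, version = smtp.sock.cipher()[:2]
        return f"{version} {name}"


if __name__ == "__main__":
    ex2019 = parse_ssllabs(SSLLABS_EXCH2019)
    for label, line in (("barracuda -> 2019", BARRACUDA_EXCH2019), ("nagios -> 2013", NAGIOS_EXCH2013)):
        proto, suite = schannel_to_suite(line)
        print(label, proto, suite, "| Exch2019 lists it under:", protocols_offering(ex2019, suite) or "nothing")
```

Run stand-alone, the Barracuda line resolves to TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 under TLS 1.2, which Exch2019 lists, while the Nagios-to-Exch2013 line resolves to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA under TLS 1.0, which appears nowhere in the Exch2019 listing. probe_starttls(host, 25, minimum=ssl.TLSVersion.TLSv1) against the 2019 server is the Python equivalent of the `-tls1` openssl run below: if the floor is the only thing that changes the result, the problem is protocol version rather than suite choice.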
Re: SMTP security - 'None' doesn't appear to work
Please send me the output of these commands; I want to see what versions of some packages you're using:
Code:
rpm -qa > /tmp/RPMS
uname -a
cat /etc/*release
Additionally, try this from your XI server and send me the full output:
Code:
yum install sslscan -y
sslscan --starttls-smtp your.smtp.mailserver:587
Re: SMTP security - 'None' doesn't appear to work
ssax wrote: Please send me the output of these commands; I want to see what versions of some packages you're using:
Code:
rpm -qa > /tmp/RPMS
uname -a
cat /etc/*release
Output as follows; the first command's output has been PM'd.
Code:
# rpm -qa > /tmp/RPMS
# uname -a
Linux nagiosxi.DOMAIN.net 2.6.32-754.12.1.el6.x86_64 #1 SMP Tue Apr 9 14:52:26 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
# cat /etc/*release
CentOS release 6.10 (Final)
CentOS release 6.10 (Final)
CentOS release 6.10 (Final)
ssax wrote: Additionally, try this from your XI server and send me the full output:
Code:
yum install sslscan -y
sslscan --starttls-smtp your.smtp.mailserver:587
Will PM a link to the sslscan output. I've done one for both Exch2013 and 2019....
Re: SMTP security - 'None' doesn't appear to work
Sorry, please run this command again and send me the resulting /tmp/RPMS text file:
Code:
rpm -qa > /tmp/RPMS
Try these other commands and send me the full output:
Code:
sslscan --starttls-smtp --no-failed --tls1 --renegotiate --verbose your.smtp.mailserver:587
sslscan --starttls-smtp --no-failed --tls1 --renegotiate --bugs --verbose your.smtp.mailserver:587
sslscan --starttls-smtp --no-failed --tls12 --renegotiate --verbose your.smtp.mailserver:587
sslscan --starttls-smtp --no-failed --tls12 --renegotiate --bugs --verbose your.smtp.mailserver:587
Re: SMTP security - 'None' doesn't appear to work
Please try running these as well and send me the full output:
- Change exXX.XXXX.XXX in both commands to the FQDN of your Exchange 2019 server
Code:
openssl s_client -showcerts -tls1 -debug -msg -starttls "smtp" -tlsextdebug -connect exXX.XXXX.XXX:25
openssl s_client -showcerts -tls1_2 -debug -msg -starttls "smtp" -tlsextdebug -connect exXX.XXXX.XXX:25