O365 Outbound email issue

JaredBusch

I have email that refuses to send to a vendor I use.

I have TLS required on all outbound email. I have a couple of connectors allowing non-TLS to certain people.The recipient mail server accepts TLS according to MXToolbox.

The error message is UntrustedRoot

Reason: [{LED=450 4.4.317 Cannot connect to remote server [Message=UntrustedRoot] [LastAttemptedServerName=snowflakem-d.com] [LastAttemptedIP=66.96.140.92:25] [BN7NAM10FT007.eop-nam10.prod.protection.outlook.com]};{MSG=UntrustedRoot};{FQDN=snowflakem-d.com};{IP=66.96.140.92};{LRT=8/12/2020 8:55:47 PM}]. OutboundProxyTargetIP: 66.96.140.92. OutboundProxyTargetHostName: snowflakem-d.com

I made a connector to not require TLS and I also tried Require TLS but allow any cert (even self signed). But it still gives this error.

The MX Lookup says the IP belongs to the Endurance group which owns things like hostgator https://www.endurance.com/our-brands

JasGot

Take at look at the certs using this. The cert for your vendor, not you.

https://www.checktls.com/TestReceiver

See if it shows a hint.

Like a problem with the cert or their root or intermediate cert. Or even, the wrong cert.

JaredBusch

@JasGot said in O365 Outbound email issue:

Take at look at the certs using this. The cert for your vendor, not you.

https://www.checktls.com/TestReceiver

See if it shows a hint.

Like a problem with the cert or their root or intermediate cert. Or even, the wrong cert.

I had never heard of that site.. That is fucking awesome..

And proves there is a self signed cert. but that does not explain why MS still cares..

Dashrender

This is why, MS killed TLS v1. I think v1.1 was also killed.

Dashrender

https://blogs.perficient.com/2019/07/24/office-365-is-retiring-tls-1-0-and-1-1-why-you-should-care/

scottalanmiller

@JaredBusch we use it a lot, I seem to do SO many cert tasks these days, Ugh.

JaredBusch

@Dashrender said in O365 Outbound email issue:

This is why, MS killed TLS v1. I think v1.1 was also killed.

That is not the problem. TLSv1 for SMTP works fine.

Nothing that Microsoft has posted affects SMTP. it affects connectivity to Office 365 form your browsers and apps.

Dashrender

@scottalanmiller said in O365 Outbound email issue:

@JaredBusch we use it a lot, I seem to do SO many cert tasks these days, Ugh.

can you add the cert tag to this post?

Or do we need a new thread with just that site in the OP to tag?

JasGot

@JaredBusch said in O365 Outbound email issue:

I had never heard of that site.. That is fucking awesome..

Glad you like it! It helps identify SO MANY issues....

JaredBusch

For the record, even though I made the above connector and it failed to verify, I did save the connector. Apparently, that was enough as email is sending now.

Dashrender

@JaredBusch said in O365 Outbound email issue:

For the record, even though I made the above connector and it failed to verify, I did save the connector. Apparently, that was enough as email is sending now.

So which connector is solving this - the TLS regardless of cert condition, or the No-TLS

JaredBusch

@Dashrender said in O365 Outbound email issue:

@JaredBusch said in O365 Outbound email issue:

For the record, even though I made the above connector and it failed to verify, I did save the connector. Apparently, that was enough as email is sending now.

So which connector is solving this - the TLS regardless of cert condition, or the No-TLS

I only left the TLS regardless of cert, so it has to be that one.