CommunigatePro 5.4 TLS Failure
Failed to accept a secure connection
In Stalker Software's CommunigatePro Email server version 5.4, certain remote email servers will disconnect after requesting a secure TLS connection. Resilient servers (bloomberg.net) will retry without the secure connection. Non-resilient servers (schwab.com) will not; they will keep retrying to establish a secure connection. The SMTPI log will show:
- STARTTLS
- please start a TLS connection
- failed to accept a secure connection for 'silveradosw.com'. Error Code=connection closed by peer
The problem is that the CommunigatePro server version 5.4 does not advertise support for certain TLS extensions that some older OpenSSL libraries require. The TLS negotiation fails, and the remote server disconnects.
To fix the problem (Windows):
- Click Start => Settings => Control Panel. Double-click on Administrative Tools, then Services.
- Double-click on the CommunigatePro Messaging Server.
- If it's running, click Stop to stop the server.
- In the Startup Parameters text box, enter: --TLSServerHelloExtensions NO
- The above parameter is case-sensitive.
- Click Start to start the server, then click OK.
To verify that the server started with the extra parameters, look in the CommunigatePro log. You should see:
SYSTEM start options: "--Base" "C:\\CommuniGate Files" "--TLSServerHelloExtensions" "NO"
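The log check described above can be scripted. The following Python is an added example, not part of the original page or the product: it splits a log into server runs at each "SYSTEM start options" line, reports whether the case-sensitive pair --TLSServerHelloExtensions NO was in effect, and counts the TLS accept failures in each run. The timestamps and line prefixes in the sample are constructed; only the message text comes from this page.

```python
import re
from collections import Counter

# Message fragments quoted on this page; everything before them on a line is ignored.
START_RE = re.compile(r'SYSTEM start options:(.*)$')
FAIL_RE = re.compile(r"failed to accept a secure connection for '([^']+)'")

def parse_start_options(line):
    """Return the quoted start options as a list, or None if not a start line."""
    m = START_RE.search(line)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else None

def extensions_disabled(argv):
    """True only for the exact, case-sensitive pair the page prescribes."""
    return any(a == "--TLSServerHelloExtensions" and b == "NO"
               for a, b in zip(argv, argv[1:]))

def audit(lines):
    """Split the log into server runs and count TLS accept failures in each."""
    runs = []
    for line in lines:
        argv = parse_start_options(line)
        if argv is not None:
            runs.append({"extensions_disabled": extensions_disabled(argv),
                         "failures": Counter()})
            continue
        m = FAIL_RE.search(line)
        if m:
            if not runs:  # failure logged before any start line was seen
                runs.append({"extensions_disabled": None, "failures": Counter()})
            runs[-1]["failures"][m.group(1)] += 1
    return runs

# Constructed sample: timestamps and prefixes are made up, message text is from the page.
SAMPLE_LOG = r'''
09:00:00 SYSTEM start options: "--Base" "C:\\CommuniGate Files"
09:12:41 SMTPI failed to accept a secure connection for 'silveradosw.com'. Error Code=connection closed by peer
09:13:02 SMTPI failed to accept a secure connection for 'silveradosw.com'. Error Code=connection closed by peer
10:00:00 SYSTEM start options: "--Base" "C:\\CommuniGate Files" "--TLSServerHelloExtensions" "NO"
10:15:30 SMTPI message accepted
'''.splitlines()

if __name__ == "__main__":
    for n, run in enumerate(audit(SAMPLE_LOG), 1):
        print(f"run {n}: extensions disabled={run['extensions_disabled']}, "
              f"TLS accept failures={dict(run['failures'])}")
```

A run that still shows failures with the parameter in effect means the disconnects have another cause.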
Windows 2000 Service Startup Parameters
In Windows 2000, the startup parameters may not "stick" in the service dialog box. To verify that they are there, you can look in the Registry. For the above example, the Registry key is:
HKEY_LOCAL_MACHINE :: SOFTWARE :: Stalker :: CommunigatePro
Parameters: REG_MULTI_SZ:--TLSServerHelloExtensions NO