What do I do if there is no TLS handshake?

Part 6 of the article series: just because you checked a few boxes on your Microsoft Exchange Server does not mean that there is secure TLS encryption between your domain and another SMTP server that runs TLS. The golden rule that should guide the actions of any IT professional is testing. You must test your program and configuration before you put it into production. Without a good test, you will create a disaster for yourself or even for the entire company.

There can be several problems with TLS encryption, so the question is: how do you debug them?

TLS is a handshake protocol. This means that before any encrypted data is sent, the TLS-enabled servers exchange greetings and negotiate the communication. If the handshake fails, the e-mail that was supposed to be encrypted will either be sent without encryption or get stuck in the server queue, and the sender will receive the following message: Delivery to the following recipients has been delayed. In either case, you need to find out what happened to the TLS handshake.

Let's take a look at how a TLS session is established between SMTP servers. The TLS protocol resides at layer seven of the OSI model, the same layer as the SMTP and Telnet protocols. I will use all three protocols to illustrate how the handshake is established. Since the Telnet protocol resides at the application layer of the OSI model, it is one of the best troubleshooting tools available to an administrator. For a Telnet session to authenticate successfully, your request must pass through all seven layers of the OSI model. Once you have successfully authenticated on SMTP port 25, you can rule out problems related to hardware, network routing, TCP and UDP. You have passed through all the rings of fire and you are at the top. So, let's telnet into the SMTP server and see what happens.

First, launch a command session on your workstation and type telnet 25. You should receive an SMTP banner that looks like this:

It basically informs you that the SMTP service is ready and waiting for your next command. The next request you will issue is EHLO and the server will respond with this acknowledgment:

EHLO 10.45.16.32
250- Hello [server IP address]

After you issue the EHLO command, the server will respond with the list of supported ESMTP "keywords", which are also called SMTP service extensions, as seen below:

These are the commands that are available and can be executed on the SMTP server to which you just telnetted. Please keep in mind that not all SMTP servers advertise these SMTP service extensions. Some may only list the server's domain name, DNS, SIZE, and STARTTLS, as seen in the example below. In this case you are dealing with either a proxy server or some form of secure e-mail gateway.

You can learn more about some of the most common SMTP service extensions by reading the following RFC documents:

  • 8BITMIME: 8-bit data transmission, RFC 1652
  • ATRN: Authenticated TURN, RFC 2645
  • AUTH: Authenticated SMTP, RFC 255
  • CHUNKING: Chunking, RFC 3030
  • DSN: Delivery status notification, RFC 1891
  • ETRN: Extended TURN, RFC 1985
  • HELP: Supply helpful information, RFC 821
  • PIPELINING: Command pipelining, RFC 2920
  • SIZE: Message size declaration, RFC 1870
  • STARTTLS: Transport layer security, RFC 3207

STARTTLS is the SMTP service extension that starts TLS negotiations between the SMTP servers. To start TLS negotiations, type STARTTLS after the servers have exchanged EHLO greetings. You will get the response: 220 2.0.0 SMTP server ready. This response, along with the IP address of the SMTP server you telnetted into, is logged in the SMTP logs on your Microsoft Exchange server. It indicates that the SMTP servers are ready to start TLS negotiations. Please keep in mind that it does not mean that these negotiations were successful. The server on the other side may reject the handshake for a variety of reasons.

For example, you will encounter problems with the TLS handshake when you have two or more virtual SMTP servers on your Microsoft Exchange 2003 server. In this scenario, the TLS handshake will be negotiated between the default virtual SMTP server and the SMTP server to which you are trying to send TLS-encrypted e-mail. If you create a dedicated virtual SMTP server for TLS encryption, it will send a STARTTLS request, but the answer may be returned to the default SMTP server, which knows nothing of the request that was sent; the TLS handshake will be dropped and the message will be sent unencrypted.

Here is an example of this scenario. Your domain Test.com has two virtual SMTP servers: one called Default-Test with IP address 192.168.2.1, and another called Secure-TLS-Test with IP address 192.168.2.2. You try to send an encrypted e-mail to a remote SMTP server called Remote-TLS-Server.com. The TLS message is sent from the Secure-TLS-Test virtual SMTP server. It starts the STARTTLS service on Remote-TLS-Server.com, which sends the negotiation request back to the default virtual server of your domain based on the MX record. So if the MX record of your domain Test.com points to 192.168.2.1, the TLS negotiation will fail because the acknowledgment was sent to the wrong server: the IP address of a server that never initiated the TLS negotiation.

The biggest source of misunderstanding is the belief that, on a mailbox server with multiple SMTP virtual servers, the SMTP virtual servers have some internal mechanism for communicating with each other and selecting routes. In fact, there is no such mechanism. SMTP simply tells the Windows network stack to open a socket for the SMTP connection. It does not supply the source IP address to use, so you will notice that the source IP address Windows assigns is based on the Windows routing table, without considering the IP information of the SMTP virtual server that is being served.

Remote-TLS-Server.com will send the acknowledgment of the handshake to a virtual server that never sent a request in the first place. Once the handshake drops, the TLS encryption is dropped as well, and either the message will be sent unencrypted or the receiving e-mail gateway will not accept it at all. In either case you have a big problem on your hands.
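The Telnet dialogue described above, carried through the STARTTLS step as an added example (not the article's own code): it sends EHLO and STARTTLS, then completes the actual TLS handshake, which Telnet cannot, and can pin the outbound socket to one virtual server's address so the exchange does not depend on the Windows routing table. The host names, example domain and default EHLO name are placeholders.

```python
import socket
import ssl


def read_reply(sock):
    """Read one SMTP reply: 'NNN-' lines continue it, 'NNN ' (space) ends it."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-reply")
        buf += chunk
        last = buf.splitlines()[-1]
        if buf.endswith(b"\r\n") and len(last) >= 4 and last[3:4] == b" ":
            return buf.decode("latin-1").splitlines()


def parse_ehlo(lines):
    """EHLO reply -> (code, {EXTENSION: argument}); lines[0] is the greeting, so
    ['250-Hello [x]', '250-SIZE 10', '250 STARTTLS'] -> ('250', {'SIZE': '10', 'STARTTLS': ''})."""
    exts = {}
    for line in lines[1:]:
        keyword, _, arg = line[4:].partition(" ")
        exts[keyword.upper()] = arg
    return lines[0][:3], exts


def check_starttls(host, port=25, source_ip=None, my_name="exchange-1.example.test"):
    """EHLO, STARTTLS, then complete the handshake and report it. source_ip pins the
    outbound socket to one virtual server's address (the 192.168.2.2 case above)."""
    sock = socket.create_connection((host, port), timeout=15,
                                    source_address=(source_ip, 0) if source_ip else None)
    result = {"banner": read_reply(sock)[0], "starttls_offered": False, "tls": None}
    sock.sendall(f"EHLO {my_name}\r\n".encode())
    code, exts = parse_ehlo(read_reply(sock))
    if code == "250" and "STARTTLS" in exts:
        result["starttls_offered"] = True
        sock.sendall(b"STARTTLS\r\n")
        result["starttls_reply"] = read_reply(sock)[0]
        if result["starttls_reply"].startswith("220"):
            # 220 only means "go ahead": the handshake is the real test and raises
            # ssl.SSLError (bad certificate, no common cipher, ...) when it fails.
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            sock.sendall(f"EHLO {my_name}\r\n".encode())  # RFC 3207: fresh EHLO after TLS
            _, exts_after = parse_ehlo(read_reply(sock))
            result["tls"] = {"version": sock.version(), "cipher": sock.cipher()[0],
                             "size_after_tls": exts_after.get("SIZE")}
    sock.sendall(b"QUIT\r\n")
    sock.close()
    return result
```

Run check_starttls("remote-tls-server.example", source_ip="192.168.2.2") from the Exchange server itself; a 220 starttls_reply followed by an ssl.SSLError is exactly the case that a 220 in the SMTP log alone does not reveal.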

Troubleshooting will be tedious, and in many cases you may face resistance from the e-mail administrators of the domain to which you are trying to send TLS-encrypted e-mail. They may not want to cooperate because they lack the time or the knowledge, or because of internal politics within their organization.

With this in mind, you should know how you can resolve TLS-related issues using the tools and log files available to you on Microsoft Windows 2003 server. I already reviewed what information you can obtain from the e-mail header and how you can use the telnet protocol to debug issues with TLS. Now we will examine SMTP log files stored on the Microsoft Exchange server, Network Monitor and Message Tracking Center.

For anyone familiar with how to send e-mail to an SMTP server using a Telnet session, the SMTP log files are easy to read. The log shows:

  • The IP address of remote SMTP server or a gateway.
  • The FQDN of your e-mail server.
  • Time and date.
  • All the acknowledgments and SMTP services used during the session.
  • The e-mail addresses of the participants.
  • Any encryption negotiations used.
  • Queue status.

The following is an example of the SMTP log:

208.64.168.14 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- -?220 SMTP Proxy Server Ready SMTP" 0 27
208.64.168.14 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "EHLO -?exchange-1.Chi.my-test.com SMTP" 0 4
208.64.168.14 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- -?250-ESMTP Server Ready SMTP" 0 22
208.64.168.14 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "STARTTLS - SMTP" 0 8
208.64.168.14 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- -?220 Server ready Ready to start TLS SMTP" 0 35
208.64.168.14 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "EHLO -? exchange-1.Chi.my-test.com SMTP" 0 4
208.64.168.14 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- -?250-ESMTP Server Ready SMTP" 0 22
208.64.168.14 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "MAIL -?FROM: SIZE=8453 SMTP" 0 4
208.64.168.14 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- -?250 +OK Sender OK SMTP" 0 17
208.64.168.14 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "RCPT -?TO: SMTP" 0 4
208.64.168.14 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- -?250 +OK Recipient OK SMTP" 0 20
208.64.168.14 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "DATA - SMTP" 0 4
208.64.168.14 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- -?354 Start mail input, end with "." SMTP" 0 52
208.64.168.14 - OutboundConnectionResponse [18/Oct/2006:09:43:47 -0600] "- -?250 +OK Queued for delivery. SMTP" 0 36
208.64.168.14 - OutboundConnectionCommand [18/Oct/2006:09:43:47 -0600] "QUIT - SMTP" 0 4
208.64.168.14 - OutboundConnectionResponse [18/Oct/2006:09:43:47 -0600] "- -?221 Service closing transmission channel closing connection SMTP" 0 59

In this example you can clearly see that the SMTP server/gateway 208.64.168.14 received a command requesting to initiate the TLS handshake: 208.64.168.14 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "STARTTLS - SMTP" 0 8, with the acknowledgment that it is ready to negotiate the encryption: 208.64.168.14 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- -?220 Server ready Ready to start TLS SMTP" 0 35. However, it does not show whether this negotiation was successful. Therefore, relying only on the SMTP log, you may conclude that the e-mail was encrypted when in reality the negotiation failed and the message was sent in clear text. This log basically says that the e-mail was successfully queued for delivery and that there was an attempt to encrypt it.
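A parser for log lines in the shape shown above, added here as an example rather than taken from the article: it finds the STARTTLS command, the 220 reply and what followed, and deliberately has no field claiming that the message was encrypted, because the log cannot prove that. The sample lines are constructed, with placeholder addresses and host names.

```python
import re
# Lines constructed for this example in the shape shown above; the peer address
# and host names are placeholders, not real servers.
SAMPLE_LOG = """\
192.0.2.10 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- - 220 SMTP Proxy Server Ready SMTP" 0 27
192.0.2.10 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "EHLO - exchange-1.chi.example SMTP" 0 4
192.0.2.10 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- - 250-ESMTP Server Ready SMTP" 0 22
192.0.2.10 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "STARTTLS - SMTP" 0 8
192.0.2.10 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- - 220 Server ready Ready to start TLS SMTP" 0 35
192.0.2.10 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "EHLO - exchange-1.chi.example SMTP" 0 4
192.0.2.10 - OutboundConnectionResponse [18/Oct/2006:09:43:46 -0600] "- - 250-ESMTP Server Ready SMTP" 0 22
192.0.2.10 - OutboundConnectionCommand [18/Oct/2006:09:43:46 -0600] "MAIL - FROM:<sender@example.test> SIZE=8453 SMTP" 0 4
192.0.2.10 - OutboundConnectionResponse [18/Oct/2006:09:43:47 -0600] "- - 250 +OK Queued for delivery. SMTP" 0 36
192.0.2.10 - OutboundConnectionCommand [18/Oct/2006:09:43:47 -0600] "QUIT - SMTP" 0 4
"""

LINE_RE = re.compile(r'^(?P<peer>\S+) - (?P<event>OutboundConnection(?:Command|Response)) '
                     r'\[(?P<time>[^\]]+)\] "(?P<text>.*)" (?P<n1>\d+) (?P<n2>\d+)$')


def parse_line(line):
    """One log line -> dict with either 'verb' (our command) or 'code' (peer's reply)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    if rec["event"].endswith("Command"):        # e.g. 'STARTTLS - SMTP', 'EHLO - host SMTP'
        rec["verb"], rec["code"] = rec["text"].split(" ", 1)[0].upper(), None
    else:                                        # e.g. '- - 220 Server ready ... SMTP'
        rec["verb"], rec["code"] = None, rec["text"].split("- - ", 1)[-1][:3]
    return rec


def tls_verdict(log_text):
    """What this log proves about TLS on the session, and what it cannot prove."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    v = {"starttls_sent": False, "starttls_ack": False,
         "ehlo_after_starttls": False, "commands_after": []}
    for i, r in enumerate(recs):
        if r["verb"] != "STARTTLS":
            continue
        v["starttls_sent"] = True
        v["starttls_ack"] = i + 1 < len(recs) and recs[i + 1]["code"] == "220"
        v["commands_after"] = [x["verb"] for x in recs[i + 2:] if x["verb"]]
        # RFC 3207 requires a fresh EHLO once TLS is up, so a repeated EHLO is the only
        # hint the client believed the handshake worked; the cipher and certificate
        # outcome never appear here, which is why a capture is still needed.
        v["ehlo_after_starttls"] = v["commands_after"][:1] == ["EHLO"]
        break
    return v
```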

Now let's take a look at how you can use Network Monitor to verify that the e-mail you sent was indeed encrypted. Network Monitor is a packet sniffer and should be used carefully because it can put a heavy load on the server. Turn it on just before you send a test e-mail and turn it off right after you send it. Before you start capturing packets, you must specify the interface you are interested in: the NIC associated with one of your virtual SMTP servers. You should also set an appropriate buffer size. Both settings can be found under Capture on the toolbar. A buffer size of 300MB should be more than enough for your test.

After you stop the capture you should find the IP address of the remote SMTP server/gateway to which you sent your test e-mail and apply the filter so that only the packets sent to that server are displayed. You should see the following screen:

After you apply the filter, you will be able to follow the SMTP packets with ease and, again, a good understanding of how the telnet SMTP session works will help you debug TLS encryption using Network Monitor.

In the picture below, we can see that the local Exchange-1 server successfully exchanged greetings with the remote server called Test. The remote server sent a 220 acknowledgment that it is ready to receive SMTP traffic.

The Exchange-1 server sent the EHLO command to the Test server:

The Test server successfully replied to EHLO by sending information about the message SIZE it supports, and it also offered the STARTTLS service because the request came from a server that has TLS encryption enabled.

The next command issued by the Exchange-1 server was MAIL. Here is the first indication that the e-mail being sent is not encrypted and that the TLS handshake failed: the sender's e-mail address is not encrypted.

The remote server accepted the sender's e-mail address by sending a 250 acknowledgment.

The recipient command (RCPT) with the e-mail address of the recipient was issued by the Exchange-1 server.

The recipient's e-mail address was accepted by the Test server.

The Exchange-1 server issued the DATA command, which was accepted by the Test server, and here we can see the header information and the e-mail ID number, which you can plug into the Message Tracking Center on the Microsoft Exchange 2003 server:

Once you scroll down, you will be able to see the content of the e-mail and in this case it was: Test, test, test, test.

The Test server acknowledged that it received the message:

As we can see from the information provided by Network Monitor, the TLS handshake negotiations between the servers Exchange-1 and Test failed and the message was sent in clear text. The negotiations were initiated correctly by both servers, but the Exchange-1 server failed to respond to the acknowledgment that was sent by the Test server.
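The check the capture walk-through above performs by eye, as an added example (not the article's code): given the first bytes the client sends after the peer's 220 Ready to start TLS reply, decide whether they begin a TLS ClientHello or are a cleartext SMTP command such as the MAIL seen in the Exchange-1 capture. Both sample payloads are constructed.

```python
# Both captures are constructed for this example: the client's first bytes after
# the peer's '220 ... Ready to start TLS' reply, in the good and the bad case.
CAPTURE_TLS = (bytes.fromhex("1603010031")          # record: handshake (0x16), v3.1, len 49
               + bytes.fromhex("0100002d")          # ClientHello (1), len 45
               + bytes.fromhex("0303") + bytes(32)  # client_version 3.3 (TLS 1.2), random (zeroed)
               + bytes.fromhex("00")                # session id: empty
               + bytes.fromhex("0004c02f1301")      # two cipher suites
               + bytes.fromhex("0100")              # compression: null only
               + bytes.fromhex("0000"))             # no extensions
CAPTURE_CLEAR = b"MAIL FROM:<sender@example.test> SIZE=8453\r\n"

SMTP_VERBS = {b"EHLO", b"HELO", b"MAIL", b"RCPT", b"DATA", b"RSET", b"NOOP",
              b"QUIT", b"VRFY", b"AUTH"}
TLS_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}


def classify_after_starttls(payload):
    """Decide whether the bytes sent right after a 220 STARTTLS reply begin a TLS
    handshake (encryption is being negotiated) or are a cleartext SMTP command
    (the handshake never happened, as in the Exchange-1 capture above)."""
    if len(payload) >= 11 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        rec_len = int.from_bytes(payload[3:5], "big")     # TLS record length
        hello_len = int.from_bytes(payload[6:9], "big")   # handshake message length
        # For TLS 1.3 the client_version field still says 3.3; the real offer sits in
        # the supported_versions extension, which this minimal check does not parse.
        return {"kind": "tls-client-hello",
                "record_version": TLS_NAMES.get(payload[2], "unknown"),
                "client_version": TLS_NAMES.get(payload[10], "unknown"),
                "lengths_consistent": rec_len == hello_len + 4}
    verb = payload[:4].upper()
    if verb in SMTP_VERBS and payload[4:5] in (b" ", b"\r", b"\n"):
        return {"kind": "cleartext-smtp", "verb": verb.decode("ascii")}
    return {"kind": "unknown"}
```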

Therefore, the problem must lie with the Exchange-1 server. The TLS encryption on the Exchange-1 server could have been misconfigured. The Exchange-1 server could have two virtual SMTP servers, one configured as the default SMTP server and the other configured as a dedicated secure TLS virtual SMTP server, with all TLS-enabled connectors using it to route TLS-encrypted e-mail.
