
Poodle + Domino SSL = Mail Problems

If you use Domino today, you effectively cannot use SSL for email (SMTP) until the promised IBM fix is available. Here is why: the fix vendors applied to patch the POODLE vulnerability broke communications with Domino servers that use SSL. These patched servers will start a secure (SSL) SMTP session but will not fall back to plain text. This means messages queue up in mail.box waiting to be sent outbound, and mail queued up at the sender will not be received by you.

The best non-technical explanation that I can give is that the STARTTLS command that the two SMTP servers use to negotiate a secure connection cannot agree on a protocol, so the negotiation fails and the message transfer fails with it.

Vendors like ProofPoint (pphosted.com) would not fall back to plain text no matter what my Domino settings were. And I tried 10 different combinations. Once a session started with SSL, Domino offers (before the promised fix) no acceptable fallback path, so the session ends without a successful mail transfer.

The only option that works before the IBM fix is released is to disable SSL for inbound and outbound messages.

In summary, message transfers that start out as plain text will be transferred. Messages that start out as secure will not be transferred.
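As an added illustration (not part of the original post, and not code from IBM, Domino or ProofPoint), the following Python script models the two outcomes described above. A constructed fake MX running on localhost advertises STARTTLS but drops the connection instead of completing the TLS handshake; the probe function then reports whether a delivery attempt would proceed in plain text (STARTTLS disabled locally, the workaround above) or fail once the secure session has been started. The host name `mx.example.test`, the function names and the outcome labels are all assumptions made for this example.

```python
import smtplib
import socket
import ssl
import threading


def _serve_connection(conn: socket.socket) -> None:
    """Speak just enough ESMTP to exercise the client's STARTTLS decision.

    Constructed fake peer: it advertises STARTTLS, acknowledges the command,
    and then closes the socket, which is what a failed handshake looks like
    to the sending MTA once the secure session has begun.
    """
    f = conn.makefile("rb")
    try:
        conn.sendall(b"220 mx.example.test ESMTP (constructed fake)\r\n")
        for raw in f:
            cmd = raw.decode("ascii", "replace").strip().upper()
            if cmd.startswith("EHLO") or cmd.startswith("HELO"):
                conn.sendall(b"250-mx.example.test\r\n250 STARTTLS\r\n")
            elif cmd == "STARTTLS":
                conn.sendall(b"220 Ready to start TLS\r\n")
                break  # no handshake follows: the session is now unusable
            elif cmd.startswith("QUIT"):
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"250 OK\r\n")
    except OSError:
        pass  # client went away; nothing to clean up beyond closing
    finally:
        f.close()
        conn.close()


def start_fake_mx() -> int:
    """Start the constructed fake MX on 127.0.0.1 and return its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_connection, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return port


def probe_smtp_tls(host: str, port: int, require_tls: bool) -> str:
    """Report how a delivery attempt to host:port would end.

    Returns "plaintext" when the transfer would continue unencrypted,
    "tls_ok" when STARTTLS negotiates, and "tls_failed" when the secure
    session starts but the handshake cannot be completed (no fallback).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only the handshake outcome matters here
    smtp = smtplib.SMTP(host, port, local_hostname="probe.local", timeout=5)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls") or not require_tls:
            # Either the peer offers no TLS, or STARTTLS is switched off on
            # our side: a real MTA would now continue with MAIL FROM in clear.
            return "plaintext"
        try:
            smtp.starttls(context=ctx)
        except OSError:  # ssl.SSLError and connection errors are both OSError
            return "tls_failed"
        return "tls_ok"
    finally:
        smtp.close()


if __name__ == "__main__":
    port = start_fake_mx()
    print("TLS required :", probe_smtp_tls("127.0.0.1", port, require_tls=True))
    print("TLS disabled :", probe_smtp_tls("127.0.0.1", port, require_tls=False))
```

Pointing `probe_smtp_tls` at a real MX (port 25, with `require_tls=True`) gives the same three-way answer for a live peer, which is the quickest way to tell a "queued in mail.box" problem caused by a failed STARTTLS from an ordinary connectivity problem.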

This is suboptimal (like having a leg cut off is suboptimal) but messages will flow.

Tip: We like to use this service called http://www.kloth.net/services/dig.php to check MX records for problems with message transfer:


ABOUT THE AUTHOR

Frank Paolino is the Founder and President of Maysoft, Inc. He likes to blog about Email security, email viruses and general email management.