Mandatory TLS1.2 - Message Headers report TLS version incorrectly.

We have a large(ish) tenant, 80k+ mailboxes, with thousands of servers / MFPs connecting using Client Submission. We recently finished work to verify that devices are all showing as "TLS1_2" in the headers, as mentioned on the EHLO Blog.

We have just discovered that the TLS version reported in headers is not accurate. We stumbled across a Unix device only capable of TLS1.0, but EXO headers were reporting it as using TLS1.2; reviewing the EMT and the normal message trace confirmed it is using TLS1.0. My advice to anyone undertaking similar work is to check message traces instead of headers. A screenshot of the same message, headers vs message trace, is below.

[Screenshot techc.png: the same message shown in the header analyzer (TLS1_2) and in the message trace (TLS1.0)]

1 Reply
Is the Unix device using IPv6? (Is your network using IPv6 at all?)

It looks to me that that's an intra-Microsoft network Received header and not the one for the first hop of the Unix device to EXO. There are normally a few Received hops within Microsoft's network. What other Received headers are there? Is the header analyzer maybe missing the first one?

Ohh, and the first hop is normally more obviously an EOP one, e.g. AM5EUR02FT045.mail.protection.outlook.com
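Both posts above come down to the same check: the `version=TLS1_x` token appears in every Received header, and only the earliest hop (the last Received header in the message, whose `by` host is the EOP front door) says anything about the submitting device. The script below is an added example, not code from the thread or from Microsoft; it parses each Received hop, reports the TLS version per hop, and flags the pitfall where the top (intra-Microsoft) hop shows TLS1_2 while the device's own hop does not. The sample message, host names and IP addresses are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample (not from the thread): a device submits over TLS 1.0 to
# the EOP front door, then the message is relayed inside Microsoft's network
# over TLS 1.2. Hosts, addresses and ids are invented.
SAMPLE_MESSAGE = """\
Received: from AM5EUR02FT045.mail.protection.outlook.com (10.152.8.52) by
 DB6PR0101MB2215.eurprd01.prod.exchangelabs.com (2603:10a6:4:5::15) with
 Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1234.5; Mon, 13 Aug
 2018 10:00:02 +0000
Received: from mfp-01.corp.example (203.0.113.10) by
 AM5EUR02FT045.mail.protection.outlook.com (10.152.8.52) with Microsoft SMTP
 Server (version=TLS1_0, cipher=TLS_RSA_WITH_AES_128_CBC_SHA) id 15.20.1234.5;
 Mon, 13 Aug 2018 10:00:01 +0000
From: scanner@example.com
To: mailbox@example.com
Subject: scan

body
"""

# "from <host> ... by <host> ... (version=TLS1_2, cipher=...)"; the version
# group is optional because non-Exchange hops may not include it.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)"
    r"(?:.*?\(version=(?P<tls>TLS[0-9_]+))?"
)


def parse_hops(raw_message):
    """Return one dict per Received header, in header order (latest hop first)."""
    msg = message_from_string(raw_message, policy=default)
    hops = []
    for value in msg.get_all("Received", []):
        text = re.sub(r"\s+", " ", str(value))  # unfold the header
        m = HOP_RE.search(text)
        if m:
            hops.append({"from": m["from"], "by": m["by"], "tls": m["tls"]})
    return hops


def tls_tuple(version):
    """'TLS1_2' -> (1, 2); None or an unknown format -> (0, 0)."""
    m = re.fullmatch(r"TLS(\d+)_(\d+)", version or "")
    return (int(m[1]), int(m[2])) if m else (0, 0)


def is_eop_frontdoor(host):
    return host.lower().endswith(".mail.protection.outlook.com")


def audit(raw_message, minimum="TLS1_2"):
    """Summarise per-hop TLS versions; the device's hop is the LAST Received header."""
    hops = parse_hops(raw_message)
    if not hops:
        return {"first_hop": None, "first_hop_tls": None,
                "top_hop_tls": None, "weak_hops": [], "first_hop_complete": False}
    first = hops[-1]
    weak = [f"{h['from']} -> {h['by']} ({h['tls']})"
            for h in hops if tls_tuple(h["tls"]) < tls_tuple(minimum)]
    return {
        "first_hop": f"{first['from']} -> {first['by']}",
        "first_hop_tls": first["tls"],
        # What a tool that reads only the top Received header would report.
        "top_hop_tls": hops[0]["tls"],
        "weak_hops": weak,
        # If the earliest visible hop was not received by EOP, the real first
        # hop is probably missing from what the analyzer was given.
        "first_hop_complete": is_eop_frontdoor(first["by"]),
    }


if __name__ == "__main__":
    for key, val in audit(SAMPLE_MESSAGE).items():
        print(f"{key}: {val}")
```

Run against the constructed message, `top_hop_tls` is `TLS1_2` while `first_hop_tls` is `TLS1_0`, which is exactly the discrepancy the original post saw between the header analyzer and the message trace; `first_hop_complete` is the check the reply suggests (does the earliest `by` host look like EOP at all).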