Sending email via TLS is rejected with "554 Certificate Rejected over TLS (wrong cipher returned)".

 

KB78818 covers how to disable TLS 1.2 for MEG 7.5.x and 7.6.x.

 

Environment

McAfee Email Gateway (MEG) 7.5, 7.5.1, 7.6.1

 

Problem

If you send email to external domains using TLS, MEG aborts the TLS session with some remote servers and the message is rejected. When this happens, administrators and users see the following message on the Dashboard and in the delivery status notification (DSN):

 

554 Certificate Rejected over TLS (wrong cipher returned).

 

Cause

This issue occurs when the remote server negotiates TLS 1.0 in its ServerHello but selects a cipher suite that is only defined in the TLS 1.2 specification (for example, one of the SHA-256 HMAC or AES-GCM suites). A cipher suite must be valid for the protocol version that was negotiated, so MEG treats the combination as a protocol error and aborts the handshake rather than continuing with an inconsistent session.
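The consistency check described above, as an added example that is not part of this KB article or of MEG itself: it builds a minimal ServerHello record (constructed test input, not a capture from a real server), extracts the negotiated version and the selected cipher suite, and flags the case where a TLS 1.2-only suite is chosen under TLS 1.0 or 1.1. The cipher-suite identifiers come from RFC 5246, RFC 5288 and RFC 5289; the function names are this example's own.

```python
import struct

# TLS protocol versions as they appear on the wire.
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303
VERSION_NAMES = {TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}

# Cipher suites that exist only in TLS 1.2 (RFC 5246 SHA-256 suites, RFC 5288
# AES-GCM suites, RFC 5289 ECDHE SHA-256/SHA-384 and GCM suites). A server that
# negotiates TLS 1.0 or 1.1 must not select any of these.
TLS12_ONLY_SUITES = {
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0067: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    0x006B: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009E: "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    0x009F: "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# Two suites that are valid on TLS 1.0, for the well-behaved case.
LEGACY_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def build_server_hello(version: int, cipher_suite: int) -> bytes:
    """Build a minimal ServerHello inside a TLS handshake record (constructed test input)."""
    body = (struct.pack(">H", version)        # server_version
            + bytes(32)                      # random (zeroed; irrelevant here)
            + b"\x00"                        # session_id length 0
            + struct.pack(">H", cipher_suite)
            + b"\x00")                       # compression_method null
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # type 2 = server_hello
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> tuple:
    """Return (server_version, cipher_suite) from a handshake record holding a ServerHello."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[0:2])[0]
    sid_len = body[34]                       # follows 2-byte version + 32-byte random
    pos = 35 + sid_len
    cipher_suite = struct.unpack(">H", body[pos:pos + 2])[0]
    return version, cipher_suite


def check_server_hello(record: bytes) -> dict:
    """The check MEG enforces: the selected suite must be valid for the negotiated version."""
    version, suite = parse_server_hello(record)
    name = TLS12_ONLY_SUITES.get(suite) or LEGACY_SUITES.get(suite) or f"0x{suite:04X}"
    mismatch = version < TLS12 and suite in TLS12_ONLY_SUITES
    return {
        "version": VERSION_NAMES.get(version, f"0x{version:04X}"),
        "cipher_suite": name,
        "ok": not mismatch,
        "reason": ("cipher suite defined only in TLS 1.2 selected under an older version"
                   if mismatch else "consistent"),
    }


if __name__ == "__main__":
    # The failing case from the article, then two well-behaved servers.
    for ver, suite in ((TLS10, 0x003C), (TLS12, 0x003C), (TLS10, 0x002F)):
        print(check_server_hello(build_server_hello(ver, suite)))
```

To see what a real remote MTA selects, a workstation with OpenSSL can reproduce the negotiation with `openssl s_client -connect mx.example.com:25 -starttls smtp -tls1`; the Protocol and Cipher lines of its output are the two values this check compares (mx.example.com is a placeholder).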

 

Solution

The preferred solution for this issue is for the administrators of the remote mail servers to fix those servers so that they negotiate TLS 1.2, if available.

 

NOTE: McAfee Support has found this issue to be both pervasive and problematic. For MEG 7.5.2, TLS v1.2 will be disabled by default with a user-controlled option to re-enable it.

Workaround

Disable all TLS 1.2 cipher suites on the Appliance. This affects every TLS session the Appliance negotiates, not only the sessions with the misbehaving remote domains, so treat it as a temporary measure and re-enable the TLS 1.2 cipher suites once the remote servers are fixed.

 

To fix this issue, you need to edit the Appliance configuration files. For full steps on backing up and editing the Appliance configuration files, see KB56323.

 

IMPORTANT: McAfee recommends that you save the configuration file from the McAfee Appliance and store a backup copy in a separate location. Edit the copy of the configuration file, and keep a current version in a safe place at all times.

 

    Export and extract the Appliance configuration file:

 

        On the Appliance, select System, System Administration, Configuration Management, Backup Configuration.

        Click Backup Configuration, then click the link to save the configuration.

        Save this configuration to a new folder.

 

        NOTE: The numbers in the name of the configuration file change with new versions and updates.

 

        Right-click the configuration file and select Open with WinZip.

 

    Edit the Appliance configuration file:

 

        Navigate to config\Native\smtp-config.xml.

        Right-click smtp-config.xml and select Open with WordPad.

 

        NOTE: Ensure that you do not extract the full .zip file, only the XML to be edited. Extracting the full configuration can cause corruption in the configuration.

 

        Locate the ForbiddenCiphers section and change it to read as follows (copy and paste the following). The aNULL entry forbids anonymous, unauthenticated cipher suites and must remain; the TLSv1.2 entry is the addition that blocks the TLS 1.2 cipher suites:

 

        <ForbiddenCiphers>

            <Attr value="aNULL" name="0"/>

            <Attr value="TLSv1.2" name="1"/>

        </ForbiddenCiphers>

 

        Save the file.

        Update the Appliance config file with the edited smtp-config.xml.

 

    Restore the Configuration File to the Appliance:

 

        Log on to the Appliance manager console.

        Select System, System Administration, Configuration Management, Restore Configuration.

        Click Restore From File.

        Locate the .zip file you just created and click OK.

        Select the Values to Restore and click OK.

        Click Close.

        Click Apply Configuration Changes.

        Type a comment and click OK.
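The edit in the procedure above, as an added example that is not part of this KB article or of the MEG product: it patches only the ForbiddenCiphers section of smtp-config.xml and rewrites the exported archive member by member, so nothing else in the .zip is extracted or altered (the same precaution the NOTE above gives for WinZip). The zip member path config/Native/smtp-config.xml is assumed from the path given in the steps; the SmtpConfig root element and the sample archive are constructed stand-ins, since the real file contains far more than this section.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed archive path of the file edited in the procedure (the steps give config\Native\smtp-config.xml).
CONFIG_MEMBER = "config/Native/smtp-config.xml"

# Constructed minimal stand-in for smtp-config.xml; the real file has many more elements
# and the root element name is not known from the article.
SAMPLE_SMTP_CONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<SmtpConfig>
  <ForbiddenCiphers>
    <Attr value="aNULL" name="0"/>
  </ForbiddenCiphers>
</SmtpConfig>
"""


def forbidden_ciphers(xml_bytes: bytes) -> list:
    """Return the (name, value) pairs currently listed under ForbiddenCiphers."""
    section = ET.fromstring(xml_bytes).find(".//ForbiddenCiphers")
    if section is None:
        raise ValueError("ForbiddenCiphers section not found")
    return [(a.get("name"), a.get("value")) for a in section.findall("Attr")]


def add_forbidden_cipher(xml_bytes: bytes, cipher: str = "TLSv1.2") -> bytes:
    """Append an Attr for `cipher` with the next free index; unchanged if it is already present."""
    root = ET.fromstring(xml_bytes)
    section = root.find(".//ForbiddenCiphers")
    if section is None:
        raise ValueError("ForbiddenCiphers section not found")
    attrs = section.findall("Attr")
    if any(a.get("value") == cipher for a in attrs):
        return xml_bytes                      # already forbidden: idempotent
    used = [int(a.get("name")) for a in attrs if a.get("name", "").isdigit()]
    new = ET.SubElement(section, "Attr", value=cipher, name=str(max(used, default=-1) + 1))
    if attrs:                                 # cosmetic: keep the existing indentation
        new.tail, attrs[-1].tail = attrs[-1].tail, (attrs[-1].tail or "") + "  "
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


def patch_config_archive(src_zip: bytes, cipher: str = "TLSv1.2") -> bytes:
    """Copy every member of the exported configuration unchanged except smtp-config.xml."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(src_zip)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        if CONFIG_MEMBER not in zin.namelist():
            raise ValueError(f"{CONFIG_MEMBER} not found in archive")
        for info in zin.infolist():
            data = zin.read(info.filename)
            if info.filename == CONFIG_MEMBER:
                data = add_forbidden_cipher(data, cipher)
            zout.writestr(info, data)         # reuse the original entry metadata
    return out.getvalue()


def archive_members(zip_bytes: bytes) -> dict:
    """Map member name -> bytes, used to verify the result without touching the filesystem."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        return {name: z.read(name) for name in z.namelist()}


def build_sample_archive() -> bytes:
    """Constructed stand-in for the exported configuration .zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CONFIG_MEMBER, SAMPLE_SMTP_CONFIG)
        z.writestr("config/Native/other-config.xml", b"<Other/>")   # must pass through untouched
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                    # python patch_meg_tls.py exported.zip patched.zip
        with open(sys.argv[1], "rb") as f:
            src = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_config_archive(src))
    else:
        patched = archive_members(patch_config_archive(build_sample_archive()))[CONFIG_MEMBER]
        print(patched.decode())
```

ElementTree re-serialises the whole document, so comments and the exact quoting of the original XML declaration are not preserved; before restoring a patched export to an Appliance, diff the new smtp-config.xml against the original and confirm that the ForbiddenCiphers section is the only change.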

 

NOTE: MEG 7.6.2, due for release soon, adds a UI option to disable TLS 1.2.

 

To do this, open the Appliance Management Console.

Browse to Email, Encryption, TLS

Expand TLS Options (Advanced)

Uncheck Enable TLS v1.2 cipher suites

Apply the Changes.

 
