TLS Negotiation
-
We're doing business with a firm in the Czech Republic. When sending an email, and the negotiation for TLS happens, I see this in the logs:
Tue 2026-01-06 10:59:54.017: 05: Waiting for protocol to start...
Tue 2026-01-06 10:59:54.152: 02: <-- 220 mail.company.cz ESMTP MTA
Tue 2026-01-06 10:59:54.154: 03: --> EHLO mail.ourcompany.com
Tue 2026-01-06 10:59:54.297: 02: <-- 250-abcd.company.local
Tue 2026-01-06 10:59:54.297: 02: <-- 250-PIPELINING
Tue 2026-01-06 10:59:54.297: 02: <-- 250-SIZE 20971520
Tue 2026-01-06 10:59:54.297: 02: <-- 250-STARTTLS
Tue 2026-01-06 10:59:54.297: 02: <-- 250-ENHANCEDSTATUSCODES
Tue 2026-01-06 10:59:54.297: 02: <-- 250 8BITMIME
Tue 2026-01-06 10:59:54.297: 03: --> STARTTLS
Tue 2026-01-06 10:59:54.443: 02: <-- 220 2.0.0 Ready to start TLS
Tue 2026-01-06 10:59:54.736: 01: SSL negotiation successful (TLS 1.2, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
Tue 2026-01-06 10:59:54.739: 01: SSL certificate is not valid (not signed by recognized CA)
Tue 2026-01-06 10:59:54.739: 03: --> EHLO mail.ourcompany.com
Tue 2026-01-06 10:59:54.883: 02: <-- 250-abcd.company.local
Tue 2026-01-06 10:59:54.883: 02: <-- 250-PIPELINING
Tue 2026-01-06 10:59:54.883: 02: <-- 250-SIZE 20971520
Tue 2026-01-06 10:59:54.883: 02: <-- 250-ENHANCEDSTATUSCODES
Tue 2026-01-06 10:59:54.883: 02: <-- 250 8BITMIME
So, my question is, is TLS still being used, even though MDaemon doesn't recognize the CA? Or is it dropping encryption entirely? How can I discover what the issue is, or rectify it?
Thanks,
Dave
-
Yes, TLS is being used. The certificate that the receiving server is using is not signed by a recognized Certificate Authority, so it is not trusted by your server. Most likely the certificate is self-signed. The certificate can still be used to encrypt traffic.
There really isn't anything for you to do to rectify the situation other than alert the administrators of the receiving server. They may be intentionally using a self-signed certificate, in which case there is nothing you can do other than try to convince them to use a trusted certificate.
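As an added example (not part of the original posts and not MDaemon code), the check below reads the session log from the question and reports whether the session was encrypted and whether the peer's certificate was trusted. It keys only on the message wording visible in that log; the second sample log and the function name `classify_session` are constructed for this example.

```python
import re

# MDaemon-style line: "<dow> <date> <time>: <channel>: <message>"
LINE = re.compile(r"^\w{3} \d{4}-\d{2}-\d{2} [\d:.]+: \d{2}: (.*)$")
NEGOTIATED = re.compile(r"^SSL negotiation successful \(([^,]+), ([^)]+)\)")
CERT_BAD = re.compile(r"^SSL certificate is not valid \((.+)\)")

# Lines copied from the session log in the question (abridged).
QUESTION_LOG = """\
Tue 2026-01-06 10:59:54.297: 02: <-- 250-STARTTLS
Tue 2026-01-06 10:59:54.297: 03: --> STARTTLS
Tue 2026-01-06 10:59:54.443: 02: <-- 220 2.0.0 Ready to start TLS
Tue 2026-01-06 10:59:54.736: 01: SSL negotiation successful (TLS 1.2, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384)
Tue 2026-01-06 10:59:54.739: 01: SSL certificate is not valid (not signed by recognized CA)
Tue 2026-01-06 10:59:54.739: 03: --> EHLO mail.ourcompany.com
"""

# Constructed for contrast: a peer that never offers STARTTLS.
CONSTRUCTED_PLAIN_LOG = """\
Tue 2026-01-06 11:00:00.000: 03: --> EHLO mail.ourcompany.com
Tue 2026-01-06 11:00:00.100: 02: <-- 250-PIPELINING
Tue 2026-01-06 11:00:00.100: 02: <-- 250 8BITMIME
"""

def classify_session(log_text):
    """Summarise the TLS state of one outbound SMTP session."""
    s = {"offered": False, "protocol": None, "cipher": None,
         "cert_problem": None, "commands_after_tls": 0}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if re.match(r"<-- 250[- ]STARTTLS\b", msg):
            s["offered"] = True
        elif (n := NEGOTIATED.match(msg)):
            s["protocol"], s["cipher"] = n.group(1), n.group(2)
        elif (c := CERT_BAD.match(msg)):
            s["cert_problem"] = c.group(1)
        elif msg.startswith("--> ") and s["protocol"]:
            s["commands_after_tls"] += 1  # sent inside the TLS channel
    if s["protocol"] is None:
        s["verdict"] = "plaintext"
    elif s["cert_problem"]:
        s["verdict"] = "encrypted, peer not authenticated"
    else:
        s["verdict"] = "encrypted, no certificate complaint logged"
    return s
```

For the log in the question the verdict is "encrypted, peer not authenticated": the second EHLO is sent after the negotiation succeeded, so the session continues inside TLS even though the certificate was not trusted.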
-
Great. Thanks, Arron!
Dave