Skip to main content
M
MarblesLost
Participant
September 8, 2023
Question

CFMail, SES via SMTP and TLS V1.2 Issue

  • September 8, 2023
  • 2 replies
  • 1188 views

I'm using a HostNexus CF server (CF10 Enterprise v10.0.14.291717 running on Windows Server 2012 R2 with jvm v1.8.0_172C). I am sucessfully using Amazon SES for email using CFMail to Amazon's SES SMTP gatway.  I use the useTLS = "yes" option in the CFMail tag.

 

Amazon is upgrading to TLS v1.2 and is sending me warnings that my SES connections are using TLSv1 and will no longer be supported within a few weeks.

 

Since the server is not on my network, I don't know how I can troubleshoot to see the TLS version that CFMail is connecting with, and attempt to get it to use TLS V1.2.

 

I did a trouble ticket to the provider, but it seems they don't have any idea for how to proceed (i.e., Restarted mail services from our end. Can you please check now.).


Anyone have any ideas of what to try on my end, or what the provider can try on their end to get me to TLS v1.2?

 

Thanks,

 

Marty M

 

    This topic has been closed for replies.

    2 replies

    R
    retfird
    Participating Frequently
    November 2, 2023

    I have the same issue on CF10 java version 1.8.0_171.   CFMAIL will only connect with TLSv1

     

    The java argument -Dhttps.protocols=TLSv1.2,TLSv1.2 does work for outbound HTTPS connections, but doesn't seem to have any affect on SMTP connections.  Is there another jvm argument that could be used to target mail connections?

     

    Charlie Arehart
    Community Expert
    Charlie ArehartCommunity Expert
    Community Expert
    November 2, 2023

    mail.smtp.ssl.protocols

    /Charlie (troubleshooter, carehart. org)
      R
      retfird
      Participating Frequently
      November 3, 2023

      Thanks Charlie!  

       

      Adding -Dmail.smtp.ssl.protocols=TLSv1.2 to the JVM arguments did indeed work, and CFMAIL is now connecting on TLSv1.2

       

      Just a reminder to anyone to also ensure that "useTLS" is set to "yes" in your cfmail tag.

      R
      rickmaz
      Inspiring
      September 9, 2023

      You said you are using CF10. May I ask what Java version are you using? because I believe CF10 shipped with Java 6 and that will not support tls 1.2

      I believe v7 was the first that supported tls 1.2 and java 8 which is the highest you can go on CF10 has tls 1.2 as default. So if you are still running Java 6 on your CF10 install that likely would have to be upgraded. 

       

      As a side note, you will also start running into problems in the future with the Windows Server 2012 as it will not support tls 1.3. 

       

      Another important note to be mindful of. Just because you have tls 1.2 there are other issues in that there are many ciphers included in each tls version. So as the companies you are connecting to via cfmail or cfhttp start upgrading they may start refusing your connections. Most will give advanced notice of this but it is hard, especially if you have a ton of servers to start upgrading both Windows and CF at the same time. There are code changes required in some cases to your application between CF10 and the newest CF. So not only are up upgrading Windows but the app server as well and potentially many coding changes to make it all work correctly. 

       

      In the short term, you can likely get it going but just going to keep it in mind for the future so you don't get caught off guard. 

      M
      MarblesLostAuthor
      Participant
      September 9, 2023

      The server is using jvm v1.8.0_172C.

      I'm trying to figure out what I can do to check the TLS version that CFMail is using to connect to the SES SMTP gateway (probably nothing) and what I can suggest the provider can to (as I'm the one that won't be sending any email after SES updates their gateway)...

      Terms & ConditionsAccessibility statement
      Using the community Terms of use Privacy Cookie preferences Do not sell or share my personal information ad choicesAdChoices