• Global community
    • Language:
      • Deutsch
      • English
      • Español
      • Français
      • Português
  • 日本語コミュニティ
    Dedicated community for Japanese speakers
  • 한국 커뮤니티
    Dedicated community for Korean speakers
Exit
0

CFMail, SES via SMTP and TLS V1.2 Issue

New Here ,
Sep 08, 2023 Sep 08, 2023

Copy link to clipboard

Copied

I'm using a HostNexus CF server (CF10 Enterprise v10.0.14.291717 running on Windows Server 2012 R2 with jvm v1.8.0_172C). I am sucessfully using Amazon SES for email using CFMail to Amazon's SES SMTP gatway.  I use the useTLS = "yes" option in the CFMail tag.

 

Amazon is upgrading to TLS v1.2 and is sending me warnings that my SES connections are using TLSv1 and will no longer be supported within a few weeks.

 

Since the server is not on my network, I don't know how I can troubleshoot to see the TLS version that CFMail is connecting with, and attempt to get it to use TLS V1.2.

 

I did a trouble ticket to the provider, but it seems they don't have any idea for how to proceed (i.e., Restarted mail services from our end. Can you please check now.).


Anyone have any ideas of what to try on my end, or what the provider can try on their end to get me to TLS v1.2?

 

Thanks,

 

Marty M

 

Views

508

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Beginner ,
Sep 09, 2023 Sep 09, 2023

Copy link to clipboard

Copied

You said you are using CF10. May I ask what Java version are you using? because I believe CF10 shipped with Java 6 and that will not support tls 1.2

I believe v7 was the first that supported tls 1.2 and java 8 which is the highest you can go on CF10 has tls 1.2 as default. So if you are still running Java 6 on your CF10 install that likely would have to be upgraded. 

 

As a side note, you will also start running into problems in the future with the Windows Server 2012 as it will not support tls 1.3. 

 

Another important note to be mindful of. Just because you have tls 1.2 there are other issues in that there are many ciphers included in each tls version. So as the companies you are connecting to via cfmail or cfhttp start upgrading they may start refusing your connections. Most will give advanced notice of this but it is hard, especially if you have a ton of servers to start upgrading both Windows and CF at the same time. There are code changes required in some cases to your application between CF10 and the newest CF. So not only are up upgrading Windows but the app server as well and potentially many coding changes to make it all work correctly. 

 

In the short term, you can likely get it going but just going to keep it in mind for the future so you don't get caught off guard. 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Sep 09, 2023 Sep 09, 2023

Copy link to clipboard

Copied

The server is using jvm v1.8.0_172C.

I'm trying to figure out what I can do to check the TLS version that CFMail is using to connect to the SES SMTP gateway (probably nothing) and what I can suggest the provider can to (as I'm the one that won't be sending any email after SES updates their gateway)...

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Nov 02, 2023 Nov 02, 2023

Copy link to clipboard

Copied

I have the same issue on CF10 java version 1.8.0_171.   CFMAIL will only connect with TLSv1

 

The java argument -Dhttps.protocols=TLSv1.2,TLSv1.2 does work for outbound HTTPS connections, but doesn't seem to have any affect on SMTP connections.  Is there another jvm argument that could be used to target mail connections?

 

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Nov 02, 2023 Nov 02, 2023

Copy link to clipboard

Copied

mail.smtp.ssl.protocols


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
New Here ,
Nov 02, 2023 Nov 02, 2023

Copy link to clipboard

Copied

Thanks Charlie!  

 

Adding -Dmail.smtp.ssl.protocols=TLSv1.2 to the JVM arguments did indeed work, and CFMAIL is now connecting on TLSv1.2

 

Just a reminder to anyone to also ensure that "useTLS" is set to "yes" in your cfmail tag.

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Community Expert ,
Nov 02, 2023 Nov 02, 2023

Copy link to clipboard

Copied

LATEST

Great to hear and glad to have helped. As for usetls, I'd not mentioned it as the original post here did. I was just answering your question, about the other jvm argument you needed. Indeed, some will notice I was going for my shortest answer ever. 🙂 


/Charlie (troubleshooter, carehart.org)

Votes

Translate

Translate

Report

Report
Community guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
community guidelines
Resources
Documentation