Outgoing mail fails to deliver to secure server due to TLS problem

Hello, we need to receive mails from *.appiancloud.com. I noticed that the appiancloud.com MX server has a very small set of supported cipher suites. Just 4 of them, TLS 1.2 only. No TLS 1.3 support.

The receiving end requires TLS 1.2 or TLS 1.3 with supporting suites:

  Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve P-384 DHE 384
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve P-384 DHE 384
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve P-384 DHE 384
Preferred TLSv1.2  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-384 DHE 384
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305 Curve P-384 DHE 384
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-384 DHE 384

  Server Key Exchange Group(s):
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  x25519
TLSv1.3  224 bits  x448
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  x25519
TLSv1.2  224 bits  x448

  SSL Certificate:
Signature Algorithm: ecdsa-with-SHA384
ECC Curve Name:      secp384r1
ECC Key Strength:    192

The appiancloud.com MX server only seems to accept P-256 or DHE 1024 bits, both at the low end, which may be why delivery fails. The server should support other key exchange groups such as secp384r1, curve 448 and curve 25519. The CA certificate uses ECC and it requires secp384r1. Supporting TLS 1.3 would probably solve many TLS problems. Mail providers such as Google and Microsoft can deliver their mails at a high security level without issue.

TLS security recommendations and commonly used 'good' ciphers.


Connected to 54.208.196.229

Testing SSL server mail-us-east-1.mail.appiancloud.com on port 25 using SNI name mail-us-east-1.mail.appiancloud.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   disabled

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.2 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits

  Server Key Exchange Group(s):
TLSv1.2  128 bits  secp256r1 (NIST P-256)

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  *.mail.appiancloud.com
Altnames: DNS:*.mail.appiancloud.com, DNS:mail.appiancloud.com
Issuer:   Go Daddy Secure Certificate Authority - G2

Not valid before: Mar  6 16:34:29 2024 GMT
Not valid after:  Mar 14 13:46:03 2025 GMT
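
An added example, not part of the original post: it parses the cipher and key exchange group lines of the two scans above and computes what the two hosts have in common for each protocol version both enable. It assumes Appian's outbound SMTP client offers the same suites and groups as the inbound listener that was scanned, which a server-side scan cannot confirm.

```python
import re

# Cipher and group lines copied from the two scans in the post.
RECEIVER = """
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve P-384 DHE 384
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve P-384 DHE 384
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve P-384 DHE 384
Preferred TLSv1.2  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-384 DHE 384
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305 Curve P-384 DHE 384
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-384 DHE 384
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  x25519
TLSv1.3  224 bits  x448
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  x25519
TLSv1.2  224 bits  x448
"""
APPIAN = """
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits
TLSv1.2  128 bits  secp256r1 (NIST P-256)
"""
CIPHER = re.compile(r"^(?:Preferred|Accepted)\s+(TLSv[\d.]+)\s+\d+ bits\s+(\S+)", re.M)
GROUP = re.compile(r"^(TLSv[\d.]+)\s+\d+ bits\s+(\S+)", re.M)

def parse(scan):
    """Return sets of (protocol, cipher) and (protocol, group) pairs."""
    return set(CIPHER.findall(scan)), set(GROUP.findall(scan))

def overlap(a, b):
    """Per protocol both sides enable: shared ciphers and shared groups."""
    (ca, ga), (cb, gb) = parse(a), parse(b)
    protos = {p for p, _ in ca} & {p for p, _ in cb}
    return {p: {"ciphers": sorted(c for q, c in ca & cb if q == p),
                "groups": sorted(g for q, g in ga & gb if q == p)}
            for p in sorted(protos)}

if __name__ == "__main__":
    for proto, shared in overlap(RECEIVER, APPIAN).items():
        print(proto, shared)
```

TLSv1.2 is the only version both sides enable, and under it both lists come back empty: the receiver accepts only ECDHE-ECDSA suites while the scanned host lists only ECDHE-RSA and DHE-RSA suites, and secp256r1 is not among the receiver's groups.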

