Hello, we need to receive mails from *.appiancloud.com. I noticed that the appiancloud.com MX server has a very small set of supported cipher suites. Just 4 of them, TLS 1.2 only. No TLS 1.3 support.
The receiving end requires TLS 1.2 or TLS 1.3 with supporting suites:
Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve P-384 DHE 384
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve P-384 DHE 384
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve P-384 DHE 384
Preferred TLSv1.2  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-384 DHE 384
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305 Curve P-384 DHE 384
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-384 DHE 384

Server Key Exchange Group(s):
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  x25519
TLSv1.3  224 bits  x448
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  x25519
TLSv1.2  224 bits  x448

SSL Certificate:
Signature Algorithm: ecdsa-with-SHA384
ECC Curve Name:      secp384r1
ECC Key Strength:    192
The appiancloud.com MX server only seems to accept P-256 or DHE 1024 bits, both at the low end, which may be why delivery fails. The server should support other key exchange groups such as secp384r1, curve 448 and curve 25519. The CA certificate uses ECC and it requires secp384r1. Supporting TLS 1.3 would probably solve many TLS problems. Mail providers such as Google and Microsoft can deliver their mails at high security level without issue.
TLS security recommendations and commonly used 'good' ciphers.
Connected to 54.208.196.229

Testing SSL server mail-us-east-1.mail.appiancloud.com on port 25 using SNI name mail-us-east-1.mail.appiancloud.com

SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   disabled

TLS Fallback SCSV:
Server supports TLS Fallback SCSV

TLS renegotiation:
Session renegotiation not supported

TLS Compression:
Compression disabled

Heartbleed:
TLSv1.2 not vulnerable to heartbleed

Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits

Server Key Exchange Group(s):
TLSv1.2  128 bits  secp256r1 (NIST P-256)

SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    2048

Subject:  *.mail.appiancloud.com
Altnames: DNS:*.mail.appiancloud.com, DNS:mail.appiancloud.com
Issuer:   Go Daddy Secure Certificate Authority - G2

Not valid before: Mar  6 16:34:29 2024 GMT
Not valid after:  Mar 14 13:46:03 2025 GMT
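The two scan reports above can be compared mechanically to see where the overlap fails. The script below is an added example, not code from the original post or from Appian; it parses sslscan-style "Supported Server Cipher(s)" and "Server Key Exchange Group(s)" sections, then reports the common TLS versions and named groups, any finite-field DHE size below an assumed 2048-bit threshold, and missing TLS 1.3. Like the post, it uses the sending side's inbound MX scan as a proxy for its outbound client configuration, which is an approximation: the real handshake is driven by the sender's MTA client settings, which a server scan does not show. The sample inputs are constructed from the values quoted above; the line layout, the `MIN_FFDHE_BITS` threshold and the function names are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the receiving MX scan quoted in the post,
# laid out one record per line the way sslscan prints it.
RECEIVER_SCAN = """\
Supported Server Cipher(s):
Preferred TLSv1.3  256 bits  TLS_AES_256_GCM_SHA384        Curve P-384 DHE 384
Accepted  TLSv1.3  256 bits  TLS_CHACHA20_POLY1305_SHA256  Curve P-384 DHE 384
Accepted  TLSv1.3  128 bits  TLS_AES_128_GCM_SHA256        Curve P-384 DHE 384
Preferred TLSv1.2  256 bits  ECDHE-ECDSA-AES256-GCM-SHA384 Curve P-384 DHE 384
Accepted  TLSv1.2  256 bits  ECDHE-ECDSA-CHACHA20-POLY1305 Curve P-384 DHE 384
Accepted  TLSv1.2  128 bits  ECDHE-ECDSA-AES128-GCM-SHA256 Curve P-384 DHE 384

Server Key Exchange Group(s):
TLSv1.3  192 bits  secp384r1 (NIST P-384)
TLSv1.3  260 bits  secp521r1 (NIST P-521)
TLSv1.3  128 bits  x25519
TLSv1.3  224 bits  x448
TLSv1.2  192 bits  secp384r1 (NIST P-384)
TLSv1.2  260 bits  secp521r1 (NIST P-521)
TLSv1.2  128 bits  x25519
TLSv1.2  224 bits  x448
"""

# Constructed sample input: the appiancloud.com MX scan quoted in the post.
SENDER_SCAN = """\
Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 1024 bits
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 1024 bits

Server Key Exchange Group(s):
TLSv1.2  128 bits  secp256r1 (NIST P-256)
"""

# Assumed policy threshold: finite-field DHE below 2048 bits is treated as weak.
MIN_FFDHE_BITS = 2048

CIPHER_RE = re.compile(
    r"^(?:Preferred|Accepted)\s+(?P<proto>TLSv1\.[0-3]|SSLv[23])\s+\d+ bits\s+(?P<name>\S+)"
    r"(?:\s+Curve (?P<curve>\S+) DHE \d+|\s+DHE (?P<ffdhe>\d+) bits)?"
)
GROUP_RE = re.compile(r"^(?P<proto>TLSv1\.[23])\s+\d+ bits\s+(?P<group>secp\d+r1|x25519|x448)")


@dataclass
class TlsProfile:
    name: str
    protocols: set = field(default_factory=set)   # versions that have an accepted cipher
    ciphers: set = field(default_factory=set)     # accepted cipher suite names
    groups: set = field(default_factory=set)      # named groups from the key-exchange section
    ffdhe_bits: set = field(default_factory=set)  # finite-field DHE sizes offered


def parse_sslscan(name, text):
    """Build a TlsProfile from sslscan-style cipher and key-exchange lines."""
    profile = TlsProfile(name)
    for raw in text.splitlines():
        line = raw.strip()
        m = CIPHER_RE.match(line)
        if m:
            profile.protocols.add(m["proto"])
            profile.ciphers.add(m["name"])
            if m["ffdhe"]:
                profile.ffdhe_bits.add(int(m["ffdhe"]))
            continue
        m = GROUP_RE.match(line)
        if m:
            profile.groups.add(m["group"])
    return profile


def diagnose(sender, receiver):
    """Intersect two profiles and list the reasons a handshake could fail.

    sender is the side that initiates delivery, receiver the MX it connects to.
    """
    common_protocols = sender.protocols & receiver.protocols
    common_groups = sender.groups & receiver.groups
    weak_ffdhe = {b for b in sender.ffdhe_bits | receiver.ffdhe_bits if b < MIN_FFDHE_BITS}
    findings = []
    if not common_protocols:
        findings.append("no common TLS version")
    if "TLSv1.3" not in sender.protocols:
        findings.append(f"{sender.name} does not offer TLS 1.3")
    if not common_groups:
        findings.append(
            f"no common ECDHE group: {sender.name} offers {sorted(sender.groups)}, "
            f"{receiver.name} offers {sorted(receiver.groups)}"
        )
    if weak_ffdhe:
        findings.append(f"finite-field DHE below {MIN_FFDHE_BITS} bits offered: {sorted(weak_ffdhe)}")
    return {
        "common_protocols": common_protocols,
        "common_groups": common_groups,
        "weak_ffdhe": weak_ffdhe,
        "findings": findings,
    }


def run():
    """Compare the two constructed scans from the post."""
    return diagnose(parse_sslscan("appiancloud MX", SENDER_SCAN),
                    parse_sslscan("receiving MX", RECEIVER_SCAN))


if __name__ == "__main__":
    for finding in run()["findings"]:
        print("-", finding)
```

For the two scans on this page the script finds one common version (TLS 1.2), no common named group (P-256 on one side against P-384/P-521/x25519/x448 on the other) and a 1024-bit DHE offer, which is the overlap gap the post describes. To diagnose a real delivery failure, replace the constructed text with your own sslscan output from both MX hosts and compare it with the sending MTA's client-side TLS policy rather than its inbound scan.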
I guess you would need to raise a support ticket to get the Appian product team's attention to this.