Jump to content

Outbound email failures

Deen

By Deen
in Service Manager

 Share
Victor
Message added by Victor,

We have deployed a patch in all live instances that should address the issue with outgoing email. Emails that failed to be send while the issue was ongoing and currently residing in Sent Items folder can be manually resent. Emails that failed to be send while the issue was ongoing and currently residing in Outbox folder will be automatically sent on the next attempt.

We identified the root cause for the issue and we are working to deploy a change that should resolve the issue. ETA for deploying the changes is 1 hour.

Due to some recent changes within Microsoft O365 email service, sending emails from Hornbill using an SMTP connector to O365 is now intermittently failing. While this is not an issue caused by Hornbill, we are currently investigating the nature of these changes and we are looking at any possible solutions to restore this functionality for all affected instances.

Proposed solutions:

Switch the SMTP connector from SMART HOST to use DIRECT OUTBOUND. For more information about how this can be configured please see: https://wiki.hornbill.com/index.php?title=Outbound_Mail_Routing

Recommended Posts

Victor Grand Master

Victor

Posted
Posted

In terms of the issue itself, we do have a decent idea of how it came to be, the what's and why's. However, we would like to investigate this a bit further, in bit more detail, before we come back with a more in depth RCA. I will update the thread when this is ready.

Link to comment
Share on other sites
Gerry Grand Master

Gerry

Posted
Posted

Following on from the above errors and by way of an explanation. 

Over the last few days/weeks, Microsoft have been updating their servers which changed the priority of TLS version negotiation as part of the key exchange process, and our server was not handling the case where the negotiation was declared as TLS1.3 and that key exchange negotiation failed, there was no fall-back to TLS1.2 which there should have been. So no fall-back and a failing TLS1.3 key exchange negotiation. This was a problem in Hornbill's code, triggered by changes being made by Microsoft. Our initial thought was this was a Microsoft issue, given that our other independent test points on systems like GMail, Postfix and others were all fine. 

A work-around was applied to our code and provided as a hot-fix, this hot fix forced the negotiation down to TLS1.2. We since applied an update to one of the third party libraries we use after their feedback has confirmed the problem is now resolved without the forced downgrade to TLS1.2, that will be in the next platform update.

We apologise for any inconvenience caused, and we appreciate just how important Hornbill is to our customers day to day operations. Unfortunately when working with 3rd-party systems, changes do happen and from time to time that are not within our control and things can get broken. Hopefully we continue to demonstrate that we are able to respond to these kind of events and resolve the issues in a timely manor. 

And for those that want some more technical details, this is the technical bit...
-------
The issue related to TLS 1.3 ClientHello w/ the "key_share" extension. The initial ClientHello message can include pre-generated key shares. While it is not computationally intensive to generate an x25519 key share, and virtually all servers support x25519, it is far more computationally expensive to generate an secp256r1 key share. If our server generated it, then for applications that requires high-performance w/ many connections, the extra work of generating the secp256r1 key share would be significant. Therefore, Hornbill SMTP implementation just pre-generates the x25519 key. If that key is not supported, the server will simply respond with a HelloRetryRequest, in which case Hornbill sends a new ClientHello with the secp256r1 key_share, or whatever other key shares are needed.

Microsoft at some point seems to have stopped supporting x25519, or maybe changed something with the HelloRetryRequest request, such that the HelloRetryRequest failed after a failed negotiation attempt for a TLS1.3 negotiation, its not clear exactly what has changed or why as this is not documented. 

Hornbill SMTP implementation now pre-generates the secp256r1 key share specifically for Microsoft servers.  This is the best generic solution because TLS connections will have better performance for the vast majority of SMTP servers currently supporting x25519
-------

  • Like 1
Link to comment
Share on other sites
  • Deen unfeatured and unpinned this topic

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...