ContentStore Mailbox (SMTP Journal Solution) encountering TLS/Algorithm errors

  • 18 March 2021
  • 0 replies
  • 16 views

Userlevel 3
Badge +4

Hi Community,

For those who use our ContentStore Mailbox (SMTP Journal Solution) with M365, please note that we are seeing a spike in support incidents being raised due to either mail not being received or cleanup jobs not actually processing any mail. 

In each instance so far, we have determined that the reason for this is due to the SMTP access nodes still having TLS 1.0 and 1.1 enabled (these protocols were flagged for deprecation by MSFT a few years ago however official rollout appears to be happening now).

As per this article: https://documentation.commvault.com/commvault/v11_sp20/article?p=28943.htm we recommend that TLS 1.2 be enabled and these legacy protocols be disabled in order for the agent to work correctly. 

You will need to ensure that your environment supports TLS 1.2 / apply the necessary MSFT updates in your environment to achieve this.

You can validate if this problem is impacting you by viewing the Exchange Send Connector logs (default location: %ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpSend) and if you see the following error:

Server at xxxxxxx.outlook.com returned 'xxx x.x.xxx Message expired, cannot connect to remote server(xxx x.x.x Security status AlgorithmMismatch)'

Server at smtpjournal.customer.domain (xxx.xxx.xxx.xxx) returned 'xxx x.x.xxx Cannot connect to remote server [Message=xxx x.x.x Security status AlgorithmMismatch] [LastAttemptedServerName=smtpjournal.customer.domain] [LastAttemptedIP=xxx.xxx.xxx.xxx:25] [xxxxxxx.outlook.com](xxx x.x.x Security status AlgorithmMismatch)'


If you attempt to validate the send connector in exchange, the same error will also be received.

If you have or see this behaviour, please validate that TLS 1.0 and 1.1 is disabled (if enabled, make the registry changes listed in our article above and reboot the access nodes). 

Note: please ensure post reboot changes have applied as we’ve seen GPO re-enable TLS 1.0 and 1.1

Validation should work once this has completed - if not and you receive other errors, please raise a support case for further investigation. 


Thanks,
 


0 replies

Be the first to reply!

Reply