Comcast MTA not accepting STARTTLS

New Poster

Comcast MTA not accepting STARTTLS

We manufacture a device (industrial controller) that can send email on certain events (like boot) and it has been successfully using STARTTLS for quite a while. The protocols are my responsibility and these are not Windows/Linux/iOS/Android/etc related. I recently attempted to set up an email for my Comcast account and cannot complete the connection. This was working in the past although I am not sure how long ago it was.


With either port 25 or 587 at smtp.comcast.net I get the same result. The connection is made and I see that STARTTLS is supported. The device issues STARTTLS and Comcast replies with 220 2.0.0 Ready to start TLS. We send the initial TLS packet and Comcast immediately issues an RST packet dropping the connection. There is now something that it doesn't like.


I will be looking deeper into this today but am wondering if Comcast has a current specification as to what TLS suites it is now supporting? Our embedded device supports a limited set. It will help if I can formulate a good guess as to why we are now being rejected.


Thanks in advance for the help.

Official Employee

Re: Comcast MTA not accepting STARTTLS

Could you supply a tcpdump? Could you also verify the same with another client? Nothing relating to TLS should have changed in the past few weeks.

I am an Official Comcast Employee.
Official Employees are from multiple teams within Comcast: Product, Support, Leadership.
We ask that you post publicly so people with similar questions may benefit from the conversation.

New Poster

Re: Comcast MTA not accepting STARTTLS

Let me first do some more testing. This may still be my fault.


Do you have the list of suites that your TLS (I assume v1.2) supports? I currently have a limited set. People are dropping SHA1 and RC4, etc. which breaks legacy devices but that's never considered.


TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA


Official Employee

Re: Comcast MTA not accepting STARTTLS

The systems say they offer all but the top two.


New Poster

Re: Comcast MTA not accepting STARTTLS


ComcastAntiSpam wrote:

The systems say they offer all but the top two.

That is interesting because I have had to add the top two in the past year as others are no longer supporting the other 4. I guess SHA1 and RC4 are no longer secure enough. I think FileZilla was the first to push me into that.


I found an issue with the ProtocolVersion in my TLS Record Layer that is supplied with the Client Hello. It was being initialized for TLSv1.0 which we were once using, and we are now trying to negotiate TLSv1.2. So, I would guess that you updated code somewhere along the line that decided to be picky about that. That is a good thing. This was my error.


I now get farther along (no RST) but have an issue in parsing your Certificates. Something has changed there as well. I am sure that I can resolve that.


Thanks for the response. I do appreciate it.
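The failure described in the first post (server sends 220 to STARTTLS, then RSTs the first TLS record) and the root cause found above (record-layer ProtocolVersion still initialised for TLSv1.0 while the ClientHello asks for TLSv1.2) are easy to reproduce and check offline. The following is an added example written for this thread, not the poster's device firmware or anything from Comcast: it builds a minimal TLS 1.2 ClientHello record with the six suites listed earlier, then parses it back and flags a record/handshake version mismatch. Cipher-suite code points are the IANA values for those suite names; the "all but the top two" server policy at the bottom is a constructed model of the employee's reply, not a published Comcast configuration.

```python
"""Build and inspect a TLS ClientHello record to check the record-layer
version field against the handshake version and list the offered suites."""
import os
import struct

# Protocol version code points (RFC 5246: TLS 1.0 = 3.1, TLS 1.2 = 3.3).
TLS_1_0 = (3, 1)
TLS_1_2 = (3, 3)

# IANA cipher-suite code points for the six suites listed in the thread.
CIPHER_SUITES = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256": 0x003D,
    "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003C,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 0x0035,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
}
SUITE_NAMES = {code: name for name, code in CIPHER_SUITES.items()}


def build_client_hello(record_version, hello_version, suite_names, client_random=None):
    """Return one TLS record carrying a minimal ClientHello (no extensions)."""
    if client_random is None:
        client_random = os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", CIPHER_SUITES[n]) for n in suite_names)
    body = (
        struct.pack("!BB", *hello_version)   # client_version: what we want to negotiate
        + client_random                      # gmt_unix_time + random bytes
        + b"\x00"                            # session_id: empty
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                        # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    # Record header: ContentType handshake (22), record-layer ProtocolVersion, length.
    return (b"\x16" + struct.pack("!BB", *record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def inspect_client_hello(record):
    """Parse a ClientHello record; flag a record/handshake version mismatch."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError(f"not a handshake record (type {ctype})")
    hs = record[5:5 + rlen]
    if len(hs) != rlen or len(hs) < 4:
        raise ValueError("truncated handshake")
    if hs[0] != 0x01:
        raise ValueError(f"not a ClientHello (handshake type {hs[0]})")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len or body_len < 2 + 32 + 1 + 2 + 1:
        raise ValueError("truncated ClientHello body")
    hmaj, hmin = body[0], body[1]
    pos = 2 + 32                      # skip client_version and random
    pos += 1 + body[pos]              # skip length-prefixed session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    codes = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {
        "record_version": (rmaj, rmin),
        "handshake_version": (hmaj, hmin),
        "version_mismatch": (rmaj, rmin) != (hmaj, hmin),
        "cipher_suites": [SUITE_NAMES.get(c, f"unknown_0x{c:04x}") for c in codes],
    }


def negotiable_suites(offered, server_supported):
    """Suites both sides support, in the client's preference order."""
    return [s for s in offered if s in server_supported]


if __name__ == "__main__":
    offered = list(CIPHER_SUITES)
    # Reproduce the stale-initialisation bug from the thread: the record layer
    # still says TLS 1.0 while the hello inside asks for TLS 1.2.
    stale = build_client_hello(TLS_1_0, TLS_1_2, offered)
    fixed = build_client_hello(TLS_1_2, TLS_1_2, offered)
    for label, rec in (("stale", stale), ("fixed", fixed)):
        info = inspect_client_hello(rec)
        print(label, info["record_version"], info["handshake_version"],
              "MISMATCH" if info["version_mismatch"] else "ok")
    # Constructed server policy modelled on the reply "all but the top two".
    server_policy = set(offered[2:])
    print("negotiable:", negotiable_suites(offered, server_policy))
```

RFC 5246 (Appendix E.1) says servers should accept any {3, x} record-layer version on the initial ClientHello, but implementations differ in practice, so an embedded client that can only speak one version is safest sending the same version in both fields. The same parser can be pointed at the first record in a tcpdump capture to confirm what the device actually put on the wire before asking the server side to look at it.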

Official Employee

Re: Comcast MTA not accepting STARTTLS

Certs haven't changed in about nine months or so. They'll be updated in a couple of months again I believe.


We will be updating allowed ciphers in the next few months to allow many more.
