System.IO.IOException: Authentication failed because the remote party has closed the transport stream

Johnny Broe 246 Reputation points
2024-09-26T10:56:42.2066667+00:00

I have a customer who has an Exchange 2019 server where an external supplier has used an email account with my customer to send out invoices to my customer's customers. This has happened via port 587.

Now the external supplier has updated its security locally at itself as follows:
- removed insecure ciphers in the registry at the following address: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

So the function looks like the following:

TLS_AES_256_GCM_SHA384
TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA
TLS_PSK_WITH_AES_256_GCM_SHA384
TLS_PSK_WITH_AES_128_GCM_SHA256
TLS_PSK_WITH_AES_256_CBC_SHA384
TLS_PSK_WITH_AES_128_CBC_SHA256
TLS_PSK_WITH_NULL_SHA384
TLS_PSK_WITH_NULL_SHA256

The external supplier cannot now send mail via port 587 and the following error is registered on the Exchange server in the System Event Log:
An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The TLS connection request has failed. The SSPI client process is MSExchangeFrontendTransport (PID: 7860).
Event ID: 36874

I need some advice :-)


2 answers

  1. Mike Hu-MSFT 3,600 Reputation points Microsoft Vendor
    2024-09-27T05:34:52.6+00:00

    Hi,

    Welcome to Microsoft Q&A community.

    It sounds like the issue is due to a mismatch between the cipher suites supported by the external supplier’s updated security settings and those supported by your customer’s Exchange 2019 server. Here are a few steps you can take to resolve this:

    Verify Supported Cipher Suites on Exchange Server: Ensure that the Exchange 2019 server supports the same cipher suites that the external supplier has enabled. You can check and update the supported cipher suites in the registry at:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

    Enable TLS 1.2 on Exchange Server: Make sure that TLS 1.2 is enabled on the Exchange server. You can do this by modifying the registry:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

    "Enabled"=dword:00000001

    Update .NET Framework and Enable Strong Cryptography: Ensure that the .NET Framework is updated and strong cryptography is enabled. You can enable strong cryptography by adding the following registry keys:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]

    "SchUseStrongCrypto"=dword:00000001

    Check for Updates: Ensure that both the Exchange server and the external supplier’s systems are fully updated with the latest security patches and updates.

    Review Event Logs: Continuously monitor the System Event Log for any additional errors or warnings that might provide more insight into the issue.

    By aligning the cipher suites and ensuring that TLS 1.2 is properly configured and enabled, you should be able to resolve the connection issue.

    If you need further assistance, feel free to post back!

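The cipher-suite comparison suggested in the answer above, as an added example that is not part of the original thread: it checks the supplier's list from the question against the suites enabled on the Exchange server. The function name `Compare-CipherSuite` and its name-based notes are assumptions made for this example; `Get-TlsCipherSuite` is the built-in cmdlet on Windows Server 2016 and later.

```powershell
# Added example. Run in an elevated PowerShell session on the Exchange server.
function Compare-CipherSuite {
    param([string[]]$Client, [string[]]$Server)
    foreach ($name in $Client) {
        # Notes are derived from the suite name only (a simplification for this example).
        $note = switch -Regex ($name) {
            '^TLS_(AES|CHACHA20)_' { 'TLS 1.3 only, cannot be selected for TLS 1.2'; break }
            '_PSK_'                { 'pre-shared key suite'; break }
            '_ECDSA_'              { 'needs an ECDSA server certificate'; break }
            '_NULL_'               { 'no encryption'; break }
            default                { 'authenticates with an RSA server certificate' }
        }
        [pscustomobject]@{
            Suite           = $name
            EnabledOnServer = $Server -contains $name
            Note            = $note
        }
    }
}

# Supplier's list as posted in the question (unary -split breaks on whitespace).
$supplier = -split @'
TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_NULL_SHA
TLS_PSK_WITH_AES_256_GCM_SHA384 TLS_PSK_WITH_AES_128_GCM_SHA256
TLS_PSK_WITH_AES_256_CBC_SHA384 TLS_PSK_WITH_AES_128_CBC_SHA256
TLS_PSK_WITH_NULL_SHA384 TLS_PSK_WITH_NULL_SHA256
'@

# Suites currently enabled for Schannel on this machine.
$server = (Get-TlsCipherSuite).Name

Compare-CipherSuite -Client $supplier -Server $server | Format-Table -AutoSize
```

Rows with `EnabledOnServer` set to `True` whose note names a certificate type matching the certificate bound to the SMTP service are the candidates for a TLS 1.2 handshake; if there are none, event 36874 is the expected result.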

  2. Johnny Broe 246 Reputation points
    2024-09-28T07:26:16.9566667+00:00

    Hi Mike
    thanks for your reply :-)
    I have checked all registry settings and they are ok.
    I have only found one difference between my own Exchange server and my client's
    I have also used HealthChecker and everything is fine
    I attached some pictures
    the red lines mean they are not on my own Exchange server

    More info:
    As I understand it, the customer's supplier has carried out the customer's website solution and from this website you can create orders that were previously sent via a user at the customer via port 587. The supplier can no longer do this because he has changed his security settings.
    I have temporarily created a workaround where the supplier's WAN IP can relay on port 25, but I would like to change it back so that the supplier uses port 587 with username / password encrypted.
    Is there anything else I can check?
    thanks in advance :-)

    [Attached images: TLS_Versions, TLS_Versions2_diff, ExchangeVersion1, ExchangeVersion2, reg3, reg2, Reg1]
