TLS/SSL errors in Outlook SMTP (meerdere versies)

2016.04.26 11:05:50 SMTP (mail.element-networks.nl): Port: 465, Secure: SSL, SPA: no
2016.04.26 11:05:50 SMTP (mail.element-networks.nl): Finding host
2016.04.26 11:05:50 SMTP (mail.element-networks.nl): Connecting to host
2016.04.26 11:05:50 SMTP (mail.element-networks.nl): Securing connection
2016.04.26 11:05:50 SMTP (mail.element-networks.nl): Disconnected from host
[b][/b]

2016.04.27 13:52:55 SMTP (mail.element-networks.nl): Begin execution
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): Port: 25, Secure: TLS, SPA: no
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): Finding host
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): Connected to host
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 220 mail.zm1.element-networks.nl ESMTP Postfix
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): [tx] EHLO Zeratul
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 250-mail.zm1.element-networks.nl
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 250-PIPELINING
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 250-SIZE 10240000
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 250-VRFY
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 250-ETRN
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 250-STARTTLS
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 250-ENHANCEDSTATUSCODES
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 250-8BITMIME
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 250 DSN
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): Securing connection
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): [tx] STARTTLS
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): <rx> 220 2.0.0 Ready to start TLS
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): Securing connection
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): Disconnected from host
2016.04.27 13:52:55 SMTP (mail.element-networks.nl): End execution

#########################################################
testssl.sh v2.4  (https://testssl.sh)
($Id: testssl.sh,v 1.250 2015/05/16 18:42:08 dirkw Exp $)

   This program is free software. Redistribution + 
   modification under GPLv2 is permitted. 
   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

 Note: you can only check the server with what is
 available (ciphers/protocols) locally on your machine!
#########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2h-dev)" [~179 ciphers] on
 thinlinc:/usr/local/ssl/bin/openssl
 (built: "reproducible build, date unspecified", platform: "linux-x86_64")


Testing now (2016-04-27 22:29) ---> 10.1.1.41:25 (mail) <---

 rDNS (10.1.1.41):       mail.zm1.element-networks.nl
 Service set:            STARTTLS via SMTP

--> Testing protocols (via native openssl)

 SSLv2      not offered (OK) 
 SSLv3      not offered (OK) 
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK) 
 SPDY/NPN   
     (SPDY is a HTTP protocol and thus not tested here)
--> Testing standard cipher lists 

 Null Cipher              not offered (OK) 
 Anonymous NULL Cipher    not offered (OK) 
 Anonymous DH Cipher      not offered (OK) 
 40 Bit encryption        not offered (OK) 
 56 Bit encryption        not offered (OK) 
 Export Cipher (general)  not offered (OK) 
 Low (<=64 Bit)           not offered (OK) 
 DES Cipher               not offered (OK) 
 Triple DES Cipher        offered
 Medium grade encryption  not offered (OK) 
 High grade encryption    offered (OK) 

--> Testing server preferences 

 Has server cipher order?     yes (OK) 
 Negotiated protocol          TLSv1.2 
 Negotiated cipher            ECDHE-RSA-AES256-GCM-SHA384 
 Cipher order
     TLSv1:     ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA 
     TLSv1.1:   ECDHE-RSA-AES256-SHA DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-SHA CAMELLIA256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA AES128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA 
     TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA DHE-RSA-CAMELLIA256-SHA AES256-GCM-SHA384 AES256-SHA256 AES256-SHA CAMELLIA256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-CAMELLIA128-SHA AES128-GCM-SHA256 AES128-SHA256 AES128-SHA CAMELLIA128-SHA ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA DES-CBC3-SHA 

     (SPDY is a HTTP protocol and thus not tested here)
--> Testing server defaults (Server Hello) 

 TLS timestamp:               (not yet implemented for STARTTLS) 
 HTTP clock skew:             not tested as we're not tagetting HTTP
 TLS server extensions        renegotiation info, EC point formats, session ticket
 Session Tickets RFC 5077     7200 seconds
 Server key size              4096 bit 
 Signature Algorithm          SHA256withRSA 
 Fingerprint / Serial         SHA1 9649C74152E97EDA763BC39377358B7B9CDB6F94 / 05CC95C699A701
                              SHA256 0B0E79268EB491A33FA368FAB3A2E95B84BB42AA299315E6F36CB2FD803C85DE
 Common Name (CN)             mail.element-networks.nl (CN doesn't match but for non-HTTP services it might be ok) 
 subjectAltName (SAN)         mail.element-networks.nl element-networks.nl 
 Issuer                       StartCom Class 1 Primary Intermediate Server CA (StartCom Ltd. from IL)
 Certificate Expiration       >= 60 days  (2015-06-05 10:47 --> 2016-06-05 12:48 +0200)
 # of certificates provided   10
 Certificate Revocation List  http://crl.startssl.com/crt1-crl.crl
 OCSP URI                     http://ocsp.startssl.com/sub/class1/server/ca
 OCSP stapling                not offered

--> Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                (not yet implemented for STARTTLS)
 CCS  (CVE-2014-0224)                      (not yet implemented for STARTTLS)
 Secure Renegotiation (CVE 2009-3555)      not vulnerable (OK) 
 Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok) , DoS threat
 CRIME, TLS (CVE-2012-4929)                Local Problem: Your /usr/local/ssl/bin/openssl lacks zlib support 
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK) 
 FREAK  (CVE-2015-0204), experimental      not vulnerable (OK) 
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-DES-CBC3-SHA EDH-RSA-DES-CBC3-SHA
                                                 DES-CBC3-SHA 
                                           -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK) 

--> Testing (perfect) forward secrecy, (P)FS  -- omitting 3DES, RC4 and Null Encryption here

OK: PFS is offered.  Client/browser support is important here. Offered PFS server ciphers follow... 

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
-------------------------------------------------------------------------
 xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH       AESGCM     256          
 x9f     DHE-RSA-AES256-GCM-SHA384      DH         AESGCM     256          
 x6b     DHE-RSA-AES256-SHA256          DH         AES        256          
 x39     DHE-RSA-AES256-SHA             DH         AES        256          
 x88     DHE-RSA-CAMELLIA256-SHA        DH         Camellia   256          
 xc028   ECDHE-RSA-AES256-SHA384        ECDH       AES        256          
 xc014   ECDHE-RSA-AES256-SHA           ECDH       AES        256          
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH       AESGCM     128          
 xc027   ECDHE-RSA-AES128-SHA256        ECDH       AES        128          
 x9e     DHE-RSA-AES128-GCM-SHA256      DH         AESGCM     128          
 x67     DHE-RSA-AES128-SHA256          DH         AES        128          
 x33     DHE-RSA-AES128-SHA             DH         AES        128          
 x45     DHE-RSA-CAMELLIA128-SHA        DH         Camellia   128          
 xc013   ECDHE-RSA-AES128-SHA           ECDH       AES        128          



Done now (2016-04-27 22:29) ---> 10.1.1.41:25 (mail) <---

#########################################################
testssl.sh v2.4  (https://testssl.sh)
($Id: testssl.sh,v 1.250 2015/05/16 18:42:08 dirkw Exp $)

   This program is free software. Redistribution + 
   modification under GPLv2 is permitted. 
   USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

 Note: you can only check the server with what is
 available (ciphers/protocols) locally on your machine!
#########################################################

 Using "OpenSSL 1.0.2-chacha (1.0.2h-dev)" [~179 ciphers] on
 thinlinc:/usr/local/ssl/bin/openssl
 (built: "reproducible build, date unspecified", platform: "linux-x86_64")


Testing now (2016-04-27 22:39) ---> 10.1.1.41:143 (mail) <---

 rDNS (10.1.1.41):       mail.zm1.element-networks.nl
 Service set:            STARTTLS via IMAP

--> Testing protocols (via native openssl)

 SSLv2      not offered (OK) 
 SSLv3      not offered (OK) 
 TLS 1      offered
 TLS 1.1    offered
 TLS 1.2    offered (OK) 
 SPDY/NPN   
     (SPDY is a HTTP protocol and thus not tested here)
--> Testing standard cipher lists 

 Null Cipher              not offered (OK) 
 Anonymous NULL Cipher    not offered (OK) 
 Anonymous DH Cipher      not offered (OK) 
 40 Bit encryption        not offered (OK) 
 56 Bit encryption        not offered (OK) 
 Export Cipher (general)  not offered (OK) 
 Low (<=64 Bit)           not offered (OK) 
 DES Cipher               not offered (OK) 
 Triple DES Cipher        offered
 Medium grade encryption  not offered (OK) 
 High grade encryption    offered (OK) 

--> Testing server preferences 

 Has server cipher order?     yes (OK) 
 Negotiated protocol          TLSv1.2 
 Negotiated cipher            ECDHE-RSA-AES128-GCM-SHA256 
 Cipher order
     TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA 
     TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-DES-CBC3-SHA 
     TLSv1.2:   ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 AES128-GCM-SHA256 ECDHE-RSA-DES-CBC3-SHA 

     (SPDY is a HTTP protocol and thus not tested here)
--> Testing server defaults (Server Hello) 

 TLS timestamp:               (not yet implemented for STARTTLS) 
 HTTP clock skew:             not tested as we're not tagetting HTTP
 TLS server extensions        renegotiation info
 Session Tickets RFC 5077     (none)
 Server key size              4096 bit 
 Signature Algorithm          SHA256withRSA 
 Fingerprint / Serial         SHA1 9649C74152E97EDA763BC39377358B7B9CDB6F94 / 05CC95C699A701
                              SHA256 0B0E79268EB491A33FA368FAB3A2E95B84BB42AA299315E6F36CB2FD803C85DE
 Common Name (CN)             mail.element-networks.nl (CN doesn't match but for non-HTTP services it might be ok) 
 subjectAltName (SAN)         mail.element-networks.nl element-networks.nl 
 Issuer                       StartCom Class 1 Primary Intermediate Server CA (StartCom Ltd. from IL)
 Certificate Expiration       >= 60 days  (2015-06-05 10:47 --> 2016-06-05 12:48 +0200)
 # of certificates provided   3
 Certificate Revocation List  http://crl.startssl.com/crt1-crl.crl
 OCSP URI                     http://ocsp.startssl.com/sub/class1/server/ca
 OCSP stapling                not offered

--> Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                (not yet implemented for STARTTLS)
 CCS  (CVE-2014-0224)                      (not yet implemented for STARTTLS)
 Secure Renegotiation (CVE 2009-3555)      not vulnerable (OK) 
 Secure Client-Initiated Renegotiation     VULNERABLE (NOT ok) , DoS threat
 CRIME, TLS (CVE-2012-4929)                Local Problem: Your /usr/local/ssl/bin/openssl lacks zlib support 
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK) 
 FREAK  (CVE-2015-0204), experimental      not vulnerable (OK) 
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-DES-CBC3-SHA 
                                           -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK) 

--> Testing (perfect) forward secrecy, (P)FS  -- omitting 3DES, RC4 and Null Encryption here

OK: PFS is offered.  Client/browser support is important here. Offered PFS server ciphers follow... 

Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
-------------------------------------------------------------------------
 xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH       AESGCM     128          
 xc027   ECDHE-RSA-AES128-SHA256        ECDH       AES        128          
 x9e     DHE-RSA-AES128-GCM-SHA256      DH         AESGCM     128          
 xc013   ECDHE-RSA-AES128-SHA           ECDH       AES        128          



Done now (2016-04-27 22:40) ---> 10.1.1.41:143 (mail) <---

Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: connect from 5ED216E3.cm-7-3a.dynamic.ziggo.nl[94.210.22.227]
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: setting up TLS connection from 5ED216E3.cm-7-3a.dynamic.ziggo.nl[94.210.22.227]
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 5ED216E3.cm-7-3a.dynamic.ziggo.nl[94.210.22.227]: TLS cipher list "aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH:!aNULL:!MD5:!DES"
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: SSL_accept:before/accept initialization
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: read from 01CFD7E0 [01D02CE0] (11 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: read from 01CFD7E0 [01D02CE0] (11 bytes => 11 (0xB))
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0000 16 03 03 00 bb 01 00 00|b7 03 03                 ........ ...
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: read from 01CFD7E0 [01D02CEE] (181 bytes => 181 (0xB5))
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0000 57 22 5f 0b 0d c7 7a 5c|28 82 54 e9 fd db 8a 14  W"_...z\ (.T.....
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0010 10 1b 26 89 87 53 90 ed|b4 a3 e7 56 f6 7b aa 25  ..&..S.. ...V.{.%
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0020 00 00 38 c0 2c c0 2b c0|30 c0 2f 00 9f 00 9e c0  ..8.,.+. 0./.....
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0030 24 c0 23 c0 28 c0 27 c0|0a c0 09 c0 14 c0 13 00  $.#.(.'. ........
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0040 9d 00 9c 00 3d 00 3c 00|35 00 2f 00 0a 00 6a 00  ....=.<. 5./...j.
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0050 40 00 38 00 32 00 13 00|05 00 04 01 00 00 56 00  @.8.2... ......V.
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0060 00 00 1d 00 1b 00 00 18|6d 61 69 6c 2e 65 6c 65  ........ mail.ele
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0070 6d 65 6e 74 2d 6e 65 74|77 6f 72 6b 73 2e 6e 6c  ment-net works.nl
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0080 00 0a 00 06 00 04 00 17|00 18 00 0b 00 02 01 00  ........ ........
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0090 00 0d 00 14 00 12 06 01|06 03 04 01 05 01 02 01  ........ ........
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 00a0 04 03 05 03 02 03 02 02|00 23 00 00 00 17 00 00  ........ .#......
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 00b0 ff 01 00 01                                      ....
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 00b4 - <SPACES/NULLS>
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: SSL_accept:SSLv3 read client hello A
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: SSL_accept:SSLv3 write server hello A
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: write to 01CFD7E0 [01D004D0] (4096 bytes => 4096 (0x1000))
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0000 16 03 03 00 3d 02 00 00|39 03 03 ab 3a 1e e5 56  ....=... 9...:..V
Apr 28 21:05:44 mail postfix/submission/smtpd[14596]: 0010 d5 0e 08 eb 95 47 57 dc|fe 8e 4f 56 08 14 7c e3  .....GW. ..OV..|.

.... cert garble ....
pr 28 21:05:45 mail postfix/submission/smtpd[14596]: 3fd0 01 5d 06 03 55 1d 20 04|82 01 54 30 82 01 50 30  .]..U. . ..T0..P0
Apr 28 21:05:45 mail postfix/submission/smtpd[14596]: 3fe0 82 01 4c 06 0b 2b 06 01|04 01 81 b5 37 01 01 01  ..L..+.. ....7...
Apr 28 21:05:45 mail postfix/submission/smtpd[14596]: 3ff0 30 82 01 3b 30 2f 06 08|2b 06 01 05 05 07 02 01  0..;0/.. +.......
Apr 28 21:05:45 mail postfix/submission/smtpd[14596]: 4000 16 23 68 74 74                                   .#htt
Apr 28 21:05:45 mail postfix/submission/smtpd[14596]: write to 01CFD7E0 [01D0B233] (16389 bytes => -1 (0xFFFFFFFFFFFFFFFF))
Apr 28 21:05:45 mail postfix/submission/smtpd[14596]: SSL_accept:error in SSLv3 write certificate B
Apr 28 21:05:45 mail postfix/submission/smtpd[14596]: SSL_accept:error in SSLv3 write certificate B
Apr 28 21:05:45 mail postfix/submission/smtpd[14596]: SSL_accept error from 5ED216E3.cm-7-3a.dynamic.ziggo.nl[94.210.22.227]: Broken pipe
Apr 28 21:05:45 mail postfix/submission/smtpd[14596]: lost connection after STARTTLS from 5ED216E3.cm-7-3a.dynamic.ziggo.nl[94.210.22.227]
Apr 28 21:05:45 mail postfix/submission/smtpd[14596]: disconnect from 5ED216E3.cm-7-3a.dynamic.ziggo.nl[94.210.22.227]

 Server key size              4096 bit 
 Signature Algorithm          SHA256withRSA 
 Fingerprint / Serial         SHA1 84B10BED3F8413E3CAD78544FDBF5624FA8C4695 / 363A0CA849BFD05269C7436FBD788D9A
                              SHA256 2ED0719429FEBB9069FBAE46F5017E14DB03F8908A92D5B1DA083B76B7DE1CF8
 Common Name (CN)             mail.element-networks.nl (CN doesn't match but for non-HTTP services it might be ok) 
 subjectAltName (SAN)         mail.element-networks.nl 
 Issuer                       StartCom Class 1 DV Server CA (StartCom Ltd. from IL)
 Certificate Expiration       >= 60 days  (2016-05-09 10:10 --> 2017-05-09 10:10 +0200)
 # of certificates provided   3
 Certificate Revocation List  http://crl.startssl.com/sca-server1.crl
 OCSP URI                     http://ocsp.startssl.com
 OCSP stapling                not offered

 Server key size              4096 bit 
 Signature Algorithm          SHA256withRSA 
 Fingerprint / Serial         SHA1 9649C74152E97EDA763BC39377358B7B9CDB6F94 / 05CC95C699A701
                              SHA256 0B0E79268EB491A33FA368FAB3A2E95B84BB42AA299315E6F36CB2FD803C85DE
 Common Name (CN)             mail.element-networks.nl (CN doesn't match but for non-HTTP services it might be ok) 
 subjectAltName (SAN)         mail.element-networks.nl element-networks.nl 
 Issuer                       StartCom Class 1 Primary Intermediate Server CA (StartCom Ltd. from IL)
 Certificate Expiration       >= 60 days  (2015-06-05 10:47 --> 2016-06-05 12:48 +0200)
 # of certificates provided   3
 Certificate Revocation List  http://crl.startssl.com/crt1-crl.crl
 OCSP URI                     http://ocsp.startssl.com/sub/class1/server/ca
 OCSP stapling                not offered