office 365 "Cannot connect to SMTP server" "SSL negotiation failed"

Question

Hi team, I work for Ricoh and we have had several clients call in today with an error message when trying to scan. The error message is "Cannot connect to SMTP server" "SSL negotiation failed". Upon checking their setups they are all using office365 accounts for SMTP authentication, all of them stopped working this morning.

Have their been any updates or changes we need to be aware of?

Thanks

Answer 1

Dear all, I just got a reply from Ricoh technician: "It looks to me as if Microsoft has disabled the cipher suites WITHOUT elliptic curves for TLS1.2. ECDHE is only possible with newer controllers from 18S onwards".

Our affected MFPs models are: MP C307 , MP 6055, IM C3000, MP C3004ex, and they all have an older controller 16S or 17S.

We also use IM C300, and, so far, this one seems to be affected.

Answer 2

Good morning everyone,

I did a few analyses yesterday.

I sent several queries via dig for smtp.office365.com via the large known European DNS servers. The result was 116 servers.

Only one of these 116 servers still supports TLS_RSA. All others only support Elliptic Curve.

Then I sent further queries via dig to DNS servers outside Europe and received 14 servers. Of these 14, 7 still support TLS_RSA.

Please add one of these servers as smtp server for testing.

Since the TTL of the IP addresses after resolution is less than 10 seconds, this also explains why about 1/4 scans work because a different mail server is addressed with each scan (DNS Round Robin).

Unfortunately, I have not found any information from Microsoft that Microsoft disables TLS_RSA on its mail servers. Moreover, Microsoft does not seem to have done this on all mail servers (or not yet).

List of servers that support TLS_RSA:

40.99.148.242

52.97.129.242

52.97.146.162

52.97.146.194

52.97.211.210

52.97.211.226

52.98.207.2

52.97.173.18

40.99.218.98

Answer 3

Can somebody Try enabling support for the legacy SMTP endpoint in their tenant:

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/opt-in-exchange-online-endpoint-for-legacy-tls-using-smtp-auth

Then setting the SMTP Server on their Affected Printer to:

• smtp-legacy.office365.com

My guess is that this should work - your emails should still be encrypted with TLS 1.2 if your printer supports it, based on what OpenSSL Says (TLS 1.2 is supported on the endpoints I have been hitting with RSA)

We are awaiting a change request to try this - can anybody get it implemented and tested faster than us to check?

Answer 4

We have now solved it by setting up an internal server with an SMTP relay using hMailServer. We are routing all scans from the affected devices through it and then forwarding them to Microsoft. It's just a workaround for the problem, but it works for now.

Answer 5

I wanted to add this to the mix. We also saw this issue being reported somewhere at the beginning of February. The error when scan to email: "SSL Connection has failed. Please consult your system admin." would be displayed on our Sharp 3070n. The problem appeared to be intermittent with just about ever other scan failing with an error code of 80-0075.

I tried several things to resolve this issue but in the end it appeared to be updating the firmware from version BUNDLE 0501z100 to BUNDLE 0504z100.

Again so far this has only affected our Sharp 3070 printer. Firmware update seemed to have resolved.

Thank you,

Mike G.