Current List of TLS for ProofPoint 2023 / Messages deferred

Created by Jason Carreiro, Modified on Thu, 04 May 2023 at 12:15 PM by Yves Lacombe

Symptoms:


Proofpoint has updated its list of supported TLS protocols and ciphers, and any mail servers with outdated ciphers will currently experience delays in mail delivery. The following error is displayed in Proofpoint logs and messages show as deferred. After 10 minutes, the email will be delivered opportunistically in cleartext.




SOLUTION / FIXES:


Proofpoint now supports only modern cipher suites, so if you're running, say, an older Exchange server on an older platform, you can either remove the cipher suites that are no longer supported, upgrade Exchange, or otherwise modernise your platform.


Update the local cipher configuration, or upgrade the certificate, to match the ciphers recommended by Proofpoint Essentials, listed below.


Currently, Proofpoint MTAs support TLS 1.2, TLS 1.3 and the following list of ciphers: 


• TLS_AES_128_GCM_SHA256 

• TLS_CHACHA20_POLY1305_SHA256 

• TLS_AES_256_GCM_SHA384 

• ECDHE-RSA-AES128-GCM-SHA256 

• ECDHE-RSA-CHACHA20-POLY1305 

• ECDHE-RSA-AES256-GCM-SHA384 

• ECDHE-RSA-AES128-SHA256 

• ECDHE-RSA-AES256-SHA384 

• AES128-GCM-SHA256 

• AES256-GCM-SHA384 

• AES128-SHA256 

• AES256-SHA256 
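
To check an MTA against the list above, the following Python sketch (an added example, not Proofpoint or Vircom code) compares an inventory of the protocols and suites your server offers with Proofpoint's list, accepting both the OpenSSL names used above and the IANA names Windows shows. The protocol labels (`TLSv1.2`, `TLSv1.3`) and the sample inventories are assumptions constructed for illustration.

```python
import re

# Proofpoint's accepted suites, copied from the list in this article.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
                "TLS_AES_256_GCM_SHA384"}
# TLS 1.2 suites: OpenSSL name (as in the article) -> IANA name (as Windows shows it).
TLS12_SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES256-GCM-SHA384": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "AES128-SHA256": "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "AES256-SHA256": "TLS_RSA_WITH_AES_256_CBC_SHA256",
}
TLS12_NAMES = set(TLS12_SUITES)
IANA_TO_OPENSSL = {iana: ossl for ossl, iana in TLS12_SUITES.items()}

def normalise(name):
    """Map a suite name to the spelling used in the article's list."""
    name = name.strip().upper()
    # Older Windows releases append the curve, e.g. ..._CBC_SHA384_P384.
    name = re.sub(r"_P(256|384|521)$", "", name)
    return IANA_TO_OPENSSL.get(name, name)

def shared_suites(protocols, suites):
    """Return {protocol: [suite, ...]} usable between this MTA and Proofpoint."""
    offered = {normalise(s) for s in suites}
    shared = {}
    # TLS 1.3 suites only count if TLS 1.3 itself is enabled, and likewise for 1.2.
    if "TLSv1.3" in protocols and offered & TLS13_SUITES:
        shared["TLSv1.3"] = sorted(offered & TLS13_SUITES)
    if "TLSv1.2" in protocols and offered & TLS12_NAMES:
        shared["TLSv1.2"] = sorted(offered & TLS12_NAMES)
    return shared

if __name__ == "__main__":
    # Constructed inventories, not taken from any real server.
    samples = {
        "legacy": (["TLSv1.0", "TLSv1.2"], ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384",
                                            "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]),
        "patched": (["TLSv1.2"], ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384"]),
    }
    for label, (protos, suites) in samples.items():
        print(label, "->", shared_suites(protos, suites) or "no overlap: expect deferral")
```

An empty result means no protocol and suite pair is shared, which is the condition under which the article says messages are deferred and later delivered in cleartext.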


WORKAROUND:


If you cannot upgrade your platform for logistical reasons, we could add an extra hop through Vircom servers to reduce the delay, since Vircom operates clusters of servers that aren't so restrictive.


So instead of doing this:


{ internet } ===> { proofpoint } ====> { your old MTA }


We could do this:


{ internet } ===> { proofpoint } ====> { vircom MX } ====> { your old MTA }


Open a ticket with our team if you'd like to do this.