<\/p>\n
For reference while investigating Event ID: 36887 Shannel\u00a0Error 46 alerts in the System event log (A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46<\/em>)\u00a0we saw the following results of\u00a0incorrect cyphers for\u00a0mail.sealionshippping.co.uk<\/p>\n Some versions of Windows Server (including Windows Server 2008 using IIS 7<\/span> & Server 2012) allow SSL 2.0 and SSL 3.0 by default. Unfortunately, these are insecure protocols and you will fail a\u00a0<\/span><\/span>PCI Compliance scan<\/a>\u00a0<\/span>if you don’t disable them. To properly secure your server and ensure that you pass your PCI-DSS scans, you will need to disable SSL 2.0, SSL 3.0 and disable weak ciphers. Other algorithms are also insecure and current ones may be deprecated in the future. Make sure to follow\u00a0<\/span><\/span>SSL Deployment Best Practices<\/a>\u00a0<\/span>when determining which protocols and ciphers to enable.<\/span><\/p>\n The simplest way to disable and correct insecure protocols and ciphers is to use a GUI. Because Windows doesn’t provide such an interface, you’ll need to use a tool like\u00a0<\/span><\/span>Nartac’s IIS Crypto tool<\/a>\u00a0<\/span>.<\/span><\/p>\n Checking the Exchange server with Nartac’s\u00a0IIS Crypto tool we can see we are not using SSL 2.0 or SSL 3.0 but we are using a number of obsolete RC cyphers installed by default<\/p>\n By clicking on Best Practices button, the IIS was set\u00a0to the correct settings (as below)<\/p>\n And now checking using\u00a0digicert.com\/help<\/span><\/u><\/a>\u00a0produces the following confirmation that the certificate is installed correctly.<\/p>\n <\/p>\n Note that the problem with TLS error that we originally investigating was not<\/strong> the result of an incorrectly installed SSL certificate but because\u00a0Mimecast\u00a0checks inbound emails against spam and viruses by using TLS to hand out the email to our server via the “Default ServerName” Receive connector.\u00a0The default FQDN setting for that connector is “servername.domain”\u00a0and this\u00a0SMTP connector has\u00a0a Self-signed Certificate for the server name only.<\/p>\n There is no way to change the name with one using a public certificate – so we disabled the SCHANNEL Event logging completely https:\/\/support.microsoft.com\/en-us\/kb\/260729<\/a><\/p>\n <\/p>\n References:- The free DigiCert Certificate Utility for Windows is an indispensable tool for administrators and a must-have for anyone that uses SSL Certificates for Websites and servers or Code Signing Certificates for trusted software.<\/p>\n![\"\"](\"http:\/\/help.sealionshipping.co.uk\/wp-content\/uploads\/2017\/04\/Exchange-IIS-TLS-Results-APR-17before-correcting.jpg\")
<\/a><\/p>\n![\"\"](\"http:\/\/help.sealionshipping.co.uk\/wp-content\/uploads\/2017\/04\/Exchange-IIS-TLS-REsults-APR-17before-setting-using-IIS-Crypto-2.0-v2.jpg\")
<\/a><\/p>\n![\"\"](\"http:\/\/help.sealionshipping.co.uk\/wp-content\/uploads\/2017\/04\/Exchange-IIS-Settings-APR-17-now-after-using-IIS-Crypto-2.0.jpg\")
<\/a><\/p>\n![\"\"](\"http:\/\/help.sealionshipping.co.uk\/wp-content\/uploads\/2017\/04\/Exchange-IIS-TLS-REsults-APR-17-after-setting-using-IIS-Crypto-2.0.jpg\")
<\/a><\/p>\n
\nEvent ID: 36887 Schannel Error 46 – Exchange 2010<\/a>
\n Troubleshooting Certificate Status and Revocation<\/a><\/p>\nDigiCert Certificate Utility for Windows<\/h1>\n