TLS 1.2 and Database mail

  • miapjp

    Right there with Babe

    Points: 765


    We use office 365, and just recently received an email from them saying we had a client using TLS 1.0.  I tracked this down to database mail.  I'm an accidental DBA (more a developer, but now a jack-of-all-trades IT), so don't know about security at all.

    We have MSSQL 2017 on Server 2016.  One suggestions was to check the "use SSL" box in Database mail setup, but I already have that checked.  I just checked the box for "force encryption" in SQL Server Config Manager -> Network config -> Protocols.  I don't know how to test what TLS version Database mail is using - is there a way?

    Other things I read say you need to disable TLS 1.0 and 1.1 in the registry for the entire server.  Some other sites said there were a couple other registry settings that were needed to keys for .Net Framework.

    This server is set to go into production in less than 3 weeks, and has many interfaces (third party, supposedly compatible with TLS 1.2) and SSRS and Crystal Reports that need to be tested.  Some things I can't test until we go live (for example, electronic prescriptions - can't have those go to the non-prod database!).  So I'm feeling a time crunch - we just got the email from Microsoft on Thursday, and I've been madly Googling since.

    Please forgive my convoluted and/or unclear explanations.  I hardly know enough about this subject to be able to ask the correct questions. Any help would be greatly appreciated!



  • miapjp

    Right there with Babe

    Points: 765

    An update - after checking that "force unencrypted" option, I dug around on the Office 365 security and compliance site and did an email trace.  Maybe that fixed it!!!  :-O  See attachment:

    It says Message received by: DMXXXX using TLS 1.2 with AES256.  Can anyone confirm if this meets the Office 365 new requirements?

    Sorry again for the confused and hysterical posts  😛

    You must be logged in to view attached files.
  • miapjp

    Right there with Babe

    Points: 765

    Oops, another update.  I ran that O365 trace report on an earlier SMTP mail it told me used TLS 1.0, and that also said "Message received by: DMXXXX using TLS 1.2 with AES256. "  So the SMTP Auth Report tells me TLS 1.0 was used, and the mail trace tells me TLS 1.2 was used.

    So that just made things worse ....sigh

    More confused than ever,


  • BrownCoat42

    SSC Enthusiast

    Points: 117

    I'd use a local mail server to relay through and then configure TLS 1.2 on that. I dont think SQL 2016 database mail can do it and am uncertain about 2017. Not to mention, SQL's SMTP functionality is pretty primitive. If you use a relay, and something goes wrong during send, you will probably be able to do more about it on the relay than you will in database mail.

    My default is using an IIS 6 relay, but Exchange or some other paid SMTP server would be better.

    If you google something like "Relay smtp to Office 365 using IIS 6"

    You should find a few guides. You'd just need to disable everything lower than TLS 1.2 under the schannel key for CLIENT settings.

    implementing TLS with a user credential is the easiest, but you can only send a few hundred emails per hour before you start to get throttled.

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply