TLS 1.2 ?

[sandmanmac]

Hello all.
Just looking for a little lay person clarification/ explanation here please

I have little to no trouble setting up my devices for scan to email.
I have a handful of smaller clients that I simply use the mail server from my own company. I have a variety of reasons that I do that on occasion that aren't important.
Today I had a couple of calls come in reporting that their scanning had failed - both are configured with my mail server. It didn't seem to be a coincidence.
I got back to my office and was also unable to scan on any of the machines I have there either.
I assumed it was just a temporary mail server issue on the other end, but upon a little further testing, I realized that I could scan to email via Port 587 (unencrypted) on that same server.
I contacted technical support at my hosting company, and was advised that they have apparently discontinued support on their servers for TLS 1.0 and 1.1 and that this will cause a problem for certain older devices, etc.

I don't think that should be the case for any of the models I'm having (known) issues with. Such as, MP501, MP C306, MP C401, MP C3503.
I can confirm that the MP501 and C406 have the most updated F/W as they are in my office, the others may be slightly outdated.

So, I'm wondering if there are additional steps that need to be taken when only TLS 1.2 is available? Like a device certificate?
(I've never had much success trying to do that).

I feel like they should still "just work", and that there may be something on their end that's causing the issue, but they say "no", and have asked me for some further info about the specific models I'm having problems with, and I wanted to check here for some advice first.

Thanks in advance for your expertise!

[slimslob]

To my knowledge, Ricoh has supported TLS1.2 since before I retired in 2017. You might check and see if you can turn off TLS1.0 and TLS1.1. That should force initial handshaking at TLS1.2. I can't remember if it has to be changed from the control panel or form WIM.

[sandmanmac]

To my knowledge, Ricoh has supported TLS1.2 since before I retired in 2017. You might check and see if you can turn off TLS1.0 and TLS1.1. That should force initial handshaking at TLS1.2. I can't remember if it has to be changed from the control panel or form WIM.

Thanks Tim.
That sounded like promising advice, but when I checked my machines, TLS 1.0 and 1.1 were already turned off on one of them, and it made no difference when I turned it off on the other

[rthonpm]

Without one of those in front of me, do they support StartTLS in the mail options? I've had issues with other systems when not using that.

You may also want to look at getting those customers off a server that they don't have control over. You're opening yourself up to a bit of liability having their information available to you without some kind of agreement between you and them.

All you need is one lawyer to scream about it to find yourself in a world of hurt.

Sent from my Pixel 6 Pro using Tapatalk

[sandmanmac]

Without one of those in front of me, do they support StartTLS in the mail options? I've had issues with other systems when not using that.

You may also want to look at getting those customers off a server that they don't have control over. You're opening yourself up to a bit of liability having their information available to you without some kind of agreement between you and them.

All you need is one lawyer to scream about it to find yourself in a world of hurt.

Sent from my Pixel 6 Pro using Tapatalk

No they don't have the StartTLS option.
I've not yet dealt with a RICOH model that has that feature as far as I can recall.
I imagine the new IM Series would, but I've not gotten to them quite yet.

As for my Mail server....I appreciate the advice, and there only only a handful of very small clients I have still on there - and certainly none of them are law offices.

[Oze]

Without one of those in front of me, do they support StartTLS in the mail options? I've had issues with other systems when not using that.

You may also want to look at getting those customers off a server that they don't have control over. You're opening yourself up to a bit of liability having their information available to you without some kind of agreement between you and them.

All you need is one lawyer to scream about it to find yourself in a world of hurt.

Sent from my Pixel 6 Pro using Tapatalk

No START TLS option on the IMC series that I can find.
In front of one right now and the option's not in the security settings.

[rthonpm]

As for my Mail server....I appreciate the advice, and there only only a handful of very small clients I have still on there - and certainly none of them are law offices.

The issue is that a mail server the customer doesn't have any degree of control over is sending data that could include sensitive information.

Almost any legal advisor would tell both you and the customer that this is a potential risk. What if a disgruntled employee is emailing data to a competitor, or internal pricing to a customer? With no ability for the customer to audit or see what's being sent there's a degree of risk. There's also the fact that you have access to that server and by extension, access to internal and potentially sensitive information. For a lot of small firms, nothing like that may be sent, but you should look to get some kind of paperwork that covers you and shows that the customer accepts the risk.

Back to the bigger issue at hand: with the TLS 1.2 change, you may want to check and make sure the hosting firm hasn't changed anything else, or if they're just reselling someone else's services that may require a more stringent setting like MFA or SMTP AUTH.

Sent from my Pixel 6 Pro using Tapatalk

[sandmanmac]

The issue is that a mail server the customer doesn't have any degree of control over is sending data that could include sensitive information.

Back to the bigger issue at hand: with the TLS 1.2 change, you may want to check and make sure the hosting firm hasn't changed anything else, or if they're just reselling someone else's services that may require a more stringent setting like MFA or SMTP AUTH.

Sent from my Pixel 6 Pro using Tapatalk

Point taken.
Thank you.

As for the TLS issue....it's had very little affect on me, and has actually been a good excuse to get some of the customers off my mail server as they call in to report their scanning issues.
It just seemed to me that there MUST be something on their end blocking the connection, and I'm positive I'm not the only one who has complained, and suggesting to me that I just use the non-ssl setup wasn't an acceptable solution.

They've been pretty good at making some suggestions, but most of them had already been tried - particularly their suggestion to disable TLS 1.0 / 1.1 which Tim suggested right out of the gate.
Thus far, they've been unable to find a solution for me, but they have apparently escalated the call to their 'system administrators', and I'm in a holding pattern.

Thanks to all who weighed in!

[slimslob]

Point taken.
Thank you.

As for the TLS issue....it's had very little affect on me, and has actually been a good excuse to get some of the customers off my mail server as they call in to report their scanning issues.
It just seemed to me that there MUST be something on their end blocking the connection, and I'm positive I'm not the only one who has complained, and suggesting to me that I just use the non-ssl setup wasn't an acceptable solution.

They've been pretty good at making some suggestions, but most of them had already been tried - particularly their suggestion to disable TLS 1.0 / 1.1 which Tim suggested right out of the gate.
Thus far, they've been unable to find a solution for me, but they have apparently escalated the call to their 'system administrators', and I'm in a holding pattern.

Thanks to all who weighed in!

Is there anything common between the customers have the problem? Like maybe the same ISP or the same DSL or cable modem. I know there used to be a problem with the Motorola NVG410 DSL modem that ATR&T Uverse used would actually block all common SMTP ports going to any mail server except theirs. The only work around other than use their SMTP was to go with a hosting service like GoDaddy whose email hosting allowed Port 80 usage. Port 80 is the common port for HTTP and to block it would block nearly all internet access.

[sandmanmac]

Is there anything common between the customers have the problem? Like maybe the same ISP or the same DSL or cable modem. I know there used to be a problem with the Motorola NVG410 DSL modem that ATR&T Uverse used would actually block all common SMTP ports going to any mail server except theirs. The only work around other than use their SMTP was to go with a hosting service like GoDaddy whose email hosting allowed Port 80 usage. Port 80 is the common port for HTTP and to block it would block nearly all internet access.

Thanks Tim.
No, it's not just them, I've been fooling around with multiple devices here at my home office too.
No joy