Enable TLS 1.2 for SQL Server 2016 database mail

Question

I have been puzzled by this issue for almost 1 week. Hopefully someone in our community has experienced the same issue and already found a solution.

So here is my problem:

As per our company policy, we want database mail to be able to send emails over port 25 with TLS 1.2 enabled and with TLS 1.0 & TLS 1.1 disabled.

Our mail server is Exchange Server 2010, our SQL Server 2016 (Developer and Enterprise editions) boxes have OS of Windows Server 2016 Standard editions.

Our SQL Server version is:

select @@version
----------------------------------------
Microsoft SQL Server 2016 (SP1-CU7-GDR) (KB4057119) - 13.0.4466.4 (X64) 
    Dec 22 2017 11:25:00 
    Copyright (c) Microsoft Corporation
    Developer Edition (64-bit) on Windows Server 2016 Datacenter 10.0 <X64> (Build 14393: ) (Hypervisor)

We have the DB mail configuration as shown here.

The issue is whenever we turn on SSL

use msdb
exec dbo.sysmail_update_account_sp @account_id=2, @enable_ssl = 1;

We CANNOT send db mail (no matter whether our SMTP authentication is Windows Authentication, Basic authentication or Anonymous Authentication). The error message in db mail log is as follows:

Message

The mail could not be sent to the recipients because of the mail server failure. (Sending Mail using Account 2 (2018-07-30T10:52:41). Exception Message: Cannot send mails to mail server. (Failure sending mail.). )

But if we turn off this SSL, there is no problem for db mail sent out.

So how can we enable SSL and uses TLS 1.2 for db mail?

I have enabled TLS 1.2 by adding registry as shown below

The details is from this link (see the FAQ section)

Answer 1

TLS1.2 is the only version of TLS considered secure now (March 2019). It took considerable time and effort to discover that there are 2 essential, additional settings which are required to get this working which are not well known nor well documented, by Microsoft or on the web generally. The following could save you a great deal of time and effort.

These are the 2 new Registry settings that fixed the problem for us:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

This is a reference to the thread where we eventually found this information, buried halfway down the thread: TLS 1.2 in .NET Framework 4.0

Below is the content for a simple executable registry file that I put together that will make the 2 new settings and the settings already shown on the thread above (i.e. this makes all of the necessary Registry settings*):

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

Note 1: SQL needs to be restarted for these settings to take affect but it is better to restart Windows since the new settings will affect .NET 4.x generally.

Note 2: In SQL, the SSL-checkbox must be ticked in the mail profile to use TLS1.2.

*Note 3: FYI We ran the free tool, Crypto V2, with the "Best Practices" option enabled before starting on getting this working. We verified our changes afterwards using the new Crypto version 3.

Hopefully this will save considerable time, effort and frustration for others ;)

Answer 2

It's odd because the linked article clearly states:

Support for TLS v1.2 included in the .NET Framework version 3.5 SP1 on Windows 8.1 and Windows Server 2012 R2

which contradicts the response you get from MS support. Edit: I found in this StackOverflow question that although .NET 3.5 didn't include support for TLS 1.2 at first it was added later by MS:

Support for TLS System Default Versions included in the .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1

Reading the FAQ section I think that the problem is that you missed one registry key when enabling TLS 1.2. The FAQ section says:

The correct registry settings are as follows:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
  "DisabledByDefault"=dword:00000000
  "Enabled"=dword:00000001 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
  "DisabledByDefault"=dword:00000000
  "Enabled"=dword:00000001  

These settings are required for both server and client computers.

But in the screen shot that you provided I only see "Enabled"=dword:00000001, the "DisabledByDefault"=dword:00000000 key is missing.

Also it says:

Is TLS 1.1 supported on SQL Server 2016?

Yes. SQL Server 2016 and SQL Server 2017 on Windows versions ship with TLS 1.0 to TLS 1.2 support. You have to disable TLS 1.0 and 1.1 if you want to use only TLS 1.2 for client-server communication.

which can be interpreted as that you need to disable TLS 1.0 and 1.1 in order to use 1.2, but I'm not sure about this one.

Answer 3

Since it seems nobody can answer this question, I opened a support case with Microsoft, and still it took almost 1 week for MS support to come back with an answer as he went through various internal resources to get the definite answer.

The summary is:

SQL Server Database mail uses System.Net.Mail to do the work, the System.Net.Mail is able to send mail using TLS 1.2 but only when the build runtime version is 4.6 or above. SQL Server 2016 db mail is built for .Net 3.5, hence SQL Server 2016 db mail does not support TLS 1.2 as of now.

Answer 4

We had a similar issue few weeks ago with SQLServer database mail. We use office365 SMTP server in Azure.

Configuration was "Windows 2012R2 + SQLServer 2012" and "Windows 2012R2 + SQLServer 2014".

Error on database mail was:

The message could not be sent to the recipients due to an email server error".

The error was not systematic. We suppose that when we reach an azure end point allowing TLS1.0 the email is well sent, but when we reach an end point using TLS1.2 our email is rejected.

If we analyze email header sent by database mail we can see that SMTP server use TLS1.2 but database mail sent email with TLS1.0 protocol.

Microsoft SMTP Server (version=TLS1_2,...)
Received: from ... with Microsoft SMTP Server (version=TLS1_0, ...

We fix the issue with adding following registry key on each server (Powershell Script)

#TLS1.2 configure strong encryption
#The strong cryptography uses more secure network protocols (TLS 1.2, TLS 1.1, and TLS 1.0) and blocks protocols that are not secure.
#64 bits applications
New-ItemProperty -Path "HKLM:\Software\Microsoft\.NETFramework\v2.0.50727" -Name "SchUseStrongCrypto" -Value "1"  -PropertyType "dword";
New-ItemProperty -Path "HKLM:\Software\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value "1"  -PropertyType "dword";
#32 bits applications
New-ItemProperty -Path "HKLM:\Software\WOW6432Node\Microsoft.NETFramework\v2.0.50727" -Name "SchUseStrongCrypto" -Value "1"  -PropertyType "dword";
New-ItemProperty -Path "HKLM:\Software\WOW6432Node\Microsoft.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -Value "1"  -PropertyType "dword";
#SystemDefaultTlsVersions
#A value of 1 causes your app to allow the operating system to choose the protocol
New-ItemProperty -Path "HKLM:\Software\Microsoft.NETFramework\v2.0.50727" -Name "SystemDefaultTlsVersions" -Value "1"  -PropertyType "dword";
New-ItemProperty -Path "HKLM:\Software\Microsoft.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value "1"  -PropertyType "dword";
#32 bits applications
New-ItemProperty -Path "HKLM:\Software\WOW6432Node\Microsoft.NETFramework\v2.0.50727" -Name "SystemDefaultTlsVersions" -Value "1"  -PropertyType "dword";
New-ItemProperty -Path "HKLM:\Software\WOW6432Node\Microsoft.NETFramework\v4.0.30319" -Name "SystemDefaultTlsVersions" -Value "1"  -PropertyType "dword";