LO39537: POSTINI USING SSL WITH 256BIT CIPHER CAUSES SMTP TASK TO PEG CPU

APAR status

• Closed as returned (APAR cannot be resolved without additional info from IBM or customer.)

Error description

• Inbound and outbound SMTP mail through Domino server to Postini
  Web Service for A/V AntiSpam pegs the CPU
  by the SMTP task when using STARTTLS and SSL protocol and the
  256 bit ESA cipher available in the 8 codestream.
  Debug indicates continuous connections which get broken by
  Postini after the RCPT TO: command and subsequent
  250 Recipient OK response. (This is during the inbound SMTP
  session on which we focussed.)
  There do NOT appear to be SSL Handshake errors, and the SSL
  conversation uses the
  RSA_WITH_AES_256_CBC_SHA cipher.
  Same Postini service can communicate without issue with Domino
  6.5.4 using STARTTLS and SSL.
  

Local fix

• Work around initially to disable STARTTLS and Negotiated SSL,
  but that was finally improved to reverting to the
  ciphers use in 6.5.4 by implementing the INI parameter:
  SSLCipherSpec=04050A
  This forces the use of ONLY the ciphers that were available in
  6.5.4
  
  This work around was tested and the 802FP1 domino servers will
  function normally and successfully using SSL (via the STARTTLS
  commands)
  with Postini as long as we use the old ciphers only.
  

Problem summary

Problem conclusion

Temporary fix

Comments

• This APAR is associated with SPR# ICRE7QYPGX.
  Development was not able to reproduce.  If reproducible case
   found in 8.5x, please reopen
  

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels