POSTFIX can't connect from SMTP with TLS
Solution 1
The STARTTLS command indicates that the client wants to upgrade the connection to TLS. After the successful response from the server the client should now upgrade the connection to TLS. openssl s_client ... -starttls smtp does exactly this, i.e. it initiates a TLS handshake with the server and lets the user talk to the server using the now encrypted connection once this handshake is done.

Your attempt to do this with telnet instead does no upgrade to TLS. telnet has no idea of how a TLS handshake should be done or when it should be done. This means you just continue to talk in plain text with the server even though the server expects the start of a TLS handshake. That's why your server attempts to interpret your auth plain ... as a TLS ClientHello and, since it is not TLS, fails to proceed and emits the error message you see.

In short: you cannot use telnet for this.
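As an added example (not code from either answer), here is the upgrade step the answer describes, written against a raw socket so the exact moment the TCP connection switches from plain SMTP to TLS is visible; the host, port and client EHLO name are assumptions, and parse_ehlo_reply only exists so the reply parser can be exercised without a server.

```python
import io
import socket
import ssl

def read_reply(f):
    """Read one SMTP reply (multi-line allowed); return (code, raw lines)."""
    lines = []
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("Connection closed by foreign host.")
        lines.append(line.rstrip(b"\r\n"))
        if line[3:4] != b"-":      # "250-" continues, "250 " (or bare "250") ends
            return int(line[:3]), lines

def capabilities(lines):
    """EHLO continuation lines -> {'STARTTLS', 'AUTH PLAIN', ...}."""
    return {l[4:].decode() for l in lines[1:]}      # lines[0] is the hostname

def parse_ehlo_reply(data):
    """(code, capability set) for an EHLO reply held in memory (offline check)."""
    code, lines = read_reply(io.BytesIO(data))
    return code, capabilities(lines)

def starttls_session(host, port=587, helo="client.example.test"):
    """EHLO, STARTTLS, wrap the same TCP socket in TLS, EHLO again, QUIT.
    Returns the capability set the server announces inside the TLS session."""
    ctx = ssl.create_default_context()          # verifies the server certificate
    raw = socket.create_connection((host, port), timeout=10)
    f = raw.makefile("rb")
    code, _ = read_reply(f)
    if code != 220:
        raise ConnectionError("no 220 greeting")
    raw.sendall(b"EHLO " + helo.encode() + b"\r\n")
    if "STARTTLS" not in capabilities(read_reply(f)[1]):
        raise ConnectionError("server does not offer STARTTLS")
    raw.sendall(b"STARTTLS\r\n")
    if read_reply(f)[0] != 220:
        raise ConnectionError("STARTTLS refused")
    # The step telnet skips: the next bytes on this connection must be a TLS
    # ClientHello. Sending "AUTH PLAIN" here instead is what Postfix logs as
    # "SSL_accept error ... wrong version number".
    tls = ctx.wrap_socket(raw, server_hostname=host)
    tf = tls.makefile("rb")
    tls.sendall(b"EHLO " + helo.encode() + b"\r\n")  # EHLO again: TLS resets state
    caps = capabilities(read_reply(tf)[1])
    tls.sendall(b"QUIT\r\n")
    tls.close()
    return caps
```

Calling starttls_session("smtp.gmail.com") from a shell with network access returns the capabilities offered after the upgrade; against a self-signed server like the one in the question the default context will refuse the certificate, which is the expected outcome until a trusted certificate is installed.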
Solution 2
telnet client/program with SSL and STARTTLS support [debugging]

You can use the telnet-ssl package (available on Linux/Debian) instead of telnet to get a telnet client supporting:

- "SSL at once" (smtps on port 465):
  telnet -z ssl smtp.gmail.com 465
  telnet -z ssl -z verbose -z debug smtp.gmail.com 465
- STARTTLS command during the SMTP session: issue the startssl telnet command after the starttls SMTP command. Use the Ctrl-] keyboard sequence to switch from the SMTP session to telnet command mode.
Furkan Kıyıkçı, updated on September 18, 2022
Comments
-
Furkan Kıyıkçı over 1 year: Thanks all for helping me :). I was working on a direct bulk mail sender project; my program was running properly, then it gave me an error, and I spent too much time searching through articles and debugging (very low level) in the last 2 days (I'm asleep). The problem was caused by a little thing, "str(email)": email represents the sender list (for bulking different accounts) and it's supposed to be a list, not a str :/. It took sooo much time, but on this journey I've learned a lot of cool things :). Shortly: don't be afraid to make little mistakes.
I can connect with external openssl but couldn't with telnet (on mail.example.com:587).
openssl s_client -starttls smtp -connect mail.example.com:587
After I execute starttls in the SMTP session: connection closed by foreign host.
mail.log
Dec 6 15:45:45 example postfix/submission/smtpd[5149]: connect from unknown[********]
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: SSL_accept error from unknown[********]: -1
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: lost connection after STARTTLS from unknown[*******]
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: disconnect from unknown[*********] ehlo=1 starttls=0/1 commands=1/2
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
local_recipient_maps = unix:passwd.byname $alias_maps
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = mail.example.com,example.com, localhost,localhost.localdomain
mydomain = example.com
myhostname = mail.example.com
mynetworks = 168.100.189.0/28, 127.0.0.0/8,***.**.***.**/25
myorigin = /etc/mailname
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:12301
recipient_delimiter = +
sendmail_path = /usr/sbin/postfix
setgid_group = postdrop
smtp_tls_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_milters = inet:localhost:12301
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = auth/dovecot
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/postfix/cert-20181202-231932.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/postfix/key-20181202-231932.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtputf8_enable = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
master.cf
smtp       inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen
#smtpd     pass  -       -       y       -       -       smtpd
#dnsblog   unix  -       -       y       -       0       dnsblog
#tlsproxy  unix  -       -       y       -       0       tlsproxy
#submission inet n       -       y       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_wrappermode=no
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_sasl_type=dovecot
#  -o smtpd_sasl_path = auth/dovecot
  -o smtpd_sasl_path=private/auth
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions= permit_mynetworks,permit_sasl_authenticated,reject
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
dovecot.conf
disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = maildir:~/Maildir
auth_mechanisms = plain
auth_username_format ="%Ln"
userdb {
  driver = passwd
}
passdb {
  args = %s
  driver = pam
}
protocols = " imap"
protocol imap {
  mail_plugins = " auto"
}
plugin {
  autocreate = Trash
  autocreate2 = Sent
  autosubscribe = Trash
  autosubscribe2 = Sent
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
listen = *
ssl=yes
ssl_cert = </etc/postfix/cert-20181202-231932.pem
ssl_key = </etc/postfix/key-20181202-231932.pem
netstat
netstat --proto=inet -pnl | grep 587
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      5073/master
openssl s_client -starttls smtp -connect mail.example.com:587
CONNECTED(00000003)
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
******************************
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2531 bytes and written 302 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E34DC2BC95BF207D4B5E38C6FABD2A25AC43290A994C50C7AEC183CA224A31D2
    Session-ID-ctx:
    Master-Key: 0413A1112B664D6FA2EA348D70F6614AF5567338F0C61FDDC62030DC24A9C7719332CE322960AC5DD1D84A1205E2B0B9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 97 4c 40 cf ae aa cc f3-32 80 52 0d fe 9f c0 da   .L@.....2.R.....
    0010 - a5 b8 3f 3c 0d ae 29 a7-88 b4 c1 6b 65 bf 38 e0   ..?<..)....ke.8.
    0020 - cc f9 05 93 43 4f 60 d4-a2 0f 3e 27 88 3e 13 1b   ....CO`...>'.>..
    0030 - 6a 31 01 86 5a 83 4c 80-a4 c4 5f 6b 6c bb ee e6   j1..Z.L..._kl...
    0040 - 5c 02 71 e1 2f 1e 96 38-4c 58 65 02 2e 89 78 96   \.q./..8LXe...x.
    0050 - 45 a6 b5 0c b4 b5 b6 61-65 c5 43 37 8d 4c 82 99   E......ae.C7.L..
    0060 - 88 2f 48 98 ce 9a 68 35-d8 1a b8 86 ff 3b ce 15   ./H...h5.....;..
    0070 - 0e e2 fd 02 60 07 1b 2a-2c 6d 0d 3b 32 25 f9 0d   ....`..*,m.;2%..
    0080 - d6 f8 31 2f 04 88 84 c9-bb 98 b3 fa ee 72 bd c1   ..1/.........r..
    0090 - 75 29 31 29 cb 68 99 36-49 77 4e 4a 07 71 ed 6c   u)1).h.6IwNJ.q.l
    00a0 - 20 88 c3 4d f3 d1 1c 3e-a4 16 7a 53 53 8b 51 17    ..M...>..zSS.Q.

    Start Time: 1544115275
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
250
telnet mail.example.com 587
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Ubuntu)
ehlo mail.example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
starttls
220 2.0.0 Ready to start TLS
auth plain AHJvb3QAZXhhbXBsZXBhc3M=
Connection closed by foreign host.
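As an added example (not part of the question or its answers), a small triage script for the mail.log pattern shown above: it pairs the SSL_accept error and the "wrong version number" warning with the per-session disconnect counters of each smtpd process, so an operator can list the clients that kept sending plaintext SMTP after "220 Ready to start TLS", whether misconfigured clients or probes. The sample log lines are constructed in the same format with documentation-range IPs, not the poster's addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the mail.log excerpt above; the client
# addresses are made-up documentation-range IPs, not the poster's.
SAMPLE_LOG = """\
Dec 6 15:45:45 example postfix/submission/smtpd[5149]: connect from unknown[192.0.2.10]
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: SSL_accept error from unknown[192.0.2.10]: -1
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: lost connection after STARTTLS from unknown[192.0.2.10]
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: disconnect from unknown[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
Dec 6 15:46:02 example postfix/submission/smtpd[5150]: connect from unknown[198.51.100.7]
Dec 6 15:46:03 example postfix/submission/smtpd[5150]: disconnect from unknown[198.51.100.7] ehlo=2 starttls=1 auth=1 quit=1 commands=5
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/\S+\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = re.compile(r"from (?P<client>\S+\[[^\]]*\])")

def triage_starttls(log_text):
    """One record per smtpd session whose STARTTLS did not complete, with a reason.
    Sessions are keyed by smtpd PID and closed on 'disconnect from', because
    Postfix reuses the same smtpd process for later connections."""
    sessions = defaultdict(dict)
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        c = CLIENT.search(msg)
        if c:
            s["client"] = c["client"]
        if msg.startswith("SSL_accept error"):
            s["accept_error"] = True
        if "wrong version number" in msg:
            s["plaintext_after_starttls"] = True   # record was not a TLS ClientHello
        if msg.startswith("disconnect from"):
            counters = dict(kv.split("=", 1) for kv in msg.split()[3:])
            reason = None
            if s.get("plaintext_after_starttls"):
                reason = "client kept talking plaintext SMTP after 220 Ready to start TLS"
            elif s.get("accept_error"):
                reason = "TLS handshake failed (see the TLS library problem line)"
            if reason:
                findings.append({"time": m["ts"], "pid": m["pid"], "client": s.get("client"),
                                 "starttls": counters.get("starttls"), "reason": reason})
            del sessions[m["pid"]]
    return findings
```

Run it over a real file with triage_starttls(open("/var/log/mail.log").read()); a starttls counter of 0/1 in a finding means the client asked for STARTTLS once and never completed it.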
-
Steffen Ullrich over 5 years: "... i can connect with external openssl but couldnt with telnet(on mail.example.com:587) .." - it is unclear what you are doing here. Please provide the exact output of openssl s_client and also provide what exactly you tried with telnet. In general both s_client and telnet create a TCP connection first and it makes no sense that one will succeed in doing this while the other does not (from the same host). So you do something different, like using the wrong port with telnet, connecting from a different system or having some specific understanding of "cant connect" which you don't tell us.
-
Furkan Kıyıkçı over 5 years: First of all, thanks for the reply. I need to configure this mail server to send mail with TLS; I also need to connect to the server through SMTP to send mails from an external program which uses the telnet SMTP protocol.
-
Michael Hampton over 5 years: It appears you are already finished and everything is working correctly. What problem are you having?
-
Furkan Kıyıkçı over 5 years: @MichaelHampton I can connect to the server with SMTP, but when I start TLS with starttls the connection is lost and mail.log says "SSL_accept error".
-
Michael Hampton over 5 years: Did you actually try sending mail?
-
Furkan Kıyıkçı over 5 years: Yes I did, "mail [email protected]" sends mail with TLS encryption from the server; there is no problem here. The problem starts when I try SMTP with starttls.
-
Furkan Kıyıkçı over 5 years: @SteffenUllrich
-
Furkan Kıyıkçı over 5 years: @MichaelHampton
-
Furkan Kıyıkçı over 5 years: Thanks for the information, but Gmail services allow starttls from telnet, am I wrong? How is this possible then? (I'm a newbie, sorry if this question looks a bit silly.)
-
Furkan Kıyıkçı over 5 years: And how can I build a non-secure connection from telnet to the server, and TLS for the server-to-other-server communication?
-
Steffen Ullrich over 5 years: @FurkanKıyıkçı: "... but in gmail services allow to starttls from telnet,am i wrong .." - gmail just requires a client which can speak the text based SMTP protocol (which is possible with telnet) and can also do TLS when needed - which normal telnet does not support. openssl s_client -starttls smtp or python smtplib, on the other side, do support it.