Postfix can't connect from SMTP with TLS


Solution 1

The STARTTLS command indicates that the client wants to upgrade the connection to TLS. After the successful response from the server, the client should now upgrade the connection to TLS. openssl s_client ... -starttls smtp does exactly this, i.e. it initiates a TLS handshake with the server and lets the user talk to the server over the now encrypted connection once this handshake is done.

Your attempt to do this with telnet instead does not upgrade to TLS. telnet has no idea of how a TLS handshake should be done or when it should be done. This means you just continue to talk in plain text with the server even though the server expects the start of a TLS handshake. That's why your server attempts to interpret your auth plain ... as a TLS ClientHello and, since it is not TLS, fails to proceed and emits the error message you see.

In short: you cannot use telnet for this.
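As an added illustration (not part of the original answer), the following Python reads the first bytes a client sends after the server's "220 Ready to start TLS" reply the way OpenSSL's record layer does, which is why plain text produces the "wrong version number" error, and flags the resulting Postfix log signature. The sample bytes, log lines and IP addresses are constructed.

```python
import re

# Constructed samples of the first bytes a client sends right after the
# server's "220 2.0.0 Ready to start TLS" reply: a TLS ClientHello record
# header (what openssl s_client sends) and the plain-text command the telnet
# session in the question sent instead (the base64 argument is a placeholder).
CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"
TELNET_AUTH = b"auth plain AAAA\r\n"

def classify_post_starttls(data: bytes) -> str:
    """Describe the first bytes the way OpenSSL's record layer reads them:
    one content-type byte, then a two-byte protocol version."""
    if len(data) < 6:
        return "too short"
    ctype, version = data[0], int.from_bytes(data[1:3], "big")
    if ctype == 0x16 and version >> 8 == 0x03:          # Handshake record, TLS 3.x
        return "tls handshake" + (" (ClientHello)" if data[5] == 0x01 else "")
    # 'a','u','t' -> content type 0x61, version 0x7574: this is the
    # "ssl3_get_record:wrong version number" that Postfix logged.
    return f"not TLS: content type 0x{ctype:02x}, version 0x{version:04x}"

# Constructed mail.log lines modelled on the question (IPs are placeholders).
SAMPLE_LOG = """\
Dec  6 15:45:45 example postfix/submission/smtpd[5149]: connect from unknown[192.0.2.10]
Dec  6 15:45:57 example postfix/submission/smtpd[5149]: SSL_accept error from unknown[192.0.2.10]: -1
Dec  6 15:45:57 example postfix/submission/smtpd[5149]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
Dec  6 15:45:57 example postfix/submission/smtpd[5149]: lost connection after STARTTLS from unknown[192.0.2.10]
Dec  6 15:45:57 example postfix/submission/smtpd[5149]: disconnect from unknown[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
Dec  6 15:46:10 example postfix/submission/smtpd[5150]: connect from unknown[192.0.2.11]
Dec  6 15:46:12 example postfix/submission/smtpd[5150]: disconnect from unknown[192.0.2.11] ehlo=2 starttls=1 auth=1 quit=1 commands=5
""".splitlines()

SMTPD_RE = re.compile(r"postfix/\S+/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)")
SIGNATURE = {"SSL_accept error", "wrong version number", "lost connection after STARTTLS"}

def diagnose_plaintext_after_starttls(lines):
    """Return smtpd pids whose session shows all three markers of a client
    that kept sending clear text after STARTTLS (starttls=0/1 means one
    attempt, none successful), so the failure is traced to the client side
    rather than to the server's certificate or TLS configuration."""
    hits = {}
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            hits.setdefault(m["pid"], set()).update(s for s in SIGNATURE if s in m["msg"])
    return sorted(pid for pid, seen in hits.items() if seen == SIGNATURE)
```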

Solution 2

telnet client/program with SSL and STARTTLS support [debugging]

You can use the telnet-ssl package (available on Linux/Debian) instead of telnet to get a telnet client supporting:

  • "SSL at once" (smtps on port 465)
    telnet -z ssl smtp.gmail.com 465
    telnet -z ssl -z verbose -z debug smtp.gmail.com 465
  • STARTTLS command during SMTP session
    Use the startssl telnet command after the starttls SMTP command.
    Use Ctrl-] keyboard sequence to switch from SMTP session to telnet commands mode

man telnet-ssl

Author by Furkan Kıyıkçı
Updated on September 18, 2022

Comments

  • Furkan Kıyıkçı
    Furkan Kıyıkçı over 1 year

    Thanks all for helping me :). I was working on a direct bulk mail sender project; my program was running properly, then it gave me an error, and I spent too much time searching through articles and doing (very low level) debugging in the last 2 days (I'm asleep). The problem was caused by a little thing, "str(email)": email represents the sender list (for bulking different accounts) and it's supposed to be a list, not a str :/. It took soooo much time, but in this journey I've learned a lot of cool things :). Shortly: don't be afraid to make little mistakes.

    I can connect with external openssl but couldn't with telnet (on mail.example.com:587).

    openssl s_client -starttls smtp -connect mail.example.com:587

    After I execute starttls in SMTP, the connection is closed by the foreign host.

    mail.log

    Dec  6 15:45:45 example postfix/submission/smtpd[5149]: connect from unknown[********]
    Dec  6 15:45:57 example postfix/submission/smtpd[5149]: SSL_accept error from unknown[********]: -1
    Dec  6 15:45:57 example postfix/submission/smtpd[5149]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:
    Dec  6 15:45:57 example postfix/submission/smtpd[5149]: lost connection after STARTTLS from unknown[*******]
    Dec  6 15:45:57 example postfix/submission/smtpd[5149]: disconnect from unknown[*********] ehlo=1 starttls=0/1 commands=1/2
    

    postconf -n

    alias_database = hash:/etc/aliases
    alias_maps = hash:/etc/aliases
    command_directory = /usr/sbin
    compatibility_level = 2
    daemon_directory = /usr/lib/postfix/sbin
    data_directory = /var/lib/postfix
    debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
    home_mailbox = Maildir/
    inet_interfaces = all
    inet_protocols = all
    local_recipient_maps = unix:passwd.byname $alias_maps
    mailbox_size_limit = 0
    milter_default_action = accept
    milter_protocol = 2
    mydestination = mail.example.com,example.com, localhost,localhost.localdomain
    mydomain = example.com
    myhostname = mail.example.com
    mynetworks = 168.100.189.0/28, 127.0.0.0/8,***.**.***.**/25
    myorigin = /etc/mailname
    newaliases_path = /usr/bin/newaliases
    non_smtpd_milters = inet:localhost:12301
    recipient_delimiter = +
    sendmail_path = /usr/sbin/postfix
    setgid_group = postdrop
    smtp_tls_ciphers = high
    smtp_tls_protocols = !SSLv2, !SSLv3
    smtp_use_tls = yes
    smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
    smtpd_helo_required = yes
    smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
    smtpd_milters = inet:localhost:12301
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain = $mydomain
    smtpd_sasl_path = auth/dovecot
    smtpd_sasl_security_options = noanonymous
    smtpd_sasl_type = dovecot
    smtpd_tls_cert_file = /etc/postfix/cert-20181202-231932.pem
    smtpd_tls_ciphers = high
    smtpd_tls_key_file = /etc/postfix/key-20181202-231932.pem
    smtpd_tls_loglevel = 1
    smtpd_tls_protocols = !SSLv2, !SSLv3
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may
    smtputf8_enable = yes
    tls_random_source = dev:/dev/urandom
    unknown_local_recipient_reject_code = 550
    virtual_alias_maps = hash:/etc/postfix/virtual
    

    master.cf

    smtp        inet  n       -       y       -       -       smtpd
    #smtp      inet  n       -       y       -       1       postscreen
    #smtpd     pass  -       -       y       -       -       smtpd
    #dnsblog   unix  -       -       y       -       0       dnsblog
    #tlsproxy  unix  -       -       y       -       0       tlsproxy
    #submission inet n       -       y       -       -       smtpd
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_wrappermode=no
      #-o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING
      -o smtpd_sasl_type=dovecot
    #  -o smtpd_sasl_path = auth/dovecot
      -o smtpd_sasl_path=private/auth
    
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions= permit_mynetworks,permit_sasl_authenticated,reject
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
    

    dovecot.conf

    disable_plaintext_auth = no
    mail_privileged_group = mail
    mail_location = maildir:~/Maildir
    auth_mechanisms = plain
    auth_username_format ="%Ln"
    userdb {
      driver = passwd
    }
    passdb {
      args = %s
      driver = pam
    }
    protocols = " imap"
    
    
    protocol imap {
      mail_plugins = " auto"
    }
    plugin {
      autocreate = Trash
      autocreate2 = Sent
      autosubscribe = Trash
      autosubscribe2 = Sent
    }
    service auth {
      unix_listener /var/spool/postfix/private/auth {
        group = postfix
        mode = 0660
        user = postfix
      }
    }
    listen = *
    ssl=yes
    ssl_cert = </etc/postfix/cert-20181202-231932.pem
    ssl_key = </etc/postfix/key-20181202-231932.pem
    

    netstat

    netstat --proto=inet -pnl | grep 587
    tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      5073/master  
    

    openssl s_client -starttls smtp -connect mail.example.com:587

    CONNECTED(00000003)
    depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
    verify return:1
    ---
    Certificate chain
     0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
       i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ******************************
    -----END CERTIFICATE-----
    subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
    issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 2531 bytes and written 302 bytes
    Verification error: self signed certificate
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: E34DC2BC95BF207D4B5E38C6FABD2A25AC43290A994C50C7AEC183CA224A31D2
        Session-ID-ctx: 
        Master-Key: 0413A1112B664D6FA2EA348D70F6614AF5567338F0C61FDDC62030DC24A9C7719332CE322960AC5DD1D84A1205E2B0B9
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        0000 - 97 4c 40 cf ae aa cc f3-32 80 52 0d fe 9f c0 da   .L@....2.R......
        0010 - a5 b8 3f 3c 0d ae 29 a7-88 b4 c1 6b 65 bf 38 e0   ..?<..)....ke.8.
        0020 - cc f9 05 93 43 4f 60 d4-a2 0f 3e 27 88 3e 13 1b   ....CO`...>'.>..
        0030 - 6a 31 01 86 5a 83 4c 80-a4 c4 5f 6b 6c bb ee e6   j1..Z.L..._kl...
        0040 - 5c 02 71 e1 2f 1e 96 38-4c 58 65 02 2e 89 78 96   \.q./..8LXe...x.
        0050 - 45 a6 b5 0c b4 b5 b6 61-65 c5 43 37 8d 4c 82 99   E......ae.C7.L..
        0060 - 88 2f 48 98 ce 9a 68 35-d8 1a b8 86 ff 3b ce 15   ./H...h5.....;..
        0070 - 0e e2 fd 02 60 07 1b 2a-2c 6d 0d 3b 32 25 f9 0d   ....`..*,m.;2%..
        0080 - d6 f8 31 2f 04 88 84 c9-bb 98 b3 fa ee 72 bd c1   ..1/.........r..
        0090 - 75 29 31 29 cb 68 99 36-49 77 4e 4a 07 71 ed 6c   u)1).h.6IwNJ.q.l
        00a0 - 20 88 c3 4d f3 d1 1c 3e-a4 16 7a 53 53 8b 51 17    ..M...>..zSS.Q.
    
        Start Time: 1544115275
        Timeout   : 7200 (sec)
        Verify return code: 18 (self signed certificate)
        Extended master secret: yes
    ---
    250 
    

    telnet mail.example.com 587

    Connected to mail.example.com.
    Escape character is '^]'.
    220 mail.example.com ESMTP Postfix (Ubuntu)
    ehlo mail.example.com
    250-mail.example.com
    250-PIPELINING
    250-SIZE 10240000
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 SMTPUTF8
    starttls
    220 2.0.0 Ready to start TLS
    auth plain AHJvb3QAZXhhbXBsZXBhc3M=
    Connection closed by foreign host.
    
    • Steffen Ullrich
      Steffen Ullrich over 5 years
      "... i can connect with external openssl but couldnt with telnet(on mail.example.com:587) .." - it is unclear what you are doing here. Please provide the exact output of openssl s_client and also provide what exactly you tried with telnet. In general both s_client and telnet create a TCP connection first and it makes no sense that one will succeed in doing this while the other does not (from the same host). So you do something different, like using the wrong port with telnet, connecting from a different system or having some specific understanding of "cant connect" which you don't tell us.
    • Furkan Kıyıkçı
      Furkan Kıyıkçı over 5 years
      First of all, thanks for the reply. I need to configure this mail server to send mail with TLS; also I need to connect to the server through SMTP to send mails from an external program which uses the telnet SMTP protocol.
    • Michael Hampton
      Michael Hampton over 5 years
      It appears you are already finished and everything is working correctly. What problem are you having?
    • Furkan Kıyıkçı
      Furkan Kıyıkçı over 5 years
      @MichaelHampton I can connect to the server with SMTP, but when I started TLS with starttls the connection was lost and mail.log says "SSL_accept error".
    • Michael Hampton
      Michael Hampton over 5 years
      Did you actually try sending mail?
    • Furkan Kıyıkçı
      Furkan Kıyıkçı over 5 years
      Yes I did, "mail [email protected]" sends mail with TLS encryption from the server; there is no problem here. The problem starts when I try SMTP with starttls.
    • Furkan Kıyıkçı
      Furkan Kıyıkçı over 5 years
      @SteffenUllrich
    • Furkan Kıyıkçı
      Furkan Kıyıkçı over 5 years
      @MichaelHampton
  • Furkan Kıyıkçı
    Furkan Kıyıkçı over 5 years
    Thanks for the information, but Gmail services allow starttls from telnet, am I wrong? How is this possible then? (I'm a newbie, sorry if this question looks a bit silly.)
  • Furkan Kıyıkçı
    Furkan Kıyıkçı over 5 years
    And how can I have no security from telnet to the server, and TLS in the server-to-other-server communication?
  • Steffen Ullrich
    Steffen Ullrich over 5 years
    @FurkanKıyıkçı: "... but in gmail services allow to starttls from telnet,am i wrong .." - Gmail just requires a client which can speak the text-based SMTP protocol (which is possible with telnet) and can also do TLS when needed, which normal telnet does not support. openssl s_client -starttls smtp or Python's smtplib, on the other hand, do support it.