Postfix TLS over SMTP - RCPT TO prompts renegotiation then 554 5.5.1 Error: no valid recipients
Solution 1
Pressing "R" in an s_client session causes openssl to renegotiate. Try entering "rcpt to:" instead of "RCPT TO".
You might also try tools that are more suited to SMTP-specific testing, such as Tony Finch's smtpc or swaks.
Solution 2
It's a design flaw in openssl. As @jj33 alludes, the R at the beginning of a line causes openssl to renegotiate.
Start openssl s_client with the -quiet option. I use:
openssl s_client -starttls smtp -quiet -connect $HOST:$PORT
Granted, you will not see as much debugging output for the certificate. If it fails to verify the cert, you may need to add that option.
Hat tips:
- 200_success
- jj33
https://serverfault.com/a/336657/238998
I didn't mean to steal your answer, but I thought it better if there is an actual answer which fully explains the work-around, rather than for people to fish in comments.
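The lowercase workaround from the answers above, generalized as an added example (not code from either answer or from OpenSSL): it lowercases any SMTP verb that starts with R or Q, and flags message lines after DATA that would hit the same s_client behaviour. The names s_client_safe and sample_dialogue are hypothetical, and the example.test addresses are constructed sample input.

```shell
# Added example. s_client_safe and sample_dialogue are hypothetical names.
# Interactive s_client (no -quiet) consumes lines that start with R or Q.
# SMTP verbs are case-insensitive, so in the command phase the verb is
# lowercased. Message lines after DATA cannot be rewritten without changing
# the mail, so they are reported on stderr and the exit status becomes 1.
s_client_safe() {
    awk '
        in_data {
            if ($0 == ".") {
                in_data = 0
            } else if ($0 ~ /^[RQ]/) {
                printf("line %d starts with %s: use -quiet\n", NR, substr($0, 1, 1)) > "/dev/stderr"
                bad = 1
            }
            print
            next
        }
        /^[RQ]/ {
            match($0, /^[A-Za-z]+/)
            $0 = tolower(substr($0, 1, RLENGTH)) substr($0, RLENGTH + 1)
        }
        toupper($0) ~ /^DATA[ \t]*$/ { in_data = 1 }
        { print }
        END { exit bad + 0 }
    '
}

# Constructed sample dialogue; the addresses are placeholders.
sample_dialogue() {
    printf '%s\n' \
        'EHLO client.example.test' \
        'MAIL FROM:<a@example.test>' \
        'RCPT TO:<b@example.test>' \
        'DATA' \
        'Subject: test' \
        'Reply-To: a@example.test' \
        '' \
        'body' \
        '.' \
        'QUIT'
}
```

Running `sample_dialogue | s_client_safe` prints the dialogue with `rcpt` and `quit` lowercased and exits 1 because of the `Reply-To:` header line, which only the -quiet option handles.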
Comments
-
lol almost 2 years
I've set up ispconfig3 on my debian six server, and here is a little smtp over ssl:
The server is postfix
AUTH PLAIN (LOL!)
235 2.7.0 Authentication successful
MAIL FROM: [email protected]
250 2.1.0 Ok
RCPT TO: [email protected]
RENEGOTIATING
depth=0 /C=AU/ST=NSW/L=Sydney/O=Self-Signed Key! Procees with caution!/OU=Web Hosting/[email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=AU/ST=NSW/L=Sydney/O=Self-Signed Key! Procees with caution!/OU=Web Hosting/[email protected]
verify return:1
DATA
554 5.5.1 Error: no valid recipients
but, the thing is, if I just do a vanilla telnet over port 25 I can authenticate and send mail like a madman... hopefully this is enough information! (as opposed to 'mail.app can't handle ssl!')
-
adaptr over 12 years
Not by a long shot. Provide the output from postconf -n and the relevant part of your mail log (the part containing the entire transaction from beginning to end).
-
Andy Smith over 12 years
Have you tried another RCPT TO: [email protected]?
-
jj33 over 12 years
possible duplicate of Exim TLS and Secure SMTP
-
jj33 over 12 years
Ooh, I like the automatic comments when you flag as a dupe, nice touch. It's not super obvious that the questions are duplicates since they're using different MTAs and @lol didn't say that he was using s_client to test, but he is, and they are =)
-
lol over 12 years
really, you're beautiful people. you can have a doctorate in methods in computing but if you simply are not well versed in using programs you still need community help! I <3 stack overflow. In terms of the actual duplicate post - what should I do? (since the tags and the title in no way reflect what is actually going on in the tty) ...?
-
jj33 over 12 years
re: the dupe... I'd leave the question alone. Its completely different wording for the same problem may help other users find it. If the community wants it closed as a dupe, they can vote for it to be closed (as I did).
-
lol over 12 years
+1 for case sensitivity... you're never too old to forget what is and isn't case sensitive!
-
jj33 over 12 years
To be clear, s_client is just wrong here. You were correct in principle for using "RCPT TO". It's completely braindead that a plain text "R", in a tool that's made for typing text into, causes a renegotiate. The fact that you can get around it by using "rcpt to" is just a way to work around the bug/poor implementation decision in s_client.
-
lol over 12 years
Thanks, I will keep that in mind - I'm migrating from a play server -> a production one (with real ssl!) and so I haven't used all the security tools before, just learned about the unsecured transport protocols :)
-
bot47 over 9 years
Oh my goodness. OpenSSL, what did you smoke? :'(
-
binki over 8 years
It’s behavior that could be useful, but on by default? When I saw the message I assumed the renegotiation was caused by the server and there was a bug there. (Sorry for this “me too!” post)
-
Icebreaker over 7 years
Another workaround is to use openssl s_client -quiet, which suppresses the interactive interpretation of R and Q characters.
-
Kishan K over 6 years
o-m-g saved my day
-
niknah about 5 years
This only happens if R is on the start of the line. Note that the "MAIL FROM" command didn't do a renegotiation.
-
Admin about 2 years
MAIL FROM: and DATA commands can be sent as upper case, but RCPT TO: must be sent in lowercase like this rcpt to:. Someone not in mood for too much testing before releasing :)