STARTTLS not working?

Discussion forum for Enterprise Edition.
Matth
Posts: 133
Joined: Fri Nov 08, 2002 8:34 am
Location: Hong Kong

STARTTLS not working?

Post by Matth »

I am trying to troubleshoot a problem with an iPhone. So I was checking what kind of SSL certificate MailEnable is sending back.

So I connected to IMAP via Port 465 to check the certificate from a linux machine.

Code:

openssl s_client -connect mail.domain.com:465 -servername mail.domain.com
That gave me the proper certificate back that I actually expected. So that seems fine. Same via port 993.

Then I was curious to check if STARTTLS is working on the SMTP Port 25. I connected again from my linux machine:

Code:

openssl s_client -connect mail.domain.com:25 -starttls smtp
But that didn't work, I only get an error back:

Code:

140257658393920:error:0200206E:system library:connect:Connection timed out:../crypto/bio/b_sock2.c:110:
140257658393920:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=110
When I telnet into the server on port 25 it does claim that STARTTLS is available. So why does it not work?

Code:

220 mail.domain.com ESMTP MailEnable Service, Version: 10.31--10.31 ready at 10/01/21 23:34:26
ehlo
250-mail.domain.com [5.xxx.xxx.xxx], this server offers 7 extensions
250-AUTH NTLM CRAM-MD5 LOGIN
250-SIZE 0
250-HELP
250-AUTH=LOGIN
250-STARTTLS
250-XSAVETOSENT
250 X-SAVETOSENT
I also tried connecting from Outlook using Port 25 and TLS, but that also returned an error message.

Code:

Send test e-mail message: Outlook cannot connect to your outgoing (SMTP) e-mail server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).
What is missing to make STARTTLS work?

cfdynamics
Posts: 154
Joined: Mon May 24, 2010 2:27 pm

Re: STARTTLS not working?

Post by cfdynamics »

Do you have a SSL cert assigned to mailenable for use?
Kent Runyan
CFDynamics.com
Providing World Class Hosting Solutions for over two decades.

Matth
Posts: 133
Joined: Fri Nov 08, 2002 8:34 am
Location: Hong Kong

Re: STARTTLS not working?

Post by Matth »

Yes, of course.

cfdynamics
Posts: 154
Joined: Mon May 24, 2010 2:27 pm

Re: STARTTLS not working?

Post by cfdynamics »

Sorry. Just had to start with the basic thing that could be missed.
We've never had any difficulties getting STARTTLS/SSL to work, so the only other thing I would think could be missing is in the SMTP connector settings, Inbound tab > Port Settings.

normally leave port 25 to not require SSL

port 587 is typically set as an alternate port

under additional ports:
port 465 is typically configured to require SSL and Auth
Kent Runyan
CFDynamics.com
Providing World Class Hosting Solutions for over two decades.

Matth
Posts: 133
Joined: Fri Nov 08, 2002 8:34 am
Location: Hong Kong

Re: STARTTLS not working?

Post by Matth »

That is pretty much how I have set it up.

Port 25 is set up to "Always allow authentication", with both checkmarks unticked.

Then I defined Port 465 as an alternative port, which requires both SSL and connections to authenticate before sending email. It "Only allow secure authentication (using SSL or TLS)".

I can connect using SSL on Port 465. But my understanding is that STARTTLS should allow a client to connect to port 25 unsecured and then negotiate an encrypted connection to continue. And that's not working.

cfdynamics
Posts: 154
Joined: Mon May 24, 2010 2:27 pm

Re: STARTTLS not working?

Post by cfdynamics »

Does this work on the ME server?

telnet localhost 25

Then type:

EHLO

Next:

starttls
Kent Runyan
CFDynamics.com
Providing World Class Hosting Solutions for over two decades.

Matth
Posts: 133
Joined: Fri Nov 08, 2002 8:34 am
Location: Hong Kong

Re: STARTTLS not working?

Post by Matth »

It does work up to that point, yes.

Code:

220 domain.com ESMTP MailEnable Service, Version: 10.31--10.31 ready at 10/15/21 23:16:36
ehlo
250-domain.com [::1], this server offers 7 extensions
250-AUTH NTLM CRAM-MD5 LOGIN
250-SIZE 0
250-HELP
250-AUTH=LOGIN
250-STARTTLS
250-XSAVETOSENT
250 X-SAVETOSENT
starttls
220 Ready to start TLS
454 TLS not available due to temporary reason
After that, it lost the connection to the host and I was back at the DOS prompt. But when I tried again with

Code:

openssl s_client -connect mail.domain.com:25 -starttls smtp

from a non-local Linux machine, it takes a very long time and eventually it comes back with this error:

Code:

140240614282560:error:0200206E:system library:connect:Connection timed out:../crypto/bio/b_sock2.c:110:
140240614282560:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=110
After searching for the above error:0200206E I found a page that claimed it was not working from their provider side. So I just tried it from my office computer and ran the same Linux openssl command and received the following success message:

Code:

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = domain.com
verify return:1
---
Certificate chain
 0 s:CN = domain.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF...
...ZhC8QiNrAJHiLbmGGOURiiV0yqNcZUf8j
-----END CERTIFICATE-----
subject=CN = domain.com

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3736 bytes and written 488 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 3072 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 5604000001A692984BB...198148A6198DBF4F9B77
    Session-ID-ctx:
    Master-Key: 3977ACFE09FA588E....7CA9313689EAA5859CEC7DA
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1634311560
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 X-SAVETOSENT
read:errno=0
So it seems it is working; it is just my home network that is somehow blocking this. Strangely enough.

Thanks for your help.
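The thread above mixes two different failures: port 25 not reachable at all (the openssl connect timeout from the home network) and the server advertising STARTTLS but then answering "454 TLS not available" (the local telnet test). A small Python diagnostic, added here as an example and not code from MailEnable or from any poster, separates those stages the way the telnet and openssl steps do. It uses only the standard library (smtplib, ssl); the host name in the usage line is a placeholder, and SAMPLE_EHLO is a copy of the EHLO transcript from this thread used as constructed test input.

```python
"""STARTTLS diagnostic for an SMTP port (added example, not MailEnable's code)."""
import smtplib
import socket
import ssl
from typing import Dict, List, Union

# Constructed sample: the EHLO reply copied from the telnet transcript above.
SAMPLE_EHLO = """\
250-mail.domain.com [5.xxx.xxx.xxx], this server offers 7 extensions
250-AUTH NTLM CRAM-MD5 LOGIN
250-SIZE 0
250-HELP
250-AUTH=LOGIN
250-STARTTLS
250-XSAVETOSENT
250 X-SAVETOSENT"""


def parse_ehlo(reply: Union[str, bytes]) -> Dict[str, str]:
    """Map advertised ESMTP extensions to their parameters.

    Accepts either the raw '250-' lines as seen in telnet or the message
    bytes that smtplib.SMTP.ehlo() returns (which have the codes stripped).
    The first line is the server's greeting, not an extension, so it is skipped.
    """
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    lines: List[str] = []
    for line in reply.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("250") and len(line) > 3 and line[3] in "- ":
            line = line[4:]
        lines.append(line)
    extensions: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, params = line.partition(" ")
        extensions[name.upper()] = params.strip()
    return extensions


def classify_starttls_reply(code: int) -> str:
    """Interpret the server's numeric reply to the STARTTLS command (RFC 3207)."""
    if code == 220:
        return "ready"              # proceed with the TLS handshake
    if code == 454:
        return "temporary_failure"  # advertised, but TLS cannot be started now
    if code in (500, 501, 502):
        return "not_supported"
    return "unexpected"


def check_starttls(host: str, port: int = 25, timeout: float = 15.0,
                   verify: bool = True) -> Dict[str, object]:
    """Connect, EHLO, and try STARTTLS; report which stage failed and why."""
    result: Dict[str, object] = {"host": host, "port": port}
    context = ssl.create_default_context()
    if not verify:  # only for checking a host through a non-matching name
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, msg = smtp.ehlo()
            result["ehlo_code"] = code
            extensions = parse_ehlo(msg)
            result["extensions"] = sorted(extensions)
            if "STARTTLS" not in extensions:
                result["status"] = "not_advertised"
                return result
            try:
                code, _ = smtp.starttls(context=context)
            except smtplib.SMTPResponseException as exc:
                # The server answered the command but refused to start TLS (e.g. 454).
                result["starttls_code"] = exc.smtp_code
                result["status"] = classify_starttls_reply(exc.smtp_code)
                return result
            except ssl.SSLError as exc:
                # Seen when the server says 220 and then sends plaintext
                # (such as a trailing 454 line) instead of a TLS ServerHello.
                result["status"] = "handshake_failed"
                result["detail"] = str(exc)
                return result
            result["starttls_code"] = code
            result["status"] = "tls_established"
            tls_sock = smtp.sock
            result["tls_version"] = tls_sock.version()
            result["cipher"] = tls_sock.cipher()[0]
            if verify:
                result["peer_subject"] = tls_sock.getpeercert().get("subject")
    except (socket.timeout, TimeoutError):
        # No TCP connection at all: a firewall or ISP block, not a server setting.
        result["status"] = "connect_timeout"
    except ConnectionRefusedError:
        result["status"] = "connection_refused"
    except (OSError, smtplib.SMTPException) as exc:
        result["status"] = "error"
        result["detail"] = str(exc)
    return result


if __name__ == "__main__":
    # Placeholder host; replace with the server under test.
    print(check_starttls("mail.example.invalid", 25))
```

A "connect_timeout" result points at the network path (the home-network case above), a "temporary_failure" or "handshake_failed" result points at the server's TLS binding on that port, and "tls_established" reports the negotiated protocol, cipher and certificate subject much like the openssl output shown earlier.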

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: STARTTLS not working?

Post by MailEnable-Ian »

Hi,

You can't enable a port to require SSL and also use TLS. If you would like the client to authenticate securely over TLS, then you need to configure port 465 to not "Require SSL" and set the authentication method to "Only allow secure authentication (using SSL or TLS)". Then configure the client to use TLS auth.
Regards,

Ian Margarone
MailEnable Support
