How to use Default SMTP port with SSL-startTLS client requirement for no default 25 port insecure open

Discussion regarding the Standard version.
deepa
Posts: 44
Joined: Tue Mar 04, 2008 8:32 am

How to use Default SMTP port with SSL-startTLS client requirement for no default 25 port insecure open

Post by deepa »

Hi

We received a client requirement:


How to use Default SMTP port with SSL-startTLS client requirement for no default 25 port insecure open

We enabled the client's domain SSL in Mailenable - localhost - SSL,
and now to test we are using a different desktop with the openssl command, which gives errors.
Please suggest the correct steps.

The client wants not to enable any insecure SMTP port on the mail server, as per their audit;
however, if we disable port 25 then their incoming mails will stop coming.


PS C:\Program Files\OpenSSL-Win64\bin> .\openssl.exe s_client -connect domain.comn:25 -starttls smtp -tls1_2
Connecting to x.x.x.x
CONNECTED(00000200)
Didn't find STARTTLS in server response, trying anyway...
EC1B0000:error:0A000126:SSL routines::unexpected eof while reading:ssl\record\rec_layer_s3.c:701:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 258 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Protocol: TLSv1.2
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1755093962
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no

We have checked the SSL cert chain of the website; SSL is fine on the client server.
The client server is running both IIS (main website) and Mailenable Standard with 1-2 mailboxes, which they are using only for some code purpose.
Matth
Posts: 143
Joined: Fri Nov 08, 2002 8:34 am
Location: Hong Kong

Re: How to use Default SMTP port with SSL-startTLS client requirement for no default 25 port insecure open

Post by Matth »

Did you find a solution for this? While my Port 25 is open, I also get the same unexpected eof error when trying a TLS handshake. In my case, I can't configure a Vaultwarden instance to use the mail server to send out emails.
gxavier.bh
Posts: 150
Joined: Thu Nov 04, 2010 2:04 pm
Location: Belo Horizonte / Brazil

Re: How to use Default SMTP port with SSL-startTLS client requirement for no default 25 port insecure open

Post by gxavier.bh »

On Enterprise version, on SMTP properties, inbound tab, there is a field to enable starttls connections. Is this enough?
Matth
Posts: 143
Joined: Fri Nov 08, 2002 8:34 am
Location: Hong Kong

Re: How to use Default SMTP port with SSL-startTLS client requirement for no default 25 port insecure open

Post by Matth »

I have that field set, but it didn't help.
gxavier.bh
Posts: 150
Joined: Thu Nov 04, 2010 2:04 pm
Location: Belo Horizonte / Brazil

Re: How to use Default SMTP port with SSL-startTLS client requirement for no default 25 port insecure open

Post by gxavier.bh »

There is something you should understand. Port 25 is not authenticated, as you said, because otherwise no one on the planet will send emails to your server.
The test you are doing is a client - server type. As you are in the same network (if you configure your server to allow IP privileges on the relay tab of SMTP), Mailenable will always allow without authentication.
To prevent SMTP from relaying email without authentication, on SMTP properties -> relay tab -> force POP before SMTP authentication.
On Inbound tab -> port settings -> SMTP port 25, uncheck everything and select only allow secure authentication (using SSL or TLS).
After doing this, restart SMTP, go to Gmail or any other mail server and send an email to your domain, for test purposes only. Go to the SMTP log and look for the transaction receiving this email and see if you get STARTTLS on the connection.
Client <-> server on port 25 will never ask for authentication; otherwise, as I said, you won't receive e-mail from any service on the planet.
If you do not see a STARTTLS on this incoming connection, you have to use a mail proxy such as Proxmox Mail Gateway; it is free. All emails coming from the internet to my server pass through it; local users do not see this because they connect straight to Mailenable and Mailenable sends straight to the internet. PMG is for incoming mail only. After receiving and checking for spam, PMG relays to my server. My server never relays back to it. I set on the router that every connection on port 25 goes to PMG, and you can set port 26 to send from PMG to Mailenable. After that you can disable port 25 on Mailenable.
As per documentation: "Proxmox Mail Gateway uses opportunistic TLS encryption by default. The SMTP transaction is encrypted if the STARTTLS ESMTP feature is supported by the remote server. Otherwise, messages are sent unencrypted." Chapter 4.7.9, TLS, of this document:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html
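The openssl line "Didn't find STARTTLS in server response" in the first post means the EHLO reply on port 25 contained no STARTTLS line, which is the same thing the advice above asks you to look for in the SMTP log. As an added example (not from this thread, and not MailEnable's or Vaultwarden's code), the Python script below performs that check with only the standard library: parse_ehlo reads an EHLO reply for the STARTTLS extension, and probe_starttls does it live against a server with smtplib, upgrading the session when STARTTLS is offered and reporting the TLS version and cipher the server actually negotiated. The hostnames and the two sample EHLO replies are constructed for the example.

```python
"""
Check whether an SMTP server advertises STARTTLS in its EHLO reply and,
if it does, upgrade the session and report the negotiated TLS version.
Hostnames and the sample EHLO replies below are constructed for the example.
"""
import smtplib
import ssl
import sys

# Constructed sample EHLO replies (not captured from any real server).
EHLO_WITH_STARTTLS = (
    "250-mail.example.com Hello [203.0.113.5]\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250-STARTTLS\r\n"
    "250 OK\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.com Hello [203.0.113.5]\r\n"
    "250-SIZE 52428800\r\n"
    "250-AUTH LOGIN PLAIN\r\n"
    "250 OK\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply (RFC 5321) into
    {extension keyword in lowercase: parameter string}.
    The first line is the server greeting and names no extension, so it is
    skipped. Raises ValueError if EHLO was rejected or the reply is malformed."""
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines or not lines[0].startswith("250"):
        raise ValueError(f"EHLO rejected or reply malformed: {lines[:1]}")
    features = {}
    for line in lines[1:]:
        # Continuation lines start with "250-", the final line with "250 ".
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError(f"unexpected line in EHLO reply: {line!r}")
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        features[keyword.lower()] = params
    return features


def starttls_offered(reply: str) -> bool:
    """True when the EHLO reply lists STARTTLS; this is the same check that
    'openssl s_client -starttls smtp' performs before it sends STARTTLS."""
    return "starttls" in parse_ehlo(reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0,
                   verify: bool = True) -> dict:
    """Live check against a real server: connect, EHLO, and if STARTTLS is
    offered, upgrade and record the TLS version and cipher the server chose."""
    result = {"host": host, "port": port, "starttls_offered": False,
              "tls_version": None, "cipher": None, "error": None}
    ctx = ssl.create_default_context()
    if not verify:  # only while the certificate chain itself is being debugged
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, _ = smtp.ehlo()
            if code != 250:
                result["error"] = f"EHLO rejected with {code}"
                return result
            result["starttls_offered"] = smtp.has_extn("starttls")
            if result["starttls_offered"]:
                smtp.starttls(context=ctx)
                # After starttls() the socket is an SSLSocket.
                result["tls_version"] = smtp.sock.version()
                result["cipher"] = smtp.sock.cipher()[0]
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    print(probe_starttls(target, target_port))
```

Run it as `python probe.py mail.yourdomain.example 25` from a machine outside the server's own network; if `starttls_offered` comes back False the server never advertised the extension and no TLS client, openssl or Vaultwarden, will be able to upgrade the connection. If it comes back True but `tls_version` is None with a handshake error, the problem is in the certificate or protocol configuration rather than the STARTTLS setting.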
Matth
Posts: 143
Joined: Fri Nov 08, 2002 8:34 am
Location: Hong Kong

Re: How to use Default SMTP port with SSL-startTLS client requirement for no default 25 port insecure open

Post by Matth »

Well, as mentioned in my initial post on this thread, my issue is not that I want port 25 to be secure.

My 25 is open, but I get the same error message when I try to configure my local Vaultwarden's mail configuration.
gxavier.bh
Posts: 150
Joined: Thu Nov 04, 2010 2:04 pm
Location: Belo Horizonte / Brazil

Re: How to use Default SMTP port with SSL-startTLS client requirement for no default 25 port insecure open

Post by gxavier.bh »

Have you seen this on https://github.com/dani-garcia/vaultwarden/wiki/SMTP-Configuration#oauth2-support ?

Some general settings per port.

for mail servers that use port 465

SMTP_PORT=465
SMTP_SECURITY=force_tls

for mail servers that use port 587 (or sometimes 25)

SMTP_PORT=587
SMTP_SECURITY=starttls

for mail servers that do not support encryption at all.

SMTP_PORT=25
SMTP_SECURITY=off

Have you set, on Control Panel -> Internet Options -> Advanced tab, TLS 1.2 and 1.3 only?
Matth
Posts: 143
Joined: Fri Nov 08, 2002 8:34 am
Location: Hong Kong

Re: How to use Default SMTP port with SSL-startTLS client requirement for no default 25 port insecure open

Post by Matth »

Thanks for the details.

I did try the various troubleshooting tips on the Vaultwarden page, and I do get the 0 as a reply.

I also tried all the possible combinations of different ports and starttls or force_tls, but nothing helped. TLS is set to 1.2 on the server.

Sooner or later I will have to replace Mailenable anyway, as it seems to be a dead product. So for the time being I use local sendmail to forward emails. Not ideal, but it does the job.