I configured an SMTP mail server using Postfix and Dovecot.
OS: Debian 9
Web Server: Apache
certificate from https://www.sslforfree.com/
When I try using an external client to send emails over TLS, I get the following error:
/var/log/syslog:
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30394]: connect from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30395]: connect from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30394]: lost connection after CONNECT from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30394]: disconnect from unknown[185.81.141.117] commands=0/0
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30395]: lost connection after CONNECT from unknown[185.81.141.117]
Oct 31 19:40:49 designtuner postfix/submission/smtpd[30395]: disconnect from unknown[185.81.141.117] commands=0/0
Node JS client:
{ Error: 1XXXXXXXXXX35275584:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:../deps/openssl/openssl/ssl/s23_clnt.c:797:
code: 'ECONNECTION', command: 'CONN' }
Node JS file:
let transporter = nodemailer.createTransport({
host: 'mail.designtuner.com',
port: 587,
secure: true, // secure:true for port 465, secure:false for port 587
auth: {
user: 'admin#designtuner.com',
pass: 'XXXXXXX'
},
tls: {
rejectUnauthorized: false
}
});
Am I missing something? Is it because my reverse DNS hasn't propagated yet? I recently updated my reverse DNS, but the website is accessible from a web browser just fine, and the SSL certificate seems to be working fine.
SMTPs and STARTTLS
There are two ways of encrypted SMTP: SMTPs on port 465, which first establishes an TLS handshake and then start the SMTP session, and SMTP with STARTTLS on port 587 which first start an SMTP session and then initializes TLS after the STARTTLS SMTP command (and then starts with authentication and everything to be protected).
SMTPs (TLS first, port 465) is considered deprecated; standard conformant SMTP with STARTTLS (port 587) does not imply any drawbacks with respect to security or privacy. A properly configured SMTP server will not allow any unsecured connection on the SMTP submission port.
Enforcing encryption with Nodemailer
The secure flag of nodemailer is only to indicate TLS before SMTP, which is also indicated by the comment following the line (which also explicitly explains what setting to use).
secure: true, // secure:true for port 465, secure:false for port 587
Looking at the Nodemailer documentation, there is some further information on configuration options:
options.secure if true the connection will only use TLS. If false (the default), TLS may still be upgraded to if available via the STARTTLS command.
[...]
options.requireTLS if this is true and secure is false, it forces Nodemailer to use STARTTLS even if the server does not advertise support for it.
With other words, to enforce an encrypted session following standards and best practices, set requireTLS instead of secure and use SMTP submission on port 587.
The comment in your code already points you to the problem in that secure should be set to false for port 587
port: 587,
secure: true, // secure:true for port 465, secure:false for port 587
Same is true for the documentation which clearly says:
secure – if true the connection will use TLS when connecting to server. If false (the default) then TLS is used if server supports the STARTTLS extension. In most cases set this value to true if you are connecting to port 465. For port 587 or 25 keep it false
The reason for this is that secure expects implicit TLS, i.e. TLS from start. But, port 25 and port 587 usually use explicit TLS, i.e. plain connection and then upgrade to TLS after a successful STARTTLS command.
If you want to use explicit TLS (port 587) but also make sure that TLS is not optional use requireTLS as documented:
requireTLS – if this is true and secure is false then Nodemailer tries to use STARTTLS even if the server does not advertise support for it. If the connection can not be encrypted then message is not sent
Related
I've got CRC running on Windows 11 and I would like to connect there from a RHEL9 VM.
CRC listening on 127.0.0.1:6443
Port forwarding rule created on Win machine to fwd connections on 192.168.1.156 (local intf) to 127.0.0.1:
$ netsh interface portproxy show v4tov4
Listen on ipv4: Connect to ipv4:
Address Port Address Port
192.168.1.156 9000 127.0.0.1 6443
Added rule in firewall to allow connections to port 9000
From the VM:
[test#workstation ~]$ telnet 192.168.1.156 9000
Trying 192.168.1.156...
Connected to 192.168.1.156.
Escape character is '^]'.
Connection closed by foreign host.
[test#workstation ~]$ oc login -u developer -p developer https://192.168.1.156:9000
The server is using a certificate that does not match its hostname: x509: certificate is valid for 10.217.4.1, not 192.168.1.156
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y
Error from server (InternalError): Internal error occurred: unexpected response: 412
Any idea on how I can fix this and be able to connect from my VM towards CRC?
thanks
When trying to send an email through the phpmailer nothing happens. After looking at the log it seems that when the server asks for XOAUTH2 the client simply doesn't respond... Usually the client would send the XOAUTH2 authorisation
2020-09-09 21:14:20 SERVER -> CLIENT: 220 smtp.gmail.com ESMTP p9sm413427wma.42 - gsmtp
2020-09-09 21:14:20 CLIENT -> SERVER: EHLO 'website'
2020-09-09 21:14:20 SERVER -> CLIENT: 250-smtp.gmail.com at your service, ['ip']250-SIZE 35882577250-8BITMIME250-STARTTLS250-ENHANCEDSTATUSCODES250-PIPELINING250-CHUNKING250 SMTPUTF8
2020-09-09 21:14:20 CLIENT -> SERVER: STARTTLS
2020-09-09 21:14:20 SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
2020-09-09 21:14:20 CLIENT -> SERVER: EHLO 'website'
2020-09-09 21:14:20 SERVER -> CLIENT: 250-smtp.gmail.com at your service, ['ip']250-SIZE 35882577250-8BITMIME250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH250-ENHANCEDSTATUSCODES250-PIPELINING250-CHUNKING250 SMTPUTF8
This suddenly stopped working recently for an unknown reason. Nothing has been altered on my end to cause this to occur.
Does anyone have any idea about what could be causing this?
So it seems it was an outdated refresh token.
Odd that no error was appearing in debug mode though
I'm trying to use an external smtp server from my springboot-application (scaffolded by JHipster). I have set the folling in my applocation.yml, and it picks up everything except the SSH settings.
host: send.one.com
port: 465
username: user#name
password: password
protocol: smtp
tls: true
auth: true
from: user#name
When i run the app I can see the following in my log
[DEBUG] com.sun.mail.smtp - useEhlo true, useAuth true
[DEBUG] com.sun.mail.smtp - trying to connect to host "send.one.com", port 465, isSSL false
[DEBUG] com.sun.mail.smtp - EOF: [EOF]
[DEBUG] com.sun.mail.smtp - could not connect to host "send.one.com", port: 465, response: -1
it seems the application is trying to connect without ssl, and it won't connect. What am I doing wrong?
You try to send over TLS. In general the standard port used by TLS is 587 and not 465 which is used for SSL. Try whether it works with that port?
I cant seem to get secure content through port 8080 to an Azure VM.
Regular SSL traffic through port 443 is fine, However when setting an endpoint for port 8080 and then trying to access it I'm receiving the following error:
handshake to www.... failed. System.IO.IOException Authentication failed because the remote party has closed the transport stream.
Firewall Inbound and Outbound rules have been created.
Certificate is the same one that is being used for port 443 traffic without any issue.
thank you for your help.
the output from openssl s_client -connect is:
CONNECTED(0000019C)
27308:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:.\ssl\s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 321 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
error in s_client
edit (solved):
The issues seems to be a bug in NodeJS. I downgraded from 0.10.29 to 0.10.26 and now everything works as expected.
I keep getting this error when I try to retrieve/update data from cassandra using cassandra-client.
{ [Error: All connections are unhealthy.]
connectionInfo:
{ host: 'localhost',
port: 9160,
keyspace: 'keyspace1',
user: undefined,
pass: undefined,
use_bigints: false,
timeout: 4000,
log_time: false,
staleThreshold: 10000 } }
Haven't got a clue as to what this error means.
The error indicates that your client is not able to connect to the specified server on localhost port 9160.
Since this is localhost you can most likely exclude any firewall problems.
What you can do
1. Check if your server is running after all
This should show you one or more processes ( except the grep process you're just executing
ps aux | grep "cassandra"
2. Verify the port
# telnet localhost 9160
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
Bad.. This would indicate that something with your configuration might be wrong. In my case I simply don't have a cassandra server listening to port 9160 ( running at all )
3. Check your logfile
By default casandra writes into the folder /var/log/cassandra/
If anything is wrong with the server, you'll most likely have some more information available in there, might even show a problem related to your nodejs client
4. Try another client for debugging
http://wiki.apache.org/cassandra/GettingStarted#Step_4:_Using_cassandra-cli