STARTTLS not advertised on port 25 for receiving

Al-MacLean
Posts: 34
Joined: Fri Sep 01, 2006 5:32 pm
Location: UK

Inbound SMTP STARTTLS not advertised on port 25

Post by Al-MacLean »

Hi,
We've had a customer call us to say they couldn't send us email and that they suspected it was related to our server not responding to allowing TLS on the inbound connection. I checked our server with the mxtoolbox.com tests and this does indicate that SMTP TLS is not supported. Our firewall has port 587 configured along with port 25 and 993 to port-forward (inbound) to our Zimbra server.

I have tried to find more information, including within the Zimbra wiki and forum posts, on the correct commands to check and configure this, but have not found very much that matches precisely.

So far, the closest match I found has been https://wiki.zimbra.com/wiki/Outgoing_S ... Enable_TLS. Though this is confusing that the Zimbra wiki titles this only for Outgoing connections rather than Incoming (or possibly both directions). (The command corroborated by an independent blogger: https://dilliganesh.wordpress.com/2015/ ... in-zimbra/)

I have run the command

Code:

zmprov ms zimbra1.copeohs.com zimbraMtaSmtpTlsSecurityLevel may

and restarted the Zimbra services.

Telnetting to the server and running ehlo against it (to same server) responds with 250-STARTTLS among the other 250 responses.

However, running mxtoolbox.com test again still indicates SMTP TLS is not available.

What am I doing wrong?

Version info: Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.

UPDATE: We have just a single server deployment. (Sorry this is a fairly long post, but I'm clearly not getting/understanding something correctly, so any help/pointers are greatly appreciated.)

I used telnet from an external connection against our server, first testing port 25 (as that's what mxtoolbox.com or similar services use) and then also when connecting to port 587 (outputs below). I don't know why Zimbra doesn't offer STARTTLS when doing the test over port 25.

Output of test via port 25, which doesn't show the STARTTLS option:

Code:

[alec@quietmonster ~]$ telnet zimbra1.copeohs.com 25
Trying 91.151.8.53...
Connected to zimbra1.copeohs.com.
Escape character is '^]'.
220 zimbra1.copeohs.com ESMTP Postfix
ehlo PWS3.mxtoolbox.com
250-zimbra1.copeohs.com
250-SIZE 47185920
250-VRFY
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

Then the second test through port 587, which does show STARTTLS being offered:

Code:

[alec@quietmonster ~]$ telnet zimbra1.copeohs.com 587
Trying 91.151.8.53...
Connected to zimbra1.copeohs.com.
Escape character is '^]'.
220 zimbra1.copeohs.com ESMTP Postfix
ehlo PWS3.mxtoolbox.com
250-zimbra1.copeohs.com
250-PIPELINING
250-SIZE 47185920
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
quit
221 2.0.0 Bye
Connection closed by foreign host.

If I telnet to port 25 from an internal LAN machine and run the EHLO against mxtoolbox.com again, we get the full response:

Code:

220 zimbra1.copeohs.com ESMTP Postfix
EHLO PWS3.mxtoolbox.com
250-zimbra1.copeohs.com
250-PIPELINING
250-SIZE 47185920
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

I'm considering if our firewall could be causing this difference of responses. We are using pfSense (2.4.0-RELEASE), with NAT rules from a virtual IP - the public IP for our Zimbra server - for ports 25, 993 and 587. I have posted a query on their forum about this topic.

Within the Zimbra admin web console (Configure -> Global -> MTA) we have both "Enable authentication" and "TLS authentication only" ticked. These are also ticked under the individual (only) server config (Configure -> Servers -> [our Zimbra server] -> MTA).

Taking diagnostic steps from https://wiki.zimbra.com/wiki/SMTP_Auth_Problems, our Authorisation settings are:

Code:

...@zimbra1:~$ sudo su - zimbra -c "zmprov getServer zimbra1.copeohs.com | grep Auth"
zimbraAuthTokenNotificationInterval: 60000
zimbraLowestSupportedAuthVersion: 2
zimbraMtaAuthEnabled: TRUE
zimbraMtaAuthTarget: TRUE
zimbraMtaBrokenSaslAuthClients: yes
zimbraMtaSaslAuthEnable: yes
zimbraMtaSmtpSaslAuthEnable: no
zimbraMtaSmtpdSaslAuthenticatedHeader: no
zimbraMtaTlsAuthOnly: TRUE
zimbraShareNotificationMtaAuthRequired: FALSE

and the "Mode" settings are:

Code:

...@zimbra1:~$ sudo su - zimbra -c "zmprov getServer zimbra1.copeohs.com | grep Mode"
zimbraBackupMode: Standard
zimbraCBPolicydBypassMode: tempfail
zimbraIPMode: ipv4
zimbraMailMode: redirect
zimbraMailReferMode: reverse-proxied
zimbraMailSSLClientCertMode: Disabled
zimbraOpenidConsumerStatelessModeEnabled: TRUE
zimbraReverseProxyClientCertMode: off
zimbraReverseProxyImapStartTlsMode: only
zimbraReverseProxyMailMode: https
zimbraReverseProxyPop3StartTlsMode: on

And the content of our main.cf file:

Code:

smtpd_helo_required = yes
in_flow_delay = 1s
transport_maps = proxy:ldap:/opt/zimbra/conf/ldap-transport.cf
smtpd_sasl_security_options = noanonymous
address_verify_positive_refresh_time = 12h
default_process_limit = 100
smtpd_tls_ask_ccert = no
virtual_mailbox_maps = proxy:ldap:/opt/zimbra/conf/ldap-vmm.cf
smtpd_error_sleep_time = 1s
smtpd_tls_ccert_verifydepth = 9
lmtp_tls_security_level = may
smtp_tls_CApath =
smtpd_tls_loglevel = 1
smtpd_reject_unlisted_sender = yes
smtpd_data_restrictions = reject_unauth_pipelining
address_verify_poll_delay = 3s
lmtp_host_lookup = native
lmtp_tls_loglevel = 0
smtpd_banner = $myhostname ESMTP $mail_name
lmtp_tls_ciphers = export
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtp_sasl_security_options = noplaintext,noanonymous
mail_owner = postfix
smtp_tls_ciphers = export
delay_warning_time = 0h
bounce_queue_lifetime = 5d
smtpd_tls_auth_only = yes
local_header_rewrite_clients = permit_mynetworks,permit_sasl_authenticated
mailbox_size_limit = 0
notify_classes = resource, software
bounce_notice_recipient = postmaster
smtp_sasl_auth_enable = no
lmtp_tls_protocols = !SSLv2, !SSLv3
mynetworks = 127.0.0.0/8 10.0.0.0/24 [::1]/128 [fe80::]/64
message_size_limit = 47185920
smtpd_relay_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination
newaliases_path = /opt/zimbra/postfix/sbin/newaliases
smtp_helo_name = $myhostname
mailq_path = /opt/zimbra/postfix/sbin/mailq
address_verify_poll_count = ${stress?3}${stress:5}
smtp_tls_loglevel = 0
myhostname = zimbra1.copeohs.com
smtpd_sasl_auth_enable = yes
virtual_alias_expansion_limit = 10000
mydestination = localhost
smtpd_client_port_logging = no
relayhost =
header_checks =
smtp_sasl_password_maps =
smtpd_tls_CAfile =
smtpd_tls_security_level = may
inet_protocols = ipv4
import_environment =
smtpd_recipient_restrictions = reject_non_fqdn_recipient, permit_sasl_authenticated, permit_mynetworks, reject_unlisted_reci$
max_use = 100
broken_sasl_auth_clients = yes
milter_content_timeout = 300s
disable_dns_lookups = no
minimal_backoff_time = 300s
recipient_delimiter =
unverified_recipient_defer_code = 250
command_directory = /opt/zimbra/postfix/sbin
queue_directory = /opt/zimbra/data/postfix/spool
smtp_tls_mandatory_ciphers = medium
smtpd_sender_login_maps = proxy:ldap:/opt/zimbra/conf/ldap-slm.cf
lmtp_connection_cache_destinations =
content_filter = smtp-amavis:[127.0.0.1]:10024
queue_run_delay = 300s
lmtp_tls_mandatory_ciphers = medium
smtp_generic_maps =
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
milter_connect_timeout = 30s
milter_default_action = tempfail
address_verify_negative_refresh_time = 10m
lmtp_tls_exclude_ciphers =
smtpd_end_of_data_restrictions =
sendmail_path = /opt/zimbra/postfix/sbin/sendmail
virtual_alias_domains = proxy:ldap:/opt/zimbra/conf/ldap-vad.cf
smtp_tls_security_level = may
smtpd_tls_mandatory_ciphers = medium
lmtp_tls_CAfile =
manpage_directory = /opt/zimbra/postfix/man
smtpd_milters =
smtpd_sender_restrictions = reject_authenticated_sender_login_mismatch, check_sender_access regexp:/opt/zimbra/postfix/conf/$
smtp_tls_protocols = !SSLv2, !SSLv3
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_CApath =
virtual_mailbox_domains = proxy:ldap:/opt/zimbra/conf/ldap-vmd.cf
smtpd_soft_error_limit = 10
setgid_group = postdrop
smtp_fallback_relay =
lmtp_tls_CApath =
virtual_alias_maps = proxy:ldap:/opt/zimbra/conf/ldap-vam.cf
smtp_cname_overrides_servername = no
smtpd_proxy_timeout = 100s
alias_maps = lmdb:/etc/aliases
propagate_unmatched_extensions = canonical
smtp_sasl_mechanism_filter =
milter_command_timeout = 30s
non_smtpd_milters =
daemon_directory = /opt/zimbra/postfix/libexec
smtpd_tls_ciphers = export
smtpd_client_restrictions = reject_unauth_pipelining
lmdb_map_size = 16777216
smtpd_sasl_authenticated_header = no
smtpd_hard_error_limit = 20
maximal_backoff_time = 4000s
smtp_tls_CAfile =
smtpd_reject_unlisted_recipient = yes
smtpd_tls_protocols = !SSLv2, !SSLv3
tls_append_default_CA = no
virtual_transport = error
sender_canonical_maps = proxy:ldap:/opt/zimbra/conf/ldap-scm.cf
always_add_missing_headers = yes
lmtp_connection_cache_time_limit = 4s
smtpd_tls_exclude_ciphers =

UPDATE #2 Friday 27th Oct '17.
Ok, so I've continued researching this. I have determined that for postfix, smtp_tls_* control properties relate to outbound connections and smtpd_tls_* relate to inbound.
Sources:
Initially spotted comment about it here: https://bugzilla.mozilla.org/show_bug.cgi?id=956714#c4
and then confirmed here: http://www.postfix.org/TLS_README.html#how.
Within that same postfix TLS Readme page are references to the settings we see Zimbra controlling for us via the admin console (seems only some are controllable through this) and zmprov and similar CLI commands.
In particular to my original question, the property described at http://www.postfix.org/TLS_README.html#server_enable shows that the setting "smtpd_tls_security_level = may" is the one that controls advertising Opportunistic TLS, aka STARTTLS.

Re-examining my main.cf file, this property is definitely set with the "may" option (now highlighted with bold above).

Can anyone suggest why our public inbound port 25 connection (telnet zimbra1.copeohs.com 25 -> ehlo blah) currently will NOT advertise the STARTTLS option?
Last edited by Al-MacLean on Fri Oct 27, 2017 9:17 am, edited 4 times in total.
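The distinction drawn in UPDATE #2 (smtp_tls_* governs outbound connections, smtpd_tls_* inbound, and smtpd_tls_security_level decides whether STARTTLS is advertised) and the main.cf dump above lend themselves to an automated check. What follows is an added example, not Zimbra tooling and not anything from the poster: it parses postconf-style output, sorts the TLS parameters by the direction they govern, and reports whether the inbound configuration should offer STARTTLS. The sample input is a constructed excerpt of the main.cf quoted above; the role names and the findings are my own encoding of Postfix's documented parameter semantics (including that the legacy smtpd_use_tls knob is ignored once smtpd_tls_security_level is set).

```python
"""Audit the inbound (smtpd) TLS settings in a Postfix main.cf / postconf dump.

Added example, not Zimbra's or Postfix's own tooling. SAMPLE_MAIN_CF is a
constructed excerpt of the main.cf quoted in the post; the checks encode
Postfix's documented semantics for the smtpd_tls_* parameters.
"""
import re
from typing import Dict, List

# Constructed excerpt (values copied from the poster's main.cf above).
SAMPLE_MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtpd_tls_key_file = /opt/zimbra/conf/smtpd.key
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_ciphers = export
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3
lmtp_tls_security_level = may
smtpd_sasl_auth_enable = yes
myhostname = zimbra1.copeohs.com
"""

# Parameter prefix -> which side of the MTA it governs (role names are mine).
ROLE_PREFIXES = {
    "smtpd_tls_": "inbound",      # server side: STARTTLS offered on 25/587
    "smtp_tls_": "outbound",      # client side: TLS to remote MX hosts
    "lmtp_tls_": "delivery",      # client side: LMTP to the mailbox store
    "tlsproxy_tls_": "tlsproxy",  # wrapper-mode TLS (e.g. port 465)
}


def parse_postconf(text: str) -> Dict[str, str]:
    """Parse `key = value` lines; a later duplicate overrides an earlier one."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m and not line.lstrip().startswith("#"):
            cfg[m.group(1)] = m.group(2)
    return cfg


def classify_tls_params(cfg: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Group *_tls_* parameters by the traffic direction they configure."""
    groups: Dict[str, Dict[str, str]] = {r: {} for r in ROLE_PREFIXES.values()}
    for key, value in cfg.items():
        for prefix, role in ROLE_PREFIXES.items():
            if key.startswith(prefix):
                groups[role][key] = value
    return groups


def advertises_starttls(cfg: Dict[str, str]) -> bool:
    """True when the configuration alone would make smtpd offer STARTTLS."""
    level = cfg.get("smtpd_tls_security_level", "")
    if level == "":
        # Legacy knob, honoured only while the security level is unset.
        enabled = cfg.get("smtpd_use_tls", "no").lower() == "yes"
    else:
        enabled = level in ("may", "encrypt")
    return enabled and bool(cfg.get("smtpd_tls_cert_file")) and bool(cfg.get("smtpd_tls_key_file"))


def audit_inbound_starttls(cfg: Dict[str, str]) -> List[str]:
    """Findings on whether smtpd should advertise STARTTLS and why.

    This is what the configuration says; if a live EHLO from the Internet
    disagrees, something on the network path is altering the session.
    """
    findings: List[str] = []
    level = cfg.get("smtpd_tls_security_level", "")
    if level == "":
        findings.append("smtpd_tls_security_level unset; legacy smtpd_use_tls=%s decides"
                        % cfg.get("smtpd_use_tls", "no"))
    elif level == "none":
        findings.append("smtpd_tls_security_level=none: STARTTLS is NOT advertised")
    elif level == "may":
        findings.append("smtpd_tls_security_level=may: opportunistic STARTTLS advertised")
    elif level == "encrypt":
        findings.append("smtpd_tls_security_level=encrypt: mandatory TLS; unsuitable for a public MX")
    else:
        findings.append("unexpected smtpd_tls_security_level value %r" % level)
    if level and "smtpd_use_tls" in cfg:
        findings.append("smtpd_use_tls is ignored because smtpd_tls_security_level is set")
    for param in ("smtpd_tls_cert_file", "smtpd_tls_key_file"):
        if not cfg.get(param):
            findings.append("%s is empty: smtpd cannot offer STARTTLS without it" % param)
    if cfg.get("smtpd_tls_auth_only", "no").lower() == "yes" and not advertises_starttls(cfg):
        findings.append("smtpd_tls_auth_only=yes but TLS unavailable: AUTH will never be offered")
    if "smtpd_tls_mandatory_protocols" not in cfg:
        findings.append("smtpd_tls_mandatory_protocols not set explicitly; Postfix built-in default applies")
    return findings


if __name__ == "__main__":
    conf = parse_postconf(SAMPLE_MAIN_CF)
    for role, params in classify_tls_params(conf).items():
        print(role, sorted(params))
    for finding in audit_inbound_starttls(conf):
        print(" -", finding)
```

Feed it the output of `postconf -n` from the Zimbra user and read the inbound findings first. When the audit says STARTTLS is advertised and the certificate and key are present, but an EHLO from outside still lacks STARTTLS, the configuration is no longer the suspect and attention should move to the path between the Internet and Postfix.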
Al-MacLean
Posts: 34
Joined: Fri Sep 01, 2006 5:32 pm
Location: UK

Re: Inbound SMTP STARTTLS not advertised on port 25

Post by Al-MacLean »

Is my post above in the right section? Can anyone suggest why STARTTLS is not being advertised when connecting to our port 25, but basic properties are?
The PIPELINING option is also not being advertised on the public 25 port.

This is really frustrating
Al-MacLean
Posts: 34
Joined: Fri Sep 01, 2006 5:32 pm
Location: UK

STARTTLS not advertised on port 25 for receiving

Post by Al-MacLean »

Hi,

Zimbra version: Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P7.

Issue: When testing our SMTP config from mxtoolbox.com we see that the STARTTLS option is not being advertised/offered over port 25 for inbound (receive) connections to our server (PIPELINING is also not indicated). Our bank have indicated that they force/expect TLS connections with target email servers they send to (our contact is not from their email admin team, but is relaying what he has apparently been told by them) - but it would explain why their emails to us are currently failing to arrive on our Zimbra system, but do reach my Gmail account in testing (the email header confirms TLS was established to the Gmail MX).

I previously posted a query within the forum's Admin section viewtopic.php?f=15&t=62964 that lists our system settings and the checks I have done so far, but while it's been read quite a few times, no-one has yet offered any responses as to what might be the problem.

In brief: testing port 587, we do see STARTTLS being advertised/offered, but not when testing port 25. All connections to/from our server are routed via our firewall (pfSense) using NAT. Both port 587 and port 25 are configured under the same firewall rule, using an alias list for grouping the ports together, so the rule that works for port 587 is the same rule that applies to port 25 - so I think I can exclude the firewall being a factor here.

I believe the main setting (according to the postfix readme) for offering Opportunistic TLS (inbound to the server) is controlled by smtpd_tls_security_level, which should be set to (and we have set as) "may". (Confirmed by reviewing our main.cf file, shown in my original post linked above).

None of the web searches I've run so far have revealed anything more than enabling that smtpd_tls_security_level=may option.

Can anyone offer suggestions what else I could check?
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: STARTTLS not advertised on port 25 for receiving

Post by phoenix »

I've merged your recent post with this thread as they both belong in the Admin forums.

Have you tried setting the following:

Code:

postconf -e smtpd_use_tls=yes

Retest with mxtoolbox.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Al-MacLean
Posts: 34
Joined: Fri Sep 01, 2006 5:32 pm
Location: UK

Re: STARTTLS not advertised on port 25 for receiving

Post by Al-MacLean »

Hi Bill,

Thanks for the response. I have just set the option you mention trying, then ran "postfix reload" and confirmed the setting is present via

Code:

sudo su - zimbra -c "postconf"

then retested from mxtoolbox.com.

Unfortunately, still no TLS offered.

Alec
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: STARTTLS not advertised on port 25 for receiving

Post by phoenix »

I can't imagine offhand why it's not showing with mxtoolbox, it works on my server and shows as enabled using mxtoolbox - I do use ZCS 8.8.4 but I haven't modified that setting recently nor do I remember adding anything else that might have affected this feature. I'll have a look a bit later at your main.cf file and see how it compares to mine.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: STARTTLS not advertised on port 25 for receiving

Post by phoenix »

The only significant difference that I can see between your main.cf and mine is the following (missing) entry:

Code:

postconf | grep smtpd_tls_mandatory_protocols

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols

I can't imagine that it would cause your problem but you can read some more on this wiki page: https://wiki.zimbra.com/wiki/How_to_dis ... CS_8.5.x_2
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Al-MacLean
Posts: 34
Joined: Fri Sep 01, 2006 5:32 pm
Location: UK

Re: STARTTLS not advertised on port 25 for receiving

Post by Al-MacLean »

phoenix wrote:
The only significant difference that I can see between your main.cf and mine is the following (missing) entry:

Code:

postconf | grep smtpd_tls_mandatory_protocols

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
I can't imagine that it would cause your problem but you can read some more on this wiki page: https://wiki.zimbra.com/wiki/How_to_dis ... CS_8.5.x_2

Thanks Bill.
Looking at the comment on the wiki, those settings seem to apply to mandatory SSL via port 465 (noted in the "warnings" prefix in section https://wiki.zimbra.com/wiki/How_to_dis ... _.28MTA.29).

...but you got my brain working along a slightly different path... and I feel like a bit of a donkey :roll:

We also use an Untangle server in transparent bridge mode between the firewall and LAN to help fight spam/phishing. I don't know why I didn't think of checking on this earlier - blinkered-vision on the problem I suppose (hence my donkey-face).
The setting on the Untangle anti-spam module was not allowing TLS for SMTP! (I suspect that meant "stripping" the TLS from the response.)

What led me back to it:
I had tested using telnet from an internal PC in the same LAN as the Zimbra server (noted in original post above) and knew STARTTLS was being offered by our Zimbra under that condition.
I just re-ran that same telnet test from home via my VPN connection to the LAN IP of our server (not the public IP). However, the STARTTLS was again no longer offered, even with the LAN IP option.
At that point I remembered the Untangle processes...(hand slap to forehead) ... so at first I simply turned them off one at a time to retest. Turned off the "Spam Blocker Lite" module - and STARTTLS now offered on 25!
So within the "Advanced SMTP Settings" section for "Spam Blocker Lite" is a tick-box option for "Allow and ignore TLS sessions" which was not ticked.
Ticked that and re-enabled the module and retested - and we still have STARTTLS :D

Re-ran the diagnostic from mxtoolbox - and that independently confirmed TLS now available on port 25.

So, hope this assists anyone else who might see a similar problem - don't forget your other network devices in the connection path!
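The resolution above (a spam appliance in the path rewriting the EHLO reply so that STARTTLS and PIPELINING disappeared) and the three telnet transcripts in the first post are exactly the comparison worth automating for a defender. The following is an added example, not from the thread, Zimbra or Untangle: it parses EHLO replies, diffs the capability set seen from a trusted vantage point (the LAN) against the one seen from the tested path (the Internet), and flags a stripped STARTTLS. The two transcripts are constructed from the poster's telnet output; `probe_ehlo`, `_read_reply` and the default HELO name `probe.example.invalid` are my own additions for running the same check live against a server you operate.

```python
"""Compare the SMTP capabilities a server advertises from two vantage points.

Added example, not part of the thread. It automates the manual telnet checks
in the posts above: parse each EHLO response and report the keywords that
one network path drops (here STARTTLS and PIPELINING, as the poster saw
through the Untangle appliance). probe_ehlo does the same live against a
server you operate; the sample transcripts are constructed from the thread.
"""
import socket
from typing import Set

# Constructed from the poster's telnet sessions: same host, port 25, seen
# from the Internet (through the firewall/appliance path) and from the LAN.
EXTERNAL_PORT25 = """\
220 zimbra1.copeohs.com ESMTP Postfix
250-zimbra1.copeohs.com
250-SIZE 47185920
250-VRFY
250 DSN
"""
LAN_PORT25 = """\
220 zimbra1.copeohs.com ESMTP Postfix
250-zimbra1.copeohs.com
250-PIPELINING
250-SIZE 47185920
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def parse_ehlo_capabilities(transcript: str) -> Set[str]:
    """Extract EHLO keywords from 250-/250 reply lines (RFC 5321 4.1.1.1).

    The first 250 line carries the server's domain, not a capability, so it
    is skipped; keywords are upper-cased and their parameters dropped.
    """
    caps: Set[str] = set()
    seen_greeting = False
    for line in transcript.splitlines():
        if not line.startswith("250"):
            continue  # 220 banner, 221 Bye, error replies
        if not seen_greeting:
            seen_greeting = True
            continue
        body = line[4:].strip()  # drop "250-" or "250 "
        if body:
            caps.add(body.split()[0].upper())
    return caps


def missing_capabilities(reference: Set[str], observed: Set[str]) -> Set[str]:
    """Keywords present on the trusted path but absent on the tested one."""
    return reference - observed


def starttls_stripped(reference: Set[str], observed: Set[str]) -> bool:
    """True when the server offers STARTTLS but the tested path hides it.

    Config says `may` yet the EHLO seen from outside lacks STARTTLS: the
    signature of a middlebox rewriting the reply, which silently downgrades
    every remote sender to cleartext (or, for senders that insist on TLS,
    makes delivery fail, as the poster's bank experienced).
    """
    return "STARTTLS" in reference and "STARTTLS" not in observed


def _read_reply(f) -> str:
    """Read one SMTP reply: lines until the 3-digit code is followed by a space."""
    out = []
    while True:
        raw = f.readline().decode("ascii", "replace").rstrip("\r\n")
        out.append(raw)
        if len(raw) < 4 or raw[3] == " ":  # final line, or EOF
            return "\n".join(out)


def probe_ehlo(host: str, port: int = 25, helo_name: str = "probe.example.invalid",
               timeout: float = 10.0) -> Set[str]:
    """Live EHLO against a server you operate; returns its capability set."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        lines = [_read_reply(f)]  # 220 banner (may itself be multi-line)
        f.write(("EHLO %s\r\n" % helo_name).encode("ascii"))
        f.flush()
        lines.append(_read_reply(f))
        f.write(b"QUIT\r\n")
        f.flush()
        return parse_ehlo_capabilities("\n".join(lines))


if __name__ == "__main__":
    ref = parse_ehlo_capabilities(LAN_PORT25)
    ext = parse_ehlo_capabilities(EXTERNAL_PORT25)
    print("dropped on the public path:", sorted(missing_capabilities(ref, ext)))
    print("STARTTLS stripped:", starttls_stripped(ref, ext))
```

Run `probe_ehlo` against your own MX once from inside the network and once from outside, and hand both sets to `missing_capabilities`. A non-empty difference on port 25 but not on port 587 narrows the culprit to whatever inspects port 25 specifically, which in this thread was the anti-spam module rather than the firewall NAT rule shared by both ports.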
phoenix
Ambassador
Posts: 27272
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: STARTTLS not advertised on port 25 for receiving

Post by phoenix »

Well done on that investigation and solution. :) It never occurred to me that it might be external to your server, I'm never keen on putting anti-spam on a firewall but prefer it on a server in the LAN. Obviously I'm just a home user so it's easier for me.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
Al-MacLean
Posts: 34
Joined: Fri Sep 01, 2006 5:32 pm
Location: UK

Re: STARTTLS not advertised on port 25 for receiving

Post by Al-MacLean »

Our connection path is:
WAN -> pfSense (firewall) -> LAN
On the LAN side of the pfSense firewall, the next connection is
Untangle (only used for anti-spam, anti-phishing, web site policies, no firewall module)
then behind that are the internal servers (Zimbra email and other web servers) and the office computers.

But, I'm just happy I finally sorted it!