SOLVED: Must issue a STARTTLS command first

recipient
Posts: 11
Joined: Fri Feb 19, 2021 10:50 am
Location: Poland

Post by recipient »

Hello, fellow Zimbra Administrators.
I have a problem with sending messages to one domain.
While doing this, the message is bounced with an error:

Code:

Jan 24 10:19:16 smtp postfix/smtp[27760]: 6120319A03B0: to=<REDACTED@REDACTED.com>, relay=REDACTED.com[IP_ADDRESS_HERE]:25, delay=0.23, delays=0/0/0.22/0, dsn=5.0.0, status=bounced (host REDACTED.com[IP_ADDRESS_HERE] refused to talk to me: 530 #5.7.0 Must issue a STARTTLS command first)

On my server I have configured:

Code:

zmprov gcf zimbraMtaTlsSecurityLevel
zimbraMtaTlsSecurityLevel: may

Code:

zmprov gs `zmhostname` zimbraMtaSmtpTlsSecurityLevel
zimbraMtaSmtpTlsSecurityLevel: may

After setting zimbraMtaSmtpTlsSecurityLevel to 'encrypt', all incoming messages are deferred with an error:

Code:

TLS is required, but was not offered by host 127.0.0.1[127.0.0.1]

Also, it does not resolve the problem with sending messages to the mentioned domain - the 'Must issue a STARTTLS command first' error persists.

Did you have that problem? Do you have any idea how to resolve that?
Last edited by recipient on Wed Jan 25, 2023 5:06 pm, edited 4 times in total.
lytledd
Outstanding Member
Posts: 536
Joined: Sat Sep 13, 2014 12:54 am
ZCS/ZD Version: Release 9.0.0.ZEXTRAS.20221203 FOSS

Re: Must issue a STARTTLS command first

Post by lytledd »

I've had to do this for a past employer and I followed the below linked instructions:

viewtopic.php?t=4050

Doug

Re: Must issue a STARTTLS command first

Post by recipient »

I configured TLS following these instructions: https://blog.zimbra.com/2021/10/zimbra- ... iguration/, but I had to re-enable DH, EDH and ADH ciphers in tls_medium_cipherlist, because some network printers-scanners use some of these ciphers :/
lytledd wrote: I've had to do this for a past employer and I followed the below linked instructions:

viewtopic.php?t=4050

Doug
Thank you for the link, I was about to check and configure smtp_tls_policy_maps.

Unfortunately, the problem persists.
My server's config must be malformed :/

Re: SOLVED: Must issue a STARTTLS command first

Post by recipient »

I should have included another line from zimbra.log in the first post of this thread:

Code:

enabling PIX workarounds: disable_esmtp for REDACTED.com[IP_ADDRESS_HERE]:25

What helped was changing:

Code:

postconf smtp_pix_workarounds
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf

to an empty value (although disable_esmtp seemed to cause the problem):

Code:

postconf -e smtp_pix_workarounds=""

Now it seems to work:

Code:

Jan 25 16:09:38 smtp postfix/smtp[26174]: 4BD0419A168D: to=<REDACTED@REDACTED.com>, relay=REDACTED.com[IP_ADDRESS_HERE]:25, delay=1.7, delays=0.01/0.01/0.59/1.1, dsn=2.0.0, status=sent (250 ok:  Message 37959181 accepted)
Last edited by recipient on Wed Jan 25, 2023 5:07 pm, edited 1 time in total.
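
A log check for the failure described in the post above, as an added example that is not part of the original thread: it pairs each "enabling PIX workarounds" line that includes disable_esmtp with the delivery result logged by the same postfix/smtp process, so both the 530 bounce and deliveries that went out without ESMTP show up. The sample lines, host names, addresses and queue IDs are constructed, and the syslog prefix layout is assumed from the excerpts quoted in the thread.

```python
import re

# Constructed sample lines modelled on the log excerpts quoted in this thread;
# host names, addresses and queue IDs are placeholders.
SAMPLE_LOG = """\
Jan 24 10:19:16 smtp postfix/smtp[27760]: 6120319A03B0: enabling PIX workarounds: disable_esmtp for mx.example.com[192.0.2.10]:25
Jan 24 10:19:16 smtp postfix/smtp[27760]: 6120319A03B0: to=<user@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.23, delays=0/0/0.22/0, dsn=5.0.0, status=bounced (host mx.example.com[192.0.2.10] refused to talk to me: 530 #5.7.0 Must issue a STARTTLS command first)
Jan 24 10:20:02 smtp postfix/smtp[27761]: 7A00119A03B1: enabling PIX workarounds: disable_esmtp for mx.example.net[198.51.100.7]:25
Jan 24 10:20:03 smtp postfix/smtp[27761]: 7A00119A03B1: to=<user@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, delays=0/0/0.5/0.4, dsn=2.0.0, status=sent (250 ok)
Jan 24 10:21:40 smtp postfix/smtp[27762]: 8B11219A03B2: to=<user@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=1.1, delays=0/0/0.6/0.5, dsn=2.0.0, status=sent (250 ok)
"""

# "enabling PIX workarounds: <flags> for <relay>" as logged by postfix/smtp.
PIX_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: .*?enabling PIX workarounds: "
    r"(?P<flags>.+?) for (?P<relay>\S+)$")
# Per-recipient delivery result line written by the same process.
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: .*?to=<[^>]*>, relay=(?P<relay>[^,]+),"
    r".*?status=(?P<status>\w+) \((?P<text>.*)\)$")


def find_esmtp_downgrades(log_text):
    """Return (relay, status, kind) for deliveries made with ESMTP disabled."""
    esmtp_off = {}  # smtp client pid -> relay it disabled ESMTP for
    findings = []
    for line in log_text.splitlines():
        m = PIX_RE.search(line)
        if m:
            if "disable_esmtp" in re.split(r"[,\s]+", m["flags"]):
                esmtp_off[m["pid"]] = m["relay"]
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        if esmtp_off.get(m["pid"]) != m["relay"]:
            esmtp_off.pop(m["pid"], None)  # different session, forget old state
            continue
        # HELO instead of EHLO means the client never sees a STARTTLS offer.
        if "STARTTLS" in m["text"]:
            kind = "remote_requires_starttls"
        else:
            kind = "sent_without_esmtp" if m["status"] == "sent" else "other"
        findings.append((m["relay"], m["status"], kind))
    return findings

if __name__ == "__main__":
    for relay, status, kind in find_esmtp_downgrades(SAMPLE_LOG):
        print(f"{relay}\t{status}\t{kind}")
```
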
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: RESOLVED: Must issue a STARTTLS command first

Post by L. Mark Stone »

You may want to keep the delay_dotcrlf value in that attribute, but this article has more detail and a clear explanation on how and why this can happen:

https://www.suse.com/support/kb/doc/?id=000020587

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate

Re: SOLVED: Must issue a STARTTLS command first

Post by recipient »

Clearing smtp_pix_workarounds already solved the problem.
L. Mark Stone wrote: You may want to keep the delay_dotcrlf value in that attribute, but this article has more detail and a clear explanation on how and why this can happen:

https://www.suse.com/support/kb/doc/?id=000020587

Hope that helps,
Mark
Thank you for the link, I will try with smtp_pix_workarounds set to "delay_dotcrlf", I hope this will still make it work.

Re: SOLVED: Must issue a STARTTLS command first

Post by recipient »

Setting smtp_pix_workarounds to delay_dotcrlf probably helped with sending e-mail to yet another domain.

When smtp_pix_workarounds was cleared, I sent a message to that domain and the message was deferred because the connection to the remote host timed out.
When I set smtp_pix_workarounds to delay_dotcrlf, the message was successfully delivered to that domain.