SOLVED: Must issue a STARTTLS command first

[recipient]

Hello, fellow Zimbra Administrators.
I have a problem with sending messages to one domain.
While doing this, message is bounced with an error:

Code: Select all

Jan 24 10:19:16 smtp postfix/smtp[27760]: 6120319A03B0: to=<REDACTED@REDACTED.com>, relay=REDACTED.com[IP_ADDRESS_HERE]:25, delay=0.23, delays=0/0/0.22/0, dsn=5.0.0, status=bounced (host REDACTED.com[IP_ADDRESS_HERE] refused to talk to me: 530 #5.7.0 Must issue a STARTTLS command first)

On my server I have configured:

Code: Select all

zmprov gcf zimbraMtaTlsSecurityLevel
zimbraMtaTlsSecurityLevel: may

Code: Select all

zmprov gs `zmhostname` zimbraMtaSmtpTlsSecurityLevel
zimbraMtaSmtpTlsSecurityLevel: may

After setting zimbraMtaSmtpTlsSecurityLevel to 'encrypt', all incoming messages are deferred with an error:

Code: Select all

TLS is required, but was not offered by host 127.0.0.1[127.0.0.1]

Also, it does not resolve the problem with sending messages to mentioned domain - the 'Must issue a STARTTLS command first' error persists.

Did you have that problem? Do you have any idea how to resolve that?

[lytledd]

I've had to do this for a past employer and I followed the below linked instructions:

https://forums.zimbra.org/viewtopic.php?t=4050

Doug

[recipient]

I configured TLS following these instructions: https://blog.zimbra.com/2021/10/zimbra-skillz-using-zimbra-with-strong-tls-configuration/, but I had to re-enable DH, EDH and ADH ciphers in tls_medium_cipherlist, because some network printers-scanners use some of these ciphers :/

I've had to do this for a past employer and I followed the below linked instructions:

https://forums.zimbra.org/viewtopic.php?t=4050

Doug

Thank you for the link, I was about to check and configure smtp_tls_policy_maps.

Unfortunately, the problem persists.
My server's config must be malformed :/

[recipient]

I should have included another line from zimbra.log in the first post of this thread:

Code: Select all

enabling PIX workarounds: disable_esmtp for REDACTED.com[IP_ADDRESS_HERE]:25

What helped was changing:

Code: Select all

postconf smtp_pix_workarounds
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf

to empty value (although disable_esmtp seemed to cause the problem):

Code: Select all

postconf -e smtp_pix_workarounds=""

Now it seems to work:

Code: Select all

Jan 25 16:09:38 smtp postfix/smtp[26174]: 4BD0419A168D: to=<REDACTED@REDACTED.com>, relay=REDACTED.com[IP_ADDRESS_HERE]:25, delay=1.7, delays=0.01/0.01/0.59/1.1, dsn=2.0.0, status=sent (250 ok:  Message 37959181 accepted)


[L. Mark Stone]

You may want to keep the delay_dotcrlf value in that attribute, but this article has more detail and a clear explanation on how and why this can happen:

https://www.suse.com/support/kb/doc/?id=000020587

Hope that helps,
Mark

[recipient]

Clearing smtp_pix_workarounds already solved the problem.

You may want to keep the delay_dotcrlf value in that attribute, but this article has more detail and a clear explanation on how and why this can happen:

https://www.suse.com/support/kb/doc/?id=000020587

Hope that helps,
Mark

Thank you for the link, I will try with smtp_pix_workarounds set to "delay_dotcrlf", I hope this will still make it work.

[recipient]

Setting smtp_pix_workarounds to delay_dotcrlf probably helped sending e-mail to yet another domain.

When smtp_pix_workarounds was cleared, I sent message to that domain and message was deferred because connection to remote host timed out.
When I set smtp_pix_workarounds to delay_dotcrlf, message was successfully delivered to that domain.