
SOLVED: Must issue a STARTTLS command first

recipient
Posts: 10
Joined: Fri Feb 19, 2021 10:50 am
Location: Poland

SOLVED: Must issue a STARTTLS command first

Postby recipient » Tue Jan 24, 2023 9:59 am

Hello, fellow Zimbra Administrators.
I have a problem with sending messages to one domain.
When I do this, the message is bounced with an error:

Jan 24 10:19:16 smtp postfix/smtp[27760]: 6120319A03B0: to=<REDACTED@REDACTED.com>, relay=REDACTED.com[IP_ADDRESS_HERE]:25, delay=0.23, delays=0/0/0.22/0, dsn=5.0.0, status=bounced (host REDACTED.com[IP_ADDRESS_HERE] refused to talk to me: 530 #5.7.0 Must issue a STARTTLS command first)


On my server I have configured:

zmprov gcf zimbraMtaTlsSecurityLevel
zimbraMtaTlsSecurityLevel: may

zmprov gs `zmhostname` zimbraMtaSmtpTlsSecurityLevel
zimbraMtaSmtpTlsSecurityLevel: may


After setting zimbraMtaSmtpTlsSecurityLevel to 'encrypt', all incoming messages are deferred with an error:

TLS is required, but was not offered by host 127.0.0.1[127.0.0.1]

Also, it does not resolve the problem with sending messages to the mentioned domain - the 'Must issue a STARTTLS command first' error persists.

Did you have that problem? Do you have any idea how to resolve that?
Last edited by recipient on Wed Jan 25, 2023 5:06 pm, edited 4 times in total.


lytledd
Outstanding Member
Posts: 536
Joined: Sat Sep 13, 2014 12:54 am
ZCS/ZD Version: Release 9.0.0.ZEXTRAS.20221203 FOSS

Re: Must issue a STARTTLS command first

Postby lytledd » Wed Jan 25, 2023 9:37 am

I've had to do this for a past employer and I followed the below linked instructions:

https://forums.zimbra.org/viewtopic.php?t=4050

Doug
recipient
Posts: 10
Joined: Fri Feb 19, 2021 10:50 am
Location: Poland

Re: Must issue a STARTTLS command first

Postby recipient » Wed Jan 25, 2023 1:11 pm

I configured TLS following these instructions: https://blog.zimbra.com/2021/10/zimbra-skillz-using-zimbra-with-strong-tls-configuration/, but I had to re-enable DH, EDH and ADH ciphers in tls_medium_cipherlist, because some network printers-scanners use some of these ciphers :/

lytledd wrote:I've had to do this for a past employer and I followed the below linked instructions:

https://forums.zimbra.org/viewtopic.php?t=4050

Doug


Thank you for the link, I was about to check and configure smtp_tls_policy_maps.

Unfortunately, the problem persists.
My server's config must be malformed :/
recipient
Posts: 10
Joined: Fri Feb 19, 2021 10:50 am
Location: Poland

Re: SOLVED: Must issue a STARTTLS command first

Postby recipient » Wed Jan 25, 2023 3:24 pm

I should have included another line from zimbra.log in the first post of this thread:

enabling PIX workarounds: disable_esmtp for REDACTED.com[IP_ADDRESS_HERE]:25

What helped was changing:

postconf smtp_pix_workarounds
smtp_pix_workarounds = disable_esmtp,delay_dotcrlf

to an empty value (although disable_esmtp alone seemed to cause the problem):

postconf -e smtp_pix_workarounds=""

Now it seems to work:

Jan 25 16:09:38 smtp postfix/smtp[26174]: 4BD0419A168D: to=<REDACTED@REDACTED.com>, relay=REDACTED.com[IP_ADDRESS_HERE]:25, delay=1.7, delays=0.01/0.01/0.59/1.1, dsn=2.0.0, status=sent (250 ok:  Message 37959181 accepted)
Last edited by recipient on Wed Jan 25, 2023 5:07 pm, edited 1 time in total.
L. Mark Stone
Ambassador
Posts: 2547
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 8.8.15 Network Edition

Re: RESOLVED: Must issue a STARTTLS command first

Postby L. Mark Stone » Wed Jan 25, 2023 4:48 pm

You may want to keep the delay_dotcrlf value in that attribute, but this article has more detail and a clear explanation on how and why this can happen:

https://www.suse.com/support/kb/doc/?id=000020587

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
recipient
Posts: 10
Joined: Fri Feb 19, 2021 10:50 am
Location: Poland

Re: SOLVED: Must issue a STARTTLS command first

Postby recipient » Wed Jan 25, 2023 6:36 pm

Clearing smtp_pix_workarounds already solved the problem.

L. Mark Stone wrote:You may want to keep the delay_dotcrlf value in that attribute, but this article has more detail and a clear explanation on how and why this can happen:

https://www.suse.com/support/kb/doc/?id=000020587

Hope that helps,
Mark


Thank you for the link, I will try with smtp_pix_workarounds set to "delay_dotcrlf", I hope this will still make it work.
recipient
Posts: 10
Joined: Fri Feb 19, 2021 10:50 am
Location: Poland

Re: SOLVED: Must issue a STARTTLS command first

Postby recipient » Thu Jan 26, 2023 7:27 am

Setting smtp_pix_workarounds to delay_dotcrlf probably helped with sending e-mail to yet another domain.

When smtp_pix_workarounds was cleared, I sent a message to that domain and the message was deferred because the connection to the remote host timed out.
When I set smtp_pix_workarounds to delay_dotcrlf, the message was successfully delivered to that domain.
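The root cause in this thread is that Postfix's disable_esmtp PIX workaround makes the client send HELO instead of EHLO, so it never sees the STARTTLS capability in the remote's EHLO response and therefore never starts TLS, which a remote enforcing TLS rejects with "530 5.7.0 Must issue a STARTTLS command first". The following Python is an added example (not posted by anyone in this thread and not Zimbra or Postfix code) that turns the troubleshooting done above into a repeatable check: it correlates the "enabling PIX workarounds: disable_esmtp" log line with STARTTLS-required bounces to the same relay, and it computes a corrected smtp_pix_workarounds value that drops disable_esmtp while keeping delay_dotcrlf, as Mark suggested. The log lines are constructed to mirror the (redacted) lines posted above; hostnames, IPs and queue IDs are placeholders.

```python
import re

# Constructed sample of a Postfix log, modelled on the redacted lines in this thread.
# mx.example.com: disable_esmtp was applied, then the remote demanded STARTTLS -> misconfig.
# mx.example.org: same 530 bounce but no PIX workaround was applied -> some other TLS problem.
# The last line shows the same relay accepting mail after the workaround was removed.
SAMPLE_LOG = """\
Jan 24 10:19:15 smtp postfix/smtp[27760]: enabling PIX workarounds: disable_esmtp for mx.example.com[192.0.2.10]:25
Jan 24 10:19:16 smtp postfix/smtp[27760]: 6120319A03B0: to=<user@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=0.23, delays=0/0/0.22/0, dsn=5.0.0, status=bounced (host mx.example.com[192.0.2.10] refused to talk to me: 530 #5.7.0 Must issue a STARTTLS command first)
Jan 24 10:20:01 smtp postfix/smtp[27761]: 7A1B219A03C2: to=<other@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, delays=0.01/0/0.5/0.4, dsn=2.0.0, status=sent (250 ok: Message 12345 accepted)
Jan 24 10:21:00 smtp postfix/smtp[27762]: 9C2D119A03D4: to=<x@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=0.3, delays=0/0/0.2/0.1, dsn=5.0.0, status=bounced (host mx.example.org[203.0.113.5] refused to talk to me: 530 #5.7.0 Must issue a STARTTLS command first)
Jan 25 16:09:38 smtp postfix/smtp[26174]: 4BD0419A168D: to=<user@example.com>, relay=mx.example.com[192.0.2.10]:25, delay=1.7, delays=0.01/0.01/0.59/1.1, dsn=2.0.0, status=sent (250 ok:  Message 37959181 accepted)
"""

# "enabling PIX workarounds: <list> for <host>[<ip>]:<port>"
PIX_RE = re.compile(
    r"enabling PIX workarounds: (?P<workarounds>[\w,]+) for (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+"
)
# "<queue id>: to=<rcpt>, relay=<host>[<ip>]:<port>, ... status=<status> (<reason>)"
DELIVERY_RE = re.compile(
    r"(?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, relay=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+, "
    r".*status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
STARTTLS_REQUIRED = "Must issue a STARTTLS command first"


def find_disable_esmtp_bounces(log_text):
    """Return (relay_host, queue_id, recipient) for every bounce where the remote
    required STARTTLS and Postfix had applied disable_esmtp to that relay.

    With disable_esmtp Postfix speaks plain HELO, so the remote's STARTTLS
    capability is never seen and TLS is never negotiated. A 530 STARTTLS bounce
    to a relay that got no PIX workaround is deliberately not reported: that
    points at a different TLS problem (policy, certificate, cipher list).
    """
    pix_hosts = set()
    hits = []
    for line in log_text.splitlines():
        pix = PIX_RE.search(line)
        if pix:
            if "disable_esmtp" in pix.group("workarounds").split(","):
                pix_hosts.add(pix.group("host"))
            continue
        m = DELIVERY_RE.search(line)
        if not m or m.group("status") != "bounced":
            continue
        if STARTTLS_REQUIRED in m.group("reason") and m.group("host") in pix_hosts:
            hits.append((m.group("host"), m.group("qid"), m.group("rcpt")))
    return hits


def corrected_pix_workarounds(current):
    """Drop disable_esmtp from an smtp_pix_workarounds value, keeping the other
    entries (e.g. delay_dotcrlf) in their original order. The result is what you
    would pass to `postconf -e smtp_pix_workarounds=<value>`."""
    kept = [w for w in (x.strip() for x in current.split(",")) if w and w != "disable_esmtp"]
    return ",".join(kept)


if __name__ == "__main__":
    for host, qid, rcpt in find_disable_esmtp_bounces(SAMPLE_LOG):
        print(f"{qid}: bounce to {rcpt} via {host} explained by disable_esmtp PIX workaround")
    print("suggested value:", corrected_pix_workarounds("disable_esmtp,delay_dotcrlf"))
```

Run it against /var/log/zimbra.log (or mail.log) instead of SAMPLE_LOG to confirm the diagnosis before touching the configuration; a 530 STARTTLS bounce without a preceding PIX line for that relay should be investigated as a TLS policy or cipher issue rather than by editing smtp_pix_workarounds.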
