<div dir="ltr">No, the <a href="http://smtp.setarnet.aw">smtp.setarnet.aw</a> is the server that is not accepting the TLS handshake.<div><br></div><div>Ok, from your info, it seems that the server is only connecting to 25 and failing. Is there a way to make it check port 25, and then port 587?<br><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 14, 2020 at 11:41 AM Michael Stauber <<a href="mailto:mstauber@blueonyx.it">mstauber@blueonyx.it</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Gregg,<br>
<br>
> I managed to bypass the issue by adding <br>
> Try_TLS:<a href="http://server.com" rel="noreferrer" target="_blank">server.com</a> NO to the send mail access config. It’s a fix but I<br>
> don’t like doing it that way. <br>
<br>
The <a href="http://smtp.setarnet.aw" rel="noreferrer" target="_blank">smtp.setarnet.aw</a> isn't one of your boxes, right?<br>
<br>
> openssl s_client -starttls smtp -connect <a href="http://smtp.setarnet.aw:25" rel="noreferrer" target="_blank">smtp.setarnet.aw:25</a><br>
<br>
That doesn't work for me:<br>
<br>
--------------------------------------------------------------------<br>
$ openssl s_client -starttls smtp -connect <a href="http://smtp.setarnet.aw:25" rel="noreferrer" target="_blank">smtp.setarnet.aw:25</a><br>
CONNECTED(00000005)<br>
Didn't find STARTTLS in server response, trying anyway...<br>
write:errno=32<br>
---<br>
no peer certificate available<br>
---<br>
No client certificate CA names sent<br>
---<br>
SSL handshake has read 0 bytes and written 0 bytes<br>
Verification: OK<br>
--------------------------------------------------------------------<br>
<br>
That port 25 over there doesn't have a certificate set up. So let's try<br>
port 587:<br>
<br>
--------------------------------------------------------------------<br>
$ openssl s_client -starttls smtp -connect <a href="http://smtp.setarnet.aw:587" rel="noreferrer" target="_blank">smtp.setarnet.aw:587</a><br>
CONNECTED(00000005)<br>
<br>
depth=2 C = US, O = DigiCert Inc, OU = <a href="http://www.digicert.com" rel="noreferrer" target="_blank">www.digicert.com</a>, CN = DigiCert<br>
Global Root CA<br>
verify return:1<br>
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA<br>
verify return:1<br>
depth=0 C = AW, L = Oranjestad, O = SERVICIO DI TELECOMUNICACION DI<br>
ARUBA (SETAR) N.V., CN = *.<a href="http://setarnet.aw" rel="noreferrer" target="_blank">setarnet.aw</a><br>
verify return:1<br>
---<br>
Certificate chain<br>
 0 s:C = AW, L = Oranjestad, O = SERVICIO DI TELECOMUNICACION DI ARUBA<br>
(SETAR) N.V., CN = *.<a href="http://setarnet.aw" rel="noreferrer" target="_blank">setarnet.aw</a><br>
   i:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA<br>
 1 s:C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA<br>
   i:C = US, O = DigiCert Inc, OU = <a href="http://www.digicert.com" rel="noreferrer" target="_blank">www.digicert.com</a>, CN = DigiCert<br>
Global Root CA<br>
---<br>
Server certificate<br>
subject=C = AW, L = Oranjestad, O = SERVICIO DI TELECOMUNICACION DI<br>
ARUBA (SETAR) N.V., CN = *.<a href="http://setarnet.aw" rel="noreferrer" target="_blank">setarnet.aw</a><br>
<br>
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA<br>
<br>
---<br>
No client certificate CA names sent<br>
Peer signing digest: SHA512<br>
Peer signature type: RSA<br>
Server Temp Key: DH, 2048 bits<br>
---<br>
SSL handshake has read 4207 bytes and written 669 bytes<br>
Verification: OK<br>
---<br>
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384<br>
Server public key is 2048 bit<br>
Secure Renegotiation IS supported<br>
Compression: NONE<br>
Expansion: NONE<br>
No ALPN negotiated<br>
SSL-Session:<br>
    Protocol  : TLSv1.2<br>
    Cipher    : DHE-RSA-AES256-GCM-SHA384<br>
    Session-ID:<br>
43145F1B6E89EF51D1D14A3E45567BBCE74A0CA356544DA6632B2BA7D9A2204F<br>
    Session-ID-ctx:<br>
    Master-Key:<br>
D8BC4F2F59B70E7F23AC72EDCB940EA74D3F74CE8BDDC94E299C7199B5E6F80587C11303CA9D533041D20B0778229014<br>
    PSK identity: None<br>
    PSK identity hint: None<br>
    SRP username: None<br>
    TLS session ticket lifetime hint: 300 (seconds)<br>
[...]<br>
---<br>
250 AUTH=PLAIN LOGIN<br>
--------------------------------------------------------------------<br>
<br>
That looks better. TLSv1.2 and DHE-RSA-AES256-GCM-SHA384 are also<br>
something that any Sendmail or Postfix on BlueOnyx will be able to talk to.<br>
<br>
However, the MTA on <a href="http://smtp.setarnet.aw" rel="noreferrer" target="_blank">smtp.setarnet.aw</a> is *clearly* misconfigured, because<br>
even if TLS works on port 587, it *also* should work on port 25. But<br>
they don't have a certificate configured for that.<br>
<br>
-- <br>
With best regards<br>
<br>
Michael Stauber<br>
_______________________________________________<br>
Blueonyx mailing list<br>
<a href="mailto:Blueonyx@mail.blueonyx.it" target="_blank">Blueonyx@mail.blueonyx.it</a><br>
<a href="http://mail.blueonyx.it/mailman/listinfo/blueonyx" rel="noreferrer" target="_blank">http://mail.blueonyx.it/mailman/listinfo/blueonyx</a><br>
</blockquote></div>