Hello all,
I'm having a unique problem.
I have a vendor that needs to connect to my hmailserver to relay using SSL/TLS via port 587 but is unable to connect. Basically the handshake fails.
It also fails in port 25 using STARTTLS required.
Here is my error in the logs:
TCPConnection - TLS/SSL handshake failed. Session Id: 261, Remote IP: xxx.xxx.xxx.xxx, Error code: 335544539, Message: short read
The error on their side is:
SOCKET_ERROR: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond ;cmd=
We have connected with no issues using plaintext SMTP.
I have also tested using a mail client from the outside and also using https://www.checktls.com/TestReceiver to test, with no issues.
This could be an issue with their smtp server but I want to research everything on my side.
Could this be an issue with the ciphers that are declared in the hmailserver by default?
Vendor cannot connect via SSL
Re: Vendor cannot connect via SSL
Winsock 10060 is a Timeout Error.
It simply means the TCP packet flow is disturbed and TCP RST retransmits have reached their threshold.
Check with ping and see if you have packet loss when pinging your TCP destination.
Re: Vendor cannot connect via SSL
I will have to open ICMP in the firewall and test.
Re: Vendor cannot connect via SSL
you should not have StartTLS Required for port 25
Port 25 should be StartTLS optional
This is a fault with the other end of the connection, in that their machine can't negotiate your SSL / StartTLS connections: either they don't support a TLS version that you require, or they don't have a suitable common cipher, OR the other machine doesn't do StartTLS.
If you need further help, run this and post the results back >> http://www.hmailserver.com/forum/viewto ... 20&t=30914
Also enable all logging, force the connection, wait for at least two minutes or until the connection is closed and include all logs created.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Vendor cannot connect via SSL
I have added the additional cipher that the vendor had and I was missing.
Still have the problem.
I'm using hMailServer for special cases to just relay mail with the password encrypted.
Here are my report and logs, as much as the app is giving.
Generated by HMSSettingsDiagnostics v1.95, Hmailserver Forum.
"DEBUG" 2404 "2019-02-13 12:02:49.145" "Creating session 3"
"TCPIP" 2404 "2019-02-13 12:02:49.145" "TCP - 18.208.xxx.xxx connected to 10.xx.xx.xxx:587."
"DEBUG" 2404 "2019-02-13 12:02:49.145" "TCP connection started for session 2"
"DEBUG" 2404 "2019-02-13 12:02:49.145" "Performing SSL/TLS handshake for session 2. Verify certificate: False"
"DEBUG" 2404 "2019-02-13 12:03:47.756" "Creating session 4"
"TCPIP" 2404 "2019-02-13 12:03:47.756" "TCP - 18.208.xxx.xxx connected to 10.xx.xx.xxx:587."
"DEBUG" 2404 "2019-02-13 12:03:47.756" "TCP connection started for session 3"
"DEBUG" 2404 "2019-02-13 12:03:47.756" "Performing SSL/TLS handshake for session 3. Verify certificate: False"
"TCPIP" 2404 "2019-02-13 12:07:50.046" "TCPConnection - TLS/SSL handshake failed. Session Id: 2, Remote IP: 18.208.xxx.xxx, Error code: 335544539, Message: short read"
"DEBUG" 2404 "2019-02-13 12:07:50.061" "Ending session 2"
2019-02-13 Hmailserver: 5.6.7-B2425
DOMAINS
"Domain1.com" - roxxxxxxxxxx Enabled: True
SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 0 Enabled: False
Max message size: 0 Plus addressing: False
Max size of accounts: 0
Greylisting: False
-----------------------------------------------------------------------------------------------
IP RANGES
IP: 18.208.xxx.xxx - 18.208.xxx.xxx Priority: 30 Name: ProEd
Allow connections Other
SMTP: True Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: True
Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - True External To External - True
IP: 10.XX.XX.XXX - 10.XX.XX.XXX Priority: 25 Name: testboxtools
Allow connections Other
SMTP: True Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: True
Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - True External To External - True
IP: 159.89.187.50 - 159.89.187.50 Priority: 20 Name: checktls
Allow connections Other
SMTP: True Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: True
Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - True External To External - True
IP: 204.XX.XX.XXX - 204.XX.XX.XXX Priority: 15 Name: ExternalTestSite
Allow connections Other
SMTP: True Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: True
Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - True External To External - True
IP: 10.XX.X.XXX - 10.XX.X.XXX Priority: 10 Name: MyComputer
Allow connections Other
SMTP: True Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: True
Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - True External To External - True
IP: 127.0.0.1 - 127.0.0.1 Priority: 5 Name: Localhost
Allow connections Other
SMTP: True Antispam : True !! 'Spam tests' not enabled !!
POP3: True !! Protocol DISABLED !! Antivirus: True !! ANTIVIRUS NOT CONFIGURED !!
IMAP: True !! Protocol DISABLED !! SSL/TLS: False
Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True
------------------------------------------------------
AUTOBANNED Local Addresses:
No entries
-----------------------------------------------------------------------------------------------
AUTOBAN
Autoban Enabled: True Max invalid logon attempts: 3
Minutes Before Reset: 30 (0.50 hours, 0.02 days)
Minutes to Autoban: 60 (1.00 hours, 0.04 days)
No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------
INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------
MIRRORING Disabled
-----------------------------------------------------------------------------------------------
PROTOCOLS
SMTP
GENERAL DELIVERY RFC COMPLIANCE ADVANCED
No. Connections: 0 No Retries: 10 Mins: 30 Plain Text: False Bind:
Host: EXTERNAL.TLD Empty sender: True Batch recipients: 100
Max Msg Size: 20480 Relay:- Incorrect endings: True Use STARTTLS: True
EXTERNAL.TLD (ok) Disc. on invalid: False Delivered-To hdr: False
Port: 25 Loop limit: 5
Req Auth: False Recipient hosts: 15
Con. Sec.: None
Routes:
No routes defined.
POP3
!! Service Not Enabled !!
IMAP
!! Service Not Enabled !!
-----------------------------------------------------------------------------------------------
ANTISPAM
GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: False Use Spamassassin: False
Add X-HmailServer-Spam: True Check HELO host: False
Add X-HmailServer-Reason: True Check MX records: False
Add X-HmailServer-Subject: False Verify DKIM: False
Spam delete threshold: 20 Maximum message size: 1024
DNSBL ENTRIES:
No 'enabled' entries
SURBL ENTRIES:
No 'enabled' entries
GREYLISTING:
Greylisting: False
WHITELISTING
No entries
-----------------------------------------------------------------------------------------------
ANTIVIRUS: No application configured.
Block Attachments: False
-----------------------------------------------------------------------------------------------
SSL CERTIFICATES
eforwarder
Certificate: d:\certs\eforwarder.crt
Private key: d:\certs\eforwarder.key
-----------------------------------------------------------------------------------------------
SSL/TLS
SSL 3.0 : True
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: False
SslCipherList :
TLS_ECDHE_ECDSA_WITH_AES_256_GCM- TLS_ECDHE_ECDSA_WITH_AES_128_GCM- TLS_ECDHE_RSA_WITH_AES_256_GCM_S
TLS_ECDHE_RSA_WITH_AES_128_GCM_S- TLS_DHE_RSA_WITH_AES_256_GCM_SHA- TLS_DHE_RSA_WITH_AES_128_GCM_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC- TLS_ECDHE_ECDSA_WITH_AES_128_CBC- TLS_ECDHE_RSA_WITH_AES_256_CBC_S
TLS_ECDHE_RSA_WITH_AES_128_CBC_S- TLS_ECDHE_ECDSA_WITH_AES_256_CBC- TLS_ECDHE_ECDSA_WITH_AES_128_CBC
TLS_ECDHE_RSA_WITH_AES_256_CBC_S- TLS_ECDHE_RSA_WITH_AES_128_CBC_S- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA- TLS_RSA_WITH_AES_256_GCM_SHA384 - TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 - TLS_RSA_WITH_AES_128_CBC_SHA256 - TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA - TLS_RSA_WITH_3DES_EDE_CBC_SHA - TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA- TLS_DHE_DSS_WITH_AES_256_CBC_SHA- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SH- TLS_RSA_WITH_RC4_128_SHA - TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_NULL_SHA256 - TLS_RSA_WITH_NULL_SHA - ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384 - ECDHE-ECDSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256 - kEDH+AESGCM
ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA - ECDHE-ECDSA-AES256-SHA - DHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA - DHE-DSS-AES128-SHA256 - DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA - DHE-RSA-AES256-SHA - AES128-GCM-SHA256
AES256-GCM-SHA384 - ECDHE-RSA-RC4-SHA - ECDHE-ECDSA-RC4-SHA
AES128 - AES256 - RC4-SHA
HIGH - !aNULL - !eNULL
!EXPORT - !DES - !3DES
!MD5 - !PSK;
-----------------------------------------------------------------------------------------------
TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - None
0.0.0.0 / 587 / SMTP - SSL/TLS Cert: eforwarder
-----------------------------------------------------------------------------------------------
LOGGING Logging Enabled: True
Paths:-
Current: D:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-02-13.log
Error: D:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-02-13.log - !! ERRORS PRESENT !!
Event: D:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
Awstats: D:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
APPLICATION - True
SMTP - True
POP3 - .
IMAP - .
TCPIP - True
DEBUG - True
AWSTATS - True
-----------------------------------------------------------------------------------------------
SYSTEM TESTS
Database type: MSSQL Compact
IPv6 support is available in operating system.
ERROR: Backup directory has not been specified.
Relative message paths are stored in the database for all messages.
-----------------------------------------------------------------------------------------------
HMAILSERVER.INI
[Directories]
Program folder: D:\Program Files (x86)\hMailServer\
Database folder: D:\Program Files (x86)\hMailServer\Database
Data folder: D:\Program Files (x86)\hMailServer\Data
Log folder: D:\Program Files (x86)\hMailServer\Logs
Temp folder: D:\Program Files (x86)\hMailServer\Temp
Event folder: D:\Program Files (x86)\hMailServer\Events
[Database]
Type= MSSQLCE
Username=
PasswordEncryption=1
Port= 0
Server=
Internal= 1
-----------------------------------------------------------------------------------------------
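The TCPIP/DEBUG lines above carry the one detail worth extracting before blaming ciphers: session 2 started its handshake at 12:02:49 and only failed at 12:07:50, five minutes later, with "short read". A short read that late means the remote end held the socket open and then closed it without ever completing a TLS handshake; a peer that disagreed about versions or ciphers would normally fail within the first round trip. A long silence followed by a short read on a listener configured as SSL/TLS (implicit TLS) is consistent with a client that was itself waiting for a plaintext 220 banner before issuing STARTTLS, which would also explain the vendor's 10060 timeout, but that reading has to be confirmed from the client's own logs. The script below is an added example, not code from the poster or from hMailServer: it parses log lines in this format, pairs each "Performing SSL/TLS handshake" with its failure line by session id, and labels the result for triage. The sample input is constructed from the lines quoted in this post (addresses masked as in the post), and the 30-second silence threshold is an assumption.

```python
import re
from datetime import datetime

# Constructed sample input: the hMailServer log lines quoted in the post above,
# with the same masked addresses. Not a live capture.
SAMPLE_LOG = """\
"DEBUG" 2404 "2019-02-13 12:02:49.145" "Creating session 3"
"TCPIP" 2404 "2019-02-13 12:02:49.145" "TCP - 18.208.xxx.xxx connected to 10.xx.xx.xxx:587."
"DEBUG" 2404 "2019-02-13 12:02:49.145" "TCP connection started for session 2"
"DEBUG" 2404 "2019-02-13 12:02:49.145" "Performing SSL/TLS handshake for session 2. Verify certificate: False"
"DEBUG" 2404 "2019-02-13 12:03:47.756" "Creating session 4"
"TCPIP" 2404 "2019-02-13 12:03:47.756" "TCP - 18.208.xxx.xxx connected to 10.xx.xx.xxx:587."
"DEBUG" 2404 "2019-02-13 12:03:47.756" "TCP connection started for session 3"
"DEBUG" 2404 "2019-02-13 12:03:47.756" "Performing SSL/TLS handshake for session 3. Verify certificate: False"
"TCPIP" 2404 "2019-02-13 12:07:50.046" "TCPConnection - TLS/SSL handshake failed. Session Id: 2, Remote IP: 18.208.xxx.xxx, Error code: 335544539, Message: short read"
"DEBUG" 2404 "2019-02-13 12:07:50.061" "Ending session 2"
"""

# One hMailServer log line: "<facility>" <pid> "<timestamp>" "<message>"
LINE_RE = re.compile(r'^"(\w+)"\s+(\d+)\s+"([^"]+)"\s+"(.*)"$')
START_RE = re.compile(r"Performing SSL/TLS handshake for session (\d+)")
FAIL_RE = re.compile(
    r"TLS/SSL handshake failed\. Session Id: (\d+), Remote IP: (\S+), "
    r"Error code: (\d+), Message: (.*)$"
)

# Silence longer than this before a "short read" means the peer sat on an open
# socket without ever finishing a TLS handshake. The value is an assumption.
SILENT_AFTER_S = 30.0


def parse_line(line):
    """Return (facility, timestamp, message), or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    facility, _pid, ts, msg = m.groups()
    return facility, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), msg


def _new_record():
    return {"started": None, "failed": None, "remote_ip": None,
            "error_code": None, "message": None, "duration_s": None}


def analyze_handshakes(log_text):
    """Pair each handshake start with its failure line, keyed by hMailServer session id."""
    sessions = {}
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _facility, ts, msg = parsed
        if m := START_RE.search(msg):
            rec = sessions.setdefault(int(m.group(1)), _new_record())
            rec["started"] = ts
        elif m := FAIL_RE.search(msg):
            rec = sessions.setdefault(int(m.group(1)), _new_record())
            rec.update(failed=ts, remote_ip=m.group(2),
                       error_code=int(m.group(3)), message=m.group(4))
            if rec["started"] is not None:
                rec["duration_s"] = (ts - rec["started"]).total_seconds()
    return sessions


def classify(rec, silent_after_s=SILENT_AFTER_S):
    """Label one session record for triage."""
    if rec["failed"] is None:
        return "PENDING"                 # no failure line yet: still waiting, or log cut off
    if rec["message"] == "short read":
        if rec["duration_s"] is not None and rec["duration_s"] >= silent_after_s:
            return "SHORT_READ_SILENT"   # peer held the socket open, then closed without TLS
        return "SHORT_READ_FAST"         # peer closed almost at once (probe, reset, scanner)
    return "OTHER"                       # version/cipher/certificate errors land here


def triage(log_text, silent_after_s=SILENT_AFTER_S):
    """Return {session_id: label} for every handshake seen in the log."""
    return {sid: classify(rec, silent_after_s)
            for sid, rec in analyze_handshakes(log_text).items()}


if __name__ == "__main__":
    for sid, rec in sorted(analyze_handshakes(SAMPLE_LOG).items()):
        print(sid, classify(rec), rec["remote_ip"], rec["duration_s"], rec["message"])
```

Run it against a real hmailserver_YYYY-MM-DD.log by passing the file contents to `triage()`; a cluster of SHORT_READ_SILENT results from one remote address is the pattern to raise with that sender, while OTHER results are where the cipher and protocol-version settings deserve attention.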
Re: Vendor cannot connect via SSL
So this started to work using StartTLS optional, but wouldn't that downgrade to standard plain text if it fails?
Should I be using port 465 with SSL only?
Re: Vendor cannot connect via SSL
Yes.
And that's completely OK for port 25.
If this were not the case then all unencrypted arriving emails would be dropped, with or without notification of the sender.
That's a completely different debate.
Should I be using port 465 with SSL only?
465 as well as 587 SMTP is for sending emails from your Outlook or Thunderbird app to hMailServer, while port 25 is for mailserver-to-mailserver communication.
Re: Vendor cannot connect via SSL
However the 'standard' is that port 587 is StartTLS required, and that port 465 (where used) is SSL
The difference being
SSL negotiates the security of the connection in the first instance immediately when trying to connect
StartTLS makes the connection, and then sets the security before any usernames or passwords are exchanged
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
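The two posts above describe the difference between implicit SSL (secure first, then talk) and StartTLS (talk first, secure before credentials), and the earlier question asks whether "StartTLS optional" downgrades to plain text. The toy state machine below is an added example, not hMailServer code and not a description of how hMailServer decides these things; it does no real cryptography, the line `<TLS ClientHello>` stands in for a completed handshake, `mail.example.test` is a placeholder hostname, and the rule that AUTH is refused until TLS is up is a policy choice in the model. It shows the three behaviours side by side: a StartTLS-style client on an implicit-TLS port gets no banner and the handshake fails; under StartTLS required, nothing but EHLO and STARTTLS is accepted in the clear; under StartTLS optional, an unencrypted session can still carry mail, which is what "optional" means in practice, but a password can still be refused until the session is encrypted.

```python
# Toy model of three SMTP listener TLS policies. Added example only: not
# hMailServer code; "<TLS ClientHello>" stands in for a real TLS handshake.

CLIENT_HELLO = "<TLS ClientHello>"
HOSTNAME = "mail.example.test"   # placeholder, not a host from the thread
NEED_TLS = "530 5.7.0 Must issue a STARTTLS command first"


class SmtpListener:
    """State machine for one SMTP session under a given TLS policy."""

    MODES = ("implicit_tls", "starttls_required", "starttls_optional")

    def __init__(self, mode):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.tls = False            # True once the (simulated) handshake has completed
        self.authenticated = False

    def greeting(self):
        # Implicit TLS (port 465, or a 587 listener set to SSL/TLS): the server sends
        # nothing until the handshake is done. A client that waits for a 220 banner
        # before speaking therefore waits forever, and so does the server.
        if self.mode == "implicit_tls" and not self.tls:
            return None
        return f"220 {HOSTNAME} ESMTP ready"

    def feed(self, line):
        """Process one client line and return the server's reply."""
        if line == CLIENT_HELLO:
            self.tls = True
            self.authenticated = False      # RFC 3207: state is reset, client must EHLO again
            return self.greeting() if self.mode == "implicit_tls" else "<TLS established>"
        if self.mode == "implicit_tls" and not self.tls:
            # Plaintext SMTP where a ClientHello was expected: the TLS layer gives up.
            return "<handshake failed>"
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            lines = [f"250-{HOSTNAME}"]
            if self.tls:
                lines.append("250-AUTH PLAIN LOGIN")   # credentials only offered under TLS
            else:
                lines.append("250-STARTTLS")
            lines.append("250 SIZE 20971520")
            return "\r\n".join(lines)
        if verb == "STARTTLS":
            return "503 5.5.1 TLS already active" if self.tls else "220 2.0.0 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return NEED_TLS                 # never accept a password in the clear
            self.authenticated = True
            return "235 2.7.0 Authentication successful"
        if verb in ("MAIL", "RCPT", "DATA"):
            if self.mode == "starttls_required" and not self.tls:
                return NEED_TLS                 # "required": no mail flow without TLS
            return "250 2.1.0 OK"               # "optional": plaintext sessions carry mail
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def run_session(mode, client_lines):
    """Drive one session; returns [greeting, reply to line 1, reply to line 2, ...]."""
    srv = SmtpListener(mode)
    replies = [srv.greeting()]
    for line in client_lines:
        replies.append(srv.feed(line))
    return replies


if __name__ == "__main__":
    # A StartTLS-style client (talks first) meeting an implicit-TLS port.
    print(run_session("implicit_tls", ["EHLO vendor.example"]))
    # The same client on a StartTLS listener, authenticating only after the upgrade.
    print(run_session("starttls_required", ["EHLO vendor.example", "AUTH PLAIN xxxx",
                                            "STARTTLS", CLIENT_HELLO,
                                            "EHLO vendor.example", "AUTH PLAIN xxxx"]))
```

The practical reading for the thread: when a sender times out against a port whose connection security is SSL/TLS, check whether the sender expects a banner first (StartTLS) rather than starting with a handshake, and keep credential exchange gated on TLS regardless of whether the listener is "required" or "optional".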