Vendor cannot connect via SSL

wankel
New user
Posts: 5
Joined: 2019-01-27 15:44

Vendor cannot connect via SSL

Post by wankel » 2019-02-12 18:21

Hello all,
I'm having a unique problem.
I have a vendor that needs to connect to my hmailserver to relay using SSL/TLS via port 587 but is unable to connect. Basically the hand shake fails.
It also fails in port 25 using STARTTLS required.

Here is my error in the logs..
TCPConnection - TLS/SSL handshake failed. Session Id: 261, Remote IP: xxx.xxx.xxx.xxx, Error code: 335544539, Message: short read

The error on their side is:
SOCKET_ERROR: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond ;cmd=


We have connected with no issues using plaintext SMTP.

I have also tested using a mail client from the outside and also using https://www.checktls.com/TestReceiver to test and no issues.

This could be an issue with their smtp server but I want to research everything on my side.

Could this be an issue with the ciphers that are declared in the hmailserver by default?

Dravion
Senior user
Posts: 1333
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: Vendor cannot connect via SSL

Post by Dravion » 2019-02-12 18:31

Winsock 10060 is a timeout error.

It simply means the TCP packet flow is disturbed and TCP RST retransmits have reached their threshold.

Check with ping and see if you have packet loss when pinging your TCP destination.
64-Bit builds of hMailserver

hMailServer-5.6.+ (HCD) https://github.com/hMailServer-ComDevs/hmailserver
hMailServer-5.6.+ (LTS) https://github.com/Dravion/hMailServer/releases

wankel
New user
Posts: 5
Joined: 2019-01-27 15:44

Re: Vendor cannot connect via SSL

Post by wankel » 2019-02-12 19:37

I will have to open ICMP in the firewall and test..

mattg
Moderator
Posts: 19810
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Vendor cannot connect via SSL

Post by mattg » 2019-02-12 22:11

You should not have StartTLS Required for port 25.

Port 25 should be StartTLS optional

This is a fault with the other end of the connection, in that their machine can't negotiate your SSL / StartTLS connections: either they don't support a TLS version that you require, or they don't have a suitable common cipher, OR the other machine doesn't do StartTLS.

If you need further help Run this and post the results back >> http://www.hmailserver.com/forum/viewto ... 20&t=30914

Also enable all logging, force the connection, wait for at least two minutes or until the connection is closed and include all logs created
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

wankel
New user
Posts: 5
Joined: 2019-01-27 15:44

Re: Vendor cannot connect via SSL

Post by wankel » 2019-02-13 19:24

I have added the additional cipher that the vendor had and I was missing.
Still have the problem.

I'm using hMailServer for special cases to just relay mail with the password encrypted.

Here are my report logs, as much as the app is giving.

Code:

"DEBUG"	2404	"2019-02-13 12:02:49.145"	"Creating session 3"
"TCPIP"	2404	"2019-02-13 12:02:49.145"	"TCP - 18.208.xxx.xxx connected to 10.xx.xx.xxx:587."
"DEBUG"	2404	"2019-02-13 12:02:49.145"	"TCP connection started for session 2"
"DEBUG"	2404	"2019-02-13 12:02:49.145"	"Performing SSL/TLS handshake for session 2. Verify certificate: False"
"DEBUG"	2404	"2019-02-13 12:03:47.756"	"Creating session 4"
"TCPIP"	2404	"2019-02-13 12:03:47.756"	"TCP - 18.208.xxx.xxx connected to 10.xx.xx.xxx:587."
"DEBUG"	2404	"2019-02-13 12:03:47.756"	"TCP connection started for session 3"
"DEBUG"	2404	"2019-02-13 12:03:47.756"	"Performing SSL/TLS handshake for session 3. Verify certificate: False"
"TCPIP"	2404	"2019-02-13 12:07:50.046"	"TCPConnection - TLS/SSL handshake failed. Session Id: 2, Remote IP: 18.208.xxx.xxx, Error code: 335544539, Message: short read"
"DEBUG"	2404	"2019-02-13 12:07:50.061"	"Ending session 2"

Here is my report:

Code:

2019-02-13   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - roxxxxxxxxxx                   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 18.208.xxx.xxx - 18.208.xxx.xxx     Priority: 30     Name: ProEd

  Allow connections                         Other
     SMTP:   True                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       - False           
     Local To External    - False           
     External To Local    - False    
     External To External -  True              External To External -  True


IP: 10.XX.XX.XXX - 10.XX.XX.XXX     Priority: 25     Name: testboxtools

  Allow connections                         Other
     SMTP:   True                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       - False           
     Local To External    - False           
     External To Local    - False    
     External To External -  True              External To External -  True


IP: 159.89.187.50 - 159.89.187.50     Priority: 20     Name: checktls

  Allow connections                         Other
     SMTP:   True                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       - False           
     Local To External    - False           
     External To Local    - False    
     External To External -  True              External To External -  True


IP: 204.XX.XX.XXX - 204.XX.XX.XXX     Priority: 15     Name: ExternalTestSite

  Allow connections                         Other
     SMTP:   True                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       - False           
     Local To External    - False           
     External To Local    - False    
     External To External -  True              External To External -  True


IP: 10.XX.X.XXX - 10.XX.X.XXX     Priority: 10     Name: MyComputer

  Allow connections                         Other
     SMTP:   True                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       - False           
     Local To External    - False           
     External To Local    - False    
     External To External -  True              External To External -  True


IP: 127.0.0.1 - 127.0.0.1     Priority: 5     Name: Localhost

  Allow connections                         Other
     SMTP:   True                              Antispam :   True !! 'Spam tests' not enabled !!
     POP3:   True !! Protocol DISABLED !!      Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True !! Protocol DISABLED !!      SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      3
                              Minutes Before Reset:           30  (0.50 hours, 0.02 days)
                              Minutes to Autoban:             60  (1.00 hours, 0.04 days)

No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries: 10 Mins: 30   Plain Text:        False  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:   100
Max Msg Size: 20480  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                      EXTERNAL.TLD  (ok)       Disc. on invalid:  False  Delivered-To hdr: False
                     Port:  25                                           Loop limit:           5
                     Req Auth: False                                     Recipient hosts:     15
                     Con. Sec.: None
  Routes:
     No routes defined.

POP3
 !! Service Not Enabled !!

IMAP
 !! Service Not Enabled !!
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:           False        Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:   False    
  Add X-HmailServer-Reason:   True    Check MX records:  False    
  Add X-HmailServer-Subject: False    Verify DKIM:       False    

  Spam delete threshold: 20         Maximum message size: 1024

DNSBL ENTRIES:
   No 'enabled' entries

SURBL ENTRIES:
   No 'enabled' entries

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   eforwarder
       Certificate: d:\certs\eforwarder.crt
       Private key: d:\certs\eforwarder.key
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :   True
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:  False
SslCipherList  :

TLS_ECDHE_ECDSA_WITH_AES_256_GCM- TLS_ECDHE_ECDSA_WITH_AES_128_GCM- TLS_ECDHE_RSA_WITH_AES_256_GCM_S
TLS_ECDHE_RSA_WITH_AES_128_GCM_S- TLS_DHE_RSA_WITH_AES_256_GCM_SHA- TLS_DHE_RSA_WITH_AES_128_GCM_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC- TLS_ECDHE_ECDSA_WITH_AES_128_CBC- TLS_ECDHE_RSA_WITH_AES_256_CBC_S
TLS_ECDHE_RSA_WITH_AES_128_CBC_S- TLS_ECDHE_ECDSA_WITH_AES_256_CBC- TLS_ECDHE_ECDSA_WITH_AES_128_CBC
TLS_ECDHE_RSA_WITH_AES_256_CBC_S- TLS_ECDHE_RSA_WITH_AES_128_CBC_S- TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA- TLS_RSA_WITH_AES_256_GCM_SHA384 - TLS_RSA_WITH_AES_128_GCM_SHA256 
TLS_RSA_WITH_AES_256_CBC_SHA256 - TLS_RSA_WITH_AES_128_CBC_SHA256 - TLS_RSA_WITH_AES_256_CBC_SHA    
TLS_RSA_WITH_AES_128_CBC_SHA    - TLS_RSA_WITH_3DES_EDE_CBC_SHA   - TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA- TLS_DHE_DSS_WITH_AES_256_CBC_SHA- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SH- TLS_RSA_WITH_RC4_128_SHA        - TLS_RSA_WITH_RC4_128_MD5        
TLS_RSA_WITH_NULL_SHA256        - TLS_RSA_WITH_NULL_SHA           - ECDHE-RSA-AES128-GCM-SHA256     
ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     - ECDHE-ECDSA-AES256-GCM-SHA384   
DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       - kEDH+AESGCM                     
ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       - ECDHE-RSA-AES128-SHA            
ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         - ECDHE-ECDSA-AES256-SHA384       
ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          - DHE-RSA-AES128-SHA256           
DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           - DHE-RSA-AES256-SHA256           
DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              - AES128-GCM-SHA256               
AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               - ECDHE-ECDSA-RC4-SHA             
AES128                          - AES256                          - RC4-SHA                         
HIGH                            - !aNULL                          - !eNULL                          
!EXPORT                         - !DES                            - !3DES                           
!MD5                            - !PSK;                                                    
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   None                
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 143   / IMAP   -   None                
               0.0.0.0         / 587   / SMTP   -   SSL/TLS             Cert: eforwarder
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  D:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-02-13.log
    Error:    D:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-02-13.log - !! ERRORS PRESENT !!
    Event:    D:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  D:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -      .
                        IMAP        -      .
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -    True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

ERROR: Backup directory has not been specified.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  D:\Program Files (x86)\hMailServer\
Database folder: D:\Program Files (x86)\hMailServer\Database
Data folder:     D:\Program Files (x86)\hMailServer\Data
Log folder:      D:\Program Files (x86)\hMailServer\Logs
Temp folder:     D:\Program Files (x86)\hMailServer\Temp
Event folder:    D:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQLCE
Username=           
PasswordEncryption=1
Port=              0
Server=             
Internal=          1
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.95, Hmailserver Forum.

wankel
New user
Posts: 5
Joined: 2019-01-27 15:44

Re: Vendor cannot connect via SSL

Post by wankel » 2019-02-13 19:34

So this started to work using StartTLS optional, but wouldn't that downgrade to standard plain text if it fails?

Should I be using port 465 with SSL only?

Dravion
Senior user
Posts: 1333
Joined: 2015-09-26 11:50
Location: Germany
Contact:

Re: Vendor cannot connect via SSL

Post by Dravion » 2019-02-13 20:35

wankel wrote:
2019-02-13 19:34
So this started to work using StartTLS optional, but wouldn't that downgrade to standard plain text if it fails?
Yes.
And that's completely OK for port 25.
If this were not the case, then all unencrypted arriving emails would be dropped, with or without notification of the sender.
Should I be using port 465 with SSL only?
That's a completely different debate.

465 as well as 587 SMTP is for sending emails from your Outlook or Thunderbird app to hMailServer, while port 25 is for mailserver-to-mailserver communication.
64-Bit builds of hMailserver

hMailServer-5.6.+ (HCD) https://github.com/hMailServer-ComDevs/hmailserver
hMailServer-5.6.+ (LTS) https://github.com/Dravion/hMailServer/releases

mattg
Moderator
Posts: 19810
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Vendor cannot connect via SSL

Post by mattg » 2019-02-13 23:24

However, the 'standard' is that port 587 is StartTLS required, and that port 465 (where used) is SSL.

The difference being:
SSL negotiates the security of the connection in the first instance, immediately when trying to connect.
StartTLS makes the connection, and then sets the security before any usernames or passwords are exchanged.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
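mattg's checklist (no common TLS version, no common cipher, or no STARTTLS at all) and the implicit-TLS versus StartTLS distinction in his last reply can be exercised from the vendor's side of the connection with the probe below. It is an added example, not hMailServer's or checktls's code; it assumes Python 3.10+, takes the host, port and mode (implicit or starttls) from the command line, never sends credentials, and refuses to continue in plaintext when STARTTLS is expected.

```python
import smtplib
import ssl

VERSIONS = {
    "TLS1.0": ssl.TLSVersion.TLSv1,
    "TLS1.1": ssl.TLSVersion.TLSv1_1,
    "TLS1.2": ssl.TLSVersion.TLSv1_2,
    "TLS1.3": ssl.TLSVersion.TLSv1_3,
}


def build_context(version):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we probe the handshake, not the certificate chain
    ctx.minimum_version = ctx.maximum_version = version  # offer exactly one protocol version
    return ctx


def diagnose(exc):
    text = str(exc).upper()
    if isinstance(exc, TimeoutError):
        return "timeout: no TLS traffic flowed (network/firewall); the other side sees Winsock 10060"
    if isinstance(exc, ssl.SSLEOFError) or "EOF" in text:
        return "peer closed the TCP connection mid-handshake (hMailServer logs this as 'short read')"
    if "PROTOCOL" in text or "VERSION" in text:
        return "no common TLS version (or this client cannot offer it)"
    if "HANDSHAKE_FAILURE" in text or "CIPHER" in text:
        return "no common cipher suite"
    return f"{type(exc).__name__}: {exc}"


def probe(host, port, mode, name, timeout=10.0):
    """'implicit' wraps TLS before any SMTP byte (465 style); 'starttls' does EHLO + STARTTLS (25/587 style), never continuing in plaintext."""
    try:
        ctx = build_context(VERSIONS[name])
        if mode == "implicit":
            smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        else:
            smtp = smtplib.SMTP(host, port, timeout=timeout)
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                raise smtplib.SMTPNotSupportedError("STARTTLS not advertised")
            smtp.starttls(context=ctx)
        result = f"{name}: ok, negotiated {smtp.sock.version()} {smtp.sock.cipher()[0]}"
        smtp.close()  # plain socket close, no QUIT, so nothing can mask a handshake error
        return result
    except Exception as exc:  # includes ValueError when the local OpenSSL cannot offer this version
        return f"{name}: failed, {diagnose(exc)}"


if __name__ == "__main__":  # usage: python probe.py mail.example.test 587 starttls  (host is assumed)
    import sys
    print(*(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3], n) for n in VERSIONS), sep="\n")
```

Run it once per listener (25 or 587 with starttls, 465 with implicit) from a host the vendor's traffic also traverses: a version that says ok beside one that fails narrows the mismatch, while a timeout on every version points at the network rather than at TLS.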
