Openssl s_client -connect myhostname.com:465 -tls1_2

SYSTEM INFORMATION
OS type and version: Ubuntu 22
Webmin version: 2.111
Virtualmin version: 7.10.0
Related packages: php.8.0

Hi everyone. I’m trying to receive emails on port 465 as it seems port 485 is blocked.

Here’s my master.cf:

```
465 inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=no
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2,TLSv1.3
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2,TLSv1.3
```
and here’s my main.cf:

```
# Restrictions
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
header_size_limit = 4096000
recipient_delimiter = +
```

I’m getting this error when I try to test inbound email using `# openssl s_client -connect myhostname.com:465 -tls1_2`:

```
RENEGOTIATING
80DBF5ADAA780000:error:0A000153:SSL routines:ssl3_read_bytes:no renegotiation:…/ssl/record/rec_layer_s3.c:1600:
```

Email testing fails here before completing:

```
EHLO localhost
MAIL FROM:your-email@example.com
RCPT TO:recipient-email@example.com
DATA
Subject: Test Email

This is a test email.
.
QUIT
```

Could you kindly advise which settings may be causing this TLS handshake renegotiation failure?

Kind Regards,

Gerald.
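As an added example, not code from this thread or from Virtualmin: a small Python lint that parses a master.cf fragment (the constructed sample is built from the 465 listener posted above) and reports, for each inet smtpd listener, whether it speaks implicit TLS or STARTTLS and whether a sender outside mynetworks could ever be accepted. The option semantics (wrapper mode, SASL default off, a restriction list ending in `reject`) are Postfix’s own; the finding strings are this script’s.

```python
"""Lint a Postfix master.cf fragment for inbound-mail problems (added example):
per inet smtpd listener, implicit TLS vs STARTTLS and whether outside senders can deliver."""

# Constructed sample built from the 465 listener posted in the thread.
MASTER_CF = """\
465 inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=no
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_tls_security_level=encrypt
"""

def parse_master_cf(text):
    """Return one dict per service: name, type, command and its -o overrides."""
    services = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():                  # indented "-o key=value" continuation
            parts = line.split(None, 1)
            if services and parts[0] == "-o" and len(parts) == 2:
                key, _, value = parts[1].strip().partition("=")
                services[-1]["options"][key] = value
            continue
        fields = line.split()                  # 8 columns; the 8th is the command
        if len(fields) >= 8:
            services.append({"name": fields[0], "type": fields[1],
                             "command": fields[7], "options": {}})
    return services

def lint_inbound(services):
    """Return findings about who can deliver mail to this host."""
    findings = []
    smtpd = [s for s in services if s["type"] == "inet" and s["command"] == "smtpd"]
    if not {s["name"].rsplit(":", 1)[-1] for s in smtpd} & {"25", "smtp"}:
        findings.append("no smtpd on port 25: other MTAs cannot deliver to this host")
    for s in smtpd:
        port, o = s["name"].rsplit(":", 1)[-1], s["options"]
        mode = "implicit TLS" if o.get("smtpd_tls_wrappermode") == "yes" else "STARTTLS"
        findings.append(f"port {port}: {mode} listener")
        rules = [r.strip() for r in o.get("smtpd_recipient_restrictions", "").split(",")]
        rules = [r for r in rules if r]
        # permit_mynetworks, permit_sasl_authenticated, reject with SASL disabled
        # leaves only mynetworks clients: Internet senders are refused at RCPT TO.
        if rules and rules[-1] == "reject" and o.get("smtpd_sasl_auth_enable") != "yes" \
                and set(rules[:-1]) <= {"permit_mynetworks", "permit_sasl_authenticated"}:
            findings.append(f"port {port}: external senders rejected (SASL off, rules end in reject)")
    return findings
```

Separately from the config: `openssl s_client` in interactive mode treats a typed line that begins with `R` as a renegotiation request, so entering `RCPT TO:` produces exactly the `RENEGOTIATING` line quoted above when the server refuses renegotiation; pass `-nocommands` to disable the command letters when testing SMTP by hand.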

Please wrap config files or code in triple-backticks (```) or use the “Preformatted text” icon in the editor window. It’s hard to read without that, as the markdown conversion to HTML can lose some text and make others into formatting.

I think the default is 587 for Virtualmin?

Port 465: Message submission over TLS protocol
Tl;dr Port 465 is used for implicit TLS, however, port 587 and startTLS are preferred.

Virtualmin sets up both. They’re two different things.

Ok thank you for pointing that out. Will do so going forward.

Thank you, the article clarified a lot.

I’m using port 587 for outbound emails with a relayhost since AWS is blocking port 25. This works fine. Receiving inbound emails, however, is proving to be a challenge. Is it possible to set up the port 587 submission port to receive as well, and what configuration should I use for Virtualmin? I have Roundcube installed on the system.

587 is used; the client (like Thunderbird) auto-detects this. Although I have seen 465 used.
You need STARTTLS as the encryption type.

The settings for the client are shown in Virtualmin where you edit the user, under Show Email Client Settings.

Client end [screenshot]

Seen this work as well [screenshot]

I use their Lightsail. They have a firewall you have to open. Not sure about how their other services work.

Outside servers are going to look for port 25. No way you can control that.

Sorry, I thought you were talking about a client connection. Port 25 is used to receive; I wouldn’t think they block that.

The only thing AWS opened by default on my account was 80, I think maybe 443 (it’s been a while) and 22. But that machine doesn’t receive email and it’s too late for me to log in and double check.

No. You do not control the rest of the internet. You have no way to configure every mail server in the world to talk to you on the wrong port.

Has nothing to do with Virtualmin.

Thanks Stefan1959, will check this on the server and revert back.

I tried to contact AWS to open port 25 but my request was denied. They said I either use AWS SES or get a third party, but since I’m running an EC2 instance with Virtualmin on the Ubuntu 22 distro, I’m stuck with the problem. Unfortunately the AWS SES setup is quite involved because I have to set up Lambda functions etc. with relayhosts.

Hi Joe. Ok, so in my case where the ISP has refused to open port 25, what’s the best way to receive emails if I’m already set up with a relayhost for outbound mail?

Joe will provide the authoritative answer, but I’ll jump in to say that AWS might have blocked port 25 only for outgoing email.

As @stefan1959 also opines.

That’s correct Calport. They confirmed it is blocked and will not open it. So I have to find an alternative. At this point, it means using Lambda functions and their SES service which is quite a process. I thought there could be another way to avoid this that is ethical.

If you find nothing else, there is always this:

It’s been a while since I logged into my AWS account to double check my memory. I couldn’t even remember ‘Lightsail’. I probably opened it by ‘default’ thinking it might be needed. I’ve never confirmed it works.

It is receiving. I don’t have any accounts to confirm outgoing though. So, I’ll assume that I probably just made assumptions because I had access to the firewall. Probably just inbound.


I don’t understand what Lambda functions have to do with it. You just set up your mail server to relay through SES for outgoing mail.

Incoming ports are controllable by you. Amazon does not block any ports for incoming.

That’s great to hear. It then brings me back to a possible misconfiguration, because I set up to receive emails on port 465. It’s open and I’ve run this command:

```
sudo ss -tuln | grep :465
tcp LISTEN 0 100 0.0.0.0:465 0.0.0.0:*
```

As above, my settings:

```
465 inet n - y - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=no
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2,TLSv1.3
  -o smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1,TLSv1.2,TLSv1.3
```

This is master.cf, but I get this error:

```
RENEGOTIATING
80DBF5ADAA780000:error:0A000153:SSL routines:ssl3_read_bytes:no renegotiation:…/ssl/record/rec_layer_s3.c:1600:
```

when I try to test with `$ openssl s_client -connect myhostname.com:465 -tls1_2`.

It looks like the server is failing a TLS handshake and causing a timeout error.

I tried this command:

```
swaks --to mymail@myserver.com --server myserver.com:465 --auth LOGIN --auth-user mymail@server.com --auth-password XXXXXXXXXXXXXXXX --tls
*** DEPRECATION WARNING: Relying on IO::Socket::INET6 to send via inet sockets. Install IO::Socket::IP instead.
=== Trying mymall.click:465...
=== Connected to myserver.com.
<** Timeout (30 secs) waiting for server response
```

The logs are saying no renegotiation.