Axigen Community Forum


New Docker install, having StartTLS problems


    Hi!

    I am new to Axigen, I did the docker install which was pretty convenient.

    I got the system to the point in which I am able to send and receive from another email account/server I have. I also applied recommended acceptance/routing rules for plain/ssl authentication.

    So, now I am starting to look into deliverability. For that I am sending emails to test services such as MX tools or mail tester.

    Then I am stuck at StartTLS. I have just not been able to send the messages to them.

    I have looked at the other threads in the forum and the KB related to settings for TLS compatibility, but they do not help with either old or new messages in the queue, with or without an Axigen restart. I still get the TLS handshake problems.

    Errors I am seeing in SMTP-OUT are:

    2019-01-14 07:41:15 +0000 02 acf2eaf91b55 SMTP-OUT:00000021: SSL error remote 18.213.63.88:25, SSL_connect:failed in SSLv2/v3 read server hello A
    2019-01-14 07:41:13 +0000 02 acf2eaf91b55 SMTP-OUT:00000020: Unable to perform STARTTLS

    I wonder why I see SSLv2/3 since they are disabled.

    Anyway, I got to a point in which I don't know how to continue to resolve this issue.

    Any suggestions? What could the problem be?

    Is there any test service you recommend?

    #2
    Hello,

    Could you please check this KB and make the settings mentioned in the Configure the outgoing TLS settings for compatibility section?

    If you still have problems, please increase the log level for the SMTP Sending service to Communication Protocol and share with us the SMTP-OUT logs related to an outgoing message (for example to a Gmail account).

    HTH,
    Ioan



      #3
      Yes, I followed the KB but I still get the problem. Here are the logs:

      # created by AXIGEN version 10.2.2 (Linux/x64)
      2019-01-15 19:59:35 +0000 08 6a6061e6d449 SMTP-OUT:00000001: Relay mail 3A3828: connecting to 54.87.6.0:25
      2019-01-15 19:59:35 +0000 08 6a6061e6d449 SMTP-OUT:00000001: Relay mail 3A3828: connected to 54.87.6.0:25
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 220 tools.mxtoolbox.com ESMTP Postfix
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: >> EHLO 6a6061e6d449
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-tools.mxtoolbox.com
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-PIPELINING
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-SIZE 10240000
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-VRFY
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-ETRN
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-STARTTLS
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-ENHANCEDSTATUSCODES
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-8BITMIME
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250 DSN
      2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: >> STARTTLS
      2019-01-15 19:59:36 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 220 2.0.0 Ready to start TLS
      2019-01-15 19:59:36 +0000 16 6a6061e6d449 SMTP-OUT:00000001: >> SSL: client hello, remote 54.87.6.0:25, version TLS 1.2 (0303)
      2019-01-15 19:59:36 +0000 16 6a6061e6d449 SMTP-OUT:00000001: >> SSL: client hello, remote 54.87.6.0:25, 65 cipher suites: c027009cc011c007c016c00cc0020005c030c02cc028c024c0 14c00a00a500a1006900680037003600860085c01900a7006d 003a0089c032c02ec02ac026c00fc005009d003d00350084c0 2fc02bc023c013c00900a400a0003f003e0031003000430042 c01800a6006c00340046c031c02dc029c025c00ec004003c00 2f004100ff
      2019-01-15 19:59:36 +0000 02 6a6061e6d449 SMTP-OUT:00000001: SSL error remote 54.87.6.0:25, SSL_connect:failed in SSLv2/v3 read server hello A



        #4
        Did you see my previous message?

        I am now starting to think that there is something wrong/broken in my installation.

        I have found the following things that are not consistent.

        I tested my webmail in SSLLABS and I got an F. One of the failed tests is RC4 enabled, while I can clearly see in the webmail SSL listener ciphers configuration the !RC4 entry.

        Another result that I found surprising is that according to SSLLABS my certificate chain is incomplete. I am using Letsencrypt managed by Axigen. I am starting to suspect that perhaps, not being able to fetch the intermediate certificate (port 80 closed) is leading to a broken chain... and perhaps that is why I am experiencing TLS problems.

        Another inexplicable behaviour that I am seeing is STARTTLS failures in SMTP-IN: for some reason, if I send an email to an address X everything works, but if I reply to an email from the same X address, then I get a STARTTLS failure.

        I think something is broken in my TLS configuration, because these points don't make any sense.



          #5
          I fixed the certificate chain by configuring the CA properly on the listener.

          Still, I get an F in ssllabs and I can see that the cipher list is not being honored. RC4 remains activated even though !RC4 is in the list.

          Is it a known issue?



            #6
            Hello,

            Could you confirm if you have followed the steps mentioned in our documentation?

            HTH,
            Ioan



              #7
              Yes, the A-grade on the website is effectively working well.

              After making some amendments in banner / EHLO settings I am getting better results.

              But now I am looking into the StartTLS problem with hotmail.com (as an example).



                #8
                Just in case someone runs into the same issue, with many StartTLS failures:

                In my case it turned out to be a networking MTU issue.

                Our provider requires the MTU to be 1400, instead of the typical 1500. Packet fragmentation does not always work, which resulted in some emails being delivered and others not.

                I would get StartTLS errors because the connectivity would break at that point, but it was unrelated to StartTLS itself.

                Setting the Docker MTU for the bridge network driver to 1400 fixed the issue.

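An added diagnostic, not from this thread or from Axigen, that puts the findings of #3 and #8 to work: it parses the EHLO capabilities out of an SMTP-OUT log excerpt in the format shown in #3, then probes a remote MX with STARTTLS and classifies a failure as TLS-level (bad chain, no shared cipher) or transport-level (the connection died, as with the MTU problem in #8). The log excerpt, the client name and any host you pass to `probe_starttls` are constructed values.

```python
"""Constructed STARTTLS diagnostic (not Axigen code): tell a TLS-level refusal apart
from a connection that dies mid-handshake, the pattern behind the MTU issue."""
import smtplib
import socket
import ssl

# Constructed excerpt in the SMTP-OUT "Communication Protocol" log format from the
# thread; "<<" marks the remote server's replies, ">>" what Axigen sent.
SAMPLE_LOG = """\
2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: >> EHLO 6a6061e6d449
2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-tools.mxtoolbox.com
2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-SIZE 10240000
2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250-STARTTLS
2019-01-15 19:59:35 +0000 16 6a6061e6d449 SMTP-OUT:00000001: << 250 DSN
"""

def ehlo_capabilities(log_text: str) -> dict:
    """Collect the EHLO extensions the remote advertised (first 250- line is its hostname)."""
    caps = {}
    for line in log_text.splitlines():
        _, sep, reply = line.partition(" << 250")
        if not sep or reply[:1] not in ("-", " "):
            continue
        keyword, _, args = reply[1:].partition(" ")
        caps[keyword.upper()] = args
    return caps

def classify_failure(exc: BaseException) -> str:
    """'tls': the peer sent a TLS-level error. 'transport': the connection died
    silently, which points at the network (MTU) rather than at the TLS settings."""
    if isinstance(exc, ssl.SSLError):
        return "tls"
    if isinstance(exc, (socket.timeout, ConnectionError, smtplib.SMTPServerDisconnected)):
        return "transport"
    return "other"

def probe_starttls(host: str, port: int = 25, timeout: float = 15.0) -> dict:
    """EHLO, then STARTTLS with a TLS 1.2+ context; report what was negotiated."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False  # MX names rarely match the cert; the chain is still verified
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as conn:
            conn.ehlo("probe.example.invalid")  # hypothetical client name
            if not conn.has_extn("starttls"):
                return {"ok": False, "reason": "STARTTLS not advertised"}
            conn.starttls(context=ctx)
            return {"ok": True, "version": conn.sock.version(), "cipher": conn.sock.cipher()[0]}
    except Exception as exc:
        return {"ok": False, "reason": f"{classify_failure(exc)}: {exc!r}"}
```

A "transport" result on a host whose EHLO advertised STARTTLS is the signature to check the path MTU for before touching cipher or protocol settings.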


                  #9
                  Hello,

                  Thank you for posting about your problem and the solution you have identified for your specific case.

                  Best regards,
                  Ioan
