Questions tagged [starttls]
STARTTLS is the SMTP command to connect to email servers securely over TLS (formerly SSL). Use with an email server tag like [postfix], [exchange], etc.
117 questions
74 votes, 8 answers, 89k views
Is STARTTLS less safe than TLS/SSL?
In Thunderbird (and I assume in many other clients, too) I have the option to choose between "SSL/TLS" and "STARTTLS".
As far as I understand it, "STARTTLS" means in simple words "encrypt if both ...
18 votes, 2 answers, 5k views
Is it still "wrong" to require STARTTLS on incoming SMTP messages
According to the STARTTLS Spec Section 5:
A publicly-referenced SMTP server MUST NOT require use of the
STARTTLS extension in order to deliver mail locally. This rule
prevents the STARTTLS extension ...
13 votes, 3 answers, 55k views
Postfix configure to use TLSv1.2
I started building my first cloud server: Ubuntu 16.04 with postfix.
Question is how can I configure postfix to use TLSv1.2 when I send mail from my webshop?
When my webshop sending mail to my postfix ...
10 votes, 1 answer, 37k views
Postfix Recipient address rejected: Access denied Error
Trying to use zend mail smtp to send email from my php app login authenticated and give me this constant error I don't have to deal with I look into the 36 questions here on serverfault.com changing ...
9 votes, 2 answers, 13k views
Postfix "Trusted TLS connection established" but "Server certificate not verified"
I'm using a Postfix TLS Policy to enforce TLS for outgoing email. Unfortunately in some cases the certificate verification fails and I don't know why.
For instance, this is an excerpt of my TLS Policy
...
8 votes, 2 answers, 36k views
TLS: hostname does not match CN in peer certificate
I'm trying to connect LDAP over StartTLS but I'm stuck with an issue. I've followed step by step this guide https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls and LDAP it's ...
7 votes, 2 answers, 33k views
lost connection after STARTTLS: Postfix
I've setup a Postfix + Courier server and have a Rails app configured with the SMTP server settings. Whenever the Rails app tries to send an email, this is what appears in the Postfix log (additional ...
7 votes, 2 answers, 7k views
How can I decrypt STARTTLS communication over SMTP in a packet capture (if I have the private key)?
For the purpose of troubleshooting, I need to see what an email looks like when it's sent to my sendmail server via SMTP. The upstream server requires the SMTP connection to use STARTTLS so a packet ...
6 votes, 3 answers, 2k views
SNI like equivalent for starttls
I am trying to host two separate domains on one IP address. I want to be able to determine from the STARTTLS command which certificate was being requested and forward to a different mail server based ...
6 votes, 1 answer, 2k views
postfix TLS configuration for incoming gmx-mail
I set up my mailserver with postfix 2.7.1 and dovecot 1.2.15 and everything seemed to work just fine, but now I found out that people using @gmx.net addresses cannot send emails to me and rather ...
5 votes, 1 answer, 15k views
Postfix STARTTLS only on port 25
I want to enable STARTTLS on port 25, but for unknown reasons it only works on port 465.
master.cf:
smtp inet n - - - - smtpd
-o syslog_name=postfix/smtp
-o ...
5 votes, 2 answers, 7k views
ejabberd starttls_required in c2s/s2s and disable SSLv3 + unsecure Ciphers
I'm using ejabberd on Ubuntu.
My configuration looks like this:
{5269, ejabberd_s2s_in, [
{shaper, s2s_shaper},
{max_stanza_size, 131072},
...
5 votes, 1 answer, 2k views
How to mitigate STARTTLS MITM (downgrading and forged certificates) between email servers?
I'm not as technically inclined as most on this site so please keep that in mind. I wanted to learn more about email security so I did some research and everything is according to my understanding, ...
5 votes, 3 answers, 416 views
Is a self signed certificate secure from man in the middle once you have accepted it
I have a mail server that has a self signed SSL certificate.
I use Thunderbird to access this server, and it asks me to accept this certificate.
So let's say I accept this in a semi secure location, ...
5 votes, 0 answers, 6k views
LDAP with TLS: connect error(-11)
I configured OpenLDAP and today I've configured the TLS for more security following these guide lines: Configure OpenLDAP with TLS=required
Modifying the cn=config.ldif with config file:
dn: cn=...
4 votes, 2 answers, 3k views
How do I log tls-encrypted smtp traffic?
I'd like to know what my local postfix says to the Amazon SES smtpd after the STARTTLS. In plain text, so I can understand it. Amazon SES requires TLS, so I can't temporarily turn it off.
I currently ...
4 votes, 3 answers, 8k views
Why is port 587 preferred over port 465 in SMTP?
I have recently been developing a C# client which sends emails via a SMTP server.
However I have been as to what the different terms meant, like: STARTTLS/TLS/SSL... I had a faint idea of what they ...
4 votes, 1 answer, 1k views
Postfix TLS encryption: smtp_* vs smtpd_*
I am really confused about the postfix TLS settings. There are in each case settings for private keys and public keys.
smtpd_tls_cert_file =
smtpd_tls_key_file =
smtpd_*
And
smtp_tls_cert_file =
...
4 votes, 0 answers, 481 views
How can I explicitly disable TLS when sending to one specific recipient?
I have a SendMail 8.14 server deployed in the middle of an SMTP workflow (Outbound mail looks like Exchange -> SendMail -> Appliance -> Internet)
I have TLS configured for the first three hosts. ...
3 votes, 3 answers, 10k views
Client did not present a certificate (Postfix)
I have a postfix SMTP relay which has been configured with the TLS option. Now I just realized when sending email to gmail (for example) using Microsoft Outlook, found out this "Client did not present a ...
3 votes, 1 answer, 12k views
How to disable SSLv3 in Postfix 2.11?
I just noticed (by some online check tools) that my mailserver may allow SSLv3 and updated my configuration.
My current config in Postfix 2.11.2:
# inbound
smtpd_tls_security_level = may
...
3 votes, 1 answer, 10k views
Postfix STARTTLS encryption before authentication
I'm trying my best to configure Postfix with STARTTLS using port 25. Now the problem is STARTTLS is not working on port 25.
250-VRFY
250-ETRN
250-XXXXXXXA
250-AUTH PLAIN LOGIN
250-...
3 votes, 2 answers, 2k views
Disabling SSLv2 in Courier IMAP
I'm attempting to disable SSLv2 support (amongst other things) in Courier on Linux. In /etc/courier/imapd-ssl I have:
TLS_CIPHER_LIST="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:!ADH:@STRENGTH:!3DES"
...
3 votes, 2 answers, 4k views
Configure OpenLDAP using GnuTLS with TLS=required
We have an openldap server and don't want to allow unencrypted communication, so acceptable is either tls over port 389 (starttls) or ssl over 636 (ldaps).
As we use slapd.conf for configuration, ...
3 votes, 3 answers, 18k views
Postfix still complains that "certificate verification failed" even when "smtp_tls_security_level = fingerprint"
I'm attempting to use Postfix (version 2.6.6 on RHEL6) to connect to and send mail via a mail relay on our internal network. I want to connect with STARTTLS on port 25 (port 465 is not available on ...
3 votes, 1 answer, 237 views
Sendmail process crashes as soon as STARTTLS is received
I just upgraded my server from FreeBSD 10.3 to 11.1. It's now running Sendmail 8.15.2 and OpenSSL 1.0.2k-freebsd 26 Jan 2017.
Since the upgrade, sending mail to my server is failing. I cranked up ...
3 votes, 0 answers, 206 views
Postfix STARTTLS works in LAN but not externally
If I connect in LAN on port 25 to my mail server, it offers STARTTLS
telnet mailserver.com 25
Trying 192.168.0.x...
Connected to mailserver.com
Escape character is '^]'.
220 mailserver.com ESMTP ...
2 votes, 3 answers, 30k views
Postfix & Gmail: Authentication Required error
I configured Postfix using this guide. When I send a test E-Mail I get the following error message:
May 23 15:36:26 VM11 postfix/smtp[15321]: connect to smtp.gmail.com[2a00:1450:4001:c02::6d]:587: ...
2 votes, 2 answers, 700 views
TLS/SSL on http (80) with STARTTLS
I'm researching the reason why TLS/SSL is not used over HTTP. Other protocols, such as SMTP, POP3, FTP, etc. can be used on SSL ports (SMTPS, POP3S, FTPS) for the first way, and the second way is to ...
2 votes, 1 answer, 12k views
ssmtp settings for namecheap: Invalid response SMTP Server (STARTTLS)
I am trying to configure ssmtp to use the namecheap smtp server to send emails. My current configuration:
[email protected]
mailhub=mail.privateemail.com:465
rewriteDomain=email.com
hostname=email....
2 votes, 1 answer, 2k views
Postfix 3.3.1 on Centos 8 can't enable TLSv1 or TLSv1.1
I recently migrated my main mail server to a new one, the old one had been running for almost 10 years and was the production server for around 20 domains and over 40 mailboxes.
Everything went well ...
2 votes, 1 answer, 4k views
How can I enforce TLS in sendmail when I don't necessarily know the hostname of the downstream MTA (only IPs)? [e.g. by recipients' domain]
I'm running SendMail 8.14 and have some custom static routes for sending to certain domains. These domains are "internal" but not managed directly by me.
Here's an example of /etc/mail/mailertable:...
2 votes, 1 answer, 6k views
postfix tls not reading or finding key
I've been having issues sending mail to my server, and there are indications of TLS errors (mostly from the maillog).
What I've tried:
Ensuring that postfix / dovecot can read the certificates (made ...
2 votes, 2 answers, 11k views
How to force STARTTLS in Exim?
I am learning to set up a mailserver. I got it working with postfix, now trying the same configuration with Exim. How can I force a client to take up only STARTTLS connection for SMTP outgoing ...
2 votes, 2 answers, 5k views
SMTP server requires STARTTLS
I am using fetchmail. Below is my configuration. I want the retrieved emails to be sent to my gmail address. But I encountered an error below. Could someone help me with this? Thank you in advance.
...
2 votes, 2 answers, 5k views
How secure is using "Normal password" for SMTP with connection type = STARTTLS? [closed]
I'm using an email client for the first time - for the most part I've always used gmail via the web interface. Now I'm setting up thunderbird to connect to an email server of my own (on my own server, ...
2 votes, 1 answer, 932 views
Do any reputable mail servers require STARTTLS encryption for SMTP delivery?
Are there any large, reputable MTAs (like gmail, hotmail, icloud, etc) that will bounce mail or otherwise fail to deliver if the receiving MTA doesn't support STARTTLS?
Put another way, will ...
2 votes, 2 answers, 1k views
SVN Edge not authenticating correctly with domain controller
SVN Edge (version 4.0.10-3880.131) not authenticating correctly with domain controller.
I have SVN Edge setup and working perfectly when I use LDAP Security Level of NONE.
However when set to SSL, ...
2 votes, 2 answers, 5k views
Does Exchange 2010 encrypt inbound and outbound email traffic by default?
The higher ups have recently asked about this as I'm sure there are compliance issues that need to be addressed. I was under the assumption that Exchange uses opportunistic TLS or StartTLS to try to ...
2 votes, 0 answers, 71 views
postfix wrappermode depending on destination
My ISP accepts mail on port 465 thus requiring smtp_tls_wrappermode = yes. However, I also have another internal server, to which I forward mail on port 25 using STARTTLS, but with ...
2 votes, 1 answer, 2k views
Getting postfix to relay SMTP/SSL/TLS to Charter/Spectrum
I'm running Postfix on Debian as an MX for a small LAN and trying to get SMTPS working with mobile.charter.net over port 587. I followed a few links off google for setting this up along with a post on ...
2 votes, 1 answer, 131 views
CentOS OpenLDAP STARTTLS weirdness
I am having a very strange problem configuring my CentOS OpenLDAP for STARTTLS. Here's what's going on.
I have a bunch of scripts that I use to configure my system. I do this to document a machine's ...
2 votes, 1 answer, 1k views
Properly Configure Postfix to be secure (SASL + TLS)
I've followed online tutorials to setup my mail server with SASL and TLS, and amavis.
It all seems to work - except I can send mails even if I don't authenticate first - which is not good.
I ...
2 votes, 1 answer, 792 views
Validate email address at my own domain with gmail
I need to have the ability to send email using gmail's web interface, but have them appear to originate from my own domain instead of originating at a gmail address. In order to do this, gmail asks ...
2 votes, 0 answers, 787 views
Does Google require TLS on port 587? Exchange 2010 SMTP has mail sent to GMAIL backed up in queue
Exchange 2010 SMTP has mail backed up in queue. Any email sent to Gmail sits in the queue while any email sent to another personal domain which has email filtering enabled errors,
"asp.reflexion.net ...
1 vote, 1 answer, 1k views
Configuring postfix to use TLS for a particular server?
Running kubuntu 10.04 on my host, let's call it alpha. I've got postfix as my system MTA. I've got crons running on alpha that need to send email to a remote host, let's call it mailhost. I cannot ...
1 vote, 1 answer, 931 views
postfix cannot communicate with target server via TLS/SSL
I am able to connect my postfix server with TLS. All things are set up. But when I send a message with this secure connection, target server (for example gmail) receives my message without TLS/SSL ...
1 vote, 1 answer, 562 views
How can I tell if my LDAP authentications are using StartTLS?
I'm setting up a new OpenLDAP server on Ubuntu 12.04 with a copy of our current LDAP database. I've gotten most of the configuration down, I think, but I'm having trouble telling if the LDAP queries ...
1 vote, 2 answers, 659 views
Handling http and https requests using a single port with lighttpd
At the moment I am using http and https as different port.
And based on request uri,
I made a redirection rule from http to https switch and vice versa.
But if I can use only a single port for https ...
1 vote, 1 answer, 2k views
Mail server sending to postfix refusing TLS connection with "certificate expired", but it's not
Since April 30, I'm seeing errors like that in my mail log:
May 1 02:27:27 afaron postfix/smtpd[2644268]: connect from r137.info.hofer.at[66.117.17.137]
May 1 02:27:27 afaron postfix/smtpd[2644268]: ...