Questions tagged [starttls]

STARTTLS is the SMTP command to connect to email servers securely over TLS (formerly SSL). Use with an email server tag like [postfix], [exchange], etc.

74 votes
8 answers
89k views

Is STARTTLS less safe than TLS/SSL?

In Thunderbird (and I assume in many other clients, too) I have the option to choose between "SSL/TLS" and "STARTTLS". As far as I understand it, "STARTTLS" means in simple words "encrypt if both ...
Foo Bar's user avatar
  • 889
18 votes
2 answers
5k views

Is it still "wrong" to require STARTTLS on incoming SMTP messages

According to the STARTTLS Spec Section 5: A publicly-referenced SMTP server MUST NOT require use of the STARTTLS extension in order to deliver mail locally. This rule prevents the STARTTLS extension ...
jackweirdy's user avatar
13 votes
3 answers
55k views

Postfix configure to use TLSv1.2

I started building my first cloud server: Ubuntu 16.04 with postfix. The question is how can I configure postfix to use TLSv1.2 when I send mail from my webshop? When my webshop is sending mail to my postfix ...
John Steave's user avatar
10 votes
1 answer
37k views

Postfix Recipient address rejected: Access denied Error

Trying to use zend mail smtp to send email from my php app, login authenticated, and it gives me this constant error I don't have to deal with. I looked into the 36 questions here on serverfault.com changing ...
MikZuit's user avatar
  • 391
9 votes
2 answers
13k views

Postfix "Trusted TLS connection established" but "Server certificate not verified"

I'm using a Postfix TLS Policy to enforce TLS for outgoing email. Unfortunately in some cases the certificate verification fails and I don't know why. For instance, this is an excerpt of my TLS Policy ...
Jofre's user avatar
  • 569
8 votes
2 answers
36k views

TLS: hostname does not match CN in peer certificate

I'm trying to connect to LDAP over StartTLS but I'm stuck with an issue. I've followed this guide step by step https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-tls and LDAP it's ...
borjamf's user avatar
  • 89
7 votes
2 answers
33k views

lost connection after STARTTLS: Postfix

I've setup a Postfix + Courier server and have a Rails app configured with the SMTP server settings. Whenever the Rails app tries to send an email, this is what appears in the Postfix log (additional ...
webo's user avatar
  • 183
7 votes
2 answers
7k views

How can I decrypt STARTTLS communication over SMTP in a packet capture (if I have the private key)?

For the purpose of troubleshooting, I need to see what an email looks like when it's sent to my sendmail server via SMTP. The upstream server requires the SMTP connection to use STARTTLS so a packet ...
Mike B's user avatar
  • 12.1k
6 votes
3 answers
2k views

SNI like equivalent for starttls

I am trying to host two separate domains on one IP address. I want to be able to determine from the STARTTLS command which certificate was being requested and forward to a different mail server based ...
6 votes
1 answer
2k views

postfix TLS configuration for incoming gmx-mail

I set up my mailserver with postfix 2.7.1 and dovecot 1.2.15 and everything seemed to work just fine, but now I found out that people using @gmx.net addresses cannot send emails to me and rather ...
Stefan's user avatar
  • 163
5 votes
1 answer
15k views

Postfix STARTTLS only on port 25

I want to enable STARTTLS on port 25, but for unknown reasons it only works on port 465. master.cf: smtp inet n - - - - smtpd -o syslog_name=postfix/smtp -o ...
JohnnyFromBF's user avatar
  • 1,269
5 votes
2 answers
7k views

ejabberd starttls_required in c2s/s2s and disable SSLv3 + unsecure Ciphers

I'm using ejabberd on Ubuntu. My configuration looks like this: {5269, ejabberd_s2s_in, [ {shaper, s2s_shaper}, {max_stanza_size, 131072}, ...
pythonimus's user avatar
5 votes
1 answer
2k views

How to mitigate STARTTLS MITM (downgrading and forged certificates) between email servers?

I'm not as technically inclined as most on this site so please keep that in mind. I wanted to learn more about email security so I did some research and everything is according to my understanding, ...
Ian Last's user avatar
5 votes
3 answers
416 views

Is a self signed certificate secure from man in the middle once you have accepted it

I have a mail server that has a self signed SSL certificate. I use Thunderbird to access this server, and it asks me to accept this certificate. So let's say I accept this in a semi secure location, ...
Don Juan's user avatar
5 votes
0 answers
6k views

LDAP with TLS: connect error(-11)

I configured OpenLDAP and today I've configured the TLS for more security following these guidelines: Configure OpenLDAP with TLS=required Modifying the cn=config.ldif with config file: dn: cn=...
Neil's user avatar
  • 355
4 votes
2 answers
3k views

How do I log tls-encrypted smtp traffic?

I'd like to know what my local postfix says to the Amazon SES smtpd after the STARTTLS. In plain text, so I can understand it. Amazon SES requires TLS, so I can't temporarily turn it off. I currently ...
Johannes Ernst's user avatar
4 votes
3 answers
8k views

Why is port 587 preferred over port 465 in SMTP?

I have recently been developing a C# client which sends emails via a SMTP server. However I have been as to what the different terms meant, like: STARTTLS/TLS/SSL... I had a faint idea of what they ...
Choppa dude's user avatar
4 votes
1 answer
1k views

Postfix TLS encryption: smtp_* vs smptd_*

I am really confused about the postfix TLS settings. There are in each case settings for private keys and public keys. smtpd_tls_cert_file = smtpd_tls_key_file = smtpd_* And smtp_tls_cert_file = ...
cytopia's user avatar
  • 187
4 votes
0 answers
481 views

How can I explicitly disable TLS when sending to one specific recipient?

I have a SendMail 8.14 server deployed in the middle of an SMTP workflow (Outbound mail looks like Exchange -> SendMail -> Appliance -> Internet) I have TLS configured for the first three hosts. ...
Mike B's user avatar
  • 12.1k
3 votes
3 answers
10k views

Client did not present a certificate (Postfix)

I have a postfix SMTP relay which has been configured with the TLS option. Now I just realized when sending email to gmail (for example) using Microsoft Outlook, found out this "Client did not present a ...
David A's user avatar
  • 127
3 votes
1 answer
12k views

How to disable SSLv3 in Postfix 2.11?

I just noticed (by some online check tools) that my mailserver may allow SSLv3 and updated my configuration. My current config in Postfix 2.11.2: # inbound smtpd_tls_security_level = may ...
burnersk's user avatar
  • 2,106
3 votes
1 answer
10k views

Postfix STARTTLS encryption before authentication

I'm trying my best to configure Postfix with STARTTLS using port 25. Now the problem is STARTTLS is not working on port 25. 250-VRFY 250-ETRN 250-XXXXXXXA 250-AUTH PLAIN LOGIN 250-...
David A's user avatar
  • 127
3 votes
2 answers
2k views

Disabling SSLv2 in Courier IMAP

I'm attempting to disable SSLv2 support (amongst other things) in Courier on Linux. In /etc/courier/imapd-ssl I have: TLS_CIPHER_LIST="HIGH:!MEDIUM:!SSLv2:!LOW:!EXP:!aNULL:!ADH:@STRENGTH:!3DES" ...
Ian480's user avatar
  • 31
3 votes
2 answers
4k views

Configure OpenLDAP using GnuTLS with TLS=required

We have an openldap server and don't want to allow unencrypted communication, so acceptable is either tls over port 389 (starttls) or ssl over 636 (ldaps). As we use slapd.conf for configuration, ...
blockbax's user avatar
3 votes
3 answers
18k views

Postfix still complains that "certificate verification failed" even when "smtp_tls_security_level = fingerprint"

I'm attempting to use Postfix (version 2.6.6 on RHEL6) to connect to and send mail via a mail relay on our internal network. I want to connect with STARTTLS on port 25 (port 465 is not available on ...
fronzee's user avatar
  • 185
3 votes
1 answer
237 views

Sendmail process crashes as soon as STARTTLS is received

I just upgraded my server from FreeBSD 10.3 to 11.1. It's now running Sendmail 8.15.2 and OpenSSL 1.0.2k-freebsd 26 Jan 2017. Since the upgrade, sending mail to my server is failing. I cranked up ...
FKEinternet's user avatar
3 votes
0 answers
206 views

Postfix STARTTLS works in LAN but not externally

If I connect in LAN on port 25 to my mail server, it offers STARTTLS telnet mailserver.com 25 Trying 192.168.0.x... Connected to mailserver.com Escape character is '^]'. 220 mailserver.com ESMTP ...
Florian's user avatar
  • 59
2 votes
3 answers
30k views

Postfix & Gmail: Authentication Required error

I configured Postfix using this guide. When I send a test E-Mail I get the following error message: May 23 15:36:26 VM11 postfix/smtp[15321]: connect to smtp.gmail.com[2a00:1450:4001:c02::6d]:587: ...
Bastian's user avatar
  • 135
2 votes
2 answers
700 views

TLS/SSL on http (80) with STARTTLS

I'm researching the reason why TLS/SSL is not used over HTTP. Other protocols, such as SMTP, POP3, FTP, etc can be used on SSL ports (SMTPS, POP3S, FTPS) for the first way, and the second way is to ...
deathvu's user avatar
  • 21
2 votes
1 answer
12k views

ssmtp settings for namecheap: Invalid response SMTP Server (STARTTLS)

I am trying to configure ssmtp to use the namecheap smtp server to send emails. My current configuration: [email protected] mailhub=mail.privateemail.com:465 rewriteDomain=email.com hostname=email....
Sgoettschkes's user avatar
2 votes
1 answer
2k views

Postfix 3.3.1 on Centos 8 can't enable TLSv1 or TLSv1.1

I recently migrated my main mail server to a new one, the old one had been running for almost 10 years and was the production server for around 20 domains and over 40 mailboxes. Everything went well ...
moray's user avatar
  • 63
2 votes
1 answer
4k views

How can I enforce TLS in sendmail when I don't necessarily know the hostname of the downstream MTA (only IPs)? [e.g. by recipients' domain]

I'm running SendMail 8.14 and have some custom static routes for sending to certain domains. These domains are "internal" but not managed directly by me. Here's an example of /etc/mail/mailertable:...
Mike B's user avatar
  • 12.1k
2 votes
1 answer
6k views

postfix tls not reading or finding key

I've been having issues sending mail to my server, and there are indications of TLS errors (mostly from the maillog). What I've tried: Ensuring that postfix / dovecot can read the certificates (made ...
2 votes
2 answers
11k views

How to force STARTTLS in Exim?

I am learning to set up a mailserver. I got it working with postfix, now trying the same configuration with Exim. How can I force a client to take up only STARTTLS connection for SMTP outgoing ...
Elan's user avatar
  • 123
2 votes
2 answers
5k views

SMTP server requires STARTTLS

I am using fetchmail. Below is my configuration. I want the retrieved emails to be sent to my gmail address. But I encountered an error below. Could someone help me with this? Thank you in advance. ...
user1500178's user avatar
2 votes
2 answers
5k views

How secure is using "Normal password" for SMTP with connection type = STARTTLS? [closed]

I'm using an email client for the first time - for the most part I've always used gmail via the web interface. Now I'm setting up thunderbird to connect to an email server of my own (on my own server, ...
harshath.jr's user avatar
2 votes
1 answer
932 views

Do any reputable mail servers require STARTTLS encryption for SMTP delivery?

Are there any large, reputable MTAs (like gmail, hotmail, icloud, etc) that will bounce mail or otherwise fail to deliver if the receiving MTA doesn't support STARTTLS? Put another way, will ...
ATLief's user avatar
  • 306
2 votes
2 answers
1k views

SVN Edge not authenticating correctly with domain controller

SVN Edge (version 4.0.10-3880.131) not authenticating correctly with domain controller. I have SVN Edge setup and working perfectly when I use LDAP Security Level of NONE.. However when set to SSL, ...
now_world's user avatar
  • 121
2 votes
2 answers
5k views

Does Exchange 2010 encrypt inbound and outbound email traffic by default?

The higher ups have recently asked about this as I'm sure there are compliance issues that need to be addressed. I was under the assumption that Exchange uses opportunistic TLS or StartTLS to try to ...
jmreicha's user avatar
  • 790
2 votes
0 answers
71 views

postfix wrappermode depending on destination

My ISP accepts mail on port 465 thus requiring smtp_tls_wrappermode = yes. However, I also have another internal server, to which I forward mail on port 25 using STARTTLS, but with ...
Lars Hanke's user avatar
2 votes
1 answer
2k views

Getting postfix to relay SMTP/SSL/TLS to Charter/Spectrum

I'm running Postfix on Debian as an MX for a small LAN and trying to get SMTPS working with mobile.charter.net over port 587. I followed a few links off google for setting this up along with a post on ...
Nstevens's user avatar
  • 331
2 votes
1 answer
131 views

CentOS OpenLDAP STARTTLS weirdness

I am having a very strange problem configuring my CentOS OpenLDAP for STARTTLS. Here's what's going on. I have a bunch of scripts that I use to configure my system. I do this to document a machine's ...
Mister Rose's user avatar
2 votes
1 answer
1k views

Properly Configure Postfix to be secure (SASL + TLS)

I've followed online tutorials to set up my mail server with SASL and TLS, and amavis. It all seems to work - except I can send mails even if I don't authenticate first - which is not good. I ...
537mfb's user avatar
  • 167
2 votes
1 answer
792 views

Validate email address at my own domain with gmail

I need to have the ability to send email using gmail's web interface, but have them appear to originate from my own domain instead of originating at a gmail address. In order to do this, gmail asks ...
alex_223's user avatar
  • 120
2 votes
0 answers
787 views

Does Google require TLS on port 587? Exchange 2010 SMTP has mail sent to GMAIL backed up in queue

Exchange 2010 SMTP has mail backed up in queue. Any email sent to Gmail sits in the queue while any email sent to another personal domain which has email filtering enabled errors, "asp.reflexion.net ...
Bilal's user avatar
  • 21
1 vote
1 answer
1k views

Configuring postfix to use TLS for a particular server?

Running kubuntu 10.04 on my host, let's call it alpha. I've got postfix as my system MTA. I've got crons running on alpha that need to send email to a remote host, let's call it mailhost. I cannot ...
dirtside's user avatar
  • 1,641
1 vote
1 answer
931 views

postfix cannot communicate with target server via TLS/SSL

I am able to connect my postfix server with TLS. All things are set up. But when I send a message with this secure connection, the target server (for example gmail) receives my message without TLS/SSL ...
xangr's user avatar
  • 144
1 vote
1 answer
562 views

How can I tell if my LDAP authentications are using StartTLS?

I'm setting up a new OpenLDAP server on Ubuntu 12.04 with a copy of our current LDAP database. I've gotten most of the configuration down, I think, but I'm having trouble telling if the LDAP queries ...
zymhan's user avatar
  • 1,382
1 vote
2 answers
659 views

Handling http and https requests using a single port with lighttpd

At the moment I am using http and https on different ports. And based on request uri, I made a redirection rule from http to https switch and vice versa. But if I can use only a single port for https ...
agfe2's user avatar
  • 113
1 vote
1 answer
2k views

Mail server sending to postfix refusing TLS connection with "certificate expired", but it's not

Since April 30, I'm seeing errors like that in my mail log: May 1 02:27:27 afaron postfix/smtpd[2644268]: connect from r137.info.hofer.at[66.117.17.137] May 1 02:27:27 afaron postfix/smtpd[2644268]: ...
Tobias Leupold's user avatar