Error sending on port 465

T

thiagotgc

Active Member
Dec 17, 2019
149
19
38
37
I configured the transport for port 465, but I get the error:

postfix/smtp[16316]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)
Click to expand...


When I add the parameters

#smtp_tls_wrappermode = yes
#smtp_tls_security_level = encrypt
Click to expand...


I get errors:

postfix/smtp[16791]: SSL_connect error to gmail-smtp-in.l.google.com[172.217.214.26]:25: -1
postfix/smtp[16791]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
postfix/smtp[16791]: C71146614D4: Cannot start TLS: handshake failure
Click to expand...


How to fix?
 
thiagotgc said:
I configured the transport for port 465, but I get the error:
Click to expand...
how did you configure it - what changes did you make?

if you want to have a smtpd listener on 465 you need to configure one in master.cf:

from http://www.postfix.org/TLS_README.html#server_tls
TLS is sometimes used in the non-standard "wrapper" mode where a server always uses TLS, instead of announcing STARTTLS support and waiting for remote SMTP clients to request TLS service. Some clients, namely Outlook [Express] prefer the "wrapper" mode. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all ports).

It is strictly discouraged to use this mode from main.cf. If you want to support this service, enable a special port in master.cf and specify "-o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8) command line option. Port 465 (smtps) was once chosen for this feature.
Click to expand...

I hope this helps!
 
Do you want to sent to a server which is using port 465? or do you want pmg to listen on port 465 (with direct tls instead of starttls)?
 
Stoiko Ivanov said:
Do you want to sent to a server which is using port 465? or do you want pmg to listen on port 465 (with direct tls instead of starttls)?
Click to expand...


I need to re-transmit to another server that listens on port 465.

NOTE: I am trying to do authenticated relay only for a specific domain. (it's possible) ?
 
thiagotgc said:
I need to re-transmit to another server that listens on port 465.
Click to expand...
check the tls howto from postfix
http://www.postfix.org/TLS_README.html

in the end there is a section about Client-side SMTPS support - this is probably what you're looking for

note that this will most likely break editing the transports via GUI - since 465 is not really standard and seldomly used I would suggest to ask the admin of the downstream server (the one that listens on 465) to enable STARTTLS on port 25 and to set a TLS Policy for this domain/transport - see section 4.6.9 in https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration

thiagotgc said:
NOTE: I am trying to do authenticated relay only for a specific domain. (it's possible) ?
Click to expand...
authentication to a downstream server should be possible - however you need to adapt the postfix configuration for that - check the postfix howto:
http://www.postfix.org/SASL_README.html#client_sasl
(additionally there are quite a few howtos in the internet on how to configure this with postfix)


to make changes to the postfix configuration persistent in PMG you need to use the templateing system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!
 
Stoiko Ivanov said:
since 465 is not really standard and seldomly used
Click to expand...

Asking just for interest

What if my mail server listens only tcp/465 or only tcp/587 (just imagine I do not have tcp/25 with STARTTLS enabled.. not have tcp/25 at all)

Would I receive mail ?

Actually I can test it in my lab, but I just think asking is faster :)
Thanks in advance
 
vusald said:
What if my mail server listens only tcp/465 or only tcp/587 (just imagine I do not have tcp/25 with STARTTLS enabled.. not have tcp/25 at all)
Click to expand...
In my experience this will not work - e-mail over the internet uses tcp/25 - very few mail-servers will still try contacting on tcp/465 in all cases
and tcp/587 is used for mail-submission (from a user to the first server with SMTP-AUTH)
Without inbound port tcp/25 you won't be able to get mail...
 
  • Like
Reactions: vusald
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom
Back