Error sending on port 465

thiagotgc

Dec 17, 2019
I configured the transport for port 465, but I get the error:

postfix/smtp[16316]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)


When I add the parameters

#smtp_tls_wrappermode = yes
#smtp_tls_security_level = encrypt


I get errors:

postfix/smtp[16791]: SSL_connect error to gmail-smtp-in.l.google.com[172.217.214.26]:25: -1
postfix/smtp[16791]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
postfix/smtp[16791]: C71146614D4: Cannot start TLS: handshake failure


How to fix?
 
I configured the transport for port 465, but I get the error:
how did you configure it - what changes did you make?

if you want to have a smtpd listener on 465 you need to configure one in master.cf:

from http://www.postfix.org/TLS_README.html#server_tls
TLS is sometimes used in the non-standard "wrapper" mode where a server always uses TLS, instead of announcing STARTTLS support and waiting for remote SMTP clients to request TLS service. Some clients, namely Outlook [Express] prefer the "wrapper" mode. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all ports).

It is strictly discouraged to use this mode from main.cf. If you want to support this service, enable a special port in master.cf and specify "-o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8) command line option. Port 465 (smtps) was once chosen for this feature.

I hope this helps!
 
Do you want to send to a server which is using port 465? Or do you want PMG to listen on port 465 (with direct TLS instead of STARTTLS)?
 
Do you want to send to a server which is using port 465? Or do you want PMG to listen on port 465 (with direct TLS instead of STARTTLS)?


I need to re-transmit to another server that listens on port 465.

NOTE: I am trying to do authenticated relay only for a specific domain. (Is it possible?)
 
I need to re-transmit to another server that listens on port 465.
check the tls howto from postfix
http://www.postfix.org/TLS_README.html

in the end there is a section about Client-side SMTPS support - this is probably what you're looking for

note that this will most likely break editing the transports via GUI - since 465 is not really standard and seldom used I would suggest to ask the admin of the downstream server (the one that listens on 465) to enable STARTTLS on port 25 and to set a TLS Policy for this domain/transport - see section 4.6.9 in https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration


NOTE: I am trying to do authenticated relay only for a specific domain. (Is it possible?)
authentication to a downstream server should be possible - however you need to adapt the postfix configuration for that - check the postfix howto:
http://www.postfix.org/SASL_README.html#client_sasl
(additionally there are quite a few howtos on the internet on how to configure this with postfix)


to make changes to the postfix configuration persistent in PMG you need to use the templating system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!
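
A sketch of the per-transport approach the answer above points to, added here as an example and not taken from the thread or from PMG's shipped configuration: wrapper mode and SASL are set as `-o` overrides on a dedicated smtp(8) client service, because the same settings in main.cf apply to every outbound delivery, including MX deliveries on port 25 where the remote side expects plaintext before STARTTLS. The service name `smtps-relay`, the domain `example.com`, the host `relay.example.net`, the credentials and the `sasl_passwd` path are all placeholders or assumptions; `smtp_tls_wrappermode` requires Postfix 3.0 or later.

```conf
# --- master.cf: extra SMTP client service used only for the port-465 relay ---
# "smtps-relay" is a hypothetical service name. The -o overrides apply to this
# service alone, so main.cf and ordinary port-25 delivery stay untouched.
smtps-relay unix  -       -       n       -       -       smtp
  -o smtp_tls_wrappermode=yes
  -o smtp_tls_security_level=encrypt
  -o smtp_sasl_auth_enable=yes
  -o smtp_sasl_password_maps=hash:/etc/postfix/sasl_passwd
  -o smtp_sasl_security_options=noanonymous

# --- transport map: route one domain through that service ---
# example.com and relay.example.net are placeholders.
# The square brackets suppress the MX lookup for the next hop.
example.com    smtps-relay:[relay.example.net]:465

# --- /etc/postfix/sasl_passwd (assumed path; mode 600, then run postmap) ---
# The lookup key must match the next hop exactly as written in the transport map.
[relay.example.net]:465    username:password
```

With `encrypt` the relay's certificate is not verified even though credentials are sent over the session; `verify` or `secure` (the "or stronger" levels from the error message) authenticate the server as well.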
 
since 465 is not really standard and seldom used

Asking just for interest

What if my mail server listens only on tcp/465 or only on tcp/587 (just imagine I do not have tcp/25 with STARTTLS enabled... I do not have tcp/25 at all)

Would I receive mail?

Actually I can test it in my lab, but I just think asking is faster :)
Thanks in advance
 
What if my mail server listens only on tcp/465 or only on tcp/587 (just imagine I do not have tcp/25 with STARTTLS enabled... I do not have tcp/25 at all)
In my experience this will not work - e-mail over the internet uses tcp/25 - very few mail-servers will still try contacting on tcp/465 in all cases
and tcp/587 is used for mail-submission (from a user to the first server with SMTP-AUTH)
Without inbound port tcp/25 you won't be able to get mail...
 