Error sending on port 465

thiagotgc

Active Member
Dec 17, 2019
149
18
38
37
I configured the transport for port 465, but I get the error:

postfix/smtp[16316]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)


When I add the parameters

#smtp_tls_wrappermode = yes
#smtp_tls_security_level = encrypt


I get errors:

postfix/smtp[16791]: SSL_connect error to gmail-smtp-in.l.google.com[172.217.214.26]:25: -1
postfix/smtp[16791]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
postfix/smtp[16791]: C71146614D4: Cannot start TLS: handshake failure


How to fix?
 
I configured the transport for port 465, but I get the error:
how did you configure it - what changes did you make?

if you want to have a smtpd listener on 465 you need to configure one in master.cf:

from http://www.postfix.org/TLS_README.html#server_tls
TLS is sometimes used in the non-standard "wrapper" mode where a server always uses TLS, instead of announcing STARTTLS support and waiting for remote SMTP clients to request TLS service. Some clients, namely Outlook [Express] prefer the "wrapper" mode. This is true for OE (Win32 < 5.0 and Win32 >=5.0 when run on a port<>25 and OE (5.01 Mac on all ports).

It is strictly discouraged to use this mode from main.cf. If you want to support this service, enable a special port in master.cf and specify "-o smtpd_tls_wrappermode=yes" (note: no space around the "=") as an smtpd(8) command line option. Port 465 (smtps) was once chosen for this feature.

I hope this helps!
 
Do you want to sent to a server which is using port 465? or do you want pmg to listen on port 465 (with direct tls instead of starttls)?
 
Do you want to sent to a server which is using port 465? or do you want pmg to listen on port 465 (with direct tls instead of starttls)?


I need to re-transmit to another server that listens on port 465.

NOTE: I am trying to do authenticated relay only for a specific domain. (it's possible) ?
 
I need to re-transmit to another server that listens on port 465.
check the tls howto from postfix
http://www.postfix.org/TLS_README.html

in the end there is a section about Client-side SMTPS support - this is probably what you're looking for

note that this will most likely break editing the transports via GUI - since 465 is not really standard and seldomly used I would suggest to ask the admin of the downstream server (the one that listens on 465) to enable STARTTLS on port 25 and to set a TLS Policy for this domain/transport - see section 4.6.9 in https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_mail_proxy_configuration


NOTE: I am trying to do authenticated relay only for a specific domain. (it's possible) ?
authentication to a downstream server should be possible - however you need to adapt the postfix configuration for that - check the postfix howto:
http://www.postfix.org/SASL_README.html#client_sasl
(additionally there are quite a few howtos in the internet on how to configure this with postfix)


to make changes to the postfix configuration persistent in PMG you need to use the templateing system:
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!
 
since 465 is not really standard and seldomly used

Asking just for interest

What if my mail server listens only tcp/465 or only tcp/587 (just imagine I do not have tcp/25 with STARTTLS enabled.. not have tcp/25 at all)

Would I receive mail ?

Actually I can test it in my lab, but I just think asking is faster :)
Thanks in advance
 
What if my mail server listens only tcp/465 or only tcp/587 (just imagine I do not have tcp/25 with STARTTLS enabled.. not have tcp/25 at all)
In my experience this will not work - e-mail over the internet uses tcp/25 - very few mail-servers will still try contacting on tcp/465 in all cases
and tcp/587 is used for mail-submission (from a user to the first server with SMTP-AUTH)
Without inbound port tcp/25 you won't be able to get mail...
 
  • Like
Reactions: vusald

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!