[SOLVED] TLS on PMG

dthompson

Hi all,

I have a client who isn't able to send to a customer. It doesn't even show up in the logs, however they can email me. Both of the domains use the same PMG server. I have the TLS enabled in Configuration --> Mail Proxy --> TLS

The server is locked down with ACME Letsencrypt Certificates. I believe this is on the senders end (bad cache on the sending server pointing to the wrong server).

Enable TLS: Yes
Enable TLS Logging: Yes
Add TLS received header: Yes

TLS Domain Policy
digitaltransitions.ca: encrypt
mailhive.ca: encrypt
next domain: encrypt
next domain: encrypt
...

However, when I run the cert checker against checktls.com, it fails as follows:

TLS: Fails
CERT: Fails
SECURE: Fails

I get this report from them. The problem that it's borking at is: TLS is not an option on this server.
What do I need to get around this? Do I need to open up another port or change a port, or is there something else that I'm missing entirely?

seconds   test stage and result
[000.020]Server answered
[000.037]<-- 220 swarmx2.mailhive.ca ESMTP mailhive
[000.038]We are allowed to connect
[000.038] -->EHLO www6.CheckTLS.com
[000.054]<-- 250-swarmx2.mailhive.ca
250-PIPELINING
250-SIZE 200000000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250 XKWFCHUNKING-DENIED
[000.055]We can use this server
[000.055]TLS is not an option on this server
[000.055] -->MAIL FROM:<test@checktls.com>
[000.072]<-- 250 2.1.0 Ok
[000.072]Sender is OK
[000.072] -->QUIT
[000.088]<-- 221 2.0.0 Bye
 
not sure I understand the question right - but
the test-report shows that swarmx2.mailhive.ca is not offering STARTTLS (same when trying to connect there)

Unless your server is swarmx2.mailhive.ca - you would need to ask them why they do not offer STARTTLS

If I misread your post please explain the situation with a bit more details (and some logs if available)

Thanks!
 
That’s right. My PMG server is swarm1 and swarm2

How do I get it to offer STARTTLS? I have a Let's Encrypt cert on it and as far as I can tell everything to do with TLS is enabled

What do I need to do in order to get the servers to allow STARTTLS on it? Where should I be looking on the servers, GUI or CLI to enable that feature?

Thanks
 
Hmm - could you try restarting postfix:
Code:
systemctl restart postfix

Thanks!
 
Hmm - that's odd - could you please try to connect to port 25 on the PMG via netcat and issue an 'EHLO' command:
Code:
nc -v localhost 25
EHLO test.com
please post the output - it should look like this:
Code:
nc -v localhost 25
Connection to localhost 25 port [tcp/smtp] succeeded!
220 hostname2.domain.de Mailgatway - Companyname Mailgateway in2
EHLO test.com
250-pmg6.rosa.proxmox.com
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250 CHUNKING
(the 250-STARTTLS is the line which is needed for TLS support)

alternatively also try the `openssl s_client` command:
Code:
openssl s_client -starttls smtp -connect localhost:25


* If the 250-STARTTLS is not present in the first output - my first guess is that an adapted template in '/etc/pmg/templates' breaks the config (since it works here on PMG 6.1)
* which version of PMG are you running? (`pmgversion -v`)
* If the 250-STARTTLS is present in the first output - then PMG does offer TLS but it gets stripped somewhere on the way (some kind of firewall, content-inspection proxy, IPS, .... could be at blame)

I hope this helps!
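An added example to go with the check described in this reply (it is not code from the thread or from PMG itself): it parses an EHLO reply the way you would read the netcat output, tells you whether 250-STARTTLS is advertised, and applies the same decision as the bullet points above by comparing what the PMG answers on localhost with what an outside host sees. The two sample replies are constructed from the captures in this thread; the `probe()` helper does a live EHLO/STARTTLS with the standard library and is only there to run by hand (the hostname `probe.example` it presents is a placeholder).

```python
"""Diagnose missing STARTTLS on an SMTP listener (added example, not PMG code)."""
import smtplib
import ssl

# Constructed sample: what checktls.com saw from outside (no STARTTLS line).
EXTERNAL_EHLO = """250-swarmx2.mailhive.ca
250-PIPELINING
250-SIZE 200000000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250 XKWFCHUNKING-DENIED
"""

# Constructed sample: what a healthy PMG answers on localhost (STARTTLS present).
LOCAL_EHLO = """250-pmg6.rosa.proxmox.com
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250 CHUNKING
"""


def parse_ehlo(reply: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [params]}.

    RFC 5321 multi-line replies use '250-' on every line but the last,
    which uses '250 '. The first line is the server's name, not a
    capability, so it is stored under the key 'greeting'.
    """
    caps = {}
    lines = [ln.rstrip("\r") for ln in reply.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        body = line[4:]  # drop '250-' or '250 '
        if i == 0:
            caps["greeting"] = [body]
            continue
        parts = body.split()
        caps[parts[0].upper()] = parts[1:]
        if line[3] == " ":
            break  # '250 ' marks the last line of the reply
    return caps


def starttls_offered(reply: str) -> bool:
    """True when the EHLO reply carries a STARTTLS keyword."""
    return "STARTTLS" in parse_ehlo(reply)


def diagnose(local_reply: str, external_reply: str) -> str:
    """The decision from the reply above: compare the on-box and outside EHLO."""
    local = starttls_offered(local_reply)
    external = starttls_offered(external_reply)
    if not local:
        return ("postfix itself is not advertising STARTTLS: "
                "check the PMG TLS settings and /etc/pmg/templates")
    if not external:
        return ("PMG offers STARTTLS but it is stripped in transit: "
                "check firewall/IPS/content-inspection proxy on the path")
    return "STARTTLS advertised both locally and externally"


def probe(host: str, port: int = 25, do_starttls: bool = True) -> dict:
    """Live check over the network: EHLO the listener, then try STARTTLS.

    Run it on the PMG host against localhost and again from an outside
    machine against the public name; the certificate is verified against
    `host`, so use the name on the certificate for the TLS step.
    """
    result = {}
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo("probe.example")            # hostname we present: placeholder
        result["starttls"] = smtp.has_extn("starttls")
        result["caps"] = dict(smtp.esmtp_features)
        if do_starttls and result["starttls"]:
            smtp.starttls(context=ssl.create_default_context())
            result["tls_version"] = smtp.sock.version()
            result["cert_subject"] = smtp.sock.getpeercert().get("subject")
    return result


if __name__ == "__main__":
    import sys
    print(diagnose(LOCAL_EHLO, EXTERNAL_EHLO))
    if len(sys.argv) > 1:                    # e.g. python3 probe.py localhost
        print(probe(sys.argv[1]))
```

On the constructed samples the verdict is the "stripped in transit" case, which is the firewall/IPS situation this thread ends with; running `probe()` from both sides of the firewall gives you the two real replies to feed `diagnose()`.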
 
You hit the nail on the head. It was my firewall my friend!

* If the 250-STARTTLS is present in the first output - then PMG does offer TLS but it gets stripped somewhere on the way (some kind of firewall, content-inspection proxy, IPS, .... could be at blame)

I disabled it and now it shows as being all good. I honestly never ever thought about the firewall IPS being an issue. Disabled and now we are all good!

Thank you very much!
 
Glad you found the issue!

I honestly never ever though about the firewall IPS being an issue.
I've been there - but once you've spent 5 hours debugging such an issue and start questioning your sanity - it's something you remember ;)

Please mark the thread as 'SOLVED' - it might help others running into this

Thanks!
 