[SOLVED] TLS on PMG

dthompson

Nov 23, 2011
Canada
www.digitaltransitions.ca
Hi all,

I have a client who isn't able to send to a customer. It doesn't even show up in the logs, however they can email me. Both of the domains use the same PMG server. I have the TLS enabled in Configuration --> Mail Proxy --> TLS

The server is locked down with ACME Letsencrypt Certificates. I believe this is on the senders end (bad cache on the sending server pointing to the wrong server).

Enable TLS: Yes
Enable TLS Logging: Yes
Add TLS received header: Yes

TLS Domain Policy
digitaltransitions.ca: encrypt
mailhive.ca: encrypt
next domain: encrypt
next domain: encrypt
...

However, when I run the cert checker against checktls.com, it fails as follows:

TLS: Fails
CERT: Fails
SECURE: Fails

I get this report from them. The problem that it's borking at is: TLS is not an option on this server.
What do I need to get around this? Do I need to open up another port or change a port, or is there something else that I'm missing entirely?

seconds   test stage and result
[000.020]Server answered
[000.037]<-- 220 swarmx2.mailhive.ca ESMTP mailhive
[000.038]We are allowed to connect
[000.038] -->EHLO www6.CheckTLS.com
[000.054]<-- 250-swarmx2.mailhive.ca
250-PIPELINING
250-SIZE 200000000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250 XKWFCHUNKING-DENIED
[000.055]We can use this server
[000.055]TLS is not an option on this server
[000.055] -->MAIL FROM:<test@checktls.com>
[000.072]<-- 250 2.1.0 Ok
[000.072]Sender is OK
[000.072] -->QUIT
[000.088]<-- 221 2.0.0 Bye
 
not sure I understand the question right - but
the test-report shows that swarmx2.mailhive.ca is not offering STARTTLS (same when trying to connect there)

Unless your server is swarmx2.mailhive.ca - you would need to ask them why they do not offer STARTTLS

If I misread your post please explain the situation with a bit more details (and some logs if available)

Thanks!
 
That’s right. My PMG server is swarm1 and swarm2

How do I get it to offer STARTTLS? I have a Let's Encrypt cert on it and as far as I can tell everything to do with TLS is enabled

What do I need to do in order to get the servers to allow STARTTLS on it? Where should I be looking on the servers, GUI or CLI to enable that feature?

Thanks
 
Hmm - could you try restarting postfix:
Code:
systemctl restart postfix

Thanks!
 
Hmm - that's odd - could you please try to connect to port 25 on the PMG via netcat and issue an 'EHLO' command:
Code:
nc -v localhost 25
EHLO test.com
please post the output - it should look like this:
Code:
nc -v localhost 25
Connection to localhost 25 port [tcp/smtp] succeeded!
220 hostname2.domain.de Mailgatway - Companyname Mailgateway in2
EHLO test.com
250-pmg6.rosa.proxmox.com
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250 CHUNKING
(the 250-STARTTLS is the line which is needed for TLS support)

alternatively also try the `openssl s_client` command:
Code:
openssl s_client -starttls smtp -connect localhost:25


* If the 250-STARTTLS is not present in the first output - my first guess is that an adapted template in '/etc/pmg/templates' breaks the config (since it works here on PMG 6.1)
* which version of PMG are you running? (`pmgversion -v`)
* If the 250-STARTTLS is present in the first output - then PMG does offer TLS but it gets stripped somewhere on the way (some kind of firewall, content-inspection proxy, IPS, .... could be at blame)

I hope this helps!
 
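The check described in the reply above, as an added example that is not from the thread or from Proxmox: parse the EHLO capability list seen from localhost and from outside, and tell "PMG never offers STARTTLS" apart from "STARTTLS is stripped somewhere in the path". The two transcripts are constructed from the EHLO responses quoted in the thread; `probe()` uses smtplib for a live check and the EHLO name `probe.example` is a placeholder.

```python
"""Spot STARTTLS that is offered locally but missing from the outside."""
import re
import smtplib

# Constructed sample transcripts, modelled on the two EHLO responses
# quoted in the thread (one lacks 250-STARTTLS, the other has it).
EHLO_SEEN_FROM_OUTSIDE = """\
250-swarmx2.mailhive.ca
250-PIPELINING
250-SIZE 200000000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250 XKWFCHUNKING-DENIED
"""

EHLO_SEEN_FROM_LOCALHOST = """\
250-pmg6.rosa.proxmox.com
250-PIPELINING
250-SIZE 104857600
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-SMTPUTF8
250 CHUNKING
"""

# Every capability line starts with "250-" (more to come) or "250 " (last).
_CAP_LINE = re.compile(r"^250[- ](\S+)", re.MULTILINE)

def ehlo_capabilities(transcript: str) -> set[str]:
    """Upper-cased EHLO keywords; the first 250 line is the hostname, so skip it."""
    keywords = [m.group(1).upper() for m in _CAP_LINE.finditer(transcript)]
    return set(keywords[1:])

def diagnose(local_caps: set[str], external_caps: set[str]) -> str:
    """Classify the three cases the reply distinguishes."""
    if "STARTTLS" in external_caps:
        return "ok"
    if "STARTTLS" in local_caps:
        return "stripped-in-path"   # firewall / IPS / inspection proxy
    return "not-offered"            # postfix/PMG configuration problem

def probe(host: str, port: int = 25, timeout: float = 10) -> set[str]:
    """Live equivalent of 'nc -v host 25' + EHLO (not exercised by the test)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo("probe.example")  # placeholder EHLO name
        return {k.upper() for k in smtp.esmtp_features}
```

Run `probe("localhost")` on the PMG box and `probe("<public hostname>")` from an outside host, then feed both sets to `diagnose()`; "stripped-in-path" is the firewall/IPS case from this thread.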
You hit the nail on the head. It was my firewall my friend!

* If the 250-STARTTLS is present in the first output - then PMG does offer TLS but it gets stripped somewhere on the way (some kind of firewall, content-inspection proxy, IPS, .... could be at blame)

I disabled it and now it shows as being all good. I honestly never ever thought about the firewall IPS being an issue. Disabled and now we are all good!

Thank you very much!
 
Glad you found the issue!

I honestly never ever though about the firewall IPS being an issue.
I've been there - but once you've spent 5 hours debugging such an issue and start questioning your sanity - it's something you remember ;)

Please mark the thread as 'SOLVED' - it might help others running into this

Thanks!