LinuxQuestions.org
Old 04-06-2018, 05:57 AM   #16
kkrrss
Original Poster

Yes, because of this I removed the client certificates and checked. Still, my issue is the same.
 
Old 04-06-2018, 06:13 AM   #17
descendant_command
Are there any clues in the log if you increase smtp_tls logging verbosity?
Is the server advertising STARTTLS on initial connection?
 
Old 04-07-2018, 03:54 AM   #18
kkrrss
Original Poster

Thanks for being with me to help on this.
Even when I put the log level = 3, all I can see is only the below when I am sending emails.

Quote:
Apr 7 08:51:28 MyServerName postfix/qmgr[16551]: EEB48B80232: from=<my-from-address@doimain.com>, size=774, nrcpt=1 (queue active)
Apr 7 08:51:28 MyServerName postfix/smtpd[16555]: disconnect from unknown[86.96.239.79]
Apr 7 08:51:29 MyServerName postfix/smtp[16679]: initializing the client-side TLS engine
Apr 7 08:51:29 MyServerName postfix/smtp[16679]: EEB48B80232: enabling PIX workarounds: disable_esmtp delay_dotcrlf for gmail-smtp-in.l.google.com[64.233.167.27]:25
Apr 7 08:51:29 MyServerName postfix/smtp[16679]: EEB48B80232: TLS is required, but was not offered by host gmail-smtp-in.l.google.com[64.233.167.27]
Apr 7 08:51:29 MyServerName postfix/smtp[16679]: EEB48B80232: enabling PIX workarounds: disable_esmtp delay_dotcrlf for alt1.gmail-smtp-in.l.google.com[108.177.14.26]:25
Apr 7 08:51:30 MyServerName postfix/smtp[16679]: EEB48B80232: TLS is required, but was not offered by host alt1.gmail-smtp-in.l.google.com[108.177.14.26]
Apr 7 08:51:30 MyServerName postfix/smtp[16679]: EEB48B80232: enabling PIX workarounds: disable_esmtp delay_dotcrlf for alt2.gmail-smtp-in.l.google.com[74.125.200.26]:25
Apr 7 08:51:31 MyServerName postfix/smtp[16679]: EEB48B80232: TLS is required, but was not offered by host alt2.gmail-smtp-in.l.google.com[74.125.200.26]
Apr 7 08:51:31 MyServerName postfix/smtp[16679]: EEB48B80232: enabling PIX workarounds: disable_esmtp delay_dotcrlf for alt3.gmail-smtp-in.l.google.com[64.233.187.27]:25
Apr 7 08:51:32 MyServerName postfix/smtp[16679]: EEB48B80232: TLS is required, but was not offered by host alt3.gmail-smtp-in.l.google.com[64.233.187.27]
Apr 7 08:51:32 MyServerName postfix/smtp[16679]: EEB48B80232: enabling PIX workarounds: disable_esmtp delay_dotcrlf for alt4.gmail-smtp-in.l.google.com[173.194.202.26]:25
Apr 7 08:51:33 MyServerName postfix/smtp[16679]: EEB48B80232: to=<my-to-address@gmail.com>, relay=alt4.gmail-smtp-in.l.google.com[173.194.202.26]:25, delay=4.1, delays=0.03/0.01/4.1/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host alt4.gmail-smtp-in.l.google.com[173.194.202.26])
 
Old 04-07-2018, 04:02 AM   #19
descendant_command
Quote:
Is the server advertising STARTTLS on initial connection?
Can you telnet to the ggl server & supply the EHLO to check its offer?
What about direct to the ones that work for me?
 
1 members found this post helpful.
Old 04-07-2018, 04:16 AM   #20
kkrrss
Original Poster

So badly here is my output.

Quote:
telnet gmail-smtp-in.l.google.com 25
Trying 64.233.167.27...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 ************************************************
EHLO smtp.mydomain.com
250-mx.google.com at your service, [X.X.X.X]
250-SIZE 157286400
250-8BITMIME
250-XXXXXXXA
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-XXXXXXXB
250 XXXXXXXC

^]
telnet> q
Connection closed.

But if I use smtp.gmail.com:

Quote:
telnet smtp.gmail.com 587
Trying 74.125.206.108...
Connected to smtp.gmail.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP l41sm25047376wrl.2 - gsmtp
EHLO smtp.mydomain.com
250-smtp.gmail.com at your service, [X.X.X.X]
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8

If I point to the MX record which you get:

Quote:
telnet gmail-smtp-in.l.google.com 25
Trying 64.233.167.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 **********************************************
EHLO smtp.mydomain.com
250-mx.google.com at your service, [X.X.X.X]
250-SIZE 157286400
250-8BITMIME
250-XXXXXXXA
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-XXXXXXXB
250 XXXXXXXC

Something is very badly wrong. Why do these MX servers not offer STARTTLS for my server?

I did another test using OpenSSL; what I can see is that the server does not offer any ciphers?

Quote:
openssl s_client -connect gmail-smtp-in.l.google.com:25 -starttls smtp
CONNECTED(00000003)
didn't find starttls in server response, trying anyway...
140335390373632:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:252:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 285 bytes and written 209 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1523092487
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---

Last edited by kkrrss; 04-07-2018 at 04:18 AM.
 
Old 04-07-2018, 04:26 AM   #21
descendant_command
I'm out of ideas now, but clearly it's not your config, so I don't think you can "fix" anything. For some reason those servers aren't offering STARTTLS to you (maybe IP/location based?).
 
1 members found this post helpful.
Old 04-07-2018, 04:30 AM   #22
kkrrss
Original Poster

Thank you very much for assisting me till now.
I will keep trying to figure this out. Will get back to you if I find anything (Y)
 
Old 04-07-2018, 05:26 AM   #23
kkrrss
Original Poster

@Descendant

Finally found the root cause.
This is because of SMTP inspection in our ASA firewall. I have asked our network admin to disable it on the ASA firewall. Then this works perfectly.

Quote:
telnet alt3.gmail-smtp-in.l.google.com 25
Trying 64.233.187.26...
Connected to alt3.gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP c32-v6si10192401plj.381 - gsmtp
EHLO smtp.mydomain.com
250-mx.google.com at your service, [X.X.X.X]
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8

Trusted TLS connection established to gmail-smtp-in.l.google.com[64.233.184.27]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits

Thanks a lot for your support.

I'm sure this thread will be very helpful for future Postfix users or any others.
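
The before/after EHLO replies in this thread show the signs to check for when Postfix logs "TLS is required, but was not offered": a 220 banner made only of asterisks and extension keywords overwritten with runs of X. As an added example (not part of the original posts), this Python function classifies a pasted session; the name `analyze`, the verdict strings and the X-run pattern are assumptions made for illustration, and the two transcripts are the server reply lines from the telnet sessions quoted above.

```python
import re
# Server replies copied from the telnet sessions quoted in this thread.
INSPECTED = """220 ************************************************
250-mx.google.com at your service, [X.X.X.X]
250-SIZE 157286400
250-8BITMIME
250-XXXXXXXA
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-XXXXXXXB
250 XXXXXXXC"""
CLEAN = """220 mx.google.com ESMTP c32-v6si10192401plj.381 - gsmtp
250-mx.google.com at your service, [X.X.X.X]
250-SIZE 157286400
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-CHUNKING
250 SMTPUTF8"""

REPLY = re.compile(r"^(\d{3})[ -](.*)$")

def analyze(transcript):
    """Classify a 220 banner plus EHLO reply; returns (verdict, findings)."""
    banner, lines250 = None, []
    for raw in transcript.splitlines():
        m = REPLY.match(raw.strip())
        if not m:
            continue  # client commands and telnet chatter are ignored
        code, text = m.groups()
        if code == "220" and banner is None:
            banner = text
        elif code == "250":
            lines250.append(text)
    ext = [t.split()[0].upper() for t in lines250[1:] if t.split()]  # [0] is the greeting
    findings = []
    if banner and set(banner) == {"*"}:
        findings.append("banner masked with asterisks")
    # Assumption: overwritten keywords look like the XXXXXXXA form seen above.
    masked = [k for k in ext if re.fullmatch(r"X{4,}[A-Z]?", k)]
    if masked:
        findings.append("overwritten keywords: " + ", ".join(masked))
    if "STARTTLS" in ext:
        return "starttls-offered", findings
    return ("starttls-stripped-in-path" if findings else "starttls-not-offered"), findings

if __name__ == "__main__":
    print(analyze(INSPECTED), analyze(CLEAN))
```

A "starttls-stripped-in-path" verdict points at a device between the mail server and the remote MX rather than at the Postfix configuration, which is what the firewall change in this thread confirmed.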
 
Old 04-07-2018, 07:00 AM   #24
descendant_command
Aha.
Nice find.
 
  

