Koozali.org: home of the SME Server

550 A TLS connection is required

Offline cno

550 A TLS connection is required
« on: February 23, 2019, 01:10:12 PM »
From multiple SME servers; 9.2 is fully updated and with Let's Encrypt.

When I send mail to gratisdns.dk (put support @ in front) or others who have mxhotel at gratisdns.dk, I get the mailer daemon return:

91.221.196.198 does not like recipient.
Remote host said: 550 A TLS connection is required
Giving up on 91.221.196.198.

gratisdns says I need TLS ver 1.2; can't figure out if it's Let's Encrypt or not.

Can anyone tell me how to change it?
Can't find out if it's on my end or with gratisdns; they say it is on my end!!

From https://www.ssllabs.com/ssltest/analyze.html

it says TLS ver 1.2 is green and ver 1.0 and 1.1 are brown.

Offline ReetP

Re: 550 A TLS connection is required
« Reply #1 on: February 23, 2019, 04:21:42 PM »
Think Letsencrypt is a bit of a red herring here.

Look at the error.

You are getting 550 TLS from THEIR mail server saying it needs that type of connection from YOUR mail server.

Have a read on this thread:

https://forums.contribs.org/index.php/topic,53229.0.html

This bug for reference:

https://bugs.contribs.org/show_bug.cgi?id=9349

The question that others may like to comment on is: if the remote server is insisting on TLS (be that right or wrong), then currently SME is unable to comply?

Your only alternative is to then use an alternative smarthost?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

Re: 550 A TLS connection is required
« Reply #2 on: February 24, 2019, 05:40:42 AM »
Or this is a ring to implement this.

While again this enforces no security at all, as encryption is opportunistic and does not prevent a man-in-the-middle attack, as there is no verification of identity.

Offline ReetP

Re: 550 A TLS connection is required
« Reply #3 on: February 24, 2019, 09:34:10 PM »
Yes I understand it offers no real protection for the many reasons previously outlined.

However, if remote servers insist on it (regardless of the merits) and SME cannot play, then the mail server becomes ineffective, leaving you with dwindling choices - you would need some form of upstream mail server that can comply, be that at an ISP, some paid-for SMTP hosting, or running your own alternative upstream using, say, Postfix etc.

For SME to be able to continue to run as standalone this would need fixing.

Offline cno

Re: 550 A TLS connection is required
« Reply #4 on: February 25, 2019, 02:17:01 AM »
Thank you for all the answers

I have no idea what to do.

I can't figure out how it will be in the future. It is not just one mail server affected by this but several servers that I manage.


Offline ReetP

Re: 550 A TLS connection is required
« Reply #5 on: February 25, 2019, 04:59:30 AM »
Quote
Thank you for all the answers

I have no idea what to do.

As per my comments above. Currently nothing much you can do with SME.

Quote
I can't figure out how it will be in the future. It is not just one mail server affected by this but several servers that I manage.

Can you provide some serious evidence of this please.

Start with the sending mail logs /var/log/sqpsmtpd

We need to see some transactions & where it is failing, just to be sure.

Offline Jean-Philippe Pialasse

Re: 550 A TLS connection is required
« Reply #6 on: February 25, 2019, 05:54:44 AM »
Or if you have time and a spare server (DO NOT do this on production), you can try the qmail version freshly built for https://bugs.contribs.org/show_bug.cgi?id=9349

First step would be to simply test it to send regular mail between 2 servers, then try TLS.
The rpm will be in the smetest repo, so: yum update --enablerepo=smetest

Again, not on a production server!

Offline Jean-Philippe Pialasse

Re: 550 A TLS connection is required
« Reply #7 on: March 02, 2019, 05:47:24 AM »
A quick update to say I was able to get a TLS connection and transaction using qmail-remote to our qpsmtpd. So it should work with any other SMTP server requiring or offering TLS.

There remains a little tweaking, tidying and integration to do. Then extensive testing before putting it in production.

Offline TerryF

Re: 550 A TLS connection is required
« Reply #8 on: March 02, 2019, 09:32:45 AM »
So good so far, good job JP
--
qui scribit bis legit

Offline CharlieBrady

Re: 550 A TLS connection is required
« Reply #9 on: March 21, 2019, 02:48:14 PM »
Quote
Think Letsencrypt is a bit of a red herring here.

...

The question that others may like to comment is if the remote server is insisting on TLS (be that right or wrong) then currently SME is unable to comply?

Your only alternative is to then use an alternative smarthost?

Correct, correct and incorrect. There is an alternative, which is to use the experimental qmail update which Jean-Philippe has been working on. It will do opportunistic encryption, so will be able to deliver that email.

It seems a strange decision by gratisdns.dk to refuse plaintext SMTP.

Offline cno

Re: 550 A TLS connection is required
« Reply #10 on: March 21, 2019, 05:50:46 PM »
thanks for everything everybody

If it helps, gratisdns.dk / larsendata.dk says (translated with Google):

https://status.larsendata.dk/

TLS 1.2 requirements from the Data Inspectorate

Since we have had a lot of questions regarding our requirement for TLS 1.2, we would like to point out that this is a requirement from the Data Inspectorate.

See more here: https://www.datatilsynet.dk/emner/persondatasikkerhed/transmission-af-personinformation-via-e-mail/

If the connection from the sender's machine to the sender's mail server is over an open network, the connection at the handover of the e-mail to this mail server must also be secured with TLS. Only TLS 1.2 or later should be used

It is also a requirement that the mail server certificates are from approved issuers and match the host name of the mail server. Self-signed certificates cannot be approved. However, it is possible to use the same host name and thus only one certificate per mail server, although there are many different domains on the same server.

We sell SSL certificates from DKK 300 on GratisDNS.dk

https://web.gratisdns.dk/ssl/

Exchange servers

Microsoft has made a guide to TLS 1.2 implementation which can be found here:

https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/

Note that Exchange 2007 and earlier versions are not supported and should be updated immediately.
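Added example (not code from the thread, from SME Server or from GratisDNS): a small Python helper that pulls the remote host and its 5xx reply out of qmail bounce text in the form quoted at the top of the thread, plus a STARTTLS probe that checks the three requirements quoted above (TLS 1.2 or later, a CA-signed certificate, a certificate matching the MX host name) against a live MX. The sample bounce and the example.invalid address are constructed; probe_starttls needs network access and is not run on the sample.

```python
import re
import smtplib
import ssl

# qmail bounce text uses the two-line form quoted in the thread:
#   "91.221.196.198 does not like recipient."
#   "Remote host said: 550 A TLS connection is required"
HOST_RE = re.compile(r"^(?P<host>[\w.:-]+) does not like recipient\.$")
SAID_RE = re.compile(r"^Remote host said: (?P<code>\d{3})[ -](?P<text>.*)$")

def parse_bounce(text):
    """Map each remote host named in a qmail bounce to its 5xx reply strings."""
    failures, host = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            host = m.group("host")
            continue
        m = SAID_RE.match(line)
        if m and host and m.group("code").startswith("5"):
            failures.setdefault(host, []).append(m.group("code") + " " + m.group("text"))
    return failures

def tls_required_hosts(text):
    """Remote hosts that rejected us because they insist on TLS."""
    return sorted(h for h, replies in parse_bounce(text).items()
                  if any("tls" in r.lower() for r in replies))

def probe_starttls(mx_host, port=25, timeout=10):
    """Network check of one MX: TLS 1.2+ and a CA-signed cert matching mx_host."""
    ctx = ssl.create_default_context()            # CA chain + hostname verification
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=ctx)   # ssl.SSLError if cert/hostname/version fail
        smtp.ehlo()                  # RFC 3207: re-issue EHLO after STARTTLS
        issuer = dict(x[0] for x in smtp.sock.getpeercert()["issuer"])
        return {"starttls": True, "version": smtp.sock.version(),
                "issuer": issuer.get("organizationName")}

# Constructed sample, in the bounce format quoted at the top of the thread.
SAMPLE_BOUNCE = """\
<support@example.invalid>:
91.221.196.198 does not like recipient.
Remote host said: 550 A TLS connection is required
Giving up on 91.221.196.198.
"""
```

Run tls_required_hosts over a batch of bounces from /var/log/qmail to see which destinations actually insist on TLS before switching smarthosts; a probe result with "version" below TLSv1.2 or an ssl.SSLError on a self-signed certificate is exactly what the quoted policy rejects.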

Offline ReetP

Re: 550 A TLS connection is required
« Reply #11 on: March 21, 2019, 06:51:53 PM »
Makes me laugh when banks & all those supposedly secure businesses can't get their stuff together.

So we get a mail from:

'barclaycarddatasecuritymanager.co.uk'

Go to that as a URL (just for the giggles)

https://barclaycarddatasecuritymanager.co.uk/

Ha - some lazy sod hasn't bothered with a redirect, or a proper cert for the site, which should be:

https://www.barclaycarddatasecuritymanager.co.uk/

I did tell them about this, like 7 months ago......

<shakes head>

Offline Knuddi

Re: 550 A TLS connection is required
« Reply #12 on: April 04, 2019, 01:46:07 PM »
I can confirm that GratisDNS requires a TLS-based connection when receiving email (also being a client of theirs). The local Danish regulator has enforced that encryption should be used when transmitting sensitive data. Whether opportunistic or not, using TLS is better than not even trying - the SME server is seriously behind here.... I "hacked" the SMTP proxy code in my SME server to ensure a TLS connection to the external smart host I use (hack is in Bugzilla already).

TLS does not provide any guarantees BUT there is a good chance that if the SME would send as TLS to the MX record, then it's either directly to the server itself or a spam filter provider, where probably all provide TLS and will also deliver to the end server using TLS.

@CNO,
Just reach out to me at ScanMailX and I can help with a local Danish SMTP relay that supports TLS :-)

Rgds,
Jesper

Offline ReetP

Re: 550 A TLS connection is required
« Reply #13 on: April 04, 2019, 04:53:26 PM »
It will benefit everyone if people tested the updated qmail that JPP spent a lot of his time on.

https://bugs.contribs.org/show_bug.cgi?id=9349

Currently in smeupdates-testing

The more people test the quicker it will get released.

Offline cno

Re: 550 A TLS connection is required
« Reply #14 on: April 05, 2019, 08:58:16 AM »
I can confirm it works and has run since 27/3-19 on 3 different servers without any problems.
One of the servers sends/receives around 1000 mails every day without any problems now.

Jean-Philippe Pialasse, thanks for the great help.

I only ran this:

yum update qmail --enablerepo=smeupdates-testing
signal-event post-upgrade; signal-event reboot