Koozali.org formerly Contribs.org

Accounts server cannot send email using SME email server

« on: November 06, 2019, 04:35:42 PM »
A client of mine is running SME 9.2 in server only mode. The SME server provides DHCP, email, and file services, with a router handling the internet connection. All users either use Mozilla Thunderbird on PCs/laptops or the stock clients on Android and iPhones/iPads. The SMTP settings used are mail.mydomain.co.uk SMTP Port 465, SSL, Normal password. Everything works fine. The SME Server IP address is 192.168.0.250, with the router being on 192.168.0.1.

They also have a server on the network that runs their accounts software supplied by ‘Acme Accounts’ (a made-up name). This has been set up with a static IP 192.168.0.20. I did not add this to the hostnames in the server manager, as there was no need as it ran independently of the SME Server.
One of the functions of the accounts server is to email invoices out to clients, and this has worked fine up until recently when some customers reported that they were not receiving emails. My client spoke to Acme Accounts, and they suggested that it may be because the mail server being used was the one hosted by the Acme accounts, and it may help to switch to my client’s own email server. I was asked to supply log in details so the accounts server could send email via SME Server.
I created an account on the SME server, and tested it both internally and externally using Mozilla Thunderbird on a PC. It works fine.
However, when they tried it on their software they got a timeout with the following error:
Quote
2019-11-05T16:01:02.163134+00:00 mtl postfix/smtp[22580]: 2E9C312E30F: to=<kevin@acme.co.uk>, relay=mail.mydomain.co.uk[82.69.37.28]:465, delay=519, delays=219/0.01/300/0, dsn=4.4.2, status=deferred (conversation with mail.mydomain.co.uk[82.69.37.28] timed out while receiving the initial server greeting)

This told me that the Acme server was accessing the SME Server over the internet, rather than locally, however they reported that if they used port 25 with the login details they could send emails to local addresses, but not to external ones.

I suggested that they change their DNS settings to use the SME server (as all other clients do), and I created a hostname on the SME server for the Acme server with its MAC address and IP address. I also suggested that they try using STARTTLS with port 25 to see if that made any difference.

They have tried all of this, and have got nowhere. The last message I had from them was:
Quote
I’ve tried every combination of the available details (we can only use SSL or TLS not STARTTLS – that I am aware of anyway) and at present we have come full circle, with a time out while talking to that mail server.
The closest I get to it working is on port 25, with TLS turned on, using the authentication details. It gets to talk to the server, which then gives back a relaying error.

Normally when we see that talking to an exchange type server it is because the Acme server needs to be whitelisted on the exchange type server to be allowed to relay email through the server as an external mail client. Their normal default stance is to only allow clients to talk to them and not to allow other mail systems to send via them.

I think the Acme server is Linux based, but I’m not sure, so I have asked for what software they use to send emails, and also a copy of some of the bounces they are getting.

Any help would be greatly appreciated, thanks.
Jim

Re: Accounts server cannot send email using SME email server
« Reply #1 on: November 06, 2019, 10:49:05 PM »
OK, done a bit more digging. I went through the sqpsmtpd log file, and found one entry where Acme had tried to send a message using SME. This is below:
Code:
2019-11-06 14:03:40.021440500 122006 Accepted connection 0/10 from 192.168.0.20 / mtl.mydomain.co.uk
2019-11-06 14:03:40.021598500 122006 Connection from mtl.mydomain.co.uk [192.168.0.20]
2019-11-06 14:04:57.369092500 122006 (connect) tls: fail, unable to establish SSL
2019-11-06 14:04:57.369337500 122006 (deny) logging::logterse: ` 192.168.0.20 mtl.mydomain.co.uk tls 903 Cannot establish SSL session msg denied before queued
2019-11-06 14:04:57.369431500 122006 550 Cannot establish SSL session
2019-11-06 14:04:57.369464500 122006 click, disconnecting
2019-11-06 14:04:58.099352500 2433 cleaning up after 122006
2019-11-06 14:11:14.780296500 122078 Accepted connection 0/10 from 192.168.0.20 / mtl.mydomain.co.uk
2019-11-06 14:11:14.780470500 122078 Connection from mtl.mydomain.co.uk [192.168.0.20]
2019-11-06 14:11:34.615469500 122079 Accepted connection 1/10 from 192.168.0.20 / mtl.mydomain.co.uk
2019-11-06 14:11:34.615643500 122079 Connection from mtl.mydomain.co.uk [192.168.0.20]
2019-11-06 14:14:46.427842500 122079 (connect) tls: fail, unable to establish SSL
2019-11-06 14:14:46.427844500 122078 (connect) tls: fail, unable to establish SSL
2019-11-06 14:14:46.428199500 122078 (deny) logging::logterse: ` 192.168.0.20 mtl.mydomain.co.uk tls 903 Cannot establish SSL session msg denied before queued
2019-11-06 14:14:46.428201500 122079 (deny) logging::logterse: ` 192.168.0.20 mtl.mydomain.co.uk tls 903 Cannot establish SSL session msg denied before queued
2019-11-06 14:14:46.449397500 122078 550 Cannot establish SSL session
2019-11-06 14:14:46.449399500 122079 550 Cannot establish SSL session
2019-11-06 14:14:46.449400500 122079 click, disconnecting
2019-11-06 14:14:46.449400500 122078 click, disconnecting

It appears to be failing to establish an SSL connection. I'm a bit out of my depth here, but I did find a bug (9162) where error 903 cropped up. It was to do with TLS. Am I on the right lines, or barking up the wrong tree entirely? :-)
Jim

Jean-Philippe Pialasse (aka Unnilennium)
Re: Accounts server cannot send email using SME email server
« Reply #2 on: November 07, 2019, 05:07:56 AM »
What are the configuration options to establish a remote SMTP connection on your ACME?
If you use sqpsmtpd then this is port 465 and should be SSL, not STARTTLS or TLS, with normal password.
And the username is not an email address, but only the part before the @.

mmccarn
Re: Accounts server cannot send email using SME email server
« Reply #3 on: November 07, 2019, 12:58:47 PM »
You may also need to either get a "real" certificate for your SME server or figure out how to configure "ACME Accounts" to allow insecure certificates if your SME is using the default self-signed certificate.

Re: Accounts server cannot send email using SME email server
« Reply #4 on: November 07, 2019, 02:37:25 PM »
Quote
What are the configuration options to establish a remote SMTP connection on your ACME?
If you use sqpsmtpd then this is port 465 and should be SSL, not STARTTLS or TLS, with normal password.
And the username is not an email address, but only the part before the @.

Thanks. Unfortunately I can't get access to the Acme server, and I'm not sure how it works or is set up. I'm told that it uses Fetchmail to handle the email, but I thought that was only for retrieving email, not sending it. It might be used for relaying it I suppose.

I'm waiting to hear more back from Acme tech support, and in the meantime I'm exploring other options for getting things to work. I'll let you know when I hear more.
Jim

Re: Accounts server cannot send email using SME email server
« Reply #5 on: November 07, 2019, 02:39:06 PM »
Quote
You may also need to either get a "real" certificate for your SME server or figure out how to configure "ACME Accounts" to allow insecure certificates if your SME is using the default self-signed certificate.

Thanks. The SME server is set up with the letsencrypt contrib, so that shouldn't be a problem provided the Acme server uses mail.mydomain.co.uk as the server. If they use the IP address of the mail server then it would be a problem I think.
Jim

Jean-Philippe Pialasse (aka Unnilennium)
Re: Accounts server cannot send email using SME email server
« Reply #6 on: November 09, 2019, 07:48:08 PM »
If they can only get mail to local clients then they do not use the credentials at all.

Anyway, you would have the answer if you take the time to check the log, looking for their hostname, IP or some other relevant information.

Checking both qpsmtpd and sqpsmtpd
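
The log check suggested in the last reply, as an added example that is not part of any post in this thread: it filters qpsmtpd/sqpsmtpd log lines by client IP, groups them by the process ID in the third field, and reports how long each connection lasted before `tls: fail` was logged. The sample lines are copied from Reply #1, plus one constructed line for a second client; the function names are hypothetical.

```python
import re
from datetime import datetime

# Lines copied from the sqpsmtpd log posted in Reply #1 of this thread.
PAGE_LINES = """\
2019-11-06 14:03:40.021440500 122006 Accepted connection 0/10 from 192.168.0.20 / mtl.mydomain.co.uk
2019-11-06 14:04:57.369092500 122006 (connect) tls: fail, unable to establish SSL
2019-11-06 14:11:14.780296500 122078 Accepted connection 0/10 from 192.168.0.20 / mtl.mydomain.co.uk
2019-11-06 14:11:34.615469500 122079 Accepted connection 1/10 from 192.168.0.20 / mtl.mydomain.co.uk
2019-11-06 14:14:46.427842500 122079 (connect) tls: fail, unable to establish SSL
2019-11-06 14:14:46.427844500 122078 (connect) tls: fail, unable to establish SSL
"""
# Constructed line (not from the thread): a second LAN client, to exercise the filter.
OTHER_CLIENT = "2019-11-06 14:05:10.000000000 122010 Accepted connection 1/10 from 192.168.0.31 / pc31.mydomain.co.uk\n"

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.(\d+) (\d+) (.*)$")
ACCEPT = re.compile(r"^Accepted connection \d+/\d+ from (\S+) / (\S+)")

def sessions_for(log_text, client_ip):
    """Return one record per connection from client_ip, in the order accepted."""
    found, open_by_pid = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped log line
        stamp, frac, pid, msg = m.groups()
        # The log carries nanoseconds; datetime keeps the first six digits.
        when = datetime.strptime(f"{stamp}.{frac[:6]}", "%Y-%m-%d %H:%M:%S.%f")
        accepted = ACCEPT.match(msg)
        if accepted:
            open_by_pid.pop(pid, None)  # a PID can be reused by a later connection
            if accepted.group(1) == client_ip:
                rec = {"pid": pid, "host": accepted.group(2), "start": when,
                       "outcome": "no result logged", "seconds": None}
                open_by_pid[pid] = rec
                found.append(rec)
        elif pid in open_by_pid and "tls: fail" in msg:
            rec = open_by_pid.pop(pid)
            rec["outcome"] = "TLS not established"
            rec["seconds"] = (when - rec["start"]).total_seconds()
    return found

def report(log_text, client_ip):
    """One summary line per connection from client_ip."""
    return [f'{s["start"]:%H:%M:%S} pid {s["pid"]} {s["host"]}: {s["outcome"]}'
            + (f' after {s["seconds"]:.0f}s' if s["seconds"] is not None else "")
            for s in sessions_for(log_text, client_ip)]

if __name__ == "__main__":
    print("\n".join(report(PAGE_LINES + OTHER_CLIENT, "192.168.0.20")))
```

For the three connections from 192.168.0.20, the failure is logged at the `(connect)` stage between 77 and 211 seconds after the connection was accepted, so those attempts ended before any SMTP authentication or relay check.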