mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

Sender-dependent transports with transport encryption on port 465 fails #2881

Open maxmeyer opened 5 years ago

maxmeyer commented 5 years ago

Description of the bug: What kind of issue have you exactly come across?

I tried to setup a transport encryption for a relay host, but this fails with the following error message in the logs:

Aug 20 00:57:35 mail enforced-tls-smtp/smtp[961]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)

Reproduction of said bug: How exactly do you reproduce the bug?

1. Configure Sender-dependent transports

   I configured a relayhost with [smtp.example.org]:465. I also tested the setup with the "Test" button. Here's the result:

   (screenshot)

2. After that I set up a TLS policy map

   I also tried example.org, [smtp.example.org]:456, smtp.example.org:456

3. The next step was restarting SOGo

4. Send an email

5. After that I found this log line in the docker output

   Aug 20 00:57:35 mail enforced-tls-smtp/smtp[961]: SMTPS wrappermode (TCP port 465) requires setting "smtp_tls_wrappermode = yes", and "smtp_tls_security_level = encrypt" (or stronger)

6. And the mail is queued

   (screenshot)

System information

Further information (where applicable):

| Question | Answer |
|---|---|
| My operating system | CentOS 7.x |
| Is Apparmor, SELinux or similar active? | NO |
| Virtualization technology (KVM, VMware, Xen, etc) | KVM, ProxMox |
| Server/VM specifications (Memory, CPU Cores) | 4 GiB, 1 CPU, 1 Core |
| Docker Version (docker version) | 19.03.1 |
| Docker-Compose Version (docker-compose version) | docker-compose version 1.18.0, build 8dd22a9 |
| Reverse proxy (custom solution) | Traefik |

My setup should look like this:

[ Mailcow ] -> SMTP with TLS encryption -> [ External Mail Provider ]:465

I'm using the latest "docker-compose" setup with some minor modifications due to my local environment. I'm using these container images:

ipv6nat-mailcow (robbertkl/ipv6nat) (Started on Tue, 20 Aug 2019 00:47:55 +0200)
rspamd-mailcow (mailcow/rspamd:1.45) (Started on Mon, 19 Aug 2019 23:32:32 +0200)
acme-mailcow (mailcow/acme:1.61) (Started on Mon, 19 Aug 2019 23:32:31 +0200)
netfilter-mailcow (mailcow/netfilter:1.28) (Started on Mon, 19 Aug 2019 23:32:28 +0200)
nginx-mailcow (nginx:mainline-alpine) (Started on Mon, 19 Aug 2019 23:32:29 +0200)
php-fpm-mailcow (mailcow/phpfpm:1.43) (Started on Mon, 19 Aug 2019 23:32:26 +0200)
olefy-mailcow (mailcow/olefy:1.1) (Started on Mon, 19 Aug 2019 23:32:25 +0200)
mysql-mailcow (mariadb:10.2) (Started on Mon, 19 Aug 2019 23:32:25 +0200)
clamd-mailcow (mailcow/clamd:1.27) (Started on Mon, 19 Aug 2019 23:32:24 +0200)
redis-mailcow (redis:5-alpine) (Started on Mon, 19 Aug 2019 23:32:25 +0200)
watchdog-mailcow (mailcow/watchdog:1.56) (Started on Mon, 19 Aug 2019 23:32:24 +0200)
dovecot-mailcow (mailcow/dovecot:1.85) (Started on Mon, 19 Aug 2019 23:32:24 +0200)
memcached-mailcow (memcached:alpine) (Started on Mon, 19 Aug 2019 23:32:20 +0200)
solr-mailcow (mailcow/solr:1.6) (Started on Mon, 19 Aug 2019 23:32:23 +0200)
dockerapi-mailcow (mailcow/dockerapi:1.32) (Started on Mon, 19 Aug 2019 23:32:18 +0200)
postfix-mailcow (mailcow/postfix:1.37) (Started on Mon, 19 Aug 2019 23:32:22 +0200)
unbound-mailcow (mailcow/unbound:1.8) (Started on Mon, 19 Aug 2019 23:32:19 +0200)
sogo-mailcow (mailcow/sogo:1.58) (Started on Tue, 20 Aug 2019 00:45:28 +0200)

andryyy commented 5 years ago

I think this happens due to using smtp: as transport (or the smtp_enforced_tls:).

It will probably work with port 25 or 587. You should go with port 587 and enforce TLS.

That's a good find. :) We should disable port 465 or add a checkbox/auto-detection, when smtp should be used TLS-wrapped.

Can you try 587 and enforce TLS?

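A Postfix configuration that satisfies the two requirements the log line names (wrapper mode plus an `encrypt`-or-stronger security level) for a 465 relay, while leaving a 587 STARTTLS relay on the normal transport. This is an added illustration, not mailcow's own configuration; the transport name `smtps-relay`, the file paths, the map name and the domains are assumptions.

```conf
# --- master.cf (path assumed: data/conf/postfix/master.cf) ---------------
# A copy of the smtp delivery agent that speaks TLS in wrapper mode, which
# is what SMTPS on TCP port 465 requires. smtp_tls_wrappermode is available
# in Postfix 3.0 and later; the -o lines override main.cf for this transport
# only, so the regular smtp transport keeps using STARTTLS.
smtps-relay unix - - n - - smtp
  -o syslog_name=smtps-relay
  -o smtp_tls_wrappermode=yes
  -o smtp_tls_security_level=encrypt

# --- main.cf -------------------------------------------------------------
# Standard Postfix parameter: pick the transport by envelope sender.
# The map file name is an assumption; run "postmap" on it after editing.
sender_dependent_default_transport_maps = hash:/opt/postfix/conf/sender_transport

# --- sender_transport ----------------------------------------------------
# key = @sender-domain, value = transport:nexthop.
# Brackets around the host suppress the MX lookup; :465 selects SMTPS.
@example.org     smtps-relay:[smtp.example.org]:465

# A provider reached on 587 uses the ordinary smtp transport (STARTTLS),
# which must NOT have wrapper mode set; TLS is then enforced via the
# outgoing TLS policy map, as in the working 587 test in this thread.
@other.example   smtp:[smtp.example.org]:587

# --- tls_policy (the "Outgoing TLS policy map overrides" in the mailcow UI) --
# "secure" (certificate and hostname verification) satisfies the
# "encrypt or stronger" rule for the 465 transport as well.
[smtp.example.org]:465   secure
[smtp.example.org]:587   secure
```

The quickest check that the override took effect is `postconf -P smtps-relay/unix/smtp_tls_wrappermode` (Postfix 3.x), which should print `yes`; the earlier "SMTPS wrappermode (TCP port 465) requires" line then disappears from the `postfix-mailcow` log.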

maxmeyer commented 5 years ago

@andryyy It works fine with 587 and TLS encryption

> It will probably work with port 25 or 587. You should go with port 587 and enforce TLS.

I configured Outgoing TLS policy map overrides > `[smtp.mailbox.org]:587 secure`, ran `tshark -i any tcp port 587 -d tcp.port==587,ssl` and sent a test e-mail afterwards. TLS is used as configured. I have no wrongly configured relayhost on the internet to do a negative test. My mail provider always does TLS encryption, so I cannot test whether this fails if the SMTP server does not support TLS.

What I tried anyway was to disable TLS encryption with Outgoing TLS policy map overrides > `[smtp.mailbox.org]:25 none`, which had the desired effect. There was no TLS encryption after I made that change.

> checkbox/auto-detection, when smtp should be used TLS-wrapped.

I would prefer a port-based autodetection.

andryyy commented 5 years ago

Port is difficult. You can run any port with wrapped TLS. We could combine this with a detection for port 465 and auto-check something in the UI.

AlluraRed commented 4 months ago

SMTP provider I'm contractually bound with (long story) only offers port 465 for now. Any chance I can use it to relay on mailcow? Or is this still a huge challenge?