rustdesk / rustdesk-server-pro

Some scripts for RustDesk Server Pro are hosted here.

SMTP Problem #99

Open Apashh opened 11 months ago

Apashh commented 11 months ago

Hello,

I'm on 1.1.10-3 and my email is not being sent... How can I change the SMTP settings or email without access to the web console? Maybe in sqlite?

Thanks !

dignow commented 10 months ago

We do not have 587 opened to public. Just specific hosts in the cloud, like the rustdesk server for example

@CLU91 Hi, do you use your own smtp server and self-signed cert?

If so, you may need to specify the custom pem file.

The command in https://github.com/rustdesk/rustdesk-server-pro/issues/99#issuecomment-1775027493 may not help debugging

$ openssl s_client -connect smtp.office365.com:587 -starttls smtp

CLU91 commented 10 months ago

We do not have 587 opened to public. Just specific hosts in the cloud, like the rustdesk server for example

@CLU91 Hi, do you use your own smtp server and self-signed cert?

The command in #99 (comment) may not help debug

$ openssl s_client -connect smtp.office365.com:587 -starttls smtp

We use an on-premise Microsoft Exchange Server, but not a self-signed cert. We have an official one from Digicert. See second screenshot in https://github.com/rustdesk/rustdesk-server-pro/issues/99#issuecomment-1775027493

rustdesk commented 10 months ago

We do not have 587 opened to public. Just specific hosts in the cloud, like the rustdesk server for example

@CLU91 Hi, do you use your own smtp server and self-signed cert?

If so, you may need to specify the custom pem file.

The command in #99 (comment) may not help debugging

$ openssl s_client -connect smtp.office365.com:587 -starttls smtp

@dignow but your simple_mail_test.zip worked. What's the difference from our hbbs? native_tls vs rs_tls?

dignow commented 10 months ago

@CLU91 Can you please try https://github.com/rustdesk/rustdesk-server-pro/issues/99#issuecomment-1759306323 again, thanks.

CLU91 commented 10 months ago

No we receive an error with your updated mail test script:

dignow commented 10 months ago

The previous test demo uses native-tls and the later one uses tokio1-rustls-tls.

rustdesk commented 10 months ago

https://github.com/rustls/rustls/issues/413#issuecomment-712401369 More compatibility issues if we switch from rustls-tls to native-tls. Allow us more time for this.

dignow commented 10 months ago

This test can print the handshake messages with the -l t flag.

smtp_test.zip

This app uses tokio1-rustls-tls.

The test app in https://github.com/rustdesk/rustdesk-server-pro/issues/99#issuecomment-1755332344 uses native-tls.


CLU91 commented 10 months ago

Update: It's working with stronger ciphers and an A-Rating of the mailserver. We are doing an internal domain switch at the moment, so it happens that we have a new mailserver implemented. I used SMTPS with the new server, which comes with stronger ciphers. Mail is working as expected now.

Anyways... there are a lot of companies out there that are not running on the strongest TLS 1.3 encryption. I think there should be some kind of downgrade compatibility. Can you guys implement a button where you switch between the TLS versions Rust is using? Just my two cents....

regards

rustdesk commented 10 months ago

It is not an issue that a button can solve. From the outside a button is enough, but from the dev side this button is almost impossible.

We are still thinking about a good solution.

Coolguy3289 commented 8 months ago

Just installed a fresh version of RustDesk Pro. When attempting to add SMTP credentials to a local Mail Relay with no authentication, I get the following:

image

Note I've changed the domain for this screenshot, but used my actual domain during the test when I hit submit.

Running 1.1.10-5

rustdesk commented 8 months ago

@Coolguy3289 please try out https://github.com/rustdesk/rustdesk-server-pro/releases/tag/1.1.11

Coolguy3289 commented 8 months ago

@Coolguy3289 please try out https://github.com/rustdesk/rustdesk-server-pro/releases/tag/1.1.11

This fixed it

andrewheberle commented 1 month ago

I'm having the same SMTP SSL error:

Connection error: Connection error: error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:

I've verified I can send email using the version of the test app that uses native-tls; however, the one that uses the same TLS library as RustDesk (i.e. tokio1-rustls-tls) fails because the certificate we are using is issued from our internal Root CA, not a public one.

@dignow Is there any way to provide a custom Root CA for the test app in https://github.com/rustdesk/rustdesk-server-pro/issues/99#issuecomment-1775326168?

RustDesk SMTP config:

image

rustdesk commented 1 month ago

The docker version is using native tls. You can also consider migrating to docker.

andrewheberle commented 1 month ago

The docker version is using native tls. You can also consider migrating to docker.

I should have noted that I am using the Docker version on Linux, however I get that error.

The test program from https://github.com/rustdesk/rustdesk-server-pro/issues/99#issuecomment-1755332344 is able to send mail fine via the mail relay we have set up, but RustDesk (under Docker) fails with the "wrong version number" error above.

The mail relay is a Go based SMTP server that is built using the TLS defaults for Go 1.22 which means it supports TLSv1.3 and a modern set of ciphers, which does work with the test program but not RustDesk itself.

If there is any further info I can provide please let me know.

RustDesk Version: 1.3.11

SSL handshake info from "openssl s_client -connect mail-relay:587 -starttls smtp":

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1893 bytes and written 390 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

rustdesk commented 1 month ago

Did you test the test program under host or under docker?

andrewheberle commented 1 month ago

After doing testing with running the test program under Docker and having it work (see the Dockerfile below), I decided to test adding the root CA certificate into the hbbs container by mounting it into /usr/local/share/ca-certificates/root-ca.crt and changing the command for the hbbs container to /bin/sh -c 'update-ca-certificates && exec hbbs' so the new root CA certificate would be trusted and then running hbbs as normal.

After doing this I no longer got the wrong version number error, despite previously giving the path to the root CA certificate in the Web UI, so there seems to be some difference when providing the CA certificate this way compared to via the Web UI (or maybe I am misunderstanding that option in the Web UI).

I had previously run it both from the host (in this case it was the Windows version of the test program) and also via Docker on the same Linux host; in both cases the email could be sent fine.

The test on Windows had the internal root CA certificate in the "Trusted Root Certificate Authorities" certificate store and for the Docker test on Linux the root CA certificate was added to "/usr/local/share/ca-certificates" and "update-ca-certificates" was run during the image build process.

Here is the Dockerfile used for the test:

FROM ubuntu:20.04

COPY simple_test_linux /bin/simple_test_linux

RUN apt-get -qqy update && \
    apt-get -qqy install openssl ca-certificates libssl1.1 && \
    chown root:root /bin/simple_test_linux && \
    chmod +x /bin/simple_test_linux && \
    rm -rf /var/lib/apt/lists/*

COPY root-ca.pem /usr/local/share/ca-certificates/root-ca.crt

RUN update-ca-certificates

ENTRYPOINT [ "/bin/simple_test_linux" ]

So unsure if this will solve others' problems that have the wrong version number error, but for me the fix was to ensure the root CA certificate is added into the container and update-ca-certificates is run before starting the hbbs process.

The hbbs section from my docker-compose.yml file for this is below (this is not the complete config BTW, but shows the relevant additions):

  hbbs:
    container_name: hbbs
    image: rustdesk/rustdesk-server-pro:1.3.12
    command:
      - /bin/sh
      - -c
      - update-ca-certificates && exec hbbs
    volumes:
      - ./smtp/ca.pem:/usr/local/share/ca-certificates/root-ca.crt:ro

The same could be achieved by the following docker run command as per the RustDesk Server Pro simple install guide for Docker:

sudo docker run --name hbbs \
    -v ./data:/root \
    -v ./smtp/ca.pem:/usr/local/share/ca-certificates/root-ca.crt:ro \
    -td --net=host --restart unless-stopped \
    rustdesk/rustdesk-server-pro /bin/sh -c 'update-ca-certificates && exec hbbs'

Hopefully this helps others.
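
Added example (not part of the thread and not RustDesk code): a shell check that classifies an `openssl s_client` transcript, such as the one quoted above, so a run from inside the hbbs container shows whether the mounted root CA is actually trusted. The function and sample names are hypothetical, and the second sample is constructed.

```shell
#!/bin/sh
# Added example: classify an `openssl s_client` transcript read from stdin.
# Prints "protocol=... cipher=... verify=<code>" and returns
#   0 chain verified, 1 no TLS session, 2 issuer/root not trusted, 3 other.
check_handshake() {
    awk '
        # e.g. "New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256"
        /^New, / {
            split($0, f, ", ")
            proto = f[2]
            cipher = f[3]; sub(/^Cipher is /, "", cipher)
        }
        # e.g. "Verify return code: 0 (ok)"; leading digits become the number
        /Verify return code:/ {
            v = $0; sub(/.*Verify return code: */, "", v)
            code = v + 0; seen = 1
        }
        END {
            # s_client can print "(NONE)" with code 0 when no session was
            # set up, so code 0 alone does not prove the chain was verified.
            if (!seen || proto == "" || proto == "(NONE)") {
                print "no TLS session negotiated"; exit 1
            }
            printf "protocol=%s cipher=%s verify=%d\n", proto, cipher, code
            if (code == 0) exit 0
            # 18-21: self-signed or unknown issuer, i.e. CA missing from store
            if (code >= 18 && code <= 21) exit 2
            exit 3
        }'
}

# Lines taken from the transcript quoted in the thread.
sample_trusted() {
    cat <<'EOF'
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 2048 bit
Verify return code: 0 (ok)
EOF
}

# Constructed sample: same server, client without the internal root CA.
sample_untrusted() {
    cat <<'EOF'
Verification error: self-signed certificate in certificate chain
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Verify return code: 19 (self-signed certificate in certificate chain)
EOF
}

sample_trusted | check_handshake
sample_untrusted | check_handshake || echo "exit status $?: root CA not in trust store"
```

Against a live relay, pipe the command from the thread into it: `openssl s_client -connect mail-relay:587 -starttls smtp </dev/null 2>&1 | check_handshake`.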

rustdesk commented 1 month ago

Thank you very much.