Thanks all for helping me :) I was working on a direct bulk mail sender project.
My program was running properly, then it gave me an error. I spent far too much time searching through articles and debugging at a very low level over the last 2 days (I'm asleep).
The problem came from one little thing, "str(email)": email represents the sender list (for bulk sending from different accounts) and it is supposed to be a list, not a str :/ It took soooo much time, but on this journey I've learned a lot of cool things 🙂
In short: don't be afraid to make little mistakes
I can connect with an external openssl client, but not with telnet (to mail.example.com:587):
openssl s_client -starttls smtp -connect mail.example.com:587
After I issue starttls in the SMTP session, the connection is closed by the foreign host.
mail.log
Dec 6 15:45:45 example postfix/submission/smtpd[5149]: connect from unknown[********]
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: SSL_accept error from unknown[********]: -1
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: warning: TLS **library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:252:**
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: lost connection after STARTTLS from unknown[*******]
Dec 6 15:45:57 example postfix/submission/smtpd[5149]: disconnect from unknown[*********] ehlo=1 starttls=0/1 commands=1/2
postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
command_directory = /usr/sbin
compatibility_level = 2
daemon_directory = /usr/lib/postfix/sbin
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
local_recipient_maps = unix:passwd.byname $alias_maps
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 2
mydestination = mail.example.com,example.com, localhost,localhost.localdomain
mydomain = example.com
myhostname = mail.example.com
mynetworks = 168.100.189.0/28, 127.0.0.0/8,***.**.***.**/25
myorigin = /etc/mailname
newaliases_path = /usr/bin/newaliases
non_smtpd_milters = inet:localhost:12301
recipient_delimiter = +
sendmail_path = /usr/sbin/postfix
setgid_group = postdrop
smtp_tls_ciphers = high
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit
smtpd_milters = inet:localhost:12301
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = auth/dovecot
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/postfix/cert-20181202-231932.pem
smtpd_tls_ciphers = high
smtpd_tls_key_file = /etc/postfix/key-20181202-231932.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtputf8_enable = yes
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual
master.cf
smtp inet n - y - - smtpd
#smtp inet n - y - 1 postscreen
#smtpd pass - - y - - smtpd
#dnsblog unix - - y - 0 dnsblog
#tlsproxy unix - - y - 0 tlsproxy
#submission inet n - y - - smtpd
submission inet n - - - - smtpd
-o syslog_name=postfix/submission
-o smtpd_tls_wrappermode=no
#-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
-o smtpd_sasl_type=dovecot
# -o smtpd_sasl_path = auth/dovecot
-o smtpd_sasl_path=private/auth
# -o smtpd_sender_restrictions=$mua_sender_restrictions
# -o smtpd_recipient_restrictions= permit_mynetworks,permit_sasl_authenticated,reject
# -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
smtps inet n - y - - smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
dovecot.conf
disable_plaintext_auth = no
mail_privileged_group = mail
mail_location = maildir:~/Maildir
auth_mechanisms = plain
auth_username_format ="%Ln"
userdb {
driver = passwd
}
passdb {
args = %s
driver = pam
}
protocols = " imap"
protocol imap {
mail_plugins = " auto"
}
plugin {
autocreate = Trash
autocreate2 = Sent
autosubscribe = Trash
autosubscribe2 = Sent
}
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
listen = *
ssl=yes
ssl_cert = </etc/postfix/cert-20181202-231932.pem
ssl_key = </etc/postfix/key-20181202-231932.pem
netstat
netstat --proto=inet -pnl | grep 587
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 5073/master
openssl s_client -starttls smtp -connect mail.example.com:587
CONNECTED(00000003)
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd
verify return:1
---
Certificate chain
0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
---
Server certificate
-----BEGIN CERTIFICATE-----
******************************
-----END CERTIFICATE-----
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2531 bytes and written 302 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: E34DC2BC95BF207D4B5E38C6FABD2A25AC43290A994C50C7AEC183CA224A31D2
Session-ID-ctx:
Master-Key: 0413A1112B664D6FA2EA348D70F6614AF5567338F0C61FDDC62030DC24A9C7719332CE322960AC5DD1D84A1205E2B0B9
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 97 4c 40 cf ae aa cc f3-32 80 52 0d fe 9f c0 da .L@.....2.R.....
0010 - a5 b8 3f 3c 0d ae 29 a7-88 b4 c1 6b 65 bf 38 e0 ..?<..)....ke.8.
0020 - cc f9 05 93 43 4f 60 d4-a2 0f 3e 27 88 3e 13 1b ....CO`...>'.>..
0030 - 6a 31 01 86 5a 83 4c 80-a4 c4 5f 6b 6c bb ee e6 j1..Z.L..._kl...
0040 - 5c 02 71 e1 2f 1e 96 38-4c 58 65 02 2e 89 78 96 \.q./..8LXe...x.
0050 - 45 a6 b5 0c b4 b5 b6 61-65 c5 43 37 8d 4c 82 99 E......ae.C7.L..
0060 - 88 2f 48 98 ce 9a 68 35-d8 1a b8 86 ff 3b ce 15 ./H...h5.....;..
0070 - 0e e2 fd 02 60 07 1b 2a-2c 6d 0d 3b 32 25 f9 0d ....`..*,m.;2%..
0080 - d6 f8 31 2f 04 88 84 c9-bb 98 b3 fa ee 72 bd c1 ..1/.........r..
0090 - 75 29 31 29 cb 68 99 36-49 77 4e 4a 07 71 ed 6c u)1).h.6IwNJ.q.l
00a0 - 20 88 c3 4d f3 d1 1c 3e-a4 16 7a 53 53 8b 51 17 ..M...>..zSS.Q.
Start Time: 1544115275
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---
250
telnet mail.example.com 587
Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix (Ubuntu)
ehlo mail.example.com
250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
starttls
220 2.0.0 Ready to start TLS
auth plain AHJvb3QAZXhhbXBsZXBhc3M=
Connection closed by foreign host.
Best Answer
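The STARTTLS command indicates that the client wants to upgrade the connection to TLS. After the successful response from the server, the client should now upgrade the connection to TLS.
`openssl s_client ... -starttls smtp` does exactly this, i.e. it initiates a TLS handshake with the server and lets the user talk to the server over the now-encrypted connection once the handshake is done.
Your attempt to do this with `telnet` instead does no upgrade to TLS. `telnet` has no idea how a TLS handshake should be done or when it should be done. This means you just continue to talk in plain text with the server even though the server expects the start of a TLS handshake. That's why your server attempts to interpret your `auth plain ...` line as a TLS ClientHello and, since it is not TLS, fails to proceed and emits the error message you see ("wrong version number" in mail.log).
Note that the `auth plain` argument is only base64-encoded, not encrypted, so a real password sent this way would have crossed the network in the clear. The EHLO reply above also advertises `AUTH PLAIN` before STARTTLS; enabling the commented-out `smtpd_tls_security_level=encrypt` on the submission service (or setting `smtpd_tls_auth_only = yes`) stops Postfix from offering or accepting AUTH on an unencrypted session.
In short: you cannot use `telnet` for this.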